chore(deps): bump d3-color from 2.0.0 to 3.1.0 #2142
Conversation
![dependabot[bot]](https://avatars.githubusercontent.com/in/29110?s=60&v=4){kind=small}
dependabot
bot
added
the
dependencies
|
This pull request is automatically built and testable in CodeSandbox. To see build info of the built libraries, click here or the icon next to each commit SHA. Latest deployment of this branch, based on commit 64790e6:
|
|
I am getting high severity vulnerability report from npm: Will this upgrade be coming anytime soon? |
|
Might make more sense to upgrade all d3 pacakges, not just one. |
|
We are getting a vulnerability report as well, so I'm interested in this fix too. |
|
High vulnerability here |
|
seems related to d3/d3-interpolate#96 |
|
@jberney put up a pull request to resolve the test failures. Is that the last hurdle to getting this merged? I'm also on the hook to get the d3-color security vulnerability resolved. |
|
Hi, Any chance of a status update on this PR? |
|
Can someone rerun this build for us to see the logs please? This issue is as important as React-18 upgrade right now, or even more. |
dependabot
bot
force-pushed
the
dependabot/npm_and_yarn/d3-color-3.1.0
branch
from
785cda8
to
9be1bd0
Compare
Bumps [d3-color](https://github.com/d3/d3-color) from 2.0.0 to 3.1.0. - [Release notes](https://github.com/d3/d3-color/releases) - [Commits](d3/d3-color@v2.0.0...v3.1.0) --- updated-dependencies: - dependency-name: d3-color dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com>
dependabot
bot
force-pushed
the
dependabot/npm_and_yarn/d3-color-3.1.0
branch
from
9be1bd0
to
f8de625
Compare
|
Oh man, good to hear from you :) Are you checking the existing PRs here and issues related to d3 and React-18 in general or too busy with RL? Update: Just joined your Backers list in OpenCollective to support the project. You should really monetize your project as many open-source devs do (I love how electron-userland/electron-builder does it, calling for financial support for the features they build - the highest donation receiving features get built in no time). |
|
@shehi, quite busy with work, and personal life, just trying to review the "easy" PRs, merge dependabot ones... React 18 support is not an easy thing. Thank you for joining the backers, unfortunately, the money I get/got for this project is far from being on par with the time/efforts I've put in it, I use open collective mainly because it was easy to setup and works for where I live, I don't want to have more things to manage 😅 It would also be hard for me to commit on specific features to be built, and I think if people wants some specific feature, they should pay for it, it should not be based on some kind of gamble on donations IMHO, it's work. My main concern with updating d3 packages is that it could impact the build/test setup for users (it's already the case for jest in this repo), I understand that d3 wants to move forward and to create packages written in modern JS, but the reality is a bit different IMHO, we still have to support older browsers, platforms... This could really have a huge impact, that being said, I didn't have time to test what this impact is. |
|
I understand your concerns @plouc , but IMHO a project like this - with vastly limited resources, as you mentioned - should look forward, not back. Many projects (e.g. bundlers, compilers, component related ones like Shoelace etc) have already abandoned old browsers in their effort to move forward. Maybe you, as a developer yourself, are using old browsers, but again IMHO, for the longevity and sustainability of this great project it'd be better to move on. Release a new major version ditching old browsers (pre-Chromium Edge browsers and IE 11 primarily) completely. The world is progressing rapidly, so are almost everyone who are using this library: by the time you decide to leave legacy browsers behind it might be too late, because all of us need working solutions for our ever-growing development needs. As such, with all humility, I suggest you do that. No need to touch existing versions, let them stay at v0.80.x space with legacy stuff. Yes, d3's security implications will stay there until you upgrade, but since this project literally is bound to d3, your v0.80 version will have to remain within implicated d3 v2 space. Release v1.0 with old browsers abandoned, latest d3 and later on latest React 18 (the latter can come down the road, with a minor release) integrated. If you wish and have time for solving the old implicated version, then you can also work on that. But IMO it is critical to save the project before people hop off this ship. As with the donations: as I mentioned, monetize it more effectively. Openly ask people - your userbase - to support the project so that you could spend real time to develop and release a new version. Cater towards them, and I am confident you will see the result. You have dozens, if not hundreds of users using this great tool. 5 EUR from ea can easily offset you for a fulltime month which in turn could boost this project. It's all you and all of us need, right? Just draw a roadmap, attach a timetable to it giving people some idea how long it'd take feature-X to appear, and start collecting donations. We are not naive, neither do we see you as a slave :) every dev needs to be compensated for their time. So get compensated, man! |
|
It may be possible to do what recharts did in recharts/recharts#3167 and replace d3-color with https://www.npmjs.com/package/victory-vendor to bridge this gap. See https://formidable.com/blog/2022/victory-esm/. If this is something you'd be interested in possibly merging, I would be open to working on a PR. |
@plouc I fully agree with this. Look forward, Release v1.0 on d3 latest and abandon old browsers. Most repos I've see have or will soon drop IE 11 (really the lame duck of all browsers left). Definitely save the project before it dies from lack of attention. More over, you have a community of people attempting to improve the project with PRs. If you have limited time I suggest, putting your attention into getting them reviewed, approved and merged. Also, find a few trusted contributors who can help you, who have the ability to approve/merge PRs and cut releases. I've been doing the much of the fixing and releases for one of the projects that my company uses, with the support and blessing of the owner. And we have begun to use Nivo as well. Utilize the open source community to help you, please. |
|
@plouc Do you have an idea when the next Nivo release will be? We want to get rid of this vulnerability warning |
|
@plouc Any ideas of when the next Nivo release will be? thanks! |
Bumps d3-color from 2.0.0 to 3.1.0.
Release notes
Sourced from d3-color's releases.
Commits
7a1573e3.1.075c19c4update LICENSEef94e01update dependencies5e9f757method shorthande4bc34eformatHex8 (#103)ac660c6{rgb,hsl}.clamp() (#102)70e3a04clamp HSL format (#101)994d8fdavoid backtracking (#100)7d61bbe3.0.193bc4ffrelated d3/d33; extract copyrights from LICENSEDependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot mergewill merge this PR after your CI passes on it@dependabot squash and mergewill squash and merge this PR after your CI passes on it@dependabot cancel mergewill cancel a previously requested merge and block automerging@dependabot reopenwill reopen this PR if it is closed@dependabot closewill close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)@dependabot use these labelswill set the current labels as the default for future PRs for this repo and language@dependabot use these reviewerswill set the current reviewers as the default for future PRs for this repo and language@dependabot use these assigneeswill set the current assignees as the default for future PRs for this repo and language@dependabot use this milestonewill set the current milestone as the default for future PRs for this repo and languageYou can disable automated security fix PRs for this repo from the Security Alerts page.