d3 / d3-scale

Encodings that map abstract data to visual representation.

Home Page: https://d3js.org/d3-scale

d3 dependency tree depends on a security vulnerable version of d3-color

AtishayMsft opened this issue

d3 dependency tree depends on version 3.0.1 of d3-color, which is vulnerable to a Regular Expression Denial of Service.
This issue has been patched in version 3.1.0. See GHSA-36jr-mh4h-2g58 for details.

Kindly update the d3 dependency chain from 3.0.1 to 3.1.0.
We would also like to get this updated for version 2.x of the library modules, as version 3.x switches to ESM only for d3, which is not supported by our project.

The dependency ranges are shown here in the package.json:

d3-scale/package.json (lines 35 to 48 in 83555bd):

"dependencies": {
"d3-array": "2.10.0 - 3",
"d3-format": "1 - 3",
"d3-interpolate": "1.2.0 - 3",
"d3-time": "2.1.1 - 3",
"d3-time-format": "2 - 4"
},
"devDependencies": {
"d3-color": "1 - 3",
"eslint": "7",
"mocha": "9",
"rollup": "2",
"rollup-plugin-terser": "7"
},

If you’re referring to the yarn.lock, that only applies if you clone this repository and run yarn install, i.e., when you’re developing changes to d3-scale locally. It doesn’t affect downstream packages.
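The reply above turns on the difference between the ranges in package.json and the repository's own lockfile: downstream installs resolve the ranges, so a range like "1 - 3" already admits the patched d3-color 3.1.0. The following is an added example, not code from d3 or from anyone in this thread: a minimal npm hyphen-range checker plus a scan over a constructed lockfile-style map that flags resolved d3-color copies still below 3.1.0.

```javascript
// Added example (not d3's code): npm hyphen-range check and a lockfile scan
// for d3-color versions below the fix for GHSA-36jr-mh4h-2g58.
// The lockfile content further down is constructed for illustration.

// Parse "major.minor.patch" into numbers; missing parts default to 0.
function parseVersion(v) {
  const [major = 0, minor = 0, patch = 0] = v.split('.').map(Number);
  return [major, minor, patch];
}

// Three-way comparison of two version strings (-1, 0, 1).
function compare(a, b) {
  const [x, y] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  return 0;
}

// Does `version` fall inside an npm hyphen range such as "2.10.0 - 3"?
// A partial upper bound ("3") means "any 3.x.y", i.e. strictly below 4.0.0.
function satisfiesHyphenRange(version, range) {
  const [lo, hi] = range.split(' - ').map(s => s.trim());
  if (compare(version, lo) < 0) return false;
  const hiParts = hi.split('.');
  if (hiParts.length === 3) return compare(version, hi) <= 0;
  const upperExclusive = hiParts.length === 1
    ? `${Number(hiParts[0]) + 1}.0.0`
    : `${hiParts[0]}.${Number(hiParts[1]) + 1}.0`;
  return compare(version, upperExclusive) < 0;
}

const FIXED_D3_COLOR = '3.1.0'; // first d3-color release without the ReDoS

// Scan a map of resolved packages (shaped like a lockfile "packages" section)
// and return the keys whose d3-color is still below the fixed version.
function findVulnerableD3Color(resolved) {
  return Object.entries(resolved)
    .filter(([key, entry]) => key.endsWith('node_modules/d3-color')
      && compare(entry.version, FIXED_D3_COLOR) < 0)
    .map(([key]) => key);
}

// Constructed sample: a hoisted d3-color at 3.0.1 and a nested copy already patched.
const sampleLock = {
  'node_modules/d3-color': { version: '3.0.1' },
  'node_modules/d3-scale': { version: '4.0.2' },
  'node_modules/some-app/node_modules/d3-color': { version: '3.1.0' },
};
```

Running `findVulnerableD3Color(sampleLock)` on the constructed map reports only the hoisted 3.0.1 copy, and `satisfiesHyphenRange('3.1.0', '1 - 3')` confirms the existing range does not need to change to receive the fix.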

We would like to get the fix d3/d3-color#100 updated for version 2.x of the library modules, as version 3.x switches to ESM only for d3, which is not supported by our project.