swimlane / ngx-graph

Graph visualization library for angular

Home Page: https://swimlane.github.io/ngx-graph

d3-color vulnerable to ReDoS

krusche opened this issue · comments

Dependabot cannot update d3-color to a non-vulnerable version

The latest possible version that can be installed is 1.4.1 because of the following conflicting dependencies:

@swimlane/ngx-graph@8.0.2 requires d3-color@1 via a transitive dependency on d3-interpolate@1.4.0
@swimlane/ngx-graph@8.0.2 requires d3-color@1 via d3-transition@1.3.2
@swimlane/ngx-charts@20.1.0 requires d3-color@^2.0.0
@swimlane/ngx-charts@20.1.0 requires d3-color@1 - 2 via d3-interpolate@2.0.1
@swimlane/ngx-charts@20.1.0 requires d3-color@1 - 2 via d3-transition@2.0.0

No patched version available for d3-color
The earliest fixed version is 3.1.0.

The d3-color module provides representations for various color spaces in the browser. Versions prior to 3.1.0 are vulnerable to a Regular expression Denial of Service. This issue has been patched in version 3.1.0. There are no known workarounds.

Severity: High
Weaknesses: CWE-400
CVE ID: No CVE

GHSA-36jr-mh4h-2g58

Note: this is a repost of a dependabot issue in our repository https://github.com/ls1intum/Artemis/security/dependabot/25

Please take a look into this issue urgently and update transitive dependency d3-color to 3.1.0
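Added example, not code from the ngx-graph project or from anyone in this thread: a Node script that walks a package-lock.json (lockfileVersion 2 or 3) and lists every installed copy of d3-color, flagging those below 3.1.0, the first fixed version named in the report. Because npm can nest several copies of the same package, checking only the hoisted root copy does not prove a project is clean. The lockfile fragment is constructed to mirror the conflict above; its nesting is an assumption about how npm would lay these versions out.

```javascript
// Added example (not ngx-graph project code): find every installed copy of
// d3-color in a package-lock.json "packages" map and flag versions < 3.1.0,
// the first version fixed for GHSA-36jr-mh4h-2g58.
const FIXED_VERSION = "3.1.0";

// Lockfiles record exact versions; a prerelease suffix is ignored here.
const parseVersion = (v) =>
  v.split("-")[0].split(".").map((n) => Number.parseInt(n, 10) || 0);

// Numeric field-by-field comparison; returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Every lockfile entry whose path ends in node_modules/<pkg>, with the package
// that owns the nested node_modules folder ("(root)" for the hoisted copy).
function findCopies(lock, pkg = "d3-color", fixed = FIXED_VERSION) {
  const suffix = "node_modules/" + pkg;
  const copies = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!path.endsWith(suffix) || !meta.version) continue;
    const prefix = path.slice(0, -suffix.length).replace(/\/$/, "");
    const owner = prefix ? prefix.split("node_modules/").pop() : "(root)";
    const vulnerable = compareVersions(meta.version, fixed) < 0;
    copies.push({ path, owner, version: meta.version, vulnerable });
  }
  return copies;
}

// Constructed lockfile fragment mirroring the conflict in the issue; the
// nesting is an assumption, not a real lockfile from either project.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "node_modules/d3-color": { version: "3.1.0" },
    "node_modules/@swimlane/ngx-graph": { version: "8.0.2" },
    "node_modules/@swimlane/ngx-graph/node_modules/d3-color": { version: "1.4.1" },
    "node_modules/@swimlane/ngx-charts": { version: "20.1.0" },
    "node_modules/@swimlane/ngx-charts/node_modules/d3-color": { version: "2.0.0" },
  },
};

for (const c of findCopies(sampleLock)) {
  const tag = c.vulnerable ? "VULNERABLE" : "ok";
  console.log(`${tag} d3-color@${c.version} under ${c.owner} (${c.path})`);
}
```

To check a real project, replace `sampleLock` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; a clean tree prints only `ok` lines.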

I also wait for this update, please look into this issue.

Chiming in that this impacts my project as well. Thanks in advance for resolving.

Is there anything we can do to help progress this update?

Created a PR - #477

The PR was merged, thanks!
@marjan-georgiev can you please create a new npm release?

@krusche Perhaps someone else could do that (is it legal?). This project seems to be on very low maintenance, or maybe abandoned.

It's open source and MIT license. So probably we should create a fork. Best would be to do it with an organization so that multiple people can contribute.

Apologies for the delay, gentlemen. Released 8.0.3.

@marjan-georgiev

Issue still exists; we checked the 8.0.3 release.