D3 dependencies vulnerability #2470

the-marolie · 2023-11-21T11:18:03Z

Not exactly a bug but twas wondering if the d3-scale-chromatic version used in @nivo/colors can be updated to v3.0.0 , the latest version. This would update the d3-color dependency which is currently at 2.x to 3.x which patches a vulnerability.

The version has already been updated to v3.0.0 in @nivo/[email protected] but not in @nivo/[email protected]

The text was updated successfully, but these errors were encountered:

sseide · 2023-11-24T10:55:49Z

d3-scale must be updated too to latest version 4.x. Currently used 3.x depends on vulnerable version of d3-color too.

[email protected] -> "d3-interpolate": "1.2.0 - 2" -> "d3-color": "1 - 2"

radikrisffnext · 2023-11-29T09:37:59Z

Same issue here, npm audit vulnerabilities are still flagged

m-salman-afzal · 2023-12-06T15:11:07Z

What is the progress on this? Kindly update

DaveCole · 2023-12-12T20:09:21Z

+1 - Here's the npm audit:

d3-color  <3.1.0
Severity: high
d3-color vulnerable to ReDoS - https://github.com/advisories/GHSA-36jr-mh4h-2g58
fix available via `npm audit fix --force`
Will install @nivo/[email protected], which is a breaking change
node_modules/d3-scale-chromatic/node_modules/d3-color
node_modules/d3-scale/node_modules/d3-color
  d3-interpolate  0.1.3 - 2.0.1
  Depends on vulnerable versions of d3-color
  node_modules/d3-scale-chromatic/node_modules/d3-interpolate
  node_modules/d3-scale/node_modules/d3-interpolate
    d3-scale  0.1.5 - 3.3.0
    Depends on vulnerable versions of d3-interpolate
    node_modules/d3-scale
      @nivo/core  *
      Depends on vulnerable versions of @nivo/tooltip
      Depends on vulnerable versions of d3-scale
      node_modules/@nivo/core
        @nivo/axes  *
        Depends on vulnerable versions of @nivo/core
        Depends on vulnerable versions of @nivo/scales
        node_modules/@nivo/axes
        @nivo/bullet  *
        Depends on vulnerable versions of @nivo/axes
        Depends on vulnerable versions of @nivo/colors
        Depends on vulnerable versions of @nivo/core
        Depends on vulnerable versions of @nivo/legends
        Depends on vulnerable versions of @nivo/scales
        Depends on vulnerable versions of @nivo/tooltip
        node_modules/@nivo/bullet
        @nivo/colors  *
        Depends on vulnerable versions of @nivo/core
        Depends on vulnerable versions of d3-scale
        Depends on vulnerable versions of d3-scale-chromatic
        node_modules/@nivo/colors
          @nivo/annotations  *
          Depends on vulnerable versions of @nivo/colors
          Depends on vulnerable versions of @nivo/core
          node_modules/@nivo/annotations
            @nivo/network  *
            Depends on vulnerable versions of @nivo/annotations
            Depends on vulnerable versions of @nivo/colors
            Depends on vulnerable versions of @nivo/core
            Depends on vulnerable versions of @nivo/tooltip
            node_modules/@nivo/network
        @nivo/legends  >=0.56.0
        Depends on vulnerable versions of @nivo/colors
        Depends on vulnerable versions of @nivo/core
        Depends on vulnerable versions of d3-scale
        node_modules/@nivo/legends
        @nivo/tooltip  *
        Depends on vulnerable versions of @nivo/core
        node_modules/@nivo/tooltip
      @nivo/scales  *
      Depends on vulnerable versions of d3-scale
      node_modules/@nivo/scales
    d3-scale-chromatic  0.1.0 - 2.0.0
    Depends on vulnerable versions of d3-color
    Depends on vulnerable versions of d3-interpolate
    node_modules/d3-scale-chromatic

michelacerro · 2024-01-02T12:00:57Z

Hi, same issue here.

For my project I need to install @nivo/core, @nivo/line and @nivo/geo, and all three report vulnerability issues.

By installing only @nivo/core, the npm audit report is:

d3-color  <3.1.0
Severity: high
d3-color vulnerable to ReDoS - https://github.com/advisories/GHSA-36jr-mh4h-2g58
No fix available
node_modules/d3-scale/node_modules/d3-color
  d3-interpolate  0.1.3 - 2.0.1
  Depends on vulnerable versions of d3-color
  node_modules/d3-scale/node_modules/d3-interpolate
    d3-scale  0.1.5 - 3.3.0
    Depends on vulnerable versions of d3-interpolate
    node_modules/d3-scale
      @nivo/core  *
      Depends on vulnerable versions of @nivo/tooltip
      Depends on vulnerable versions of d3-scale
      node_modules/@nivo/core
        @nivo/tooltip  *
        Depends on vulnerable versions of @nivo/core
        node_modules/@nivo/tooltip

By installing only @nivo/line, the npm audit report is:

d3-color  <3.1.0
Severity: high
d3-color vulnerable to ReDoS - https://github.com/advisories/GHSA-36jr-mh4h-2g58
fix available via `npm audit fix --force`
Will install @nivo/[email protected], which is a breaking change
node_modules/@nivo/colors/node_modules/d3-interpolate/node_modules/d3-color
node_modules/@nivo/colors/node_modules/d3-scale-chromatic/node_modules/d3-color
node_modules/d3-scale/node_modules/d3-color
  d3-interpolate  0.1.3 - 2.0.1
  Depends on vulnerable versions of d3-color
  node_modules/@nivo/colors/node_modules/d3-interpolate
  node_modules/d3-scale/node_modules/d3-interpolate
    d3-scale  0.1.5 - 3.3.0
    Depends on vulnerable versions of d3-interpolate
    node_modules/d3-scale
      @nivo/core  *
      Depends on vulnerable versions of @nivo/tooltip
      Depends on vulnerable versions of d3-scale
      node_modules/@nivo/core
        @nivo/axes  *
        Depends on vulnerable versions of @nivo/core
        Depends on vulnerable versions of @nivo/scales
        node_modules/@nivo/axes
          @nivo/line  *
          Depends on vulnerable versions of @nivo/annotations
          Depends on vulnerable versions of @nivo/axes
          Depends on vulnerable versions of @nivo/colors
          Depends on vulnerable versions of @nivo/core
          Depends on vulnerable versions of @nivo/legends
          Depends on vulnerable versions of @nivo/scales
          Depends on vulnerable versions of @nivo/tooltip
          Depends on vulnerable versions of @nivo/voronoi
          node_modules/@nivo/line
        @nivo/colors  *
        Depends on vulnerable versions of @nivo/core
        Depends on vulnerable versions of d3-scale
        Depends on vulnerable versions of d3-scale-chromatic
        node_modules/@nivo/colors
          @nivo/annotations  *
          Depends on vulnerable versions of @nivo/colors
          Depends on vulnerable versions of @nivo/core
          node_modules/@nivo/annotations
          @nivo/legends  >=0.56.0
          Depends on vulnerable versions of @nivo/colors
          Depends on vulnerable versions of @nivo/core
          Depends on vulnerable versions of d3-scale
          node_modules/@nivo/legends
        @nivo/tooltip  *
        Depends on vulnerable versions of @nivo/core
        node_modules/@nivo/tooltip
        @nivo/voronoi  *
        Depends on vulnerable versions of @nivo/core
        Depends on vulnerable versions of d3-scale
        node_modules/@nivo/voronoi
      @nivo/scales  *
      Depends on vulnerable versions of d3-scale
      node_modules/@nivo/scales
    d3-scale-chromatic  0.1.0 - 2.0.0
    Depends on vulnerable versions of d3-color
    Depends on vulnerable versions of d3-interpolate
    node_modules/@nivo/colors/node_modules/d3-scale-chromatic

By installing only @nivo/geo, the npm audit report is:

d3-color  <3.1.0
Severity: high
d3-color vulnerable to ReDoS - https://github.com/advisories/GHSA-36jr-mh4h-2g58
fix available via `npm audit fix --force`
Will install @nivo/[email protected], which is a breaking change
node_modules/@nivo/colors/node_modules/d3-interpolate/node_modules/d3-color
node_modules/@nivo/colors/node_modules/d3-scale-chromatic/node_modules/d3-color
node_modules/d3-scale/node_modules/d3-color
  d3-interpolate  0.1.3 - 2.0.1
  Depends on vulnerable versions of d3-color
  node_modules/@nivo/colors/node_modules/d3-interpolate
  node_modules/d3-scale/node_modules/d3-interpolate
    d3-scale  0.1.5 - 3.3.0
    Depends on vulnerable versions of d3-interpolate
    node_modules/d3-scale
      @nivo/core  *
      Depends on vulnerable versions of @nivo/tooltip
      Depends on vulnerable versions of d3-scale
      node_modules/@nivo/core
        @nivo/colors  *
        Depends on vulnerable versions of @nivo/core
        Depends on vulnerable versions of d3-scale
        Depends on vulnerable versions of d3-scale-chromatic
        node_modules/@nivo/colors
          @nivo/geo  *
          Depends on vulnerable versions of @nivo/colors
          Depends on vulnerable versions of @nivo/core
          Depends on vulnerable versions of @nivo/legends
          Depends on vulnerable versions of @nivo/tooltip
          node_modules/@nivo/geo
        @nivo/legends  >=0.56.0
        Depends on vulnerable versions of @nivo/colors
        Depends on vulnerable versions of @nivo/core
        Depends on vulnerable versions of d3-scale
        node_modules/@nivo/legends
        @nivo/tooltip  *
        Depends on vulnerable versions of @nivo/core
        node_modules/@nivo/tooltip
    d3-scale-chromatic  0.1.0 - 2.0.0
    Depends on vulnerable versions of d3-color
    Depends on vulnerable versions of d3-interpolate
    node_modules/@nivo/colors/node_modules/d3-scale-chromatic

avocardio · 2024-01-09T05:55:38Z

Any fix for this?

cythrawll · 2024-01-10T16:25:01Z

Hi can we get this in? The vulnerability scan we are required to do is starting to cause issues.

cythrawll · 2024-01-10T16:27:15Z

Looks like there is a PR for this: #2466 can we get this in?

clemich · 2024-01-17T16:34:12Z

Please include the non-vulnerable d3 packages on nivo, it would be very nice

LeAnsman · 2024-01-24T13:41:10Z

+1

Dependencies :

"dependencies" : {
    "@nivo/bar": "^0.84.0",
    "@nivo/colors": "^0.84.0",
    "@nivo/core": "^0.84.0",
    "@nivo/pie": "^0.84.0",
    "@nivo/radar": "^0.84.0",
    "@nivo/radial-bar": "^0.84.0",
    "@nivo/sunburst": "^0.84.0"
}

Npm audit report :

d3-color  <3.1.0
Severity: high
d3-color vulnerable to ReDoS - https://github.com/advisories/GHSA-36jr-mh4h-2g58
fix available via `npm audit fix --force`
Will install @nivo/[email protected], which is a breaking change
node_modules/d3-scale-chromatic/node_modules/d3-color
node_modules/d3-scale/node_modules/d3-color
  d3-interpolate  0.1.3 - 2.0.1
  Depends on vulnerable versions of d3-color
  node_modules/d3-scale-chromatic/node_modules/d3-interpolate
  node_modules/d3-scale/node_modules/d3-interpolate
    d3-scale  0.1.5 - 3.3.0
    Depends on vulnerable versions of d3-interpolate
    node_modules/d3-scale
      @nivo/bar  *
      Depends on vulnerable versions of @nivo/annotations
      Depends on vulnerable versions of @nivo/axes
      Depends on vulnerable versions of @nivo/colors
      Depends on vulnerable versions of @nivo/core
      Depends on vulnerable versions of @nivo/legends
      Depends on vulnerable versions of @nivo/scales
      Depends on vulnerable versions of @nivo/tooltip
      Depends on vulnerable versions of d3-scale
      node_modules/@nivo/bar
      @nivo/core  *
      Depends on vulnerable versions of @nivo/tooltip
      Depends on vulnerable versions of d3-scale
      node_modules/@nivo/core
        @nivo/axes  *
        Depends on vulnerable versions of @nivo/core
        Depends on vulnerable versions of @nivo/scales
        node_modules/@nivo/axes
        @nivo/colors  *
        Depends on vulnerable versions of @nivo/core
        Depends on vulnerable versions of d3-scale
        Depends on vulnerable versions of d3-scale-chromatic
        node_modules/@nivo/colors
          @nivo/annotations  *
          Depends on vulnerable versions of @nivo/colors
          Depends on vulnerable versions of @nivo/core
          node_modules/@nivo/annotations
          @nivo/arcs  *
          Depends on vulnerable versions of @nivo/colors
          Depends on vulnerable versions of @nivo/core
          node_modules/@nivo/arcs
            @nivo/pie  *
            Depends on vulnerable versions of @nivo/arcs
            Depends on vulnerable versions of @nivo/colors
            Depends on vulnerable versions of @nivo/core
            Depends on vulnerable versions of @nivo/legends
            Depends on vulnerable versions of @nivo/tooltip
            node_modules/@nivo/pie
            @nivo/polar-axes  *
            Depends on vulnerable versions of @nivo/arcs
            Depends on vulnerable versions of @nivo/core
            Depends on vulnerable versions of @nivo/scales
            node_modules/@nivo/polar-axes
            @nivo/sunburst  *
            Depends on vulnerable versions of @nivo/arcs
            Depends on vulnerable versions of @nivo/colors
            Depends on vulnerable versions of @nivo/core
            Depends on vulnerable versions of @nivo/tooltip
            node_modules/@nivo/sunburst
          @nivo/legends  >=0.56.0
          Depends on vulnerable versions of @nivo/colors
          Depends on vulnerable versions of @nivo/core
          Depends on vulnerable versions of d3-scale
          node_modules/@nivo/legends
            @nivo/radar  *
            Depends on vulnerable versions of @nivo/colors
            Depends on vulnerable versions of @nivo/core
            Depends on vulnerable versions of @nivo/legends
            Depends on vulnerable versions of @nivo/tooltip
            Depends on vulnerable versions of d3-scale
            node_modules/@nivo/radar
            @nivo/radial-bar  *
            Depends on vulnerable versions of @nivo/arcs
            Depends on vulnerable versions of @nivo/colors
            Depends on vulnerable versions of @nivo/core
            Depends on vulnerable versions of @nivo/legends
            Depends on vulnerable versions of @nivo/polar-axes
            Depends on vulnerable versions of @nivo/scales
            Depends on vulnerable versions of @nivo/tooltip
            Depends on vulnerable versions of d3-scale
            node_modules/@nivo/radial-bar
        @nivo/tooltip  *
        Depends on vulnerable versions of @nivo/core
        node_modules/@nivo/tooltip
      @nivo/scales  *
      Depends on vulnerable versions of d3-scale
      node_modules/@nivo/scales
    d3-scale-chromatic  0.1.0 - 2.0.0
    Depends on vulnerable versions of d3-color
    Depends on vulnerable versions of d3-interpolate
    node_modules/d3-scale-chromatic

Thanks in advance.

OleksandrRakovets · 2024-02-28T12:47:29Z

Must be resolved by #2466. Looking forward to the release.

plouc · 2024-03-07T00:46:18Z

0.85.0 has been released, which fixes the issue with d3-color, but now d3-scale is also an issue.

plouc · 2024-03-08T01:42:27Z

Solved in 0.85.1.

plouc mentioned this issue Mar 7, 2024

High risk dependency reported by NPM #2506

Closed

plouc added the security label Mar 7, 2024

plouc changed the title ~~Updating d3 dependencies~~ D3 dependencies vulnerability Mar 7, 2024

plouc closed this as completed Mar 8, 2024

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

D3 dependencies vulnerability #2470

D3 dependencies vulnerability #2470

the-marolie commented Nov 21, 2023 •

edited

Loading

sseide commented Nov 24, 2023

radikrisffnext commented Nov 29, 2023

m-salman-afzal commented Dec 6, 2023

DaveCole commented Dec 12, 2023 •

edited

Loading

michelacerro commented Jan 2, 2024

avocardio commented Jan 9, 2024

cythrawll commented Jan 10, 2024

cythrawll commented Jan 10, 2024

clemich commented Jan 17, 2024

LeAnsman commented Jan 24, 2024 •

edited

Loading

OleksandrRakovets commented Feb 28, 2024

plouc commented Mar 7, 2024

plouc commented Mar 8, 2024

D3 dependencies vulnerability #2470

D3 dependencies vulnerability #2470

Comments

the-marolie commented Nov 21, 2023 • edited Loading

sseide commented Nov 24, 2023

radikrisffnext commented Nov 29, 2023

m-salman-afzal commented Dec 6, 2023

DaveCole commented Dec 12, 2023 • edited Loading

michelacerro commented Jan 2, 2024

avocardio commented Jan 9, 2024

cythrawll commented Jan 10, 2024

cythrawll commented Jan 10, 2024

clemich commented Jan 17, 2024

LeAnsman commented Jan 24, 2024 • edited Loading

OleksandrRakovets commented Feb 28, 2024

plouc commented Mar 7, 2024

plouc commented Mar 8, 2024

the-marolie commented Nov 21, 2023 •

edited

Loading

DaveCole commented Dec 12, 2023 •

edited

Loading

LeAnsman commented Jan 24, 2024 •

edited

Loading