Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

High risk dependency reported by NPM #2506

Closed
ItamarShDev opened this issue Feb 2, 2024 · 5 comments
Closed

High risk dependency reported by NPM #2506

ItamarShDev opened this issue Feb 2, 2024 · 5 comments
Labels
security ⚠️ duplicate

Comments

@ItamarShDev
Copy link

npm audit reports 16 high severity vulnerabilities when using nivo.

# npm audit report

d3-color  <3.1.0
Severity: high
d3-color vulnerable to ReDoS - https://github.com/advisories/GHSA-36jr-mh4h-2g58
No fix available
node_modules/d3-scale-chromatic/node_modules/d3-color
node_modules/d3-scale/node_modules/d3-color
  d3-interpolate  0.1.3 - 2.0.1
  Depends on vulnerable versions of d3-color
  node_modules/d3-scale-chromatic/node_modules/d3-interpolate
  node_modules/d3-scale/node_modules/d3-interpolate
    d3-scale  0.1.5 - 3.3.0
    Depends on vulnerable versions of d3-interpolate
    node_modules/d3-scale
      @nivo/bar  *
      Depends on vulnerable versions of @nivo/annotations
      Depends on vulnerable versions of @nivo/axes
      Depends on vulnerable versions of @nivo/colors
      Depends on vulnerable versions of @nivo/core
      Depends on vulnerable versions of @nivo/legends
      Depends on vulnerable versions of @nivo/scales
      Depends on vulnerable versions of @nivo/tooltip
      Depends on vulnerable versions of d3-scale
      node_modules/@nivo/bar
      @nivo/core  *
      Depends on vulnerable versions of @nivo/tooltip
      Depends on vulnerable versions of d3-scale
      node_modules/@nivo/core
        @nivo/axes  *
        Depends on vulnerable versions of @nivo/core
        Depends on vulnerable versions of @nivo/scales
        node_modules/@nivo/axes
        @nivo/colors  *
        Depends on vulnerable versions of @nivo/core
        Depends on vulnerable versions of d3-scale
        Depends on vulnerable versions of d3-scale-chromatic
        node_modules/@nivo/colors
          @nivo/annotations  *
          Depends on vulnerable versions of @nivo/colors
          Depends on vulnerable versions of @nivo/core
          node_modules/@nivo/annotations
          @nivo/arcs  *
          Depends on vulnerable versions of @nivo/colors
          Depends on vulnerable versions of @nivo/core
          node_modules/@nivo/arcs
          @nivo/radar  *
          Depends on vulnerable versions of @nivo/colors
          Depends on vulnerable versions of @nivo/core
          Depends on vulnerable versions of @nivo/legends
          Depends on vulnerable versions of @nivo/tooltip
          Depends on vulnerable versions of d3-scale
          node_modules/@nivo/radar
        @nivo/legends  >=0.56.0
        Depends on vulnerable versions of @nivo/colors
        Depends on vulnerable versions of @nivo/core
        Depends on vulnerable versions of d3-scale
        node_modules/@nivo/legends
          @nivo/radial-bar  *
          Depends on vulnerable versions of @nivo/arcs
          Depends on vulnerable versions of @nivo/colors
          Depends on vulnerable versions of @nivo/core
          Depends on vulnerable versions of @nivo/legends
          Depends on vulnerable versions of @nivo/polar-axes
          Depends on vulnerable versions of @nivo/scales
          Depends on vulnerable versions of @nivo/tooltip
          Depends on vulnerable versions of d3-scale
          node_modules/@nivo/radial-bar
        @nivo/polar-axes  *
        Depends on vulnerable versions of @nivo/arcs
        Depends on vulnerable versions of @nivo/core
        Depends on vulnerable versions of @nivo/scales
        node_modules/@nivo/polar-axes
        @nivo/tooltip  *
        Depends on vulnerable versions of @nivo/core
        node_modules/@nivo/tooltip
      @nivo/scales  *
      Depends on vulnerable versions of d3-scale
      node_modules/@nivo/scales
    d3-scale-chromatic  0.1.0 - 2.0.0
    Depends on vulnerable versions of d3-color
    Depends on vulnerable versions of d3-interpolate
    node_modules/d3-scale-chromatic
@brandanking-decently
Copy link

This is still the case, any indication on if this will be fixed?

@rhendz
Copy link

rhendz commented Feb 28, 2024

I'm getting this as well on v0.84.0:

# npm audit report
d3-color  <3.1.0
Severity: high
d3-color vulnerable to ReDoS - https://github.com/advisories/GHSA-36jr-mh4h-2g58
No fix available
node_modules/@nivo/core/node_modules/d3-scale/node_modules/d3-color
  d3-interpolate  0.1.3 - 2.0.1
  Depends on vulnerable versions of d3-color
  node_modules/@nivo/core/node_modules/d3-scale/node_modules/d3-interpolate
    d3-scale  0.1.5 - 3.3.0
    Depends on vulnerable versions of d3-interpolate
    node_modules/@nivo/core/node_modules/d3-scale
      @nivo/core  *
      Depends on vulnerable versions of @nivo/tooltip
      Depends on vulnerable versions of d3-scale
      node_modules/@nivo/core
        @nivo/tooltip  *
        Depends on vulnerable versions of @nivo/core
        node_modules/@nivo/tooltip

Additionally, it appears [email protected] contains the vulnerable d3-color sub dependency.

# npm list d3-color
└─┬ @nivo/[email protected]
  ├── [email protected]
  ├─┬ [email protected]
  │ └── [email protected] deduped
  ├─┬ [email protected]
  │ └── [email protected] deduped
  └─┬ [email protected]
    └─┬ [email protected]
      └── [email protected]

@rhendz rhendz mentioned this issue Feb 29, 2024
Closed
@zC4sTr0
Copy link

zC4sTr0 commented Feb 29, 2024
edited
Loading

I fixed this issue on our project using override's feature of npm:

Reference: npm's package.json Documentation

  "overrides": {
    "d3-color": "^3.1.0"
  }

@ItamarShDev
Copy link
Author

I fixed this issue on our project using override's feature of npm:

Reference: npm's package.json Documentation

  "overrides": {
    "d3-color": "^3.1.0"
  }

great solution meanwhile. thanks!

@plouc
Copy link
Owner

plouc commented Mar 7, 2024

Duplicate of #2470

@plouc plouc marked this as a duplicate of #2470 Mar 7, 2024
@plouc plouc closed this as completed Mar 7, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
security ⚠️ duplicate
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@plouc @ItamarShDev @rhendz @zC4sTr0 @brandanking-decently