d3-color vulnerable to ReDoS - https://github.com/advisories/GHSA-36jr-mh4h-2g58
There's a vulnerability reported on packages that dagre-d3 uses.
Unfortunately that repo is no longer supported: https://github.com/dagrejs/dagre-d3
Are there any plans to mitigate this … This is reported by npm audit, but npm install will also display
This will cause serious issues for mermaid going forward, as these are reported as high.
Thanks
# npm audit report

d3-color  <3.1.0
Severity: high
d3-color vulnerable to ReDoS - https://github.com/advisories/GHSA-36jr-mh4h-2g58
fix available via `npm audit fix --force`
Will install mermaid@8.4.3, which is a breaking change
node_modules/dagre-d3/node_modules/d3-color
  d3  4.0.0-alpha.1 - 6.7.0
  Depends on vulnerable versions of d3-brush
  Depends on vulnerable versions of d3-color
  Depends on vulnerable versions of d3-interpolate
  Depends on vulnerable versions of d3-scale
  Depends on vulnerable versions of d3-transition
  Depends on vulnerable versions of d3-zoom
  node_modules/dagre-d3/node_modules/d3
    dagre-d3  >=0.5.0
    Depends on vulnerable versions of d3
    node_modules/dagre-d3
      mermaid  8.4.1 - 8.4.2 || >=8.4.4
      Depends on vulnerable versions of dagre-d3
      node_modules/mermaid
  d3-interpolate  0.1.3 - 2.0.1
  Depends on vulnerable versions of d3-color
  node_modules/dagre-d3/node_modules/d3-interpolate
    d3-brush  0.1.0 - 2.1.0
    Depends on vulnerable versions of d3-interpolate
    Depends on vulnerable versions of d3-transition
    node_modules/dagre-d3/node_modules/d3-brush
    d3-scale  0.1.5 - 3.3.0
    Depends on vulnerable versions of d3-interpolate
    node_modules/dagre-d3/node_modules/d3-scale
    d3-scale-chromatic  0.1.0 - 2.0.0
    Depends on vulnerable versions of d3-color
    Depends on vulnerable versions of d3-interpolate
    node_modules/dagre-d3/node_modules/d3-scale-chromatic
    d3-transition  0.0.7 - 2.0.0
    Depends on vulnerable versions of d3-color
    Depends on vulnerable versions of d3-interpolate
    node_modules/dagre-d3/node_modules/d3-transition
    d3-zoom  0.0.2 - 2.0.0
    Depends on vulnerable versions of d3-interpolate
    Depends on vulnerable versions of d3-transition
    node_modules/dagre-d3/node_modules/d3-zoom
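The audit output above shows the usual shape of this class of finding: the vulnerable d3-color is not a direct dependency but a copy nested under dagre-d3 (node_modules/dagre-d3/node_modules/d3-color), and the only fix npm offers is a downgrade to mermaid@8.4.3. The following is an added example, not code from the original issue or from the mermaid, dagre-d3 or d3 projects: it scans an npm lockfile (lockfileVersion 2 or 3, the "packages" map) for every installed copy of a package below the version the advisory names as fixed (3.1.0), reports which dependency chain pulls in each old copy, and builds the npm "overrides" stanza (npm 8.3 and later) that forces the nested copy onto a fixed range when the intermediate package is unmaintained and cannot be expected to update. The lockfile is constructed to mirror the paths in the audit report; the version numbers in it (mermaid 8.13.10, dagre-d3 0.6.4, d3 5.16.0, d3-color 1.4.1 and 3.1.0, d3-interpolate 1.4.0) are assumptions for illustration.

```javascript
// Added example (not from the mermaid, dagre-d3 or d3 projects).
// Finds installed copies of a package below the advisory's fixed version in an
// npm lockfile and emits a package.json "overrides" entry for them.

// Parse "MAJOR.MINOR.PATCH[-prerelease]" into a comparable record.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || null };
}

// Returns <0, 0 or >0. A prerelease (e.g. 4.0.0-alpha.1) sorts below the
// release with the same numeric triple, matching the ranges npm audit prints.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] - pb.nums[i];
  }
  if (pa.pre && !pb.pre) return -1;
  if (!pa.pre && pb.pre) return 1;
  return 0;
}

// Every installed copy of `name` whose version is below `fixedIn`.
// npm nests a second copy under the dependant that pins the old range, so the
// lockfile path itself tells you which package is holding the old version.
function findVulnerableCopies(lockfile, name, fixedIn) {
  const hits = [];
  for (const [path, entry] of Object.entries(lockfile.packages || {})) {
    if (path === "" || !path.endsWith(`node_modules/${name}`)) continue;
    if (entry.version && compareVersions(entry.version, fixedIn) < 0) {
      hits.push({ path, version: entry.version });
    }
  }
  return hits;
}

// "node_modules/dagre-d3/node_modules/d3-color" -> ["dagre-d3", "d3-color"]
function dependencyChain(path) {
  return path.split("node_modules/").filter(Boolean).map(s => s.replace(/\/$/, ""));
}

// package.json fragment (npm >= 8.3) forcing every copy of `name` onto `range`.
function overridesFor(name, range) {
  return { overrides: { [name]: range } };
}

// CONSTRUCTED lockfile mirroring the nested paths from the audit report above;
// all version numbers here are assumed for illustration.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "1.0.0" },
    "node_modules/mermaid": { version: "8.13.10" },
    "node_modules/d3-color": { version: "3.1.0" },
    "node_modules/dagre-d3": { version: "0.6.4" },
    "node_modules/dagre-d3/node_modules/d3": { version: "5.16.0" },
    "node_modules/dagre-d3/node_modules/d3-color": { version: "1.4.1" },
    "node_modules/dagre-d3/node_modules/d3-interpolate": { version: "1.4.0" },
  },
};

// Stand-alone run: list old copies with their chains and print the override.
const hits = findVulnerableCopies(SAMPLE_LOCK, "d3-color", "3.1.0");
for (const h of hits) {
  console.log(`${dependencyChain(h.path).join(" > ")} is at ${h.version} (< 3.1.0)`);
}
console.log(JSON.stringify(overridesFor("d3-color", "^3.1.0"), null, 2));
```

Two caveats before adopting the override: the audit report lists the chain as mermaid > dagre-d3 > d3 4.x-6.x > d3-color, and an override only rewrites the resolved version, not the code that consumes it, so the build and the rendered diagrams need to be re-tested; in particular d3-color 3.x is published as ESM only, so a CommonJS consumer of the older d3 may fail at require time. Re-run npm audit after npm install to confirm the nested copy is gone rather than merely hidden.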
Issue Analytics
- Created a year ago
- Reactions: 2
- Comments: 7
Top GitHub Comments
Can we expect a release this week? We have a corporate year-end developer freeze and would like to close off high severity vulnerabilities. Thanks.
Do we have an ETA for this release? Hoping to be able to use mermaid once the security concern has been addressed.