Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

d3-color vulnerable to ReDoS - https://github.com/advisories/GHSA-36jr-mh4h-2g58

See original GitHub issue

There’s a vulnerability reported on packages that dagre-d3 uses

Unfortunately that repo is no longer supported https://github.com/dagrejs/dagre-d3

Are there any plans to mitigate this … This is reported by npm audit , but npm install will also display

This will cause serious issues for mermaid going forward as these are reported as high

Thanks

# npm audit report

d3-color  <3.1.0
Severity: high
d3-color vulnerable to ReDoS - https://github.com/advisories/GHSA-36jr-mh4h-2g58
fix available via `npm audit fix --force`
Will install mermaid@8.4.3, which is a breaking change
node_modules/dagre-d3/node_modules/d3-color
  d3  4.0.0-alpha.1 - 6.7.0
  Depends on vulnerable versions of d3-brush
  Depends on vulnerable versions of d3-color
  Depends on vulnerable versions of d3-interpolate
  Depends on vulnerable versions of d3-scale
  Depends on vulnerable versions of d3-transition
  Depends on vulnerable versions of d3-zoom
  node_modules/dagre-d3/node_modules/d3
    dagre-d3  >=0.5.0
    Depends on vulnerable versions of d3
    node_modules/dagre-d3
      mermaid  8.4.1 - 8.4.2 || >=8.4.4
      Depends on vulnerable versions of dagre-d3
      node_modules/mermaid
  d3-interpolate  0.1.3 - 2.0.1
  Depends on vulnerable versions of d3-color
  node_modules/dagre-d3/node_modules/d3-interpolate
    d3-brush  0.1.0 - 2.1.0
    Depends on vulnerable versions of d3-interpolate
    Depends on vulnerable versions of d3-transition
    node_modules/dagre-d3/node_modules/d3-brush
    d3-scale  0.1.5 - 3.3.0
    Depends on vulnerable versions of d3-interpolate
    node_modules/dagre-d3/node_modules/d3-scale
    d3-scale-chromatic  0.1.0 - 2.0.0
    Depends on vulnerable versions of d3-color
    Depends on vulnerable versions of d3-interpolate
    node_modules/dagre-d3/node_modules/d3-scale-chromatic
    d3-transition  0.0.7 - 2.0.0
    Depends on vulnerable versions of d3-color
    Depends on vulnerable versions of d3-interpolate
    node_modules/dagre-d3/node_modules/d3-transition
    d3-zoom  0.0.2 - 2.0.0
    Depends on vulnerable versions of d3-interpolate
    Depends on vulnerable versions of d3-transition
    node_modules/dagre-d3/node_modules/d3-zoom