High Vulnerability in d3-color < v3.1.0


Describe the bug

d3-color has a high vulnerability prior to v3.1.0. Ngx-charts should upgrade d3-color to v3.1.0 to resolve the issue. https://github.com/advisories/GHSA-36jr-mh4h-2g58.

To Reproduce

Run npm audit. d3-color will be flagged with the high vulnerability.

Expected behavior

  • Upgrading to v3.1.0 will remove the vulnerability when running npm audit.

ngx-charts version

All versions below v20.1.0, or any new versions that have d3-color below v3.1.0.

Additional context

GitHub advisory: https://github.com/advisories/GHSA-36jr-mh4h-2g58

Issue Analytics

  • State: closed
  • Created: a year ago
  • Reactions: 50
  • Comments: 7 (1 by maintainers)

Top GitHub Comments

yazharasu commented, Oct 14, 2022 (11 reactions)

Any update on this?

jlquijada commented, Dec 13, 2022 (6 reactions)

Maybe I’m missing something here about the solution applied:

In package.json I have this:

    "dependencies": {
        "@angular/cdk": "^15.0.2",
        "@angular/cli": "^15.0.3",
        "@angular/common": "^15.0.3",
        "@angular/compiler": "^15.0.3",
        "@angular/core": "^15.0.3",
        "@angular/forms": "^15.0.3",
...
        "@swimlane/ngx-charts": "^20.1.2",
...
    },
    "devDependencies": {
...
        "@types/d3": "^7.4.0",
...
    }

And I still get the 6 high severity vulnerabilities when running npm i -f.

When I run the audit fix, it reports them again and does not fix anything. Obviously the proposed --force solution would install a very old version of ngx-charts, so it would not be desirable.

    npm audit fix

    up to date, audited 1288 packages in 6s

    166 packages are looking for funding
      run npm fund for details

    # npm audit report

    d3-color  <3.1.0
    Severity: high
    d3-color vulnerable to ReDoS - https://github.com/advisories/GHSA-36jr-mh4h-2g58
    fix available via npm audit fix --force
    Will install @swimlane/ngx-charts@6.1.0, which is a breaking change
    node_modules/d3-color
      d3-interpolate  0.1.3 - 2.0.1
      Depends on vulnerable versions of d3-color
      node_modules/d3-interpolate
        @swimlane/ngx-charts  >=7.0.0
        Depends on vulnerable versions of d3-brush
        Depends on vulnerable versions of d3-interpolate
        Depends on vulnerable versions of d3-scale
        Depends on vulnerable versions of d3-transition
        node_modules/@swimlane/ngx-charts
        d3-brush  0.1.0 - 2.1.0
        Depends on vulnerable versions of d3-interpolate
        Depends on vulnerable versions of d3-transition
        node_modules/d3-brush
        d3-scale  0.1.5 - 3.3.0
        Depends on vulnerable versions of d3-interpolate
        node_modules/d3-scale
        d3-transition  0.0.7 - 2.0.0
        Depends on vulnerable versions of d3-color
        Depends on vulnerable versions of d3-interpolate
        node_modules/d3-transition

    6 high severity vulnerabilities

    To address issues that do not require attention, run:
      npm audit fix

    To address all issues (including breaking changes), run:
      npm audit fix --force
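The audit report above only says that some d3-color below 3.1.0 is installed; it does not say which copy, or which package in the tree actually resolves to it, which is what you need to know before deciding whether an override or a dependency bump is the right fix. The check below is an added example, not code from the issue, from ngx-charts or from npm: it walks the `packages` map of a lockfileVersion 2/3 package-lock.json, finds every d3-color entry older than the patched 3.1.0 release named in GHSA-36jr-mh4h-2g58, and applies Node's nearest-`node_modules` resolution to list the packages that really resolve to each vulnerable copy. The lockfile it runs on is constructed to resemble the tree in the report (the version numbers and ranges in it are sample values, not taken from a real install); a real project would load its own `package-lock.json` with `fs.readFileSync` and `JSON.parse`.

```javascript
// Added example: locate d3-color copies below the patched release in an npm
// lockfile and show what resolves to them. Not from the issue or ngx-charts.

// First d3-color release without the ReDoS-prone regex, per GHSA-36jr-mh4h-2g58.
const FIXED_D3_COLOR = '3.1.0';

// Constructed lockfileVersion 3 excerpt shaped like the audit tree above.
// Versions and ranges here are sample values for the demo, not real metadata.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo-app', dependencies: { '@swimlane/ngx-charts': '^20.1.2' } },
    'node_modules/@swimlane/ngx-charts': {
      version: '20.1.2',
      dependencies: { 'd3-interpolate': '^2.0.1', 'd3-scale': '^3.3.0' },
    },
    'node_modules/d3-interpolate': { version: '2.0.1', dependencies: { 'd3-color': '1 - 2' } },
    'node_modules/d3-scale': { version: '3.3.0', dependencies: { 'd3-interpolate': '1.2.0 - 2' } },
    'node_modules/d3-color': { version: '2.0.0' },
    // A hypothetical package that ships its own, already patched, nested copy.
    'node_modules/some-widget': { version: '1.0.0', dependencies: { 'd3-color': '^3.1.0' } },
    'node_modules/some-widget/node_modules/d3-color': { version: '3.1.0' },
  },
};

// Numeric "major.minor.patch" comparison; pre-release suffixes are ignored.
// Returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] ?? 0;
    const y = pb[i] ?? 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"
function packageName(lockPath) {
  const marker = 'node_modules/';
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? lockPath : lockPath.slice(idx + marker.length);
}

// Node resolution over the lockfile: starting at fromPath, look for
// <base>/node_modules/<name>, then walk up one node_modules level at a time.
function resolvesTo(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = base ? `${base}/node_modules/${name}` : `node_modules/${name}`;
    if (candidate in packages) return candidate;
    if (!base) return null;
    const idx = base.lastIndexOf('/node_modules/');
    base = idx === -1 ? '' : base.slice(0, idx);
  }
}

// Returns [{ path, version, dependents }] for each d3-color copy below `fixed`.
// `dependents` lists every package whose d3-color dependency resolves to that copy.
function findVulnerableD3Color(lock, fixed = FIXED_D3_COLOR) {
  const packages = lock.packages || {};
  const findings = [];
  for (const [path, meta] of Object.entries(packages)) {
    if (path === '' || packageName(path) !== 'd3-color') continue;
    if (compareVersions(meta.version, fixed) >= 0) continue;
    const dependents = Object.entries(packages)
      .filter(([, m]) => m.dependencies && 'd3-color' in m.dependencies)
      .filter(([p]) => resolvesTo(packages, p, 'd3-color') === path)
      .map(([p, m]) => (p === '' ? '(root project)' : `${packageName(p)}@${m.version}`));
    findings.push({ path, version: meta.version, dependents });
  }
  return findings;
}

// Human-readable summary, one line per vulnerable copy.
function formatFindings(findings) {
  if (findings.length === 0) return `no d3-color below ${FIXED_D3_COLOR} found`;
  return findings
    .map((f) => `${f.path} is ${f.version} (< ${FIXED_D3_COLOR}); resolved by: ${f.dependents.join(', ') || '(nothing)'}`)
    .join('\n');
}

console.log(formatFindings(findVulnerableD3Color(SAMPLE_LOCK)));
```

On the constructed lockfile this reports the single top-level `node_modules/d3-color` at 2.0.0, resolved only by `d3-interpolate@2.0.1`; the nested 3.1.0 copy under `some-widget` is skipped as already patched, and `some-widget` is correctly not listed as a dependent of the vulnerable copy because resolution finds its own nested copy first. Knowing the real dependents is what tells you whether the installed ngx-charts already accepts a patched d3-interpolate/d3-color (a lockfile refresh suffices) or whether the range itself has to change.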
