Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.
And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.
d3-color vulnerable to ReDoS
See original GitHub issueDependabot cannot update d3-color to a non-vulnerable version
The latest possible version that can be installed is 1.4.1 because of the following conflicting dependencies:
@swimlane/ngx-graph@8.0.2 requires d3-color@1 via a transitive dependency on d3-interpolate@1.4.0
@swimlane/ngx-graph@8.0.2 requires d3-color@1 via d3-transition@1.3.2
@swimlane/ngx-charts@20.1.0 requires d3-color@^2.0.0
@swimlane/ngx-charts@20.1.0 requires d3-color@1 - 2 via d3-interpolate@2.0.1
@swimlane/ngx-charts@20.1.0 requires d3-color@1 - 2 via d3-transition@2.0.0
No patched version available for d3-color The earliest fixed version is 3.1.0.
The d3-color module provides representations for various color spaces in the browser. Versions prior to 3.1.0 are vulnerable to a Regular expression Denial of Service. This issue has been patched in version 3.1.0. There are no known workarounds.
Severity: High Weaknesses: CWE-400 CVE ID: No CVE
Issue Analytics
- State:
- Created a year ago
- Reactions:3
- Comments:9 (1 by maintainers)
Top Results From Across the Web
Top Related Medium Post
Top Related StackOverflow Question
Troubleshoot Live Code
Top Related Reddit Thread
Top Related Hackernoon Post
Top Related Tweet
Top Related Dev.to Post
Top Related Hashnode Post
Created a PR - https://github.com/swimlane/ngx-graph/pull/477
Please take a look into this issue urgently and update transitive dependency d3-color to 3.1.0