react-d3-cloud
react-d3-cloud copied to clipboard
Yoctol
d3-color high severity vulnerability
react-d3-cloud depends on a version of d3-color that is vunerable to reDOS: https://github.com/advisories/GHSA-36jr-mh4h-2g58 Any version of d3-color <3.1.0 is vunerable to this. Please update the package.json to get a later version of react-d3-color
(env) duecknoah@Noahs-MacBook-Pro dashboard % npm audit
# npm audit report
d3-color <3.1.0
Severity: high
d3-color vulnerable to ReDoS - https://github.com/advisories/GHSA-36jr-mh4h-2g58
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/d3-color
d3-interpolate 0.1.3 - 2.0.1
Depends on vulnerable versions of d3-color
node_modules/d3-interpolate
d3-scale 0.1.5 - 3.3.0
Depends on vulnerable versions of d3-interpolate
node_modules/d3-scale
react-d3-cloud >=0.5.0
Depends on vulnerable versions of d3-scale
Depends on vulnerable versions of d3-scale-chromatic
node_modules/react-d3-cloud
d3-scale-chromatic 0.1.0 - 2.0.0
Depends on vulnerable versions of d3-color
Depends on vulnerable versions of d3-interpolate
node_modules/d3-scale-chromatic
5 high severity vulnerabilities
These packages are released as ESM, so we can't easily bump them without introducing a bundler or releasing react-d3-cloud as ESM too.
@chentsulin I would recommend using something like parcel or vite in library mode. That will take care of the bundling and requires a minimal amount of setup. Moving forward (most) everything will be in ESM anyway, so you will be ahead of the curve on that regardless. Vite is almost all ESM under the hood anyway.
It's an example of a painful migration in the Node/js ecosystem, but it does get easier with time. Most modules I am working with "just work" once I have a proper bundler included. For this reason I recommend Vite as its setup is far less complex than Webpack or Turbopack.
Use overrides (or resolutions) in your package.json.
"overrides": {
"d3-color": "^3.1.0"
}
