
Vulnerability CWE-400: d3-color vulnerable to ReDoS

Open agforero opened this issue 1 year ago • 1 comment

Hey there,

It appears that the current version of react-simple-maps relies on a vulnerable version of another package, d3-color. My team and I are getting the following Dependabot Alert:

Dependabot cannot update d3-color to a non-vulnerable version

The latest possible version that can be installed is 2.0.0 because of the following conflicting dependencies:

[email protected] requires d3-color@1 - 2 via a transitive dependency on [email protected]
[email protected] requires d3-color@1 - 2 via a transitive dependency on [email protected]
No patched version available for d3-color

The earliest fixed version is 3.1.0.

react-simple-maps has to upgrade to d3-color version 3.1.0 or higher.

agforero avatar May 15 '24 16:05 agforero
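Added example, not code from the issue or from the react-simple-maps project: a Node script that scans a package-lock.json (lockfileVersion 2/3 "packages" map) for d3-color installs below 3.1.0, the first fixed version named in the alert, and reports the dependency path that pins each one. The lock data is constructed inline; the package names and versions in it are illustrative, not taken from the issue.

```javascript
// First d3-color release without the ReDoS, per the Dependabot alert above.
const FIXED = [3, 1, 0];

// Parse "2.0.0" / "3.1.0-rc.1" into a numeric triple (prerelease tags ignored).
function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// True when triple a sorts strictly before triple b.
function isBelow(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i];
  }
  return false;
}

// Walk the "packages" map of a v2/v3 lockfile. Keys look like
// "node_modules/a/node_modules/d3-color"; the nesting encodes which
// dependency pulled in its own (possibly older) copy.
function findVulnerableD3Color(lock) {
  const hits = [];
  for (const [key, meta] of Object.entries(lock.packages || {})) {
    if (!key.endsWith('node_modules/d3-color')) continue;
    if (isBelow(parseSemver(meta.version), FIXED)) {
      // "node_modules/a/node_modules/d3-color" -> "a > d3-color"
      const path = key
        .split('node_modules/')
        .filter(Boolean)
        .map((s) => s.replace(/\/$/, ''));
      hits.push({ path: path.join(' > '), version: meta.version });
    }
  }
  return hits;
}

// Constructed sample lock: the top-level d3-color is already patched, but a
// nested copy pinned by an intermediate d3 package is still on the 1-2 range.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    'node_modules/d3-color': { version: '3.1.0' },
    'node_modules/d3-interpolate': { version: '2.0.1' },
    'node_modules/d3-interpolate/node_modules/d3-color': { version: '2.0.0' },
  },
};

console.log(JSON.stringify(findVulnerableD3Color(SAMPLE_LOCK)));
```

Pointing the function at a real lockfile (JSON.parse of its contents) shows exactly which transitive path a package.json override or a dependency upgrade must address.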

There is a workaround: https://github.com/zcreativelabs/react-simple-maps/issues/349#issuecomment-1973832916

OleksiiKachan avatar May 24 '24 16:05 OleksiiKachan