
Security vulnerability fix for d3-color nice-to-have in version 1.x

Open danisluk opened this issue 2 years ago • 4 comments

Please, would it be possible to backport the fix made in https://github.com/d3/d3-color/pull/100 to d3-color 1.x?

There are multiple people who would be happy for this backport.

danisluk avatar Oct 07 '22 08:10 danisluk

I’m not going to do this but you are welcome to fork this repository.

mbostock avatar Oct 07 '22 14:10 mbostock

1.x fork here with fix cherry-picked: https://www.npmjs.com/package/d3-color-1-fix

Install the package and point to it with "d3-color": "npm:d3-color-1-fix" in "resolutions" (yarn) or "overrides" (npm).

mpopv avatar Oct 21 '22 18:10 mpopv

After I changed it to:

{
    "resolutions": {
        "d3-color": "https://registry.npmmirror.com/d3-color-1-fix/-/d3-color-1-fix-1.4.2.tgz"
    }
}

It works. But audit always needs 3.1.0.

uwang avatar Oct 31 '22 07:10 uwang

I'd recommend not using the tgz directly because it can't be audited like a package by automated tooling.

You're also probably going to want to manually search your lockfile after adding the override to make sure vulnerable versions of d3-color are expunged; there are some versions of npm (<8.7, I believe) where lockfile generation for overrides was broken so it would not be properly expunged and you will trip automated vulnerability checkers even with the override added properly in package.json.

mpopv avatar Nov 08 '22 18:11 mpopv