
upgrade d3-flamegraph to fix security vuln

Open fsperling opened this issue 2 years ago • 2 comments

What version of pprof are you using?

the latest from main

What is the issue

The d3flamegraph version used by pprof is using a vulnerable version of d3-color. d3-color should be upgraded to 3.1.0.

https://github.com/google/pprof/blob/main/third_party/d3flamegraph/package-lock.json#L325

The vuln report could be more detailed: https://git.soma.salesforce.com/pages/Infrastructure-Security/ast.github.io/sonatype-2021-0795.html The snyk report says that it's fixed in 3.1.0

fsperling avatar Jan 18 '23 13:01 fsperling
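The report above points at a pinned transitive dependency in `third_party/d3flamegraph/package-lock.json`. As an added example (not code from pprof or from the issue author), here is a small lockfile checker that walks an npm lockfile, finds every installed copy of a named package, and flags those below the version the advisory says is fixed. The sample lockfile is constructed inline for the example, its package versions are chosen for illustration, and the `d3-flame-graph` package name and `compareSemver`/`vulnerableCopies` helpers are assumptions of this example, not identifiers from the repository.

```javascript
// Added example (not part of pprof or the issue): flag copies of a transitive npm
// dependency that are pinned below the version a vulnerability report says is fixed.
// Handles lockfileVersion 1 (nested "dependencies") and 2/3 (flat "packages" keyed by path).

// Minimal comparison for plain "MAJOR.MINOR.PATCH" strings (prerelease tags are not handled).
function compareSemver(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const da = pa[i] || 0;
    const db = pb[i] || 0;
    if (da !== db) return da < db ? -1 : 1;
  }
  return 0;
}

// Collect every installed copy of `name` in the lockfile as { path, version }.
// A package can be installed more than once (nested under different parents),
// so one fixed top-level copy does not prove the vulnerable copy is gone.
function findInstalledVersions(lock, name) {
  const found = [];
  if (lock.packages) {
    // lockfileVersion 2/3: keys are node_modules paths; "" is the root project itself.
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === '') continue;
      if (path === `node_modules/${name}` || path.endsWith(`/node_modules/${name}`)) {
        found.push({ path, version: meta.version });
      }
    }
  } else if (lock.dependencies) {
    // lockfileVersion 1: a tree of nested "dependencies" objects.
    const walk = (deps, prefix) => {
      for (const [depName, meta] of Object.entries(deps)) {
        const path = `${prefix}node_modules/${depName}`;
        if (depName === name) found.push({ path, version: meta.version });
        if (meta.dependencies) walk(meta.dependencies, path + '/');
      }
    };
    walk(lock.dependencies, '');
  }
  return found;
}

// Copies of `name` whose version is strictly below `fixedIn`.
function vulnerableCopies(lock, name, fixedIn) {
  return findInstalledVersions(lock, name)
    .filter((c) => compareSemver(c.version, fixedIn) < 0);
}

// Constructed sample lockfile (lockfileVersion 2) for this example. Version numbers are
// illustrative; the point is that the nested copy under d3-flame-graph is the one that
// stays vulnerable even though a fixed top-level copy exists.
const sampleLock = {
  name: 'd3flamegraph-example',
  lockfileVersion: 2,
  packages: {
    '': { name: 'd3flamegraph-example' },
    'node_modules/d3-flame-graph': { version: '4.0.0', dependencies: { 'd3-color': '^2.0.0' } },
    'node_modules/d3-flame-graph/node_modules/d3-color': { version: '2.0.0' },
    'node_modules/d3-color': { version: '3.1.0' },
  },
};

const hits = vulnerableCopies(sampleLock, 'd3-color', '3.1.0');
for (const h of hits) {
  console.log(`${h.path}: ${h.version} is below 3.1.0 and needs an upgrade`);
}
```

To run this against a real checkout, replace `sampleLock` with `JSON.parse(require('fs').readFileSync('package-lock.json', 'utf8'))`. The check deliberately reports every nested copy rather than only the top-level one, because `npm audit fix` or a bumped top-level range can leave an older duplicate installed under the dependent that required it.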

@raidancampbell @aalexand https://github.com/google/pprof/pull/767#issuecomment-1506258288 please check this

sameemcodes avatar Apr 13 '23 03:04 sameemcodes

FYI - we plan to get rid of the d3 dependency altogether, see #777.

As a note, it is discouraged overall to expose the pprof web interface beyond trusted network domains such as the local machine.

And as a reminder, pprof is not an official Google product, see the main page.

aalexand avatar May 02 '23 17:05 aalexand

#777 removed the d3 dep so this is not relevant anymore.

aalexand avatar Jul 16 '24 00:07 aalexand