d3-graphviz

Vulnerability with d3-color

Open AndrewJohnBenjamin opened this issue 4 years ago • 2 comments

A new vulnerability has been detected with the d3-color package that makes it vulnerable to ReDoS attacks. Upgrading to version 3 of d3-color solves this issue.

The following libraries are included in the project and make use of d3-color and would need to be upgraded to ^3.0.0 in order to remove this vulnerability:

- d3-transition
- d3-interpolate
- d3-zoom

Is this something you are aware of and willing to fix?

Thanks

Andy

AndrewJohnBenjamin, Jul 06 '21 12:07

Sorry for the delay. Thanks. I wasn't aware of this. I will upgrade the next time I make a release. PRs are also welcome.

magjac, Jul 29 '21 14:07

To clarify, the vulnerability was apparently in the ws package, which is required by the devDependency jsdom. This does not appear to affect the published builds.

mootari, Oct 14 '21 11:10

Not sure if it's the same vulnerability reported here, but since yesterday, npm audit is reporting an issue with d3-color dependency:

✗ npm audit --audit-level=high --production --parseable
review	d3-color	high	>=3.1.0	d3-color vulnerable to ReDoS	https://github.com/advisories/GHSA-36jr-mh4h-2g58	d3-graphviz>d3-interpolate>d3-color
review	d3-color	high	>=3.1.0	d3-color vulnerable to ReDoS	https://github.com/advisories/GHSA-36jr-mh4h-2g58	d3-graphviz>d3-transition>d3-interpolate>d3-color
review	d3-color	high	>=3.1.0	d3-color vulnerable to ReDoS	https://github.com/advisories/GHSA-36jr-mh4h-2g58	d3-graphviz>d3-zoom>d3-transition>d3-interpolate>d3-color

EAlexRojas, Sep 30 '22 15:09
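An added example, not code from this thread or from the d3-graphviz project: a small POSIX shell script that triages `npm audit --parseable` lines of the shape quoted above and then checks which d3-color actually landed in `node_modules`. The three sample audit lines are constructed to match the ones posted in the thread; the temporary `node_modules` trees are constructed too, so nothing here touches the network. The column layout of `--parseable` output (action, package, severity, patched range, title, advisory URL, dependency path) and the `>=3.1.0` patched floor are taken from the posted output; the function names are mine.

```shell
#!/bin/sh
# Added example (not the d3-graphviz project's own code).
# Triage `npm audit --parseable` output and verify the resolved d3-color.

# Constructed sample in the same tab-separated shape as the audit lines
# quoted in the thread: action, package, severity, patched range, title,
# advisory URL, dependency path.
sample_audit() {
    for path in 'd3-graphviz>d3-interpolate>d3-color' \
                'd3-graphviz>d3-transition>d3-interpolate>d3-color' \
                'd3-graphviz>d3-zoom>d3-transition>d3-interpolate>d3-color'; do
        printf 'review\td3-color\thigh\t>=3.1.0\td3-color vulnerable to ReDoS\t%s\t%s\n' \
            'https://github.com/advisories/GHSA-36jr-mh4h-2g58' "$path"
    done
}

# audit_roots: read parseable audit lines on stdin and print
# "package<TAB>patched-range<TAB>direct-dependency" once per distinct triple.
# The direct dependency is the first element of the path; that is the package
# whose transitive copy an npm `overrides` entry (or yarn `resolutions`) must
# replace, so three audit lines that all enter via d3-graphviz collapse to one.
audit_roots() {
    awk -F'\t' '
        NF >= 7 {
            split($7, p, ">")
            key = $2 "\t" $4 "\t" p[1]
            if (!(key in seen)) { seen[key] = 1; print key }
        }'
}

# semver_ge A B: succeed when A >= B on numeric major.minor.patch.
# Pre-release suffixes are dropped, which is enough to test a patched floor.
semver_ge() {
    v1=${1%%-*}; v2=${2%%-*}
    a1=${v1%%.*}; r=${v1#*.}; a2=${r%%.*}; a3=${r#*.}
    b1=${v2%%.*}; r=${v2#*.}; b2=${r%%.*}; b3=${r#*.}
    if [ "$a1" -ne "$b1" ]; then
        if [ "$a1" -gt "$b1" ]; then return 0; else return 1; fi
    fi
    if [ "$a2" -ne "$b2" ]; then
        if [ "$a2" -gt "$b2" ]; then return 0; else return 1; fi
    fi
    if [ "$a3" -ge "$b3" ]; then return 0; else return 1; fi
}

# installed_d3_color_ok NODE_MODULES_DIR: succeed when the d3-color that
# actually resolved into node_modules is at or above the advisory floor.
# Returns 2 when no d3-color is installed at that top level at all.
installed_d3_color_ok() {
    pkg="$1/d3-color/package.json"
    [ -f "$pkg" ] || return 2
    ver=$(sed -n 's/^[[:space:]]*"version":[[:space:]]*"\([^"]*\)".*/\1/p' "$pkg" | head -n 1)
    semver_ge "$ver" "3.1.0"
}

# demo_tree VERSION: build a constructed node_modules tree holding only a
# d3-color package.json at VERSION and print the directory path.
demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/d3-color"
    printf '{\n  "name": "d3-color",\n  "version": "%s"\n}\n' "$1" > "$d/d3-color/package.json"
    printf '%s\n' "$d"
}

# Stand-alone run: show which direct dependency carries the advisory, then
# check a vulnerable and a patched constructed tree.
echo "direct dependencies pulling in the vulnerable package:"
sample_audit | audit_roots
for v in 3.0.1 3.1.0; do
    t=$(demo_tree "$v")
    if installed_d3_color_ok "$t"; then
        echo "d3-color $v: at or above patched floor 3.1.0"
    else
        echo "d3-color $v: below patched floor 3.1.0, still vulnerable"
    fi
    rm -rf "$t"
done
```

Until a d3-graphviz release ships the bumped d3 packages, the usual stopgap is an `overrides` block in your own package.json (npm 8.3 or later; yarn calls it `resolutions`), for example `"overrides": { "d3-color": ">=3.1.0" }`, followed by `npm ls d3-color` to confirm a single resolved copy at or above 3.1.0. Be aware that an override bypasses the range d3-graphviz itself declares, so exercise the build and the rendering path afterwards rather than trusting a clean `npm audit` alone.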

An automated PR was created for upgrading d3-color, d3-transition, d3-interpolate... https://github.com/magjac/d3-graphviz/pull/250 (currently in error) @magjac could we expect a new release soon including the upgraded versions of the dependencies to fix the ReDoS vulnerability? Thanks in advance

EAlexRojas, Oct 04 '22 15:10

@EAlexRojas I intend to make that as part of https://github.com/magjac/d3-graphviz/pull/242, but I'm currently blocked by https://github.com/hpcc-systems/hpcc-js-wasm/issues/120. I appreciate any help I can get.

magjac, Oct 05 '22 14:10

Good morning @magjac.

Do you have any update on this topic?

Thank you in advance.

Sawthis, Apr 11 '23 06:04

Fixed by https://github.com/magjac/d3-graphviz/commit/ab08920ec5adda5e55f7303fcf69ad64213fbb1d.

magjac, Apr 11 '23 16:04