d3-color vulnerable to ReDoS - https://github.com/advisories/GHSA-36jr-mh4h-2g58
There's a vulnerability reported on packages that dagre-d3 uses.
Unfortunately that repo is no longer supported: https://github.com/dagrejs/dagre-d3
Are there any plans to mitigate this? This is reported by `npm audit`, but `npm install` will also display it.
This will cause serious issues for mermaid going forward, as these are reported as high.
Thanks
```text
# npm audit report

d3-color  <3.1.0
Severity: high
d3-color vulnerable to ReDoS - https://github.com/advisories/GHSA-36jr-mh4h-2g58
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/dagre-d3/node_modules/d3-color
  d3  4.0.0-alpha.1 - 6.7.0
  Depends on vulnerable versions of d3-brush
  Depends on vulnerable versions of d3-color
  Depends on vulnerable versions of d3-interpolate
  Depends on vulnerable versions of d3-scale
  Depends on vulnerable versions of d3-transition
  Depends on vulnerable versions of d3-zoom
  node_modules/dagre-d3/node_modules/d3
    dagre-d3  >=0.5.0
    Depends on vulnerable versions of d3
    node_modules/dagre-d3
      mermaid  8.4.1 - 8.4.2 || >=8.4.4
      Depends on vulnerable versions of dagre-d3
      node_modules/mermaid
  d3-interpolate  0.1.3 - 2.0.1
  Depends on vulnerable versions of d3-color
  node_modules/dagre-d3/node_modules/d3-interpolate
    d3-brush  0.1.0 - 2.1.0
    Depends on vulnerable versions of d3-interpolate
    Depends on vulnerable versions of d3-transition
    node_modules/dagre-d3/node_modules/d3-brush
    d3-scale  0.1.5 - 3.3.0
    Depends on vulnerable versions of d3-interpolate
    node_modules/dagre-d3/node_modules/d3-scale
    d3-scale-chromatic  0.1.0 - 2.0.0
    Depends on vulnerable versions of d3-color
    Depends on vulnerable versions of d3-interpolate
    node_modules/dagre-d3/node_modules/d3-scale-chromatic
    d3-transition  0.0.7 - 2.0.0
    Depends on vulnerable versions of d3-color
    Depends on vulnerable versions of d3-interpolate
    node_modules/dagre-d3/node_modules/d3-transition
    d3-zoom  0.0.2 - 2.0.0
    Depends on vulnerable versions of d3-interpolate
    Depends on vulnerable versions of d3-transition
    node_modules/dagre-d3/node_modules/d3-zoom
```
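The audit report above only tells you that a vulnerable `d3-color` sits somewhere under `dagre-d3`; when triaging, the question is which dependency paths actually resolve to the affected range, since a hoisted, already-fixed copy at the top level does not help a nested duplicate. The following is an added example, not code from the mermaid or dagre-d3 projects: it walks a tree shaped like `npm ls --all --json` output and lists every path that ends in a `d3-color` below 3.1.0 (the range in GHSA-36jr-mh4h-2g58). The sample tree, its package versions and the `findVulnerablePaths` helper are constructed for illustration and are not what any real install produced.

```javascript
// Added example (not from the mermaid project): report every dependency path
// in an `npm ls --all --json` style tree that reaches a package version inside
// a vulnerable range, e.g. d3-color < 3.1.0 as in the audit report.

// Minimal "x.y.z" comparison; prerelease tags are ignored here (assumption:
// the packages of interest use plain numeric releases).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// True when `version` lies in [minIncl, maxExcl); maxExcl === null means open-ended.
function inVulnerableRange(version, range) {
  const { minIncl = "0.0.0", maxExcl = null } = range;
  return compareVersions(version, minIncl) >= 0 &&
    (maxExcl === null || compareVersions(version, maxExcl) < 0);
}

// Depth-first walk; returns each path "root@v > dep@v > ... > name@v" whose
// leaf is `name` at an affected version. Descends past a hit too, because a
// nested node_modules directory can hold a second, differently resolved copy.
function findVulnerablePaths(tree, name, range) {
  const hits = [];
  function walk(node, path) {
    for (const [depName, dep] of Object.entries(node.dependencies || {})) {
      const next = [...path, `${depName}@${dep.version}`];
      if (depName === name && inVulnerableRange(dep.version, range)) {
        hits.push(next.join(" > "));
      }
      walk(dep, next);
    }
  }
  walk(tree, [`${tree.name}@${tree.version}`]);
  return hits;
}

// Constructed sample shaped like `npm ls --all --json`. The versions are
// assumptions for illustration. The top-level d3-color is an assumed, already
// fixed copy; the copies nested under dagre-d3 mirror the audit report above.
const SAMPLE_TREE = {
  name: "my-app",
  version: "1.0.0",
  dependencies: {
    "d3-color": { version: "3.1.0" },
    mermaid: {
      version: "9.1.7",
      dependencies: {
        "dagre-d3": {
          version: "0.6.4",
          dependencies: {
            d3: {
              version: "5.16.0",
              dependencies: {
                "d3-color": { version: "1.4.1" },
                "d3-interpolate": {
                  version: "1.4.0",
                  dependencies: { "d3-color": { version: "1.4.1" } },
                },
              },
            },
          },
        },
      },
    },
  },
};

// GHSA-36jr-mh4h-2g58 affects d3-color < 3.1.0.
const D3_COLOR_REDOS_RANGE = { maxExcl: "3.1.0" };

console.log(findVulnerablePaths(SAMPLE_TREE, "d3-color", D3_COLOR_REDOS_RANGE).join("\n"));
```

On a real project, feed the script the output of `npm ls --all --json` instead of `SAMPLE_TREE`; an empty result for the affected range means no install path still resolves to the vulnerable version, which is the condition that actually clears the audit finding rather than merely silencing it.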
Would love to take this on
👋🏾 As a dedicated MermaidJS user, I would also love for this to be looked into as well 🙇🏾. It's tripping our security alerts as a high priority security issue and seems like an important vulnerability to address. Would love to assist in any way if possible.
https://github.com/mermaid-js/mermaid/pull/3712