
d3-color vulnerable to ReDoS - https://github.com/advisories/GHSA-36jr-mh4h-2g58

Open huineng opened this issue 1 year ago • 1 comments

There's a vulnerability reported on packages that dagre-d3 uses

Unfortunately that repo is no longer supported https://github.com/dagrejs/dagre-d3

Are there any plans to mitigate this? This is reported by npm audit, but npm install will also display it.

This will cause serious issues for mermaid going forward as these are reported as high

Thanks

# npm audit report

d3-color  <3.1.0
Severity: high
d3-color vulnerable to ReDoS - https://github.com/advisories/GHSA-36jr-mh4h-2g58
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/dagre-d3/node_modules/d3-color
  d3  4.0.0-alpha.1 - 6.7.0
  Depends on vulnerable versions of d3-brush
  Depends on vulnerable versions of d3-color
  Depends on vulnerable versions of d3-interpolate
  Depends on vulnerable versions of d3-scale
  Depends on vulnerable versions of d3-transition
  Depends on vulnerable versions of d3-zoom
  node_modules/dagre-d3/node_modules/d3
    dagre-d3  >=0.5.0
    Depends on vulnerable versions of d3
    node_modules/dagre-d3
      mermaid  8.4.1 - 8.4.2 || >=8.4.4
      Depends on vulnerable versions of dagre-d3
      node_modules/mermaid
  d3-interpolate  0.1.3 - 2.0.1
  Depends on vulnerable versions of d3-color
  node_modules/dagre-d3/node_modules/d3-interpolate
    d3-brush  0.1.0 - 2.1.0
    Depends on vulnerable versions of d3-interpolate
    Depends on vulnerable versions of d3-transition
    node_modules/dagre-d3/node_modules/d3-brush
    d3-scale  0.1.5 - 3.3.0
    Depends on vulnerable versions of d3-interpolate
    node_modules/dagre-d3/node_modules/d3-scale
    d3-scale-chromatic  0.1.0 - 2.0.0
    Depends on vulnerable versions of d3-color
    Depends on vulnerable versions of d3-interpolate
    node_modules/dagre-d3/node_modules/d3-scale-chromatic
    d3-transition  0.0.7 - 2.0.0
    Depends on vulnerable versions of d3-color
    Depends on vulnerable versions of d3-interpolate
    node_modules/dagre-d3/node_modules/d3-transition
    d3-zoom  0.0.2 - 2.0.0
    Depends on vulnerable versions of d3-interpolate
    Depends on vulnerable versions of d3-transition
    node_modules/dagre-d3/node_modules/d3-zoom

huineng avatar Oct 13 '22 18:10 huineng
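The audit output above flags the nested copy at node_modules/dagre-d3/node_modules/d3-color, not a root-level one, which is easy to miss when only the top-level version is checked. The following is an added example (not code from the mermaid project or this thread) that scans a package-lock.json "packages" map for every installed copy of a package below the fixed release; the lockfile fragment and its version numbers are constructed for illustration.

```javascript
// Added example (not from the mermaid thread): locate every installed copy of a
// package in a package-lock.json (lockfileVersion 2/3 "packages" map) and flag the
// copies whose version is below the first fixed release. A fixed root copy does
// not help when an unmaintained dependency pins its own nested, older copy.

// Minimal semver parse: "3.1.0" -> [3, 1, 0]; a prerelease tag ("4.0.0-alpha.1")
// sorts below the same release, which is enough for a "< fixed" comparison.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || null };
}

function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] < pb.nums[i] ? -1 : 1;
  }
  if (pa.pre === pb.pre) return 0;
  if (pa.pre === null) return 1;   // a release sorts above its prereleases
  if (pb.pre === null) return -1;
  return pa.pre < pb.pre ? -1 : 1; // plain string order for prerelease tags
}

// Returns [{ path, version }] for every copy of `name` below `fixedVersion`.
function findVulnerableCopies(lock, name, fixedVersion) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    // An installed copy lives at a path ending in "node_modules/<name>".
    if (!path.endsWith(`node_modules/${name}`) || !meta.version) continue;
    if (compareVersions(meta.version, fixedVersion) < 0) {
      hits.push({ path, version: meta.version });
    }
  }
  return hits;
}

// Constructed lockfile fragment mirroring the layout in the audit report above:
// a fixed root d3-color plus an old nested copy pulled in by dagre-d3.
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    "node_modules/d3-color": { version: "3.1.0" },
    "node_modules/dagre-d3": { version: "0.6.4" },
    "node_modules/dagre-d3/node_modules/d3-color": { version: "1.4.1" },
    "node_modules/dagre-d3/node_modules/d3": { version: "5.16.0" },
  },
};

const VULNERABLE = findVulnerableCopies(SAMPLE_LOCK, "d3-color", "3.1.0");
console.log(VULNERABLE); // only the nested 1.4.1 copy is reported
```

Run it against a real lockfile by replacing SAMPLE_LOCK with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; each reported path tells you which parent package pins the old copy.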

Would love to take this on

mishugana avatar Oct 15 '22 17:10 mishugana

👋🏾 As a dedicated MermaidJS user, I would also love for this to be looked into as well 🙇🏾. It's tripping our security alerts as a high priority security issue and seems like an important vulnerability to address. Would love to assist in any way if possible.

MgenGlder avatar Oct 31 '22 14:10 MgenGlder

https://github.com/mermaid-js/mermaid/pull/3712

huineng avatar Oct 31 '22 15:10 huineng