
d3-color vulnerable to ReDoS - https://github.com/advisories/GHSA-36jr-mh4h-2g58

Open huineng opened this issue 2 years ago • 1 comment

There's a vulnerability reported on packages that dagre-d3 uses

Unfortunately that repo is no longer supported https://github.com/dagrejs/dagre-d3

Are there any plans to mitigate this? This is reported by npm audit, but npm install will also display it.

This will cause serious issues for mermaid going forward, as these are reported as high.

Thanks

# npm audit report

d3-color  <3.1.0
Severity: high
d3-color vulnerable to ReDoS - https://github.com/advisories/GHSA-36jr-mh4h-2g58
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/dagre-d3/node_modules/d3-color
  d3  4.0.0-alpha.1 - 6.7.0
  Depends on vulnerable versions of d3-brush
  Depends on vulnerable versions of d3-color
  Depends on vulnerable versions of d3-interpolate
  Depends on vulnerable versions of d3-scale
  Depends on vulnerable versions of d3-transition
  Depends on vulnerable versions of d3-zoom
  node_modules/dagre-d3/node_modules/d3
    dagre-d3  >=0.5.0
    Depends on vulnerable versions of d3
    node_modules/dagre-d3
      mermaid  8.4.1 - 8.4.2 || >=8.4.4
      Depends on vulnerable versions of dagre-d3
      node_modules/mermaid
  d3-interpolate  0.1.3 - 2.0.1
  Depends on vulnerable versions of d3-color
  node_modules/dagre-d3/node_modules/d3-interpolate
    d3-brush  0.1.0 - 2.1.0
    Depends on vulnerable versions of d3-interpolate
    Depends on vulnerable versions of d3-transition
    node_modules/dagre-d3/node_modules/d3-brush
    d3-scale  0.1.5 - 3.3.0
    Depends on vulnerable versions of d3-interpolate
    node_modules/dagre-d3/node_modules/d3-scale
    d3-scale-chromatic  0.1.0 - 2.0.0
    Depends on vulnerable versions of d3-color
    Depends on vulnerable versions of d3-interpolate
    node_modules/dagre-d3/node_modules/d3-scale-chromatic
    d3-transition  0.0.7 - 2.0.0
    Depends on vulnerable versions of d3-color
    Depends on vulnerable versions of d3-interpolate
    node_modules/dagre-d3/node_modules/d3-transition
    d3-zoom  0.0.2 - 2.0.0
    Depends on vulnerable versions of d3-interpolate
    Depends on vulnerable versions of d3-transition
    node_modules/dagre-d3/node_modules/d3-zoom

huineng avatar Oct 13 '22 18:10 huineng
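A defender-side check, added here as an example (not code from this thread or from the mermaid project): a Node script that scans a package-lock.json v2/v3 `packages` map for any installed d3-color below 3.1.0 (the first release the advisory lists as fixed) and prints the nesting chain that pulls it in, the same structure npm audit shows above. The sample lockfile, its versions and the `my-app` name are constructed.

```javascript
// Added example: locate nested copies of d3-color older than the fixed release and
// report which parent package pulls each one in. Not from the thread or the project.
const FIXED = [3, 1, 0]; // d3-color 3.1.0 is the fix version named in GHSA-36jr-mh4h-2g58

// Parse "major.minor.patch" into numbers. Prerelease tags are dropped (an
// approximation: "3.1.0-rc.1" is treated as 3.1.0 here, real semver ranks it lower).
function parseVersion(v) {
  return v.split('-')[0].split('.').map(Number);
}

// True when the version is strictly below FIXED.
function isVulnerable(version) {
  const a = parseVersion(version);
  for (let i = 0; i < 3; i++) {
    if (a[i] !== FIXED[i]) return a[i] < FIXED[i];
  }
  return false; // exactly the fixed version
}

// "node_modules/dagre-d3/node_modules/d3-color" encodes the nesting: every
// "node_modules/<name>" segment is one parent level, outermost first.
function chainFromPath(path) {
  return path.split('node_modules/').slice(1).map((s) => s.replace(/\/$/, ''));
}

// Returns [{ path, version, chain }] for each vulnerable d3-color install.
// A hoisted, fixed copy at node_modules/d3-color is not reported; only the
// nested old copy that npm audit flags is.
function findVulnerableD3Color(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!path.endsWith('node_modules/d3-color') || !meta.version) continue;
    if (isVulnerable(meta.version)) {
      hits.push({ path, version: meta.version, chain: chainFromPath(path) });
    }
  }
  return hits;
}

// Constructed lockfile fragment shaped like the audit output in the thread.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'my-app', dependencies: { mermaid: '^9.0.0' } },
    'node_modules/mermaid': { version: '9.0.0' },
    'node_modules/dagre-d3': { version: '0.6.4' },
    'node_modules/dagre-d3/node_modules/d3-color': { version: '1.4.1' },
    'node_modules/d3-color': { version: '3.1.0' }, // hoisted, already fixed
  },
};

for (const h of findVulnerableD3Color(SAMPLE_LOCK)) {
  console.log(`${h.path} (${h.version}) pulled in via ${h.chain.join(' > ')}`);
}
```

To run it against a real project, replace `SAMPLE_LOCK` with `JSON.parse(require('fs').readFileSync('package-lock.json', 'utf8'))`.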

Would love to take this on

mishugana avatar Oct 15 '22 17:10 mishugana

๐Ÿ‘‹๐Ÿพ As a dedicated of MermaidJS user, I would also love for this to looked into as well๐Ÿ™‡๐Ÿพ . It's tripping our security alerts with as a high priority security issue and seems like an important vulnerability to address. Would love to assist in any way if possible.

MgenGlder avatar Oct 31 '22 14:10 MgenGlder

https://github.com/mermaid-js/mermaid/pull/3712

huineng avatar Oct 31 '22 15:10 huineng

It's all great work we solve these vulnerabilities. But it can only be really closed once a package is published. Is there an outlook or process for when something gets published?

huineng avatar Nov 23 '22 08:11 huineng

Is there an ETA for the release? Same issue as @MgenGlder with security alerts preventing the use of Mermaid 😞

rinchik avatar Nov 29 '22 19:11 rinchik

Can we expect a release this week? We have a corporate freeze for year-end development and would like to close off high severity vulnerabilities. Thanks

huineng avatar Dec 07 '22 10:12 huineng

Do we have an ETA for this release? Hoping to be able to use mermaid once the security concern has been addressed.

benjmac avatar Dec 14 '22 16:12 benjmac