nivo
Use of library with vulnerabilities
Is your feature request related to a problem? Please describe. The d3-color library has vulnerabilities in version 1-2
Describe the solution you'd like Update d3-color to version 3 or higher
Describe alternatives you've considered A clear and concise description of any alternative solutions or features you've considered.
Additional context Add any other context or screenshots about the feature request here.
Upgrading d3-color
is actually a lot of work, d3 packages are now released in modern JS, while nivo supports older browsers, we need to change the build/release workflow for that, and probably upgrade some other packages as well.
It seems like due to this recent update: https://github.com/advisories/GHSA-36jr-mh4h-2g58 this vulnerability is now being flagged in all audits.
This came up as a high severity vulnerability in our audit too and we need to act on it.
@plouc Given it's a lot of work, I'm wondering if you could guess at some rough timeframe. If days or weeks, we might be able to suppress the warning. If months, we might need to switch charting libraries.
Echoing @tony-scio comment/concern, would be great to get an idea on a timeframe for this. Thank you
It seems like setting a resolution in my package.json "just works". I don't get any errors, my graphs still render without problems (only bar and line charts).
"resolutions": {
"d3-color": "^3.1.0"
}
Don't forget to run yarn/npm install after setting the resolution.
That's weird, I remember having issues with it, I'll give it another try then (I tried to upgrade once in https://github.com/plouc/nivo/pull/1743), a bit hard to give a timeframe as it really depends on the time I can find to work on the project, but I'll try to have a look at it next week.
@plouc It's probably not causing any issues for me because I think we're using an ESM ready bundler (not 100% sure tbh, setup was not done by me). I did have to add d3-color to my jest.transformIgnorePatterns
for the tests to run. I haven't gone through the steps to get our Jest setup ready for ESM-only packages.
This works with yarn only.
Npm equivalent to yarn resolutions is overrides.
"overrides": {
"d3-color": "^3.1.0"
}
It was released in npm v8.3.0 https://docs.npmjs.com/cli/v8/configuring-npm/package-json#overrides
@AdrianMrn Do you mind sharing what bundler you're using?
I get the following ESM error w/ Next.js
web:build: Error [ERR_REQUIRE_ESM]: require() of ES Module path/node_modules/d3-color/src/index.js from path/node_modules/d3-interpolate/dist/d3-interpolate.js not supported.
web:build: Instead change the require of index.js in path/node_modules/d3-interpolate/dist/d3-interpolate.js to a dynamic import() which is available in all CommonJS modules.
@julioxavierr We're using CRA which uses Webpack 4.
@plouc Thanks for this awesome library! Do you have an update on addressing the vulnerabilities?
@plouc Also just wanted to say thanks for the library and adding my voice to those who are waiting patiently for an update :)
Echoing the others in this thread - we love nivo, but this pesky vulnerability is problematic. Any updates on when this might be addressed? Thanks!
Here's the relevant pull request to get this updated. There's a linked request to resolve the test failures on it. https://github.com/plouc/nivo/pull/2142
@plouc Do we have any plans about solving this issue? The issue has been open for 3 months already, and I'm wondering whether I need to come up with plan b instead of waiting for the vulnerability fix in Nivo.
Just installed nivo for a new project, loving the docs and code base, we're replacing FusionCharts and will probably be adding some sponsoring if used, but getting 14 high severity vulnerabilities so the lib use might get rejected, will try the https://github.com/plouc/nivo/issues/2133#issuecomment-1275824489
Update: seems to be a temporary solution
npm overrides workaround mentioned above doesn't work. Next 13 with React 18 here.
package.json overrides does not work here, I'm using Remix JS.
Is there any effort of yours in order to solve this vulnerability?
Any updates on this?
Hello, are there any plans to update the library to address these vulnerabilities?
High d3-color vulnerable to ReDoS
Package d3-color
Patched in >=3.1.0
Thank you for your time.
@plouc I understand it is time-consuming to fix the issue and very disappointing that many people come and put pressure by asking to fix it, in the same way as I do.
Maybe you could explain your vision and what should be done, and we could help you get it done?
@acherkashin I think @plouc made it clear before https://github.com/plouc/nivo/pull/2142#issuecomment-1401309459.
unfortunately, the money I get/got for this project is far from being on par with the time/efforts I've put in it, I use open collective mainly because it was easy to setup and works for where I live, I don't want to have more things to manage 😅 It would also be hard for me to commit on specific features to be built, and I think if people wants some specific feature, they should pay for it, it should not be based on some kind of gamble on donations IMHO, it's work.
@AmirHmZz, it's out of context, and not a vision, I was simply replying to:
Update: Just joined your Backers list in OpenCollective to support the project. You should really monetize your project as many open-source devs do (I love how electron-userland/electron-builder does it, calling for financial support for the features they build - the highest donation receiving features get built in no time).
My main concern for upgrading D3 dependencies was more about this:
My main concern with updating d3 packages is that it could impact the build/test setup for users (it's already the case for jest in this repo), I understand that d3 wants to move forward and to create packages written in modern JS, but the reality is a bit different IMHO, we still have to support older browsers, platforms... This could really have a huge impact, that being said, I didn't have time to test what this impact is.
But I did upgrade d3-color in 0.81.0, which is unfortunately already breaking for several users, I'm not the only one facing this issue, I've added more context in the issue. And this will not be easy to address.
This issue has been automatically marked as stale. If this issue is still affecting you, please leave any comment (for example, "bump"), and we'll keep it open. We are sorry that we haven't been able to prioritize it yet. If you have any new additional information, please include it with your comment!
Bump
This is related to those dependencies. Probably the owners stopped supporting them, so in order to fix the vulnerability, this lib needs to update to 3.1.0.
https://github.com/d3/d3-scale-chromatic/pull/43
Also, this one, that uses 3.0.1 https://github.com/d3/d3-interpolate/blob/main/yarn.lock#L271
This issue has been automatically marked as stale. If this issue is still affecting you, please leave any comment (for example, "bump"), and we'll keep it open. We are sorry that we haven't been able to prioritize it yet. If you have any new additional information, please include it with your comment!
Bump
Believe that this issue would be resolved by merging https://github.com/plouc/nivo/pull/2466
Solved in 0.85.1.