
High risk dependency reported by NPM

Open · ItamarShDev opened this issue 1 year ago · 1 comment

npm audit reports 16 high severity vulnerabilities when using nivo.

# npm audit report

d3-color  <3.1.0
Severity: high
d3-color vulnerable to ReDoS - https://github.com/advisories/GHSA-36jr-mh4h-2g58
No fix available
node_modules/d3-scale-chromatic/node_modules/d3-color
node_modules/d3-scale/node_modules/d3-color
  d3-interpolate  0.1.3 - 2.0.1
  Depends on vulnerable versions of d3-color
  node_modules/d3-scale-chromatic/node_modules/d3-interpolate
  node_modules/d3-scale/node_modules/d3-interpolate
    d3-scale  0.1.5 - 3.3.0
    Depends on vulnerable versions of d3-interpolate
    node_modules/d3-scale
      @nivo/bar  *
      Depends on vulnerable versions of @nivo/annotations
      Depends on vulnerable versions of @nivo/axes
      Depends on vulnerable versions of @nivo/colors
      Depends on vulnerable versions of @nivo/core
      Depends on vulnerable versions of @nivo/legends
      Depends on vulnerable versions of @nivo/scales
      Depends on vulnerable versions of @nivo/tooltip
      Depends on vulnerable versions of d3-scale
      node_modules/@nivo/bar
      @nivo/core  *
      Depends on vulnerable versions of @nivo/tooltip
      Depends on vulnerable versions of d3-scale
      node_modules/@nivo/core
        @nivo/axes  *
        Depends on vulnerable versions of @nivo/core
        Depends on vulnerable versions of @nivo/scales
        node_modules/@nivo/axes
        @nivo/colors  *
        Depends on vulnerable versions of @nivo/core
        Depends on vulnerable versions of d3-scale
        Depends on vulnerable versions of d3-scale-chromatic
        node_modules/@nivo/colors
          @nivo/annotations  *
          Depends on vulnerable versions of @nivo/colors
          Depends on vulnerable versions of @nivo/core
          node_modules/@nivo/annotations
          @nivo/arcs  *
          Depends on vulnerable versions of @nivo/colors
          Depends on vulnerable versions of @nivo/core
          node_modules/@nivo/arcs
          @nivo/radar  *
          Depends on vulnerable versions of @nivo/colors
          Depends on vulnerable versions of @nivo/core
          Depends on vulnerable versions of @nivo/legends
          Depends on vulnerable versions of @nivo/tooltip
          Depends on vulnerable versions of d3-scale
          node_modules/@nivo/radar
        @nivo/legends  >=0.56.0
        Depends on vulnerable versions of @nivo/colors
        Depends on vulnerable versions of @nivo/core
        Depends on vulnerable versions of d3-scale
        node_modules/@nivo/legends
          @nivo/radial-bar  *
          Depends on vulnerable versions of @nivo/arcs
          Depends on vulnerable versions of @nivo/colors
          Depends on vulnerable versions of @nivo/core
          Depends on vulnerable versions of @nivo/legends
          Depends on vulnerable versions of @nivo/polar-axes
          Depends on vulnerable versions of @nivo/scales
          Depends on vulnerable versions of @nivo/tooltip
          Depends on vulnerable versions of d3-scale
          node_modules/@nivo/radial-bar
        @nivo/polar-axes  *
        Depends on vulnerable versions of @nivo/arcs
        Depends on vulnerable versions of @nivo/core
        Depends on vulnerable versions of @nivo/scales
        node_modules/@nivo/polar-axes
        @nivo/tooltip  *
        Depends on vulnerable versions of @nivo/core
        node_modules/@nivo/tooltip
      @nivo/scales  *
      Depends on vulnerable versions of d3-scale
      node_modules/@nivo/scales
    d3-scale-chromatic  0.1.0 - 2.0.0
    Depends on vulnerable versions of d3-color
    Depends on vulnerable versions of d3-interpolate
    node_modules/d3-scale-chromatic

ItamarShDev avatar Feb 02 '24 07:02 ItamarShDev

This is still the case, any indication on if this will be fixed?

brandanking-decently avatar Feb 13 '24 09:02 brandanking-decently

I'm getting this as well on v0.84.0:

# npm audit report
d3-color  <3.1.0
Severity: high
d3-color vulnerable to ReDoS - https://github.com/advisories/GHSA-36jr-mh4h-2g58
No fix available
node_modules/@nivo/core/node_modules/d3-scale/node_modules/d3-color
  d3-interpolate  0.1.3 - 2.0.1
  Depends on vulnerable versions of d3-color
  node_modules/@nivo/core/node_modules/d3-scale/node_modules/d3-interpolate
    d3-scale  0.1.5 - 3.3.0
    Depends on vulnerable versions of d3-interpolate
    node_modules/@nivo/core/node_modules/d3-scale
      @nivo/core  *
      Depends on vulnerable versions of @nivo/tooltip
      Depends on vulnerable versions of d3-scale
      node_modules/@nivo/core
        @nivo/tooltip  *
        Depends on vulnerable versions of @nivo/core
        node_modules/@nivo/tooltip

Additionally, it appears [email protected] contains the vulnerable d3-color sub-dependency.

# npm list d3-color
└─┬ @nivo/[email protected]
  ├── [email protected]
  ├─┬ [email protected]
  │ └── [email protected] deduped
  ├─┬ [email protected]
  │ └── [email protected] deduped
  └─┬ [email protected]
    └─┬ [email protected]
      └── [email protected]

rhendz avatar Feb 28 '24 20:02 rhendz

I fixed this issue on our project using the overrides feature of npm:

Reference: npm's package.json Documentation

  "overrides": {
    "d3-color": "^3.1.0"
  }

zC4sTr0 avatar Feb 29 '24 04:02 zC4sTr0
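The override above only helps if every copy of d3-color in the installed tree actually moves out of the advisory's `<3.1.0` range, including the nested copies that `npm list` prints as "deduped". The following is an added example, not code from the nivo project or from anyone in this thread: it walks a dependency tree in the shape `npm ls --all --json` emits, reports every copy of a named package older than the first fixed release, and simulates what the override does to that tree. The sample tree, its version numbers (`0.84.0`, `2.0.0`, `2.0.1`, `3.3.0`) and the resolved override version `3.1.0` are constructed assumptions mirroring the shape of the `npm list d3-color` output quoted earlier; on a real project you would `JSON.parse` the output of `npm ls d3-color --all --json` and pass it to `findVulnerable`.

```javascript
// Added example (not from the nivo project or this thread): check whether the
// "overrides" fix actually removed every d3-color < 3.1.0 from a dependency tree.
// Input shape follows `npm ls --all --json`: { version, dependencies: { name: node } }.
// The sample tree and its version numbers below are constructed, not taken from the page.

// First release outside the advisory's vulnerable range ("d3-color <3.1.0").
const FIRST_FIXED_D3_COLOR = "3.1.0";

// Compare two "major.minor.patch" strings numerically; returns <0, 0 or >0.
// Pre-release suffixes are ignored, which is enough for a tree check like this.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Walk the tree and return the path to every copy of `name` older than `fixed`.
// Nested copies (the ones `npm list` prints as "deduped") are still visited, so a
// hoisted fix at the top level does not hide an older copy left deeper in the tree.
function findVulnerable(node, name, fixed, path = [], out = []) {
  for (const [depName, dep] of Object.entries(node.dependencies || {})) {
    const here = [...path, `${depName}@${dep.version}`];
    if (depName === name && compareVersions(dep.version, fixed) < 0) {
      out.push(here.join(" > "));
    }
    findVulnerable(dep, name, fixed, here, out);
  }
  return out;
}

// Return a copy of package.json with the thread's override merged in.
function applyOverride(pkg, name, range) {
  return { ...pkg, overrides: { ...(pkg.overrides || {}), [name]: range } };
}

// Simulate what npm's override does to the installed tree: every copy of `name`
// is replaced by `version`. (Simplified: the real resolver picks the newest
// release matching the range; here the assumed resolution is pinned directly.)
function simulateOverride(node, name, version) {
  const deps = {};
  for (const [depName, dep] of Object.entries(node.dependencies || {})) {
    const copy = simulateOverride(dep, name, version);
    deps[depName] = depName === name ? { ...copy, version } : copy;
  }
  return { ...node, dependencies: deps };
}

// Constructed tree shaped like the thread's `npm list d3-color` output:
// @nivo/core pulls d3-color directly and via d3-interpolate and d3-scale.
const BEFORE_OVERRIDE = {
  name: "app",
  version: "1.0.0",
  dependencies: {
    "@nivo/core": {
      version: "0.84.0",
      dependencies: {
        "d3-color": { version: "2.0.0" },
        "d3-interpolate": {
          version: "2.0.1",
          dependencies: { "d3-color": { version: "2.0.0" } },
        },
        "d3-scale": {
          version: "3.3.0",
          dependencies: {
            "d3-interpolate": {
              version: "2.0.1",
              dependencies: { "d3-color": { version: "2.0.0" } },
            },
          },
        },
      },
    },
  },
};

// Assumed resolution of the "^3.1.0" override.
const AFTER_OVERRIDE = simulateOverride(BEFORE_OVERRIDE, "d3-color", "3.1.0");

// Human-readable summary of both trees.
function report() {
  const before = findVulnerable(BEFORE_OVERRIDE, "d3-color", FIRST_FIXED_D3_COLOR);
  const after = findVulnerable(AFTER_OVERRIDE, "d3-color", FIRST_FIXED_D3_COLOR);
  return [
    `before override: ${before.length} vulnerable copy(ies)`,
    ...before.map((p) => "  " + p),
    `after override:  ${after.length} vulnerable copy(ies)`,
  ].join("\n");
}

console.log(report());
console.log(JSON.stringify(applyOverride({ name: "app" }, "d3-color", "^3.1.0"), null, 2));
```

Two things worth keeping in mind when relying on this fix: `overrides` are honoured only in the root `package.json` of the application being installed (npm 8.3 or later; yarn uses `resolutions` and pnpm uses `pnpm.overrides` for the same purpose), and forcing a transitive dependency across a major version boundary (2.x to 3.x here) is a behavioural change the upstream packages never tested against, so re-run the chart tests after applying it rather than trusting a clean `npm audit` alone.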

I fixed this issue on our project using the overrides feature of npm:

Reference: npm's package.json Documentation

  "overrides": {
    "d3-color": "^3.1.0"
  }

Great solution meanwhile. Thanks!

ItamarShDev avatar Mar 02 '24 07:03 ItamarShDev

Duplicate of https://github.com/plouc/nivo/issues/2470

plouc avatar Mar 07 '24 01:03 plouc