react-simple-maps

High severity vulnerability

Open jmca opened this issue 2 years ago • 9 comments

npm audit --production yields "5 high severity vulnerabilities":

# npm audit report

d3-color  <3.1.0
Severity: high
d3-color vulnerable to ReDoS - https://github.com/advisories/GHSA-36jr-mh4h-2g58
fix available via `npm audit fix --force`
Will install [email protected], which is a breaking change
node_modules/d3-color
  d3-interpolate  0.1.3 - 2.0.1
  Depends on vulnerable versions of d3-color
  node_modules/d3-interpolate
    d3-transition  0.0.7 - 2.0.0
    Depends on vulnerable versions of d3-color
    Depends on vulnerable versions of d3-interpolate
    node_modules/d3-transition
    d3-zoom  0.0.2 - 2.0.0
    Depends on vulnerable versions of d3-interpolate
    node_modules/d3-zoom
      react-simple-maps  >=2.0.0
      Depends on vulnerable versions of d3-zoom
      node_modules/react-simple-maps

5 high severity vulnerabilities

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force

npm audit fix --force is not an option since it will clamp to [email protected]

Is there a path forward for correcting this?

jmca, Sep 30 '22 14:09

It appears @zimrick that d3-zoom v3 has no breaking changes, just that it requires Node 12+.

https://github.com/d3/d3-zoom/compare/v2.0.0...v3.0.0

It'd be great if you could bump react-simple-maps 3 up to the newer d3-zoom (or create a react-simple-maps 3.1/4.0 that's a breaking change for node 12+ if that's an issue) and chase out this potential downstream vuln. Greatly appreciated!

wmhartl, Oct 03 '22 15:10

For a temporary workaround in package.json:

"overrides": {
  "react-simple-maps": {
    "d3-zoom": "^3.0.0",
    "d3-interpolate": "^3.0.1",
    "d3-color": "^3.1.0"
  }
}

Note that you will probably have to npm uninstall react-simple-maps -S then npm i react-simple-maps -S for the overrides to take effect due to the oddities of npm and overrides. Alternatively you could remove the lock file and node_modules directory, but that is a bit nuclear and may cause other issues.

jmca, Oct 03 '22 15:10

Note: you will need a recent npm for the overrides directive to work.

With the overrides, I receive the following error: Error [ERR_REQUIRE_ESM]: require() of ES Module C:\...\app\node_modules\d3-zoom\src\index.js from C:\...\app\node_modules\react-simple-maps\dist\index.js not supported.

My app seems to not like that react-simple-maps is using require instead of import: [image]

Would love to see this package fixed, as it's a high severity vulnerability.

enricoros, Oct 17 '22 07:10

Bumping this - recharts solved this by successfully moving over to victory-vendor: https://github.com/recharts/recharts/commit/bcb199c0d60b79fa09704413ed9a440cc0a7b1c9

Issue thread: https://github.com/recharts/recharts/issues/3012

Would that work here? (It turns out that it would not work here, and it isn't needed given ESM imports.)

wmhartl, Jan 30 '23 14:01

> Note: you will need a recent npm for the overrides directive to work.
>
> With the overrides, I receive the following error: Error [ERR_REQUIRE_ESM]: require() of ES Module C:\...\app\node_modules\d3-zoom\src\index.js from C:\...\app\node_modules\react-simple-maps\dist\index.js not supported.
>
> My app seems to not like that react-simple-maps is using require instead of import: [image]
>
> Would love to see this package fixed, as it's a high severity vulnerability.

The error occurs because package.json doesn't have a type, and newer node versions will assume it's a module (using ES instead of CommonJS). This can be fixed by adding the following to package.json:

"type": "commonjs"

jvannistelrooy, May 09 '23 08:05

Just confirming that "4.0.0-beta" works (in my use case) and clears the d3 vulns. For those of you using Jest, I did have to add d3-* and react-simple-maps to transformIgnorePatterns with the change.

Thanks again for merging the PR @zimrick.

wmhartl, Jul 05 '23 23:07

@wmhartl would you mind sharing more explicitly what you've done to transformIgnorePatterns to get jest and react-simple-maps@beta working together? I can't seem to bypass:

/node_modules/react-simple-maps/dist/index.js:1
    ({"Object.<anonymous>":function(module,exports,require,__dirname,__filename,jest){import React, { createContext, useMemo, useCallback, useContext, forwardRef, useState, useEffect, memo, useRef, Fragment } from 'react';
                                                                                      ^^^^^^

    SyntaxError: Cannot use import statement outside a module

@zimrick any update on releasing 4.0.0? It would be very helpful to have this security vulnerability addressed in a stable version. I would also be satisfied with another beta version with a CommonJS export (i.e., require instead of import). Thanks to both of you for your work on this!

tplante, Aug 10 '23 14:08

Hey @tplante in my jest.config.js, I included the following:

   transformIgnorePatterns: [
     "/node_modules/(?!d3-*|react-simple-maps).+\\.js$",
   ],

wmhartl, Aug 10 '23 14:08

@wmhartl that solved it for me! Thanks for sharing so quickly. Hoping @zimrick can deliver with an official release soon.

tplante, Aug 10 '23 14:08