Open JoshidCoates opened 1 year ago
Hi @JoshidCoates, where are you seeing the dependency being out of date? Which version of graphviz-react are you using?
Hi @DomParfitt I'm using version 1.2.5
```text
# npm audit report

d3-color  <3.1.0
Severity: high
d3-color vulnerable to ReDoS - https://github.com/advisories/GHSA-36jr-mh4h-2g58
No fix available
node_modules/d3-color
  d3-interpolate  0.1.3 - 2.0.1
  Depends on vulnerable versions of d3-color
  node_modules/d3-interpolate
    d3-transition  0.0.7 - 2.0.0
    Depends on vulnerable versions of d3-color
    Depends on vulnerable versions of d3-interpolate
    node_modules/d3-transition
      d3-graphviz  *
      Depends on vulnerable versions of d3-transition
      node_modules/d3-graphviz
        graphviz-react  *
        Depends on vulnerable versions of d3-graphviz
        node_modules/graphviz-react
      d3-zoom  0.0.2 - 2.0.0
      Depends on vulnerable versions of d3-transition
      node_modules/d3-zoom

6 high severity vulnerabilities
```
I see that there is

```json
"overrides": {
  "d3-color": "^3.1.0"
}
```

in your `package.json`. So I'm not sure why it is saying that it is <3.1.0.
What version of npm are you using? The dependency override behaviour was added in 8.3 I think, so if you're using an older version then that may be why. It may be worth deleting your `node_modules` and `package-lock.json` and re-running `npm install`.

Could you also try running `npm ls d3-color` and posting the output?
I was using an old version of npm. Have updated it to 9.1.1 and reinstalled. Still getting the same issue:

```text
`-- graphviz-react@1.2.5
  `-- d3-graphviz@2.6.1
    +-- d3-interpolate@1.4.0
    | `-- d3-color@1.4.1
    `-- d3-transition@1.3.2
      `-- d3-color@1.4.1 deduped
```
Did you delete your `node_modules` and `package-lock.json` before reinstalling?
Yep
I've added

```json
"overrides": {
  "d3-color": "3.1.0"
}
```

to my `package.json` and the vulnerability is no longer showing. `npm ls` is now showing:

```text
`-- graphviz-react@1.2.5
  `-- d3-graphviz@2.6.1
    +-- d3-interpolate@1.4.0
    | `-- d3-color@3.1.0 overridden
    `-- d3-transition@1.3.2
      `-- d3-color@3.1.0 deduped
```
Thank you so much for your help, Dom, and for your package :) Sorry for using GitHub issues for a non-bug.
@JoshidCoates I've had a bit of a look at this today and I'm going to reopen this issue as I think it warrants a bit of investigation. Looking at the RFC for npm overrides, it does explicitly state that overrides are only applied in the root `package.json`, not in any dependent packages, which is what I assumed it did.

Unfortunately the dependency which pulls in d3-color (d3-interpolate) hasn't yet been updated to patch the vulnerability, so fixing it directly would involve that patch being applied in d3-interpolate but then also backported into v2 of d3-graphviz (as we aren't on the latest version of that package, as detailed in #28).

I think it would be possible to force the overrides behaviour using `npm shrinkwrap`, although the docs discourage its use in packages in favour of allowing end users full control over dependencies (i.e. adding the overrides themselves if they wish). Alternatively it may just be worth adding a note in the README about this, although it doesn't necessarily feel like an issue that is specific to this package.
The d3-color dependency is out of date. What should I do about this?
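The practical lesson of the thread is that an `overrides` entry only counts in the root `package.json`, so the consumer, not the library, has to verify the override actually reached every installed copy. The script below is an added example (not code from the issue thread or from graphviz-react) of a CI guard that does that check offline: it reads the `packages` map of a `package-lock.json` (lockfileVersion 2/3), lists every hoisted or nested copy of a package, flags those inside the audit's `<3.1.0` range, and cross-checks them against the root `overrides` block. The two lockfiles are constructed by hand to mirror the `npm ls d3-color` output posted above; the extra nested `d3-color@2.0.0` under `d3-zoom`, the app name, and the function names are assumptions for illustration.

```javascript
// Added example (not part of the issue thread or of graphviz-react): a CI guard
// that walks a package-lock.json "packages" map (lockfileVersion 2/3), lists
// every installed copy of a package, flags the ones inside a vulnerable range,
// and cross-checks them against the root package.json "overrides" block.
// The lockfiles at the bottom are constructed to mirror the thread's `npm ls`
// output; the nested d3-color@2.0.0 under d3-zoom is an assumption.

// Minimal "major.minor.patch" parser; prerelease/build metadata is ignored.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// "<fixedIn" is the shape the audit report uses ("d3-color <3.1.0").
function isVulnerable(version, fixedIn) {
  return compareVersions(version, fixedIn) < 0;
}

// Supports the two override shapes from the thread: an exact version ("3.1.0")
// and a caret range ("^3.1.0", i.e. >=3.1.0 with the same major). The special
// semver rule for a 0.x caret is deliberately not modelled; anything else throws.
function satisfies(version, range) {
  if (range.startsWith('^')) {
    const floor = range.slice(1);
    return compareVersions(version, floor) >= 0
      && parseVersion(version)[0] === parseVersion(floor)[0];
  }
  if (/^\d/.test(range)) return compareVersions(version, range) === 0;
  throw new Error(`unsupported range syntax: ${range}`);
}

// Every lockfile key equal to "node_modules/<name>" or ending in
// "/node_modules/<name>" is an installed copy of <name>, hoisted or nested.
function findInstalled(lock, name) {
  const suffix = `node_modules/${name}`;
  return Object.entries(lock.packages || {})
    .filter(([path]) => path === suffix || path.endsWith(`/${suffix}`))
    .map(([path, meta]) => ({ path, version: meta.version }));
}

function auditPackage(lock, name, fixedIn) {
  return findInstalled(lock, name).filter((c) => isVulnerable(c.version, fixedIn));
}

// Installed copies that do NOT honour the root "overrides" block.
function unhonouredOverrides(lock, overrides) {
  const bad = [];
  for (const [name, range] of Object.entries(overrides)) {
    for (const copy of findInstalled(lock, name)) {
      if (!satisfies(copy.version, range)) bad.push({ ...copy, wanted: range });
    }
  }
  return bad;
}

// Constructed lockfile before any override: the hoisted d3-color@1.4.1 the
// thread's `npm ls` shows, plus an assumed nested d3-color@2.0.0 under d3-zoom.
const LOCK_BEFORE = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'my-app', version: '1.0.0', dependencies: { 'graphviz-react': '^1.2.5' } },
    'node_modules/graphviz-react': { version: '1.2.5' },
    'node_modules/d3-graphviz': { version: '2.6.1' },
    'node_modules/d3-interpolate': { version: '1.4.0' },
    'node_modules/d3-transition': { version: '1.3.2' },
    'node_modules/d3-color': { version: '1.4.1' },
    'node_modules/d3-zoom': { version: '2.0.0' },
    'node_modules/d3-zoom/node_modules/d3-color': { version: '2.0.0' },
  },
};

// Constructed lockfile after the root override is applied and npm has deduped
// the nested copy away: a single d3-color@3.1.0 remains.
const LOCK_AFTER = {
  lockfileVersion: 3,
  packages: { ...LOCK_BEFORE.packages, 'node_modules/d3-color': { version: '3.1.0' } },
};
delete LOCK_AFTER.packages['node_modules/d3-zoom/node_modules/d3-color'];

for (const [label, lock] of [['before override', LOCK_BEFORE], ['after override', LOCK_AFTER]]) {
  const hits = auditPackage(lock, 'd3-color', '3.1.0');
  console.log(`${label}: ${hits.length} vulnerable copy/copies of d3-color`);
  for (const h of hits) console.log(`  ${h.path}@${h.version}`);
  console.log('  not honouring override:', unhonouredOverrides(lock, { 'd3-color': '^3.1.0' }));
}
```

To use it against a real project, replace the constructed objects with `JSON.parse(fs.readFileSync('package-lock.json'))` and the `overrides` block from the root `package.json`, and fail the build when either list is non-empty. The walk over lockfile keys rather than a logical dependency tree is deliberate: it is the physical layout that `npm audit` and the runtime resolver see, so a copy that a consumer's override missed (nested under some other dependent) still shows up.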