DomParfitt / graphviz-react

React component for displaying Graphviz graphs
MIT License

d3-color severe vulnerability #86

Open JoshidCoates opened 1 year ago

JoshidCoates commented 1 year ago

The d3-color dependency is out of date. What should I do about this?

DomParfitt commented 1 year ago

Hi @JoshidCoates, where are you seeing the dependency being out of date? Which version of graphviz-react are you using?

JoshidCoates commented 1 year ago

Hi @DomParfitt I'm using version 1.2.5

# npm audit report

d3-color  <3.1.0
Severity: high
d3-color vulnerable to ReDoS - https://github.com/advisories/GHSA-36jr-mh4h-2g58
No fix available
node_modules/d3-color
  d3-interpolate  0.1.3 - 2.0.1
  Depends on vulnerable versions of d3-color
  node_modules/d3-interpolate
    d3-transition  0.0.7 - 2.0.0
    Depends on vulnerable versions of d3-color
    Depends on vulnerable versions of d3-interpolate
    node_modules/d3-transition
      d3-graphviz  *
      Depends on vulnerable versions of d3-transition
      node_modules/d3-graphviz
        graphviz-react  *
        Depends on vulnerable versions of d3-graphviz
        node_modules/graphviz-react
      d3-zoom  0.0.2 - 2.0.0
      Depends on vulnerable versions of d3-transition
      node_modules/d3-zoom

6 high severity vulnerabilities

JoshidCoates commented 1 year ago

I see that there is

  "overrides": {
    "d3-color": "^3.1.0"
  }

in your package.json. So I'm not sure why it is saying that it is <3.1.0

DomParfitt commented 1 year ago

What version of npm are you using? The dependency override behaviour was added in 8.3 I think, so if you're using an older version then that may be why. It may be worth deleting your node_modules and package-lock.json and re-running npm install.

DomParfitt commented 1 year ago

Could you also try running npm ls d3-color and posting the output?

JoshidCoates commented 1 year ago

I was using an old version of npm. Have updated it to 9.1.1 and reinstalled. Still getting the same issue:

`-- graphviz-react@1.2.5
  `-- d3-graphviz@2.6.1
    +-- d3-interpolate@1.4.0
    | `-- d3-color@1.4.1
    `-- d3-transition@1.3.2
      `-- d3-color@1.4.1 deduped

DomParfitt commented 1 year ago

Did you delete your node_modules and package-lock.json before reinstalling?

JoshidCoates commented 1 year ago

Yep

JoshidCoates commented 1 year ago

I've added

  "overrides": {
    "d3-color": "3.1.0"
  }

to my package.json and the vulnerability is no longer showing. ls is now showing:

`-- graphviz-react@1.2.5
  `-- d3-graphviz@2.6.1
    +-- d3-interpolate@1.4.0
    | `-- d3-color@3.1.0 overridden
    `-- d3-transition@1.3.2
      `-- d3-color@3.1.0 deduped

Thank you so much for your help Dom and your package :) sorry for using github issues for a non-bug

DomParfitt commented 1 year ago

@JoshidCoates I've had a bit of a look at this today and I'm going to reopen this issue as I think it warrants a bit of investigation. Looking at the RFC for npm overrides, it does explicitly state that overrides are only applied in the root package.json, not in any dependent packages, which is what I assumed it did.

Unfortunately the dependency which pulls in d3-color (d3-interpolate) hasn't yet been updated to patch the vulnerability, so fixing it directly would involve that patch being applied in d3-interpolate but then also backported into v2 of d3-graphviz (as we aren't on the latest version of that package as detailed in #28).

I think it would be possible to force the overrides behaviour using npm shrinkwrap, although the docs discourage its use in packages in favour of allowing end users full control over dependencies (i.e. adding the overrides themselves if they wish). Alternatively, it may just be worth adding a note in the README about this, although it doesn't necessarily feel like an issue that is specific to this package.
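As an added example (not code from graphviz-react or from either commenter), a small Node script that scans a lockfile for every nested copy of d3-color below the patched 3.1.0 and builds the root-level `overrides` entry the thread settled on; the lockfile contents are constructed here to mirror the `npm ls d3-color` tree above, and the version comparison is a minimal x.y.z compare rather than the `semver` package.

```javascript
// Added example: find vulnerable copies of a package in an npm lockfile and
// emit the root package.json "overrides" entry that forces them up.
// Assumes lockfileVersion 2/3 layout ("packages" keyed by node_modules path).

// Constructed sample lockfile mirroring the d3-graphviz -> d3-interpolate /
// d3-transition -> d3-color chain reported in the issue (not a real lockfile).
const sampleLock = {
  name: "my-app",
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { "graphviz-react": "1.2.5" } },
    "node_modules/graphviz-react": { version: "1.2.5" },
    "node_modules/d3-graphviz": { version: "2.6.1" },
    "node_modules/d3-interpolate": { version: "1.4.0" },
    "node_modules/d3-transition": { version: "1.3.2" },
    "node_modules/d3-color": { version: "1.4.1" },
    "node_modules/d3-zoom/node_modules/d3-color": { version: "1.4.1" },
  },
};

// Numeric compare of two "x.y.z" strings; any pre-release suffix is ignored.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) - (pb[i] || 0);
  }
  return 0;
}

// Every lockfile path whose final segment is `pkg` and whose version is below
// `fixed`. Nested copies (node_modules/x/node_modules/pkg) are matched too,
// which is exactly what a root override is meant to reach.
function findVulnerable(lock, pkg, fixed) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (!path.endsWith("node_modules/" + pkg)) continue;
    if (compareVersions(entry.version, fixed) < 0) {
      hits.push({ path, version: entry.version });
    }
  }
  return hits;
}

// The root package.json fragment that pins `pkg` for the whole tree. Overrides
// only take effect in the root package.json, not inside a published dependency.
function buildOverride(pkg, fixed) {
  return { overrides: { [pkg]: fixed } };
}

console.log(findVulnerable(sampleLock, "d3-color", "3.1.0"));
console.log(JSON.stringify(buildOverride("d3-color", "3.1.0"), null, 2));
```

After applying the override and reinstalling, the same scan against the regenerated lockfile should return no hits.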