NuCivic / react-dash

A framework for building data visualization dashboards using react. Docs: http://react-dashboard.readthedocs.io/en/latest/
MIT License

Security vulnerability in React-dash #91

Closed iris-i closed 4 years ago

iris-i commented 6 years ago

Details here: https://nodesecurity.io/check/react-dash

alexiscott commented 6 years ago

@iris I took an initial look at this and the security issue seems to appear via topojson. Given that topojson does not include a fix, I am not sure what would be the best approach to move forward with it. What do you think?

This is the report from snyk:

Introduced through: react-dash@0.7.2 › topojson@1.6.27 › d3-geo-projection@0.2.16 › brfs@1.4.3 › static-module@1.3.2 › static-eval@0.2.4 Remediation: No remediation path available.

alexiscott commented 6 years ago

Discussed with @iris-i . We think this is probably not urgent as a user would need to be able to run npm build to inject this into the compiled code, so would need shell access.
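To make the triage above reproducible, here is an added example (not code from the react-dash project) that rebuilds the Snyk "Introduced through" chain from a lockfile-shaped dependency tree and checks whether every path to the flagged package runs through a build-time (dev) dependency. The tree is constructed for this example: the versions are the ones quoted in the report, while the tree shape and the `dev: true` flag on brfs are assumptions.

```javascript
// Added example (not code from the react-dash project): reproduce the
// "Introduced through: a@1 › b@2 › ..." path that Snyk printed in the issue
// by walking a lockfile-shaped dependency tree, and flag whether every path
// to the vulnerable package passes through a build-time (dev) dependency.
// The tree is constructed for this example; versions are those quoted above,
// the shape and the `dev: true` flag on brfs are assumptions.

const lockTree = {
  name: 'react-dash', version: '0.7.2',
  dependencies: {
    topojson: { version: '1.6.27', dependencies: {
      'd3-geo-projection': { version: '0.2.16', dependencies: {
        // brfs is a browserify transform, so it is assumed to be needed only
        // when the bundle is built (the "npm build" step in the discussion).
        brfs: { version: '1.4.3', dev: true, dependencies: {
          'static-module': { version: '1.3.2', dependencies: {
            'static-eval': { version: '0.2.4' } } } } } } } } },
    react: { version: '15.0.0' }
  }
};

// Depth-first walk; returns every root-to-target path as a list of nodes.
function introductionPaths(root, target) {
  const found = [];
  function walk(node, name, path) {
    const here = [...path, { name, version: node.version, dev: !!node.dev }];
    if (name === target) found.push(here);
    for (const [child, sub] of Object.entries(node.dependencies || {})) {
      walk(sub, child, here);
    }
  }
  walk(root, root.name, []);
  return found;
}

// Render a path in the advisory's "name@version › name@version" style.
function formatPath(path) {
  return path.map(n => `${n.name}@${n.version}`).join(' › ');
}

// True when the target is reachable only through dev/build-time packages,
// i.e. the code never ships in the runtime bundle: lower (not zero) priority.
function buildTimeOnly(paths) {
  return paths.length > 0 && paths.every(p => p.some(n => n.dev));
}

const paths = introductionPaths(lockTree, 'static-eval');
paths.forEach(p => console.log(formatPath(p)));
console.log('build-time only:', buildTimeOnly(paths));
```

Running it against a real `package-lock.json` only needs the tree loaded from disk in place of `lockTree`; a package that also appears on a non-dev path would make `buildTimeOnly` return false and deserve a higher priority than the one discussed here.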

erogray commented 4 years ago

Some of these have been addressed; closing so that we can re-ticket as needed