RMI-PACTA / pacta-dashboard-svelte

This is a demonstrative project, showing what a PACTA dashboard in Svelte might look like.
https://rmi-pacta.github.io/pacta-dashboard-svelte/

deps: adapt to `d3` version 7 #8

Open jdhoffa opened 2 months ago

jdhoffa commented 2 months ago

It seems that old versions of d3, in particular d3-color, have a pretty severe security dependency. Unfortunately, we can't just update directly to d3@7 as some of the breaking changes affect and break our code here.

Will need to consider carefully the version bump, and determine how to adjust the VolTraj and TechMix plotting code to adapt to this new dependency.

Relates to #5, #6, #7 and https://github.com/RMI-PACTA/pacta-dashboard-svelte/security/dependabot/1

FYI @cjyetman @AlexAxthelm this might also be an issue in https://github.com/RMI-PACTA/pacta.interactive.plot and https://github.com/RMI-PACTA/pacta.portfolio.report but would never be caught as there is no package.json file in that repo for dependabot to check automatically.

cjyetman commented 2 months ago

I (unfortunately) have a fair amount of experience upgrading D3 visualizations from d3v3->d3v4->d3v5->d3v6->d3v7, and to be honest it's often enough of a hassle that I've ended up re-writing things from scratch. Each new version of D3 has caused some major headaches with migrating.

Maybe I don't have permission to see security reports in this repo? The link gives me a 404, and going to the security tab doesn't list anything.

pacta.portfolio.report does have package.json here https://github.com/RMI-PACTA/pacta.portfolio.report/blob/main/npm/package.json but it looks like Dependabot is not setup to give security notifications for it. It does pick up a list of dependencies based on it that you can see here https://github.com/RMI-PACTA/pacta.portfolio.report/network/dependencies

jdhoffa commented 2 months ago

Regarding not being able to see the notifications: I've just added @RMI-PACTA/developers with "Write" privs to this repo, so check if you can see them now?

I (unfortunately) had a feeling it might be a pain in the butt... that said, I think it's pretty critical, so might be something we need to look into doing unfortunately... Apparently the severity of the vulnerability is "high" whatever that means.

Not something to tackle today, but I'll leave this issue open and maybe something we can explore next sprint

cjyetman commented 5 days ago

FYI... this issue doesn't seem to be all that "severe" to be honest, and is not relevant in our use case since we're never parsing user input as color info.

jdhoffa commented 2 days ago

Ok thanks @cjyetman that's good to know. I would elect to leave this issue open anyway, as adapting to a more recent version of d3 is probably still not a bad idea, but it's good to know that it isn't as urgent as initially thought.
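The argument in this thread for why the d3-color advisory does not bite here is that user input never reaches a colour parser. The following is an added example, not code from pacta-dashboard-svelte or from either commenter, showing two ways to keep that invariant true in chart code: map user-chosen series names to a fixed palette so there is nothing to parse, and, where a free-form colour string really must be accepted, validate and canonicalise it with a length-capped, anchored check before any library (d3 or otherwise) sees it. The palette entries, series names and sample inputs are constructed for illustration; `colorForSeries` and `safeColor` are hypothetical names, not part of the project.

```javascript
// Added example (not project code): keep untrusted strings out of colour parsers.
// Assumptions: series names come from user input (URL, form, uploaded file);
// the chart only needs a small fixed palette; any free-form colour a user may
// supply is accepted only in #rgb, #rrggbb or rgb(r,g,b) form.

// Constructed palette: keys are the only accepted series names, so user input
// is used as a lookup key and never as a colour string.
const PALETTE = Object.freeze({
  renewables: "#1b9e77",
  coal: "#d95f02",
  gas: "#7570b3",
});
const FALLBACK = "#999999";

// Pattern 1: user input selects a palette entry; unknown names get the fallback.
// hasOwnProperty.call avoids treating inherited keys like "__proto__" as hits.
function colorForSeries(name) {
  return Object.prototype.hasOwnProperty.call(PALETTE, name) ? PALETTE[name] : FALLBACK;
}

// Pattern 2: strict validator for the few colour forms we choose to accept.
// A length cap up front plus anchored regexes with fixed repetition counts
// keeps the work per call small and predictable regardless of the input.
const MAX_LEN = 32;
const HEX3 = /^#([0-9a-f])([0-9a-f])([0-9a-f])$/i;
const HEX6 = /^#[0-9a-f]{6}$/i;
const RGB = /^rgb\(\s*(\d{1,3})\s*,\s*(\d{1,3})\s*,\s*(\d{1,3})\s*\)$/;

function toHex2(n) {
  return n.toString(16).padStart(2, "0");
}

// Returns a canonical lowercase "#rrggbb" string, or null when the input is
// not one of the accepted forms. A null result must not be forwarded to any
// parser; use a default colour instead.
function safeColor(input) {
  if (typeof input !== "string" || input.length > MAX_LEN) return null;
  const s = input.trim();
  let m;
  if ((m = HEX3.exec(s))) {
    return ("#" + m[1] + m[1] + m[2] + m[2] + m[3] + m[3]).toLowerCase();
  }
  if (HEX6.test(s)) return s.toLowerCase();
  if ((m = RGB.exec(s))) {
    const parts = [m[1], m[2], m[3]].map(Number);
    if (parts.some((v) => v > 255)) return null; // \d{1,3} allows up to 999
    return "#" + parts.map(toHex2).join("");
  }
  return null;
}

// Constructed sample inputs; only the canonical result would reach d3.
const samples = ["#ABC", "rgb( 255, 0,  16 )", "rgb(300,0,0)", "#12345", "x".repeat(10000)];
for (const s of samples) {
  console.log(JSON.stringify(s.slice(0, 20)), "->", safeColor(s));
}
console.log("coal ->", colorForSeries("coal"), "| unknown ->", colorForSeries("nuclear"));
```

With this split, the only place a colour string is ever parsed is inside `safeColor`, and its grammar is fixed by the application rather than by whatever the dependency's parser happens to accept; if the project later bumps d3, the chart code does not need to change because it never relied on d3 to validate untrusted input.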