search

Yoctol / react-d3-cloud

A word cloud react component built with d3-cloud.
https://yoctol.github.io/react-d3-cloud
MIT License
142 stars 47 forks source link

d3-color high severity vulnerability #148

Open duecknoah opened 2 years ago

duecknoah commented 2 years ago

react-d3-cloud depends on a version of d3-color that is vunerable to reDOS: https://github.com/advisories/GHSA-36jr-mh4h-2g58 Any version of d3-color <3.1.0 is vunerable to this. Please update the package.json to get a later version of react-d3-color

(env) duecknoah@Noahs-MacBook-Pro dashboard % npm audit
# npm audit report

d3-color  <3.1.0
Severity: high
d3-color vulnerable to ReDoS - https://github.com/advisories/GHSA-36jr-mh4h-2g58
fix available via `npm audit fix --force`
Will install react-d3-cloud@0.6.0, which is a breaking change
node_modules/d3-color
  d3-interpolate  0.1.3 - 2.0.1
  Depends on vulnerable versions of d3-color
  node_modules/d3-interpolate
    d3-scale  0.1.5 - 3.3.0
    Depends on vulnerable versions of d3-interpolate
    node_modules/d3-scale
      react-d3-cloud  >=0.5.0
      Depends on vulnerable versions of d3-scale
      Depends on vulnerable versions of d3-scale-chromatic
      node_modules/react-d3-cloud
    d3-scale-chromatic  0.1.0 - 2.0.0
    Depends on vulnerable versions of d3-color
    Depends on vulnerable versions of d3-interpolate
    node_modules/d3-scale-chromatic

5 high severity vulnerabilities
ghost commented 2 years ago

Hey, any updates on this issue?

chentsulin commented 2 years ago

These packages are released as ESM, so we can't easily bump them without introducing a bundler or releasing react-d3-cloud as ESM too.

AlexSwensen commented 2 years ago

@chentsulin I would recommend using something like parcel or vite in library mode. That will take care of the bundling and requires a minimal amount of setup. Moving forward (most) everything will be in ESM anyway, so you will be ahead of the curve on that regardless. Vite is almost all ESM under the hood anyway.

It's an example of a painful migration in the Node/js ecosystem, but it does get easier with time. Most modules I am working with "just work" once I have a proper bundler included. For this reason I recommend Vite as its setup is far less complex than Webpack or Turbopack.

morganney commented 1 year ago

Use overrides (or resolutions) in your package.json.

"overrides": {
  "d3-color": "^3.1.0"
}