bkrem / react-d3-tree

:deciduous_tree: React component to create interactive D3 tree graphs
https://bkrem.github.io/react-d3-tree
MIT License

Vulnerability with dependency "d3-color" #413

Closed ojhawkins closed 1 year ago

ojhawkins commented 1 year ago

Thank you for taking the time to report an issue with react-d3-tree!

Feel free to delete any questions that do not apply.

Are you reporting a bug, or opening a feature request?

Vulnerability with a dependency, see: https://github.com/advisories/GHSA-36jr-mh4h-2g58. Dependabot PR: https://github.com/bkrem/react-d3-tree/pull/407

What is the actual behavior/output?

The d3-color dependency has a vulnerability.

What is the behavior/output you expect?

The d3-color referenced version does not have a vulnerability.

Can you consistently reproduce the issue/create a reproduction case (e.g. on https://codesandbox.io)?

N/A

What version of react-d3-tree are you using?

3.3.5

If react-d3-tree crashed with a traceback, please paste the full traceback below.

N/A

bkrem commented 1 year ago

Fixed in https://github.com/bkrem/react-d3-tree/releases/tag/v3.3.6

Thanks for raising this explicitly @ojhawkins 🙏

Normally the vuln reports are devDeps only so I missed this initially. Need to clean up dependabot PRs for the devDeps at some point to avoid that in future.

rtremblet-fr commented 1 year ago

Hello,

The issue still seems present for me, via d3-zoom; results from npm audit:

Run npm update d3-color --depth 5 to resolve 2 vulnerabilities

High d3-color vulnerable to ReDoS

Package d3-color

Dependency of react-d3-tree

Path react-d3-tree > d3-zoom > d3-interpolate > d3-color

More info https://github.com/advisories/GHSA-36jr-mh4h-2g58

Regards
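The transitive path in that npm audit output (react-d3-tree > d3-zoom > d3-interpolate > d3-color) can be recomputed straight from a package-lock.json, which is a useful check after bumping a direct dependency: it shows whether every route to the flagged package is gone, including copies nested under other packages' own node_modules. The block below is an added example, not code from react-d3-tree or from anyone in this thread. It walks the `packages` map of a lockfileVersion 2 or 3 file; the lockfile it runs on is constructed, the package `lint-tool` and all versions in it are made up, and the fixed-version threshold is an assumed parameter (`FIXED_VERSION`), not a value taken from the advisory.

```javascript
// Added example (not part of react-d3-tree): compute every dependency chain in a
// package-lock.json (lockfileVersion 2 or 3) that ends at a target package, the
// way `npm audit` reports "react-d3-tree > d3-zoom > d3-interpolate > d3-color",
// and keep the chains whose resolved copy is below an assumed fixed version.

// Resolve dependency `name` required from the package at lockfile location
// `from` by walking up nested node_modules directories, as npm does.
function resolveLocation(packages, from, name) {
  let base = from;
  for (;;) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + name;
    if (packages[candidate]) return candidate;
    if (base === "") return null; // nothing installed under that name
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

// Depth-first walk from the root package (""); returns one record per chain.
function findDependencyPaths(lock, target, { includeDev = true } = {}) {
  const packages = lock.packages || {};
  const results = [];

  function walk(loc, chain, onPath) {
    const entry = packages[loc];
    if (!entry) return;
    const deps = { ...(entry.dependencies || {}), ...(entry.optionalDependencies || {}) };
    if (loc === "" && includeDev) Object.assign(deps, entry.devDependencies || {});
    for (const name of Object.keys(deps)) {
      const depLoc = resolveLocation(packages, loc, name);
      if (depLoc === null || onPath.has(depLoc)) continue; // unresolved or cycle
      const nextChain = [...chain, name];
      if (name === target) {
        results.push({ chain: nextChain, location: depLoc, version: packages[depLoc].version });
        continue;
      }
      onPath.add(depLoc);
      walk(depLoc, nextChain, onPath);
      onPath.delete(depLoc);
    }
  }

  walk("", [], new Set([""]));
  return results;
}

// Numeric dotted-version comparison (pre-release suffixes are ignored);
// enough for the x.y.z versions the d3 packages publish.
function versionLessThan(a, b) {
  const parse = (v) => v.split("-")[0].split(".").map((n) => parseInt(n, 10) || 0);
  const [pa, pb] = [parse(a), parse(b)];
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y;
  }
  return false;
}

// Chains whose resolved copy of `target` is still below `fixedVersion`.
function findVulnerablePaths(lock, target, fixedVersion) {
  return findDependencyPaths(lock, target).filter((p) => versionLessThan(p.version, fixedVersion));
}

function formatPath(p) {
  return p.chain.join(" > ");
}

// Constructed lockfile fragment: `lint-tool` is made up and the versions are
// illustrative; this is not the real react-d3-tree dependency tree.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { "react-d3-tree": "^3.3.5" }, devDependencies: { "lint-tool": "^1.0.0" } },
    "node_modules/react-d3-tree": { version: "3.3.5", dependencies: { "d3-zoom": "^3.0.0", "d3-selection": "^3.0.0" } },
    "node_modules/d3-zoom": { version: "3.0.0", dependencies: { "d3-interpolate": "1 - 3", "d3-selection": "2 - 3" } },
    "node_modules/d3-interpolate": { version: "3.0.1", dependencies: { "d3-color": "1 - 3" } },
    "node_modules/d3-selection": { version: "3.0.0" },
    "node_modules/d3-color": { version: "3.0.1" },
    "node_modules/lint-tool": { version: "1.0.0", dependencies: { "d3-color": "^3.1.0" } },
    "node_modules/lint-tool/node_modules/d3-color": { version: "3.1.0" },
  },
};

// FIXED_VERSION is an assumed threshold for illustration; take the real one
// from the advisory (GHSA-36jr-mh4h-2g58) before relying on the result.
const FIXED_VERSION = "3.1.0";
for (const p of findVulnerablePaths(SAMPLE_LOCK, "d3-color", FIXED_VERSION)) {
  console.log(`${formatPath(p)}  (${p.version} at ${p.location})`);
}
```

Run it with `node` against a real lockfile by replacing `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync("package-lock.json"))`. The nested `lint-tool` copy shows why the walk has to follow npm's nearest-ancestor lookup rather than assuming one copy per name: the two routes resolve to different d3-color versions, and only the hoisted one under react-d3-tree is reported as still below the threshold.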