Closed ojhawkins closed 1 year ago
Fixed in https://github.com/bkrem/react-d3-tree/releases/tag/v3.3.6
Thanks for raising this explicitly @ojhawkins 🙏
Normally the vuln reports are devDeps only, so I missed this initially. Need to clean up Dependabot PRs for the devDeps at some point to avoid that in future.
Hello,
The issue still seems present for me, via d3-zoom. Results from npm audit:
High           d3-color vulnerable to ReDoS
Package        d3-color
Dependency of  react-d3-tree
Path           react-d3-tree > d3-zoom > d3-interpolate > d3-color
More info      https://github.com/advisories/GHSA-36jr-mh4h-2g58
Regards
Thank you for taking the time to report an issue with react-d3-tree!
Feel free to delete any questions that do not apply.
Are you reporting a bug, or opening a feature request?
Vulnerability with a dependency, see: https://github.com/advisories/GHSA-36jr-mh4h-2g58. Dependabot PR: https://github.com/bkrem/react-d3-tree/pull/407
What is the actual behavior/output?
The d3-color dependency has a vulnerability.
What is the behavior/output you expect?
The d3-color referenced version does not have a vulnerability.
Can you consistently reproduce the issue/create a reproduction case (e.g. on https://codesandbox.io)?
N/A
What version of react-d3-tree are you using?
3.3.5
If react-d3-tree crashed with a traceback, please paste the full traceback below.
N/A