carbon-design-system / carbon

A design system built by IBM
https://www.carbondesignsystem.com
Apache License 2.0

Known vulnerability in d3-color #9133

Closed gmc77 closed 3 years ago

gmc77 commented 3 years ago

Known vulnerability in d3-color: Regular Expression Denial of Service (ReDoS)

What package(s) are you using?

Detailed description

As flagged by Snyk when we use Carbon in our product.

Issues to fix by upgrading:
  Upgrade d3@5.16.0 to d3@7.0.0 to fix
  ✗ Regular Expression Denial of Service (ReDoS) (new) [Medium Severity][https://snyk.io/vuln/SNYK-JS-D3COLOR-1076592] in d3-color@1.4.1
    introduced by d3@5.16.0 > d3-color@1.4.1 

See https://snyk.io/vuln/SNYK-JS-D3COLOR-1076592 for details. It can be fixed by upgrading to later versions of d3.

Steps to reproduce the issue

Run Snyk against a Carbon application

emyarod commented 3 years ago

can you confirm where d3-color is being used?

gmc77 commented 3 years ago

Apologies, missed the question when it was raised.

We're not using it directly, and neither is Carbon, but Carbon Charts imports d3, which imports d3-color:

https://github.com/carbon-design-system/carbon-charts/blob/524c00d012f567799b35f834e57648273420adc2/yarn.lock#L3596

Have raised a Carbon Charts issue: https://github.com/carbon-design-system/carbon-charts/issues/1069
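To answer the "where is d3-color being used?" question from the lockfile itself rather than from a scanner report, here is an added Python helper (not code from Carbon, Carbon Charts or this thread) that parses a yarn.lock v1 fragment and lists every dependency chain from a root package down to a target package, reproducing Snyk's "introduced by d3@5.16.0 > d3-color@1.4.1" line; the lockfile content below is constructed for the example.

```python
import re
# Constructed yarn.lock v1 fragment (not carbon-charts' real lockfile), trimmed to the chain Snyk reported.
LOCKFILE = '''
"d3-color@1", d3-color@^1.0.0:
  version "1.4.1"

d3-interpolate@1:
  version "1.4.0"
  dependencies:
    d3-color "1"

d3@5.16.0:
  version "5.16.0"
  dependencies:
    d3-color "1"
    d3-interpolate "1"
'''

def parse_yarn_lock(text):
    """Map every 'name@range' spec (header lines may list several, quoted or not) to its version and deps."""
    entries, cur, in_deps = {}, None, False
    for line in (l for l in text.splitlines() if l.strip() and l[0] != '#'):
        if not line.startswith(' '):
            cur, in_deps = {'version': None, 'deps': {}}, False
            for spec in line.rstrip(':').split(','):
                entries[spec.strip().strip('"')] = cur
        elif line.startswith('    ') and in_deps:
            m = re.match(r'\s+"?([^"\s]+)"?\s+"?([^"]+)"?\s*$', line)
            cur['deps'][m.group(1)] = m.group(2)
        else:
            key, _, val = line.strip().partition(' ')
            in_deps = key == 'dependencies:'
            if key == 'version':
                cur['version'] = val.strip('"')
    return entries

def chains_to(entries, target, roots):
    """Return 'a@ver > b@ver > target@ver' paths from each root spec down to target."""
    def walk(spec, entry, path, seen):
        name = spec.rsplit('@', 1)[0]        # also handles scoped names like @x/y@^1
        path = path + [f"{name}@{entry['version']}"]
        if name == target:
            return [' > '.join(path)]
        found = []
        for dep, rng in entry['deps'].items():
            key = f'{dep}@{rng}'
            if key in entries and key not in seen:   # 'seen' breaks dependency cycles
                found += walk(key, entries[key], path, seen | {key})
        return found
    return [c for r in roots if r in entries for c in walk(r, entries[r], [], {r})]
```

Running it on a real yarn.lock with the roots from package.json shows which direct dependency pulls in a flagged package, which is the information needed to decide whether an upgrade of d3 alone resolves the finding.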