Open joelrichardvitrana opened 1 year ago
Hi @joelrichardvitrana,
Are we discussing this project: https://github.com/chartjs/chartjs-color-string?
If that is the case, I believe the project it was forked from can be found here: https://github.com/Qix-/color-string, and it seems to already have a patch addressing the CVE you mentioned in this commit: https://github.com/Qix-/color-string/commit/0789e21284c33d89ebc4ab4ca6f759b9375ac9d3.
Hello, @simonbrunel and @etimberg, I would greatly appreciate your insights on the matter. Could you kindly share your thoughts on the best course of action?
Thanks.
Expected behavior
Currently we have updated our chartjs-color-string package to version 0.6.0. In this latest version, we have a medium vulnerability (CVE-2021-29060) with a score of 5.3. Is there any way to resolve this vulnerability?
Current behavior
Vulnerability in chartjs-color-string package
Reproducible sample
Not required
Optional extra steps/info to reproduce
No response
Possible solution
No response
Context
No response
chart.js version
v2.9.0
Browser name and version
No response
Link to your project
No response