d3 / d3-color

Color spaces! RGB, HSL, Cubehelix, CIELAB, and more.
https://d3js.org/d3-color
ISC License

Security vulnerability fix for d3-color required in version 2.x #108

Open AtishayMsft opened 1 year ago

AtishayMsft commented 1 year ago
We would like to get the fix https://github.com/d3/d3-color/pull/100 backported for version 2.x of the d3-color library module, as version 3.x switches to using ESM for d3, which is not supported by our project.

There are multiple folks interested in this backport.

jayuen commented 1 year ago

Thanks @AtishayMsft. I would also like the backport for version 1.4.x. Willing to help contribute to this.

ndugger commented 1 year ago

My team is blocked on this issue which is affecting the airbnb/visx package: https://github.com/airbnb/visx/issues/1577

mbostock commented 1 year ago

I’m not going to do this but you are welcome to fork this repository.

timbset commented 1 year ago

@mbostock I created a PR with a cherry-pick to v2. Could you please merge it and publish a new v2 version with the vulnerability fix? It will simplify the upgrade to a more secure version of the package for those who still use CommonJS.

G-Rath commented 1 year ago

@mbostock I can understand not backporting for v1, but I ask you to reconsider for v2, because that's the highest major version supported by d3-interpolate, and v3 of both packages switches to using ESM modules, which we can't use in our applications and which libraries like recharts cannot use either without switching to ESM themselves (which'd overall be very breaking).

I assume by forking you actually mean "fork + publish to npm", as that's the only way we could really try and address that ourselves; however, it would be ideal if we could avoid having to do that, since it just fragments the ecosystem further, and then we'd need to convince libraries to move over to the new package (which wouldn't work, because we'd need to either fork or backport d3-interpolate as well).

I'm happy to help with this as much as possible, to reduce the burden on you.

Related recharts issue.

timbset commented 1 year ago

We understand the motivation for staying on an ESM-only approach. But some libs, like nanoid, promised to support the older version for developers who cannot upgrade to the ESM-only version. Why can't you do the same in this project? It would be responsible and respectful to the people who use this lib.

JayWelsh commented 1 year ago

For anyone that requires an immediate workaround for this, this method provided by haydn works wonders: https://github.com/airbnb/visx/issues/1577#issuecomment-1354160981