Open AtishayMsft opened 1 year ago
Thanks @AtishayMsft. I would also like the backport for version 1.4.x. Willing to help contribute to this.
My team is blocked on this issue which is affecting the airbnb/visx package: https://github.com/airbnb/visx/issues/1577
I’m not going to do this but you are welcome to fork this repository.
@mbostock I created a PR with a cherry-pick to v2. Could you please merge it and publish a new v2 version with the vulnerability fix? It will simplify upgrading to a more secure version of the package for those who still use CommonJS.
@mbostock I can understand not backporting for v1, but I ask you to reconsider for v2 because that's the highest major version supported by d3-interpolate and v3 of both packages switch to using ESM modules which we can't use in our applications and that libraries like recharts cannot use it either without switching to ESM themselves (which'd overall be very breaking).
I assume by forking you actually mean "fork + publish to npm", as that's the only way we could really try and address that ourselves, however it would be ideal if we could avoid having to do that since it just fragments the ecosystem further and then we'd need to convince libraries to move over to the new package (which wouldn't work because we'd need to either fork or backport for d3-interpolate as well).
I'm happy to help with this as much as possible, to reduce the burden on you.
Related recharts issue.
We understand the motivation of staying on an ESM-only approach. But some libs, like nanoid, promised to support an older version for developers who cannot upgrade to the ESM-only version. Why can't you do the same in this project? It would be responsible and respectful to people who use this lib.
For anyone that requires an immediate workaround for this, this method provided by haydn works wonders: https://github.com/airbnb/visx/issues/1577#issuecomment-1354160981
There are multiple folks interested in this backport.