d3 / d3-color

Color spaces! RGB, HSL, Cubehelix, CIELAB, and more.
https://d3js.org/d3-color
ISC License

Security vulnerability fix for d3-color nice-to-have in version 1.x #109

Open danisluk opened 1 year ago

danisluk commented 1 year ago

Please, would it be possible to backport the fix made in https://github.com/d3/d3-color/pull/100 to d3-color 1.x ?

There are multiple people who would be happy about this backport.

mbostock commented 1 year ago

I’m not going to do this but you are welcome to fork this repository.

mpopv commented 1 year ago

1.x fork here with fix cherry-picked: https://www.npmjs.com/package/d3-color-1-fix

Install the package and point to it with "d3-color": "npm:d3-color-1-fix" in "resolutions" (yarn) or "overrides" (npm).

uwang commented 1 year ago

After I change to:

{
    "resolutions": {
        "d3-color": "https://registry.npmmirror.com/d3-color-1-fix/-/d3-color-1-fix-1.4.2.tgz"
    }
}

It works. But audit always needs 3.1.0.

mpopv commented 1 year ago

I'd recommend not using the tgz directly because it can't be audited like a package by automated tooling.

You're also probably going to want to manually search your lockfile after adding the override to make sure vulnerable versions of d3-color are expunged; there are some versions of npm (<8.7, I believe) where lockfile generation for overrides was broken so it would not be properly expunged and you will trip automated vulnerability checkers even with the override added properly in package.json.