search

d3 / d3-scale

Encodings that map abstract data to visual representation.
https://d3js.org/d3-scale
ISC License
1.59k stars 286 forks source link

Update d3-interpolate dependency to v3 #277

Closed fresheneesz closed 1 year ago

fresheneesz commented 1 year ago

d3-interpolate depends on d3-color v2, which has a high CEV vulnerability according to npm audit. Updating would solve this.

mbostock commented 1 year ago

It depends on 1.2.0 – 3, so you can upgrade.

https://github.com/d3/d3-scale/blob/83555bd759c7314420bd4240642beda5e258db9e/package.json#L38

fresheneesz commented 1 year ago

On second look, I can't update. I need to update to d3-interpolate v3, however "d3-interpolate": "1.2.0 - 3", does not allow this. That semvar means only versions below 3 (and 1.2.0 or above) are supported. Please reopen @mbostock

mbostock commented 1 year ago

That’s not how semver ranges work, @fresheneesz. The upper bound of the range is inclusive.

fresheneesz commented 1 year ago

@mbostock This cheatsheet as well as node-semvar say otherwise. Also pnpm refuses to update these dependencies. I don't think I'm wrong here.

mbostock commented 1 year ago

From the link you posted:

Screenshot 2023-05-24 at 1 29 11 PM

In other words, 1.2.3 - 2 means all 2.x.y, but less than 3.0.0.