develancer / topola-webpack

Simple genealogy viewer based on https://github.com/PeWu/topola
Apache License 2.0

NPM security vulnerabilities #5

Open modelrailroader opened 4 months ago

modelrailroader commented 4 months ago

Hi,

I saw that I'm coming at just the right time, as it has recently become possible to have just one HTML file instead of a full folder. That's amazing!

Unfortunately, I've got a problem with building. I got the following error message in the cmd:

# npm audit report

d3-color  <3.1.0
Severity: high
d3-color vulnerable to ReDoS - https://github.com/advisories/GHSA-36jr-mh4h-2g58
fix available via npm audit fix
node_modules/topola/node_modules/d3-color
  d3-interpolate  0.1.3 - 2.0.1
  Depends on vulnerable versions of d3-color
  node_modules/topola/node_modules/d3-interpolate
    d3-transition  0.0.7 - 2.0.0
    Depends on vulnerable versions of d3-color
    Depends on vulnerable versions of d3-interpolate
    node_modules/topola/node_modules/d3-transition
      topola  >=3.1.0
      Depends on vulnerable versions of d3-transition
      node_modules/topola

4 high severity vulnerabilities

To address all issues, run:
  npm audit fix

I already fixed a few vulnerabilities with npm audit fix and npm audit fix --force; recently there were 9 reported. These couldn't be fixed automatically. Do you have a solution?

I'm looking forward to your response.

Bye, Jan

develancer commented 4 months ago

Those can’t be fixed at the moment (they should be fixed in topola rather than here), but the vulnerabilities don’t prevent the script from running. Simply run build.sh as outlined in the README and the HTML file should be generated.

Don’t use npm audit fix on that. It will introduce a breaking change and the script won’t work correctly anymore.
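An added example (not from this thread or the topola-webpack project) that triages `npm audit --json` output along the lines of the reply above: it records which top-level dependency each finding sits under (here everything is below node_modules/topola), collects the advisory links, and flags findings whose only available fix is a semver-major bump, which is exactly what `npm audit fix --force` would apply. The report is a constructed sample in the npm 7+ JSON shape of the audit output in this issue; the topola version under fixAvailable is a placeholder.

```javascript
// Constructed sample in the JSON shape (`npm audit --json`, npm 7+) of the report in this issue.
// The topola version under fixAvailable is a placeholder; the issue does not state it.
const fix = { name: "topola", version: "0.0.0-placeholder", isSemVerMajor: true };
const sampleAudit = {
  vulnerabilities: {
    "d3-color": { name: "d3-color", severity: "high", isDirect: false, range: "<3.1.0",
      via: [{ title: "d3-color vulnerable to ReDoS", severity: "high",
              url: "https://github.com/advisories/GHSA-36jr-mh4h-2g58" }],
      nodes: ["node_modules/topola/node_modules/d3-color"], fixAvailable: fix },
    "d3-interpolate": { name: "d3-interpolate", severity: "high", isDirect: false,
      range: "0.1.3 - 2.0.1", via: ["d3-color"],
      nodes: ["node_modules/topola/node_modules/d3-interpolate"], fixAvailable: fix },
    "d3-transition": { name: "d3-transition", severity: "high", isDirect: false,
      range: "0.0.7 - 2.0.0", via: ["d3-color", "d3-interpolate"],
      nodes: ["node_modules/topola/node_modules/d3-transition"], fixAvailable: fix },
    topola: { name: "topola", severity: "high", isDirect: true, range: ">=3.1.0",
      via: ["d3-transition"], nodes: ["node_modules/topola"], fixAvailable: fix },
  },
};

// Top-level package an install path belongs to:
// "node_modules/topola/node_modules/d3-color" -> "topola" (scoped names keep their "@scope/" prefix).
function rootOfPath(nodePath) {
  return nodePath.replace(/^node_modules\//, "").split("/node_modules/")[0];
}

// One triage record per finding: where it lives, its advisories, and what `npm audit fix` could do.
function triageAudit(report) {
  return Object.values(report.vulnerabilities || {}).map((v) => {
    const f = v.fixAvailable;
    let action = "none";                                   // npm knows no fix
    if (f === true) action = "safe";                       // in-range update, plain `npm audit fix`
    else if (f && f.isSemVerMajor) action = `breaking:${f.name}@${f.version}`; // needs --force
    else if (f) action = `update:${f.name}@${f.version}`;
    return {
      name: v.name, severity: v.severity, isDirect: v.isDirect,
      rootDependency: rootOfPath(v.nodes[0]),
      // "via" mixes advisory objects with plain package names for transitive chains.
      advisories: v.via.filter((x) => typeof x === "object").map((x) => x.url),
      action,
    };
  });
}

// True when every finding can only be fixed by a semver-major bump, i.e. `npm audit fix`
// changes nothing and `--force` is the only automatic route (the case the maintainer warns about).
function onlyBreakingFixes(report) {
  const actions = triageAudit(report).map((r) => r.action);
  return actions.length > 0 && actions.every((a) => a.startsWith("breaking:"));
}

console.table(triageAudit(sampleAudit));
```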

modelrailroader commented 3 months ago

I tried it in Git Bash on Windows, but the script seems to hang after showing the error message about the vulnerabilities. I kept it running for about 20 minutes, but it wasn't successful. Do you have an idea?

develancer commented 3 months ago

No idea, but you may want to try the previous release (0.1.0). I don’t think the vulnerabilities are the issue here.