Closed dkolosov-intel closed 3 years ago
The upstream fix for the vulnerability is not merged yet: https://github.com/d3/d3-color/pull/89
It seems there is wrong data on a fix in d3-color>3.0.0: https://github.com/d3/d3-brush/issues/90#issuecomment-939496879
It makes sense to consider this as a FALSE positive since user input is NOT used to call d3-color. So, I am closing the issue.
(Sorry for bothering...)
d3-flame-graph control has an indirect dependency on d3-color version 1, which has ReDoS issue(s).
The issue(s) have been fixed in d3-color version 3.
d3-selection@1.4.2 and d3-transition@1.3.2 modules have a dependency on d3-color@1.4.1:
```
+-- d3-flame-graph@4.0.6
| +-- d3-scale@3.3.0
| | +-- d3-array@2.12.1 deduped
| | +-- d3-format@1.4.5 deduped
| | +-- d3-interpolate@2.0.1
| | | `-- d3-color@2.0.0
| +-- d3-selection@1.4.2
| `-- d3-transition@1.3.2
|   +-- d3-color@1.4.1
|   +-- d3-dispatch@1.0.6 deduped
|   +-- d3-ease@1.0.7 deduped
|   `-- d3-interpolate@1.4.0
|     `-- d3-color@1.4.1 deduped
```

Please update the package.json dependency block to start using d3-selection and d3-transition version 3 or later (ideally, the d3 dependency modules need to be updated to version 3 or the latest).
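An added check, not the project's or the reporter's code, that parses an `npm ls` text tree like the one above and lists every dependency path ending in a d3-color release below 3.0.0, the version the issue names as fixed. The embedded tree is constructed from the one quoted in the issue so the script runs offline.

```javascript
// Added example, not from the issue: walk an `npm ls` text tree and list every
// dependency path that resolves to d3-color below 3.0.0, the version the issue
// names as fixed. The tree is constructed from the one quoted in the issue.
const NPM_LS_TREE = `
+-- d3-flame-graph@4.0.6
| +-- d3-scale@3.3.0
| | +-- d3-array@2.12.1 deduped
| | +-- d3-format@1.4.5 deduped
| | +-- d3-interpolate@2.0.1
| | | \`-- d3-color@2.0.0
| +-- d3-selection@1.4.2
| \`-- d3-transition@1.3.2
|   +-- d3-color@1.4.1
|   +-- d3-dispatch@1.0.6 deduped
|   +-- d3-ease@1.0.7 deduped
|   \`-- d3-interpolate@1.4.0
|     \`-- d3-color@1.4.1 deduped
`;

// One tree line -> { depth, name, version, deduped }. Each nesting level adds two
// characters ("| " or "  ") before the "+--"/"`--" connector, so depth = prefix / 2.
function parseLine(line) {
  const m = /^((?:[| ] )*)[+`]-- (@?[^@\s]+)@(\S+)( deduped)?/.exec(line);
  if (!m) return null;
  return { depth: m[1].length / 2, name: m[2], version: m[3], deduped: !!m[4] };
}

// Numeric compare of dotted release versions (pre-release tags are not handled).
function versionLess(a, b) {
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) < (pb[i] || 0);
  }
  return false;
}

// Return "root > ... > pkg@version" for every copy of `pkg` older than `fixed`.
// Deduped entries are kept: they still resolve to the same vulnerable install.
function findVulnerablePaths(tree, pkg, fixed) {
  const stack = [], hits = [];
  for (const raw of tree.split('\n')) {
    const node = parseLine(raw);
    if (!node) continue;
    stack.length = node.depth;                 // drop the previous sibling's subtree
    stack.push(`${node.name}@${node.version}`);
    if (node.name === pkg && versionLess(node.version, fixed)) hits.push(stack.join(' > '));
  }
  return hits;
}

console.log(findVulnerablePaths(NPM_LS_TREE, 'd3-color', '3.0.0').join('\n'));
```

Run against real output (`npm ls --all` piped in) the same walk reports each chain, including deduped ones, that still pulls the old d3-color, which is what an upgrade of d3-selection and d3-transition has to clear.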