swimlane / ngx-graph

Graph visualization library for angular
https://swimlane.github.io/ngx-graph
MIT License

d3-color vulnerable to ReDoS #469

Closed krusche closed 1 year ago

krusche commented 2 years ago

Dependabot cannot update d3-color to a non-vulnerable version

The latest possible version that can be installed is 1.4.1 because of the following conflicting dependencies:

@swimlane/ngx-graph@8.0.2 requires d3-color@1 via a transitive dependency on d3-interpolate@1.4.0
@swimlane/ngx-graph@8.0.2 requires d3-color@1 via d3-transition@1.3.2
@swimlane/ngx-charts@20.1.0 requires d3-color@^2.0.0
@swimlane/ngx-charts@20.1.0 requires d3-color@1 - 2 via d3-interpolate@2.0.1
@swimlane/ngx-charts@20.1.0 requires d3-color@1 - 2 via d3-transition@2.0.0

No patched version available for d3-color. The earliest fixed version is 3.1.0.

The d3-color module provides representations for various color spaces in the browser. Versions prior to 3.1.0 are vulnerable to a Regular expression Denial of Service. This issue has been patched in version 3.1.0. There are no known workarounds.

Severity: High Weaknesses: CWE-400 CVE ID: No CVE

https://github.com/advisories/GHSA-36jr-mh4h-2g58
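The conflict list above comes from walking the lockfile: each dependent's range for d3-color is resolved against the copy npm actually installed for it, and any copy below the fixed release 3.1.0 is a finding. The script below is an added example (not the ngx-graph project's code and not part of the issue); its lock data is constructed to mirror the dependencies named in the alert, and it reads the `packages` shape of a lockfileVersion 2/3 `package-lock.json`.

```javascript
// Added example: audit a package-lock.json "packages" tree for copies of
// d3-color older than the first fixed release, 3.1.0 (per the advisory).
const FIXED = [3, 1, 0];

// Constructed sample lock data modelled on the conflicts in the alert.
const lock = {
  packages: {
    "node_modules/@swimlane/ngx-graph": { version: "8.0.2", dependencies: { "d3-transition": "^1.3.2" } },
    "node_modules/d3-transition": { version: "1.3.2", dependencies: { "d3-color": "1" } },
    "node_modules/d3-interpolate": { version: "1.4.0", dependencies: { "d3-color": "1" } },
    "node_modules/d3-color": { version: "1.4.1" },
    "node_modules/@swimlane/ngx-charts": { version: "20.1.0", dependencies: { "d3-color": "^2.0.0" } },
    "node_modules/@swimlane/ngx-charts/node_modules/d3-color": { version: "2.0.0" },
  },
};

function parseVersion(v) { return v.split(".").map(Number); }

// True when semver triple a is strictly older than b.
function olderThan(a, b) {
  for (let i = 0; i < 3; i++) { if (a[i] !== b[i]) return a[i] < b[i]; }
  return false;
}

// Which installed copy of `name` does the package at `fromPath` get?
// Mirrors npm's lookup: nearest nested node_modules first, then climb to the root.
function resolveCopy(packages, fromPath, name) {
  let dir = fromPath;
  for (;;) {
    const candidate = dir ? `${dir}/node_modules/${name}` : `node_modules/${name}`;
    if (packages[candidate]) return candidate;
    if (!dir) return null;                      // root already checked
    const idx = dir.lastIndexOf("node_modules/");
    dir = idx > 0 ? dir.slice(0, idx - 1) : "";  // climb one level
  }
}

// Report every dependent whose resolved copy of `name` is below `fixed`.
function auditDependents(lockData, name, fixed) {
  const findings = [];
  for (const [path, pkg] of Object.entries(lockData.packages)) {
    const range = pkg.dependencies && pkg.dependencies[name];
    if (!range) continue;
    const copy = resolveCopy(lockData.packages, path, name);
    const resolved = copy ? lockData.packages[copy].version : null;
    if (!resolved || olderThan(parseVersion(resolved), fixed)) {
      findings.push({ dependent: path.replace(/^.*node_modules\//, ""), range, resolved });
    }
  }
  return findings;
}

console.log(auditDependents(lock, "d3-color", FIXED));
```

Replace the constructed `lock` with `JSON.parse(fs.readFileSync("package-lock.json"))` to run it against a real project; every reported dependent whose range excludes 3.x is one that needs a release of its own before Dependabot can upgrade.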

krusche commented 2 years ago

Note: this is a repost of a dependabot issue in our repository https://github.com/ls1intum/Artemis/security/dependabot/25

ashmeetk commented 2 years ago

Please take a look into this issue urgently and update transitive dependency d3-color to 3.1.0

aradys commented 2 years ago

I also wait for this update, please look into this issue.

hmirsky commented 2 years ago

Chiming in that this impacts my project as well. Thanks in advance for resolving.

sweeneki commented 2 years ago

Is there anything we can do to help progress this update?

assafsun commented 2 years ago

Created a PR - https://github.com/swimlane/ngx-graph/pull/477

krusche commented 2 years ago

The PR was merged, thanks! @marjan-georgiev can you please create a new npm release?

github-ronk commented 1 year ago

@krusche Perhaps someone else could do that (is it legal?). This project seems to be on very low maintenance, or maybe abandoned.

DaSchTour commented 1 year ago

It's open source and MIT license. So probably we should create a fork. Best would be to do it with an organization so that multiple people can contribute.

marjan-georgiev commented 1 year ago

Apologies for the delay, gentlemen. Released 8.0.3.

Preethamnavex commented 1 year ago

@marjan-georgiev

Issue still exists, we checked in 8.0.3 release image