Closed krusche closed 1 year ago
Note: this is a repost of a dependabot issue in our repository https://github.com/ls1intum/Artemis/security/dependabot/25
Please take a look into this issue urgently and update transitive dependency d3-color to 3.1.0
I am also waiting for this update; please look into this issue.
Chiming in that this impacts my project as well. Thanks in advance for resolving.
Is there anything we can do to help progress this update?
Created a PR - https://github.com/swimlane/ngx-graph/pull/477
The PR was merged, thanks! @marjan-georgiev can you please create a new npm release?
@krusche Perhaps someone else could do that (is it legal?). This project seems to be on very low maintenance, or maybe abandoned.
It's open source and MIT license. So probably we should create a fork. Best would be to do it with an organization so that multiple people can contribute.
Apologies for the delay, gentlemen. Released 8.0.3.
@marjan-georgiev
The issue still exists; we checked the 8.0.3 release.
Dependabot cannot update d3-color to a non-vulnerable version
The latest possible version that can be installed is 1.4.1 because of the following conflicting dependencies:
No patched version available for d3-color. The earliest fixed version is 3.1.0.
The d3-color module provides representations for various color spaces in the browser. Versions prior to 3.1.0 are vulnerable to a regular expression denial of service (ReDoS). This issue has been patched in version 3.1.0. There are no known workarounds.
Severity: High
Weaknesses: CWE-400
CVE ID: No CVE
https://github.com/advisories/GHSA-36jr-mh4h-2g58