yaph / d3-geomap

A library for creating geographical maps based on D3.js
https://d3-geomap.github.io/
MIT License

Update dependencies to resolve vulnerabilities in d3-color #61

Closed boidolr closed 2 weeks ago

boidolr commented 8 months ago

Right now a vulnerable package (d3-color@1) is pulled in via a transitive dependency. Is there any chance of getting an updated package with recent dependencies?

I'd like to help out, but can not run the tests, as there seem to be some files missing.

yaph commented 8 months ago

Sadly, the dependencies cannot be easily upgraded. There are deprecated dependencies and API changes in newer versions of D3. I just spent quite some time trying to get this to run with newer versions and cannot even build the package any more. Could you build it?

boidolr commented 8 months ago

I have a project with this dependency (and not much else) where I had success with using the following in package.json:

```json
  "overrides": {
    "d3-array": "3",
    "d3-color": "3",
    "d3-fetch": "3",
    "d3-format": "3",
    "d3-geo": "3",
    "d3-selection": "3",
    "d3-transition": "3"
  }
```

Though I am also not doing more than showing a map, so there might be things not working.

```json
  "dependencies": {
    "d3": "^7.8.5",
    "d3-geomap": "^3.3.0",
    "d3-geo-projection": "^4.0.0",
    "world-atlas": "^2.0.2"
  },
  "devDependencies": {
    "@babel/core": "^7.23.9",
    "@babel/preset-env": "^7.23.9",
    "@rollup/plugin-babel": "^6.0.4",
    "@rollup/plugin-node-resolve": "^15.2.3",
    "@rollup/plugin-terser": "^0.4.4",
    "node-sass": "^9.0.0",
    "rollup": "^4.12.0",
    "rollup-plugin-copy": "^3.5.0",
    "rollup-plugin-postcss": "^4.0.2",
    "rollup-plugin-serve": "^3.0.0"
  },
  "overrides": {
    "d3-array": "3",
    "d3-color": "3",
    "d3-fetch": "3",
    "d3-format": "3",
    "d3-geo": "3",
    "d3-selection": "3",
    "d3-transition": "3"
  }
```
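An `overrides` block only removes the vulnerable transitive copy if npm actually replaces every nested install of it, so it is worth verifying against the lockfile after `npm install`. The script below is an added example, not code from d3-geomap or from either commenter: it walks the `packages` map of a `package-lock.json` (lockfile v2/v3 layout, where keys look like `node_modules/a/node_modules/b`) and lists every installed copy of an overridden package whose major version disagrees with the override. The sample lockfile and project name are constructed, and the function names (`overrideViolations`, `checkProject`, and so on) are this example's own.

```javascript
// Added example (not part of the d3-geomap project): verify that npm
// "overrides" took effect by scanning package-lock.json for installed
// copies of an overridden package whose major version does not match.

// Constructed sample lockfile: d3-color@3 at top level, but a stale
// d3-color@1 still nested under d3-interpolate.
const SAMPLE_LOCK = {
  name: "map-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "map-app", version: "1.0.0" },
    "node_modules/d3-color": { version: "3.1.0" },
    "node_modules/d3-geo": { version: "3.1.0" },
    "node_modules/d3-interpolate": { version: "1.4.0" },
    "node_modules/d3-interpolate/node_modules/d3-color": { version: "1.4.1" },
  },
};

// Overrides in the same shape as the package.json block in the comment above.
const SAMPLE_OVERRIDES = {
  "d3-color": "3",
  "d3-geo": "3",
  "d3-selection": "3",
};

// Package name from a lockfile key: "node_modules/a/node_modules/@s/b" -> "@s/b".
// The root project entry ("") has no node_modules segment and yields null.
function packageNameFromKey(key) {
  const idx = key.lastIndexOf("node_modules/");
  if (idx === -1) return null;
  return key.slice(idx + "node_modules/".length);
}

// Leading major number of a version or simple range ("3", "^3.1.0", "~3.0.0").
// Returns null for anything else (tags like "latest", URLs, "*") so the caller
// skips it instead of guessing.
function majorOf(spec) {
  const m = /^[\^~]?v?(\d+)/.exec(String(spec).trim());
  return m ? Number(m[1]) : null;
}

// Every installed location of `name` with its resolved version.
function installedVersions(lock, name) {
  const out = [];
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    if (packageNameFromKey(key) === name && entry.version) {
      out.push({ path: key, version: entry.version });
    }
  }
  return out;
}

// Installed copies whose major version disagrees with the override for that name.
function overrideViolations(lock, overrides) {
  const violations = [];
  for (const [name, spec] of Object.entries(overrides)) {
    const wantMajor = majorOf(spec);
    if (wantMajor === null) continue;
    for (const inst of installedVersions(lock, name)) {
      if (majorOf(inst.version) !== wantMajor) {
        violations.push({ name, path: inst.path, version: inst.version, expectedMajor: wantMajor });
      }
    }
  }
  return violations;
}

// Run against a real project directory. `require` only exists under CommonJS,
// so this fails with a clear message under ESM rather than a ReferenceError.
function checkProject(dir) {
  if (typeof require !== "function") throw new Error("checkProject needs CommonJS (require)");
  const fs = require("fs");
  const path = require("path");
  const pkg = JSON.parse(fs.readFileSync(path.join(dir, "package.json"), "utf8"));
  const lock = JSON.parse(fs.readFileSync(path.join(dir, "package-lock.json"), "utf8"));
  return overrideViolations(lock, pkg.overrides || {});
}

// Demonstration on the constructed sample: reports the nested d3-color@1.4.1.
for (const v of overrideViolations(SAMPLE_LOCK, SAMPLE_OVERRIDES)) {
  console.log(`${v.path}: installed ${v.version}, override requires major ${v.expectedMajor}`);
}
```

Call `checkProject(".")` from a CommonJS script after `npm install` to get the list for a real project; an empty list means no nested copy escaped the override. The same question can be asked interactively with `npm ls d3-color`, which prints every resolved copy and where it sits in the tree.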
yaph commented 8 months ago

I upgraded the dependencies, but the code that is built after the upgrade doesn't work any more. I don't see a new release coming any time soon and you're probably better off replacing d3.geomap with a different mapping library.

boidolr commented 8 months ago

Ok, understood. Thanks for having a look and trying it out.