zcreativelabs / react-simple-maps

Beautiful React SVG maps with d3-geo and topojson using a declarative api.
https://www.react-simple-maps.io/
MIT License
3.12k stars 426 forks

Address high vulnerability issue #321

Closed wmhartl closed 1 year ago

wmhartl commented 1 year ago

Address issue #302

wmhartl commented 1 year ago

Hi @zimrick - any feedback or thoughts about getting this merged?

wmhartl commented 1 year ago

Hi @zimrick thoughts on this? This hanging vulnerability is problematic.

vikdiesel commented 1 year ago

Hi @zimrick, Do you think this problem is fixable somehow? Thank you

jvannistelrooy commented 1 year ago

It's been a while since @wmhartl pushed this pull request. Since @zimrick maintains this open-source package in his own time, there are no guarantees of a speedy merge of pull requests.

Here's an intermediate solution to install this specific fix with npm:

npm install git+https://github.com/zcreativelabs/react-simple-maps.git#pull/321/head

Be aware that this fix has not been reviewed by @zimrick, and you'll need to manually install the official update of react-simple-maps when it arrives.

wmhartl commented 1 year ago

It's been nearly three months - any thoughts here @zimrick?

gbanis commented 1 year ago

It would be great to merge this so we don't have to start forking to address the vulnerability 🙏

ivan-penchev commented 1 year ago

Hi @zimrick this starts to be flagged by snyk and other dependency platforms. If the fix is so easy, can we get it in?

jbouhier commented 1 year ago

@zimrick Can we merge this PR, please?

jbouhier commented 1 year ago

Workaround with your package manager of choice

Yarn v2+:

Et voila!
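A way to verify either workaround (the git PR install above, or a package-manager override) from the lockfile, as an added example that is not part of this thread or of react-simple-maps. The thread never names the transitive package at issue, so the package name `d3-example`, the patched floor `1.2.3`, and the package.json / package-lock.json contents below are placeholders constructed for illustration. The script lists every copy of the package the lockfile actually resolves, since a nested copy under `node_modules/<pkg>/node_modules/` is what dependency scanners keep flagging even after a top-level bump, and it emits the `overrides` (npm) / `resolutions` (Yarn) stanza that forces all copies to the patched range.

```javascript
// Added example, not code from react-simple-maps or from this thread.
// Assumptions (placeholders): the vulnerable transitive package is called
// "d3-example" and the patched floor is 1.2.3. Lockfile and package.json
// below are constructed for illustration (npm lockfileVersion 3 layout).

const LOCK = {
  name: "my-app",
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { "react-simple-maps": "^3.0.0" } },
    "node_modules/react-simple-maps": {
      version: "3.0.0",
      dependencies: { "d3-example": "^1.0.0" },
    },
    // nested copy: still on the old range, and the one scanners flag
    "node_modules/react-simple-maps/node_modules/d3-example": { version: "1.0.0" },
    // top-level copy: already patched
    "node_modules/d3-example": { version: "1.2.3" },
  },
};

const PKG = { name: "my-app", dependencies: { "react-simple-maps": "^3.0.0" } };

// Parse "MAJOR.MINOR.PATCH[-prerelease]" into three numbers. The prerelease
// tag is dropped on purpose, so "4.0.0-beta.1" compares as 4.0.0.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// True when v >= floor, comparing major, minor, patch in order.
function versionAtLeast(v, floor) {
  const a = parseVersion(v);
  const b = parseVersion(floor);
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] > b[i];
  }
  return true;
}

// Every lockfile path whose final package segment is `name`, with its
// resolved version. Splitting on "node_modules/" keeps scoped names
// ("@scope/pkg") intact as the last segment.
function resolvedVersions(lock, name) {
  const out = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // the root project itself
    const segs = path.split("node_modules/");
    const last = segs[segs.length - 1].replace(/\/$/, "");
    if (last === name) out.push({ path, version: entry.version });
  }
  return out;
}

// Copies of `name` that still resolve below the patched floor.
function auditLock(lock, name, floor) {
  return resolvedVersions(lock, name).filter((r) => !versionAtLeast(r.version, floor));
}

// A copy of package.json carrying the override stanza for both ecosystems:
// "overrides" is read by npm (8.3+), "resolutions" by Yarn (v1 and v2+).
// Both force every copy of `name`, nested or not, onto `range`.
function withOverride(pkg, name, range) {
  return {
    ...pkg,
    overrides: { ...(pkg.overrides || {}), [name]: range },
    resolutions: { ...(pkg.resolutions || {}), [name]: range },
  };
}

// Stand-alone run: report what is still unpatched and print the stanza.
const offending = auditLock(LOCK, "d3-example", "1.2.3");
console.log("copies below patched floor:", offending);
console.log(JSON.stringify(withOverride(PKG, "d3-example", "^1.2.3"), null, 2));
```

Run the audit again after `npm install` / `yarn install` so the check is against the lockfile the package manager actually wrote; an override that is present in package.json but not yet reflected in the lockfile has not fixed anything, and the git PR install only replaces react-simple-maps itself, so its nested dependency copies are what this listing is meant to expose.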

wmhartl commented 1 year ago

hi @zimrick - thanks so much for merging this! I hope you'll cut a new minor release (e.g. 3.0.1) so npm, snyk, etc, all pick up the changes you've merged. Really appreciate the package!

zimrick commented 1 year ago

Hi @wmhartl, The changes are already public in 4.0.0 (npm install react-simple-maps@beta). The reason this is a bit tricky is because the updated versions of the d3 modules caused some issues when using react-simple-maps in next.js.

joey-ma-steelgem commented 1 year ago

Next.js user here and am patiently waiting for stable 4.0 😅