High Vulnerability in d3-color < v3.1.0 #1799
Comments
Any update on this?
As far as I can see there is an open PR about this by dependabot - #1800. Any reasons not to merge?
Additionally packages such as
should also be updated as they also have dependencies on d3-color
Getting this message as well. Hopefully this will be resolved soon as there is already #1800
I am also getting this as well and as mentioned above the dependencies also depend on the affected
Fixed in
Maybe I'm missing something here about the solution applied. In package.json I have this:

```json
"dependencies": {
  "@angular/cdk": "^15.0.2",
  "@angular/cli": "^15.0.3",
  "@angular/common": "^15.0.3",
  "@angular/compiler": "^15.0.3",
  "@angular/core": "^15.0.3",
  "@angular/forms": "^15.0.3",
  ...
  "@swimlane/ngx-charts": "^20.1.2",
  ...
},
"devDependencies": {
  ...
  "@types/d3": "^7.4.0",
  ...
}
```

And I still get the 6 high severity vulnerabilities when running
When I run the audit fix, it reports them again, and does not fix anything. Obviously the proposed --force solution would install a very old version of ngx-charts, so it would not be desirable.

```text
up to date, audited 1288 packages in 6s

166 packages are looking for funding

npm audit report

d3-color  <3.1.0

6 high severity vulnerabilities

To address issues that do not require attention, run:

To address all issues (including breaking changes), run:
```
This is because they updated
But even in
as @moritz89 stated, nested dependencies must be updated too
@marjan-georgiev Can this be reopened? The issue is not fixed in 20.1.2. Installing 20.1.2 will still result in d3-color version 2.0.0 also being installed, as it's a transitive dependency of other
As described by @3MR1T00 above, the other d3 dependencies also need to be bumped to versions that depend on the fixed version of d3-color to completely fix the issue.
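The transitive-copy situation this comment describes can be checked mechanically rather than by reading `npm audit` output. As an added example (not code from the ngx-charts project), the Node script below walks the `packages` map of a package-lock.json (lockfileVersion 2 or 3), reports every copy of d3-color below the fixed 3.1.0 from GHSA-36jr-mh4h-2g58, and names the package whose nested node_modules holds it; `SAMPLE_LOCK` is constructed sample data, not a real lockfile.

```javascript
// Added example: find nested copies of d3-color below the fixed release in an
// npm lockfile "packages" map. SAMPLE_LOCK is constructed data mirroring the
// thread: a fixed root copy plus a vulnerable copy nested under d3-interpolate.
const FIXED_VERSION = [3, 1, 0]; // first patched d3-color release (GHSA-36jr-mh4h-2g58)

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function isVulnerable(version) { // true when version sorts strictly before FIXED_VERSION
  const p = parseVersion(version);
  for (let i = 0; i < 3; i++) if (p[i] !== FIXED_VERSION[i]) return p[i] < FIXED_VERSION[i];
  return false;
}

// Keys look like "node_modules/d3-interpolate/node_modules/d3-color"; the parent
// is the package whose own node_modules folder contains the nested copy.
function parentOf(key) {
  const parts = key.split('/node_modules/');
  return parts.length > 1 ? parts[parts.length - 2].replace(/^node_modules\//, '') : '(root)';
}

function findVulnerableCopies(lock, pkgName = 'd3-color') {
  const hits = [];
  for (const [key, meta] of Object.entries(lock.packages || {})) {
    const isPkg = key === `node_modules/${pkgName}` || key.endsWith(`/node_modules/${pkgName}`);
    if (isPkg && meta.version && isVulnerable(meta.version)) {
      hits.push({ path: key, version: meta.version, parent: parentOf(key) });
    }
  }
  return hits;
}

const SAMPLE_LOCK = { // constructed, not a real lockfile
  lockfileVersion: 3,
  packages: {
    '': { name: 'app', dependencies: { '@swimlane/ngx-charts': '^20.1.2' } },
    'node_modules/@swimlane/ngx-charts': { version: '20.1.2' },
    'node_modules/d3-color': { version: '3.1.0' },
    'node_modules/d3-interpolate': { version: '2.0.1' },
    'node_modules/d3-interpolate/node_modules/d3-color': { version: '2.0.0' },
  },
};

for (const h of findVulnerableCopies(SAMPLE_LOCK)) {
  console.log(`${h.path}: ${h.version} (nested under ${h.parent})`);
}
```

Replace `SAMPLE_LOCK` with `JSON.parse` of a project's real package-lock.json to scan it; a copy reported with a parent other than `(root)` is the one that bumping ngx-charts alone does not remove.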
The problem is still present in the version 20.1.2
It's Baaaaaack! Please update v20.1.2 as this is still an issue
The continuing problem has been reported as #1830
Same issue, getting the same messages
Still finding vulnerability issues (d3 dependency) in 20.1.2
@marjan-georgiev, could you please reopen this task, so it can be visible and fixed?
Unfortunately, it is still an issue with 20.3.0, despite some tweaks to it:
This problem persists on latest version 20.3.1

```text
=== npm audit security report ===
```
Describe the bug
d3-color has a high vulnerability prior to v3.1.0. Ngx-charts should upgrade d3-color to v3.1.0 to resolve the issue. GHSA-36jr-mh4h-2g58.
To Reproduce
Steps to reproduce the behavior:
Run `npm audit`. d3-color will get the high vulnerability.
Expected behavior
`npm audit`.
Screenshots
Demo
ngx-charts version
All versions below v20.1.0 or any new versions that have d3-color below v3.1.0.
Additional context
Github advisory GHSA-36jr-mh4h-2g58