Latest version suffering from High transitive security vulnerabilities #1830

Closed
Blackbaud-TrevorBurch opened this issue Dec 20, 2022 · 10 comments

@Blackbaud-TrevorBurch

Describe the bug
While a fix for the security vulnerability in d3-color was released, that same package is still causing transitive security vulnerabilities, as the vulnerable version is pulled in by other d3 packages (specifically d3-brush, d3-interpolate, d3-scale, and d3-transition) which were not updated.

ngx-charts version
20.1.2

Additional context
First reported on issue #1809 by @uap-universe after it was closed.

@jlquijada

jlquijada commented Dec 23, 2022

I fixed them in my project by manually editing the package-lock.json file, updating the d3 dependency versions to use the latest:

        "node_modules/@swimlane/ngx-charts": {
            "version": "20.1.2",
            "resolved": "https://registry.npmjs.org/@swimlane/ngx-charts/-/ngx-charts-20.1.2.tgz",
            "integrity": "sha512-9uetDtBg++v96R9Nwgf8mvSu+6149FMQEm/jlpbcquUozfC5l+hO9i88tG3REOxnkGS10snGOCVUcPPY03nbxQ==",
            "dependencies": {
                "d3-array": "latest",
                "d3-brush": "latest",
                "d3-color": "latest",
                "d3-format": "latest",
                "d3-hierarchy": "latest",
                "d3-interpolate": "latest",
                "d3-scale": "latest",
                "d3-selection": "latest",
                "d3-shape": "latest",
                "d3-time-format": "latest",
                "d3-transition": "latest",
                "rfdc": "^1.3.0",
                "tslib": "^2.0.0"
            }
        }

After the edit, run npm audit fix, and the messages are gone.

This is a bad situation, as is #1686; that is the reason why I intend to phase out this package in favor of "chart.js": "^4.0.1" ASAP (much simpler, no dependencies, and it does the same job for my project without problems).

@surenlancer7

The above solution has too many changes. Was it working fine in all use cases?

@uap-universe

@marjan-georgiev can you please prioritize this? Plus also fixing any other problems reported by npm audit?

@daiscog

daiscog commented Feb 28, 2023

#1836 should fix this

@3MR1T00

3MR1T00 commented Mar 2, 2023

> I fixed them in my project by manually editing the package-lock.json file, updating the d3 dependency versions to use the latest:
>
>         "node_modules/@swimlane/ngx-charts": {
>             "version": "20.1.2",
>             "resolved": "https://registry.npmjs.org/@swimlane/ngx-charts/-/ngx-charts-20.1.2.tgz",
>             "integrity": "sha512-9uetDtBg++v96R9Nwgf8mvSu+6149FMQEm/jlpbcquUozfC5l+hO9i88tG3REOxnkGS10snGOCVUcPPY03nbxQ==",
>             "dependencies": {
>                 "d3-array": "latest",
>                 "d3-brush": "latest",
>                 "d3-color": "latest",
>                 "d3-format": "latest",
>                 "d3-hierarchy": "latest",
>                 "d3-interpolate": "latest",
>                 "d3-scale": "latest",
>                 "d3-selection": "latest",
>                 "d3-shape": "latest",
>                 "d3-time-format": "latest",
>                 "d3-transition": "latest",
>                 "rfdc": "^1.3.0",
>                 "tslib": "^2.0.0"
>             }
>         }
>
> After the edit, run npm audit fix, and the messages are gone.
>
> This is a bad situation, as is #1686; that is the reason why I intend to phase out this package in favor of "chart.js": "^4.0.1" ASAP (much simpler, no dependencies, and it does the same job for my project without problems).

Not sure how you did this...

In theory this cannot work, as npm audit fix cannot install latest for all the dependencies.

It would be a dependency mismatch. E.g. swimlane v20.1.2 does not allow d3-brush v3.0.0, nor many others. The only ones which are allowed to be major-updated are, I think, d3-color, d3-scale and d3-time-format.

For the others, they can only be minor- or patch-updated; they can't go up from v2.x.x to v3.x.x, which is exactly why we are here. If we could update them to 3.x.x then most definitely the nested dependencies would also be updated and the issue would be fixed.

Normally, if you run npm audit fix in this situation, what happens is that the dependencies go back from latest to their previous state, which would leave it just like it was.

Would you mind elaborating about the whole process in your case?
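
To see why a lock edit to "latest" and a plain npm audit fix pull in different directions, here is an added example (not code from ngx-charts or from any commenter) that walks a constructed package-lock.json and reports which packages' declared ranges for a vulnerable package, here d3-color, cannot reach the fixed 3.x line. The sample lock and its ranges are illustrative, not copied from the real packages.

```javascript
// Added example, not code from the ngx-charts project: scan a package-lock.json
// "packages" map and list every dependent whose declared semver range for a
// vulnerable package cannot reach the fixed major, which is why "npm audit fix"
// leaves those copies on the old line. The lock is constructed; ranges are illustrative.
const sampleLock = {
  lockfileVersion: 2,
  packages: {
    "": { dependencies: { "@swimlane/ngx-charts": "^20.1.2" } },
    "node_modules/@swimlane/ngx-charts": {
      version: "20.1.2",
      dependencies: {
        "d3-color": "^3.1.0", // direct dependency already on the fixed line
        "d3-brush": "^2.1.0",
        "d3-interpolate": "^2.0.1",
        "d3-scale": "^4.0.2",
        "d3-transition": "^2.0.0",
      },
    },
    "node_modules/d3-color": { version: "3.1.0" },
    "node_modules/d3-brush": { version: "2.1.0", dependencies: { "d3-interpolate": "1 - 2" } },
    "node_modules/d3-interpolate": { version: "2.0.1", dependencies: { "d3-color": "1 - 2" } },
    "node_modules/d3-scale": { version: "4.0.2", dependencies: { "d3-interpolate": "1 - 3" } },
    "node_modules/d3-transition": { version: "2.0.0", dependencies: { "d3-color": "1 - 2" } },
  },
};
// Highest major a range can resolve to, for the forms seen in d3 lockfiles:
// "^2.0.0", "~2.0.0", "2.0.0", "2", hyphen ranges "1 - 2", and unconstrained
// "latest" / "*" / ">=...". Unknown syntax is treated as unconstrained (not flagged).
function maxMajorAllowed(range) {
  const r = String(range).trim();
  if (r === "" || r === "*" || r === "latest" || r.startsWith(">")) return Infinity;
  const upper = r.split(" - ").pop(); // "1 - 2" -> "2"
  const m = /^[\^~=]?v?(\d+)/.exec(upper);
  return m ? Number(m[1]) : Infinity;
}
// One {dependent, range, maxMajor} record per package whose range on
// `vulnerable` tops out below `fixedMajor`.
function findBlockedDependents(lock, vulnerable, fixedMajor) {
  const blocked = [];
  for (const [path, entry] of Object.entries(lock.packages)) {
    const range = entry.dependencies && entry.dependencies[vulnerable];
    if (range === undefined) continue;
    const maxMajor = maxMajorAllowed(range);
    const dependent = path.replace(/^.*node_modules\//, "") || "(root)";
    if (maxMajor < fixedMajor) blocked.push({ dependent, range, maxMajor });
  }
  return blocked;
}
```

Running findBlockedDependents(sampleLock, "d3-color", 3) on this lock flags d3-interpolate and d3-transition: both declare "1 - 2", so only a new release of those packages (or of the range they declare) can move the nested d3-color copy to 3.x.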

@sushmeex

Facing a similar issue in our project; we are on the latest ngx-charts and d3 versions.

@ysk3a

ysk3a commented Apr 16, 2023

Was just about to post an issue regarding this.
Been trying to use it in my Angular 15 (will also upgrade to 16 when released) project but came across those vulnerabilities.
Am looking forward to the fix and update.

@queejie

queejie commented Apr 24, 2023

I'm getting a sense that this package is possibly no longer in active development, since fixes were posted in Feb but not merged?

@daiscog

daiscog commented Jun 14, 2023

@surya-pabbineedi thanks for merging #1836

Unfortunately it does not fix the issue as the dependencies declared in the lib's individual package.json were not updated, so npm is still pulling in the old d3 deps:

I've created #1874 to fix that. Can you please look to merge this ASAP?

Thanks.

@surya-pabbineedi
Contributor

v20.4.1 has been published to address the vulnerabilities. Thanks!