Latest version suffering from High transitive security vulnerabilities #1830
Comments
I fixed them in my project by manually editing the package-lock.json file, updating the d3 dependencies' versions to use the latest:

```json
"node_modules/@swimlane/ngx-charts": {
  "version": "20.1.2",
  "resolved": "https://registry.npmjs.org/@swimlane/ngx-charts/-/ngx-charts-20.1.2.tgz",
  "integrity": "sha512-9uetDtBg++v96R9Nwgf8mvSu+6149FMQEm/jlpbcquUozfC5l+hO9i88tG3REOxnkGS10snGOCVUcPPY03nbxQ==",
  "dependencies": {
    "d3-array": "latest",
    "d3-brush": "latest",
    "d3-color": "latest",
    "d3-format": "latest",
    "d3-hierarchy": "latest",
    "d3-interpolate": "latest",
    "d3-scale": "latest",
    "d3-selection": "latest",
    "d3-shape": "latest",
    "d3-time-format": "latest",
    "d3-transition": "latest",
    "rfdc": "^1.3.0",
    "tslib": "^2.0.0"
  }
},
```

After the edit, run This is a bad situation, as #1686, that is the reason why I intend to phase-out this package in favor of
The above solution has too many changes. Was it working fine in all use cases?

@marjan-georgiev can you please prioritize this? Plus also fixing any other problems reported by npm audit?

#1836 should fix this

Not sure how you did this... In idea this can not work, as it would be a dependency mismatch. Ex: For the others, they can only be minor or patch updated, they can't go up from Normally if you run Would you mind elaborating about the whole process in your case?

Was just about to post an issue regarding this.

I'm getting a sense that this package is possibly no longer in active development, since fixes were posted in Feb but not merged?

@surya-pabbineedi thanks for merging #1836. Unfortunately it does not fix the issue, as the dependencies declared in the lib's individual package.json were not updated, so npm is still pulling in the old d3 deps. I've created #1874 to fix that. Can you please look to merge this ASAP? Thanks.
Describe the bug
While a fix for the security vulnerability in d3-color was released, that same package is still causing transitive security vulnerabilities, as the vulnerable version is pulled in by other d3 packages (specifically d3-brush, d3-interpolate, d3-scale, and d3-transition) which were not updated.

Screenshots

ngx-charts version
20.1.2

Additional context
First reported on issue #1809 by @uap-universe after it was closed
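The bug report describes an old d3-color being pulled in through other d3 packages even though the top-level copy is fixed, and the first comment worked around it by editing package-lock.json by hand. The script below is an added example, not code from the ngx-charts project or from anyone in this thread: it walks the `packages` map of a lockfileVersion 2/3 package-lock.json the way npm resolves nested `node_modules` directories and lists every dependency chain that ends in an affected version, so you can see exactly which intermediate packages keep the old copy alive. The lock data, version numbers and ranges embedded in it are constructed for illustration, and the `3.1.0` boundary for d3-color is an assumed value; take the real boundary from the advisory that `npm audit` cites.

```javascript
// Added example (not code from the ngx-charts project or this thread).
// Walks a lockfileVersion 2/3 package-lock.json "packages" map and lists every
// dependency chain that resolves to a version below an assumed fixed version.

// Assumption for illustration: treat d3-color < 3.1.0 as the affected range.
// Replace with the boundary from the advisory your `npm audit` output cites.
const FIXED_VERSIONS = { "d3-color": "3.1.0" };

// Constructed sample lock data: versions and ranges are made up for the
// walkthrough and are not the project's real package-lock.json.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { "@swimlane/ngx-charts": "^20.1.2", "d3-color": "^3.1.0" } },
    "node_modules/d3-color": { version: "3.1.0" },
    "node_modules/@swimlane/ngx-charts": {
      version: "20.1.2",
      dependencies: { "d3-brush": "^2.1.0", "d3-color": "^2.0.0", "d3-interpolate": "^2.0.1" },
    },
    // Nested copy installed because the parent's range excludes 3.x.
    "node_modules/@swimlane/ngx-charts/node_modules/d3-color": { version: "2.0.0" },
    "node_modules/d3-brush": {
      version: "2.1.0",
      dependencies: { "d3-interpolate": "^2.0.1", "d3-transition": "^2.0.0" },
    },
    "node_modules/d3-interpolate": { version: "2.0.1", dependencies: { "d3-color": "^2.0.0" } },
    "node_modules/d3-interpolate/node_modules/d3-color": { version: "2.0.0" },
    "node_modules/d3-transition": { version: "2.0.0", dependencies: { "d3-color": "^3.0.0" } },
  },
};

// Compare "x.y.z" strings numerically (pre-release suffixes are ignored).
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Mirror npm's lookup: try the nearest nested node_modules, then walk up
// towards the root until an installed copy of `name` is found.
function resolveDep(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + name;
    if (packages[candidate]) return candidate;
    if (base === "") return null;
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

// Return every chain (array of "name@version" strings, root omitted) that ends
// in an affected version. A per-chain stack guards against dependency cycles.
function findVulnerableChains(lock, fixedVersions) {
  const packages = lock.packages;
  const chains = [];
  function walk(path, chain, onStack) {
    const entry = packages[path];
    for (const depName of Object.keys(entry.dependencies || {})) {
      const depPath = resolveDep(packages, path, depName);
      if (depPath === null || onStack.has(depPath)) continue; // missing or cycle
      const version = packages[depPath].version;
      const next = chain.concat(`${depName}@${version}`);
      const fixed = fixedVersions[depName];
      if (fixed && compareVersions(version, fixed) < 0) chains.push(next);
      onStack.add(depPath);
      walk(depPath, next, onStack);
      onStack.delete(depPath);
    }
  }
  walk("", [], new Set([""]));
  return chains;
}

// One line per offending chain, e.g. "a@1.0.0 > b@2.0.0 > d3-color@2.0.0".
function report(lock, fixedVersions) {
  return findVulnerableChains(lock, fixedVersions).map((c) => c.join(" > "));
}

if (typeof require !== "undefined" && require.main === module) {
  // Use a real lock file when a path is given, otherwise the constructed sample.
  const fs = require("fs");
  const lock = process.argv[2] ? JSON.parse(fs.readFileSync(process.argv[2], "utf8")) : SAMPLE_LOCK;
  for (const line of report(lock, FIXED_VERSIONS)) console.log(line);
}
```

On the sample data this prints three chains, all through @swimlane/ngx-charts, while the d3-transition route resolves to the fixed top-level copy and is silent. Run it as `node check-lock.js path/to/package-lock.json` (the file name is assumed). Because `npm install` regenerates package-lock.json, a hand edit like the one in the first comment does not survive the next install; the durable way to force a transitive version in npm 8.3 and later is the `overrides` field in package.json, and the chain listing tells you which intermediate packages the override has to cover.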