Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Use of library with vulnerabilities #2133

Closed
pedrocastillob10 opened this issue Sep 23, 2022 · 30 comments
Closed

Use of library with vulnerabilities #2133

pedrocastillob10 opened this issue Sep 23, 2022 · 30 comments

Comments

@pedrocastillob10
Copy link

Is your feature request related to a problem? Please describe.
The d3-color library has vulnerabilities in version 1-2

Describe the solution you'd like
Update d3-color to version 3 or higher

Describe alternatives you've considered
A clear and concise description of any alternative solutions or features you've considered.

Additional context
Add any other context or screenshots about the feature request here.
@plouc
Copy link
Owner

plouc commented Sep 26, 2022

Upgrading d3-color is actually a lot of work, d3 packages are now released in modern JS, while nivo supports older browsers, we need to change the build/release workflow for that, and probably upgrade some other packages as well.

@taniarascia
Copy link

It seems like due to this recent update: GHSA-36jr-mh4h-2g58 this vulnerability is now being flagged in all audits.

@tony-scio
Copy link

This came up as a high severity vulnerability in our audit too and we need to act on it.

@plouc Given it's a lot of work, I'm wondering if you could guess at some rough timeframe. If days or weeks, we might be able to suppress the warning. If months, we might need to switch charting libraries.

@brendantdoyle
Copy link

Echoing @tony-scio comment/concern, would be great to get an idea on a timeframe for this. Thank you

@AdrianMrn
Copy link

It seems like setting a resolution in my package.json "just works". I don't get any errors, my graphs still render without problems (only bar and line charts).

"resolutions": {
    "d3-color": "^3.1.0"
}

Don't forget to run yarn/npm install after setting the resolution.

@plouc
Copy link
Owner

plouc commented Oct 7, 2022

That's weird, I remember having issues with it, I'll give it another try then (I tried to upgrade once in #1743), a bit hard to give a timeframe as it really depends on the time I can find to work on the project, but I'll try to have a look at it next week.

Repository owner deleted a comment from devchris Oct 7, 2022
Repository owner deleted a comment from julioxavierr Oct 7, 2022
@AdrianMrn
Copy link

@plouc It's probably not causing any issues for me because I think we're using an ESM ready bundler (not 100% sure tbh, setup was not done by me). I did have to add d3-color to my jest.transformIgnorePatterns for the tests to run. I haven't gone through the steps to get our Jest setup ready for ESM-only packages.

@danicase
Copy link

It seems like setting a resolution in my package.json "just works". I don't get any errors, my graphs still render without problems (only bar and line charts).

"resolutions": {
    "d3-color": "^3.1.0"
}

Don't forget to run yarn/npm install after setting the resolution.

This work with yarn only.
Npm equivalent to yarn resolutions is overrides.

"overrides": {
    "d3-color": "^3.1.0"
  }

It was released in npm v8.3.0
https://docs.npmjs.com/cli/v8/configuring-npm/package-json#overrides

@julioxavierr
Copy link

It seems like setting a resolution in my package.json "just works". I don't get any errors, my graphs still render without problems (only bar and line charts).

"resolutions": {
    "d3-color": "^3.1.0"
}

Don't forget to run yarn/npm install after setting the resolution.

@AdrianMrn Do you mind sharing what bundler you're using?

I get the following ESM error w/ Next.js

web:build: Error [ERR_REQUIRE_ESM]: require() of ES Module path/node_modules/d3-color/src/index.js from path/node_modules/d3-interpolate/dist/d3-interpolate.js not supported.
web:build: Instead change the require of index.js in path/node_modules/d3-interpolate/dist/d3-interpolate.js to a dynamic import() which is available in all CommonJS modules.

@AdrianMrn
Copy link

@julioxavierr We're using CRA which uses Webpack 4.

@hollinwakefield
Copy link

@plouc Thanks for this awesome library! Do you have an update on addressing the vulnerabilities?

@db-qc
Copy link

db-qc commented Oct 26, 2022

@plouc Also just wanted to say thanks for the library and adding my voice to those who are waiting patiently for an update :)

@ebk46
Copy link

ebk46 commented Nov 14, 2022

Echoing the others in this thread - we love nivo, but this pesky vulnerability is problematic. Any updates on when this might be addressed? Thanks!

@tylercrosse
Copy link

Here's the relevant pull request to get this updated. There's a linked request to resolve the test failures on it. #2142

@acherkashin
Copy link

@plouc Do we have any plans about solving this issue? The issue is opened for 3 months already, and I'm wondering whether I need to come up with plan b instead of waiting for vulnerability fix in Nivo.

@NeurAlch
Copy link

NeurAlch commented Jan 18, 2023
edited
Loading

Just installed nivo for a new project, loving the docs and code base, we're replacing FusionCharts and will probably be adding some sponsoring if used, but getting 14 high severity vulnerabilities so the lib use might get rejected, will try the #2133 (comment)

Update: seems to be a temporary solution

@shehi
Copy link

shehi commented Jan 20, 2023

npm overrides workaround mentioned above doesn't work. Next 13 with React 18 here.

@joaopedromatias
Copy link
Contributor

package.json overrides does not working here, I'm using Remix JS.

Is there any effort of yours in order to solve this vulnerability?

@AmirHmZz
Copy link

AmirHmZz commented Feb 5, 2023

Any updates on this?

@ghost
Copy link

ghost commented Mar 1, 2023

Hello, are there any plans to update the library to address these vulnerabilities?

High            d3-color vulnerable to ReDoS   
Package         d3-color   
Patched in      >=3.1.0

Thank you for your time.

@acherkashin
Copy link

@plouc I understand it is time-consuming to fix the issue and very disappointing that many people come and put pressure by asking to fix it, in the same way as I do.

Maybe you could explain your vision and what should be done, and we could help you get it done?

@AmirHmZz
Copy link

AmirHmZz commented Mar 1, 2023
edited
Loading

@acherkashin I think @plouc made it clear before #2142 (comment).

unfortunately, the money I get/got for this project is far from being on par with the time/efforts I've put in it, I use open collective mainly because it was easy to setup and works for where I live, I don't want to have more things to manage 😅 It would also be hard for me to commit on specific features to be built, and I think if people wants some specific feature, they should pay for it, it should not be based on some kind of gamble on donations IMHO, it's work.

@plouc
Copy link
Owner

plouc commented Apr 27, 2023

@AmirHmZz, it's out of context, and not a vision, I was simply replying to:

Update: Just joined your Backers list in OpenCollective to support the project. You should really monetize your project as many open-source devs do (I love how electron-userland/electron-builder does it, calling for financial support for the features they build - the highest donation receiving features get built in no time).

My main concern for upgrading D3 dependencies was more about this:

My main concern with updating d3 packages is that it could impact the build/test setup for users (it's already the case for jest in this repo), I understand that d3 wants to move forward and to create packages written in modern JS, but the reality is a bit different IMHO, we still have to support older browsers, platforms... This could really have a huge impact, that being said, I didn't have time to test what this impact is.

But I did upgrade d3-color in 0.81.0, which is unfortunately already breaking for several users, I'm not the only one facing this issue, I've added more context in the issue. And this will not be easy to address.

@stale
Copy link

stale bot commented Aug 7, 2023

This issue has been automatically marked as stale. If this issue is still affecting you, please leave any comment (for example, "bump"), and we'll keep it open. We are sorry that we haven't been able to prioritize it yet. If you have any new additional information, please include it with your comment!

@stale stale bot added the stale label Aug 7, 2023
@shehi
Copy link

shehi commented Aug 7, 2023 via email

@tatosjb
Copy link

tatosjb commented Aug 8, 2023

This is related to those dependencies.
Probably the owners stopped to support, so in order to fix the vulnerability, this lib needs to update to 3.1.0.

d3/d3-scale-chromatic#43

Also, this one, that uses 3.0.1
https://github.com/d3/d3-interpolate/blob/main/yarn.lock#L271

@stale stale bot removed the stale label Aug 8, 2023
@stale Stale
Copy link

stale bot commented Dec 15, 2023

This issue has been automatically marked as stale. If this issue is still affecting you, please leave any comment (for example, "bump"), and we'll keep it open. We are sorry that we haven't been able to prioritize it yet. If you have any new additional information, please include it with your comment!

@stale stale bot added the stale label Dec 15, 2023
@shehi
Copy link

shehi commented Dec 15, 2023 via email

@stale stale bot removed the stale label Dec 15, 2023
@hooch
Copy link

hooch commented Jan 22, 2024

Believe that this issue would be resolved by merging #2466

@plouc
Copy link
Owner

plouc commented Mar 8, 2024

Solved in 0.85.1.

@plouc plouc closed this as completed Mar 8, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests