Bump d3-color #1728

Closed
foreseeti-adam opened this issue Aug 23, 2021 · 20 comments

@foreseeti-adam

Hi,

d3-color version <3.0.0, which is used in some of your packages, is vulnerable to ReDoS, hence it would be a good idea to bump this (if possible) in your next release.

Thank you for providing a great visualization tool!

@plouc
Owner

plouc commented Aug 24, 2021

Hi @foreseeti-adam, thank you for reporting this issue. As it's a major version change, we would have to investigate a little bit before migrating. If the only change is the adoption of modules, it shouldn't be an issue though, as we already use ESM.

@stale

stale bot commented Nov 22, 2021

This issue has been automatically marked as stale. If this issue is still affecting you, please leave any comment (for example, "bump"), and we'll keep it open. We are sorry that we haven't been able to prioritize it yet. If you have any new additional information, please include it with your comment!

@stale stale bot added the stale label Nov 22, 2021
@huornlmj

Bump, d3-color@2.0.0 has a Regular Expression Denial of Service vulnerability via the rgb() and hrc() functions since August 2020. Popular composition analysis tools are thus flagging nivo as introducing a vulnerable 3rd party component.

@stale stale bot removed the stale label Nov 25, 2021
@stale

stale bot commented Feb 24, 2022

This issue has been automatically marked as stale. If this issue is still affecting you, please leave any comment (for example, "bump"), and we'll keep it open. We are sorry that we haven't been able to prioritize it yet. If you have any new additional information, please include it with your comment!

@stale stale bot added the stale label Feb 24, 2022
@stale

stale bot commented Mar 3, 2022

Closing this issue after a prolonged period of inactivity. If this issue is still present in the latest release, please create a new issue with up-to-date information. Thank you!

@stale stale bot closed this as completed Mar 3, 2022
@dnoji

dnoji commented Sep 16, 2022

The d3-color package is still being flagged by security tools. Can this be upgraded to 3.1.0 in the next release?

@marcospassos

Hey guys, any news on this?

@B0lemix

B0lemix commented Feb 26, 2023

Still being flagged as vulnerable to ReDoS and no fix available.

@IshfaqAhmedProg

@plouc any fix for this?

@dnoji

dnoji commented Jul 20, 2023

The d3-color package is still being flagged by security tools. Can this be upgraded to 3.1.0 in the next release?

I think it might have been fixed in this release by #2142

@jvu1

jvu1 commented Jul 27, 2023

The vulnerability still exists for me because two of nivo's dependencies: d3-interpolate@2.0.1 and d3-scale-chromatic@2.0.0 still use version 2.0.0 of d3-color.

Anybody still getting flagged after updating to v0.82.0 or greater?

Update: Just saw this issue that was closed: #2348, but it doesn't seem to be included in the latest release?

@RikuRuokonen

This still seems to be an issue?

It seems that /d3-scale-chromatic@2.0.0 still uses v.2.0.0 of d3-color.

Subsequently, /@nivo/core@0.83.0 (latest one) seems to use said version in d3-scale-chromatic.

@adrian-meditect

adrian-meditect commented Oct 30, 2023

Unfortunately, I confirm what @RikuRuokonen is saying. After upgrading to the latest release 0.83, I still have this issue.
Here are the yarn.lock dependencies proving the problem.

This issue should be re-opened please @plouc 🙏

"@nivo/colors@0.83.0":
  version "0.83.0"
  resolved "https://registry.yarnpkg.com/@nivo/colors/-/colors-0.83.0.tgz#e8afb2ec10ceb2c0d2b2407f01e11c197c57f78d"
  integrity sha512-n34LWYtE2hbd1fdCDP7TCHNZdbiO1PwcvXLo0VsKK5lNPY/FA5SXA7Z9Ubl/ChSwBwbzAsaAhjTy8KzKzSjDcA==
  dependencies:
    "@nivo/core" "0.83.0"
    "@types/d3-color" "^2.0.0"
    "@types/d3-scale" "^3.2.3"
    "@types/d3-scale-chromatic" "^2.0.0"
    "@types/prop-types" "^15.7.2"
    d3-color "^3.1.0"
    d3-scale "^3.2.3"
    d3-scale-chromatic "^2.0.0"
    lodash "^4.17.21"
    prop-types "^15.7.2"

"d3-interpolate@1 - 2", "d3-interpolate@1.2.0 - 2", d3-interpolate@^2.0.1:
  version "2.0.1"
  resolved "https://registry.yarnpkg.com/d3-interpolate/-/d3-interpolate-2.0.1.tgz#98be499cfb8a3b94d4ff616900501a64abc91163"
  integrity sha512-c5UhwwTs/yybcmTpAVqwSFl6vrQ8JZJoT5F7xNFK9pymv5C0Ymcc9/LIJHtYIggg/yS9YHw8i8O8tgb9pupjeQ==
  dependencies:
    d3-color "1 - 2"

d3-path@1:
  version "1.0.9"
  resolved "https://registry.yarnpkg.com/d3-path/-/d3-path-1.0.9.tgz#48c050bb1fe8c262493a8caf5524e3e9591701cf"
  integrity sha512-VLaYcn81dtHVTjEHd8B+pbe9yHWpXKZUC87PzoFmsFrJqgFwDe/qxfp5MlfsfM1V5E/iVt0MmEbWQ7FVIXh/bg==

d3-scale-chromatic@^2.0.0:
  version "2.0.0"
  resolved "https://registry.yarnpkg.com/d3-scale-chromatic/-/d3-scale-chromatic-2.0.0.tgz#c13f3af86685ff91323dc2f0ebd2dabbd72d8bab"
  integrity sha512-LLqy7dJSL8yDy7NRmf6xSlsFZ6zYvJ4BcWFE4zBrOPnQERv9zj24ohnXKRbyi9YHnYV+HN1oEO3iFK971/gkzA==
  dependencies:
    d3-color "1 - 2"
    d3-interpolate "1 - 2"

"d3-color@1 - 2":
  version "2.0.0"
  resolved "https://registry.yarnpkg.com/d3-color/-/d3-color-2.0.0.tgz#8d625cab42ed9b8f601a1760a389f7ea9189d62e"
  integrity sha512-SPXi0TSKPD4g9tw0NMZFnR95XVgUZiBH+uUTqQuDu1OsE2zomHU7ho0FISciaPvosimixwHFl3WHLGabv6dDgQ==

@tomyste

tomyste commented Nov 1, 2023

The same for me

d3-color <3.1.0
Severity: high
d3-color vulnerable to ReDoS - GHSA-36jr-mh4h-2g58
No fix available
node_modules/d3-interpolate/node_modules/d3-color
node_modules/d3-scale-chromatic/node_modules/d3-color
d3-interpolate 0.1.3 - 2.0.1
Depends on vulnerable versions of d3-color
node_modules/d3-interpolate
@nivo/core *
Depends on vulnerable versions of @nivo/tooltip
Depends on vulnerable versions of d3-interpolate
Depends on vulnerable versions of d3-scale
Depends on vulnerable versions of d3-scale-chromatic
node_modules/@nivo/core
@nivo/annotations *
Depends on vulnerable versions of @nivo/colors
Depends on vulnerable versions of @nivo/core
node_modules/@nivo/annotations
@nivo/line *
Depends on vulnerable versions of @nivo/annotations
Depends on vulnerable versions of @nivo/axes
Depends on vulnerable versions of @nivo/colors
Depends on vulnerable versions of @nivo/core
Depends on vulnerable versions of @nivo/legends
Depends on vulnerable versions of @nivo/scales
Depends on vulnerable versions of @nivo/tooltip
Depends on vulnerable versions of @nivo/voronoi
node_modules/@nivo/line
@nivo/axes *
Depends on vulnerable versions of @nivo/core
Depends on vulnerable versions of @nivo/scales
node_modules/@nivo/axes
@nivo/colors *
Depends on vulnerable versions of @nivo/core
Depends on vulnerable versions of d3-scale
Depends on vulnerable versions of d3-scale-chromatic
node_modules/@nivo/colors
@nivo/legends 0.56.0 - 0.62.0 || >=0.63.1
Depends on vulnerable versions of @nivo/colors
Depends on vulnerable versions of @nivo/core
Depends on vulnerable versions of d3-scale
node_modules/@nivo/legends
@nivo/tooltip *
Depends on vulnerable versions of @nivo/core
node_modules/@nivo/tooltip
@nivo/voronoi *
Depends on vulnerable versions of @nivo/core
Depends on vulnerable versions of d3-scale
node_modules/@nivo/voronoi
d3-scale 0.1.5 - 3.3.0
Depends on vulnerable versions of d3-interpolate
node_modules/d3-scale
@nivo/scales *
Depends on vulnerable versions of d3-scale
node_modules/@nivo/scales
d3-scale-chromatic 0.1.0 - 2.0.0
Depends on vulnerable versions of d3-color
Depends on vulnerable versions of d3-interpolate
node_modules/d3-scale-chromatic

And, now I use
"@nivo/core": "^0.83.0",
"@nivo/line": "^0.83.0",

@plouc
Owner

plouc commented Nov 14, 2023

This should be fixed in 0.83.1.

@Dmo16

Dmo16 commented Nov 21, 2023

Sunburst is still showing vulnerability, but maybe it needs a new issue for tracking?

# npm audit report

d3-color  <3.1.0
Severity: high
d3-color vulnerable to ReDoS - https://github.com/advisories/GHSA-36jr-mh4h-2g58
fix available via `npm audit fix --force`
Will install @nivo/sunburst@0.55.0, which is a breaking change
node_modules/d3-interpolate/node_modules/d3-color
node_modules/d3-scale-chromatic/node_modules/d3-color
  d3-interpolate  0.1.3 - 2.0.1
  Depends on vulnerable versions of d3-color
  node_modules/d3-interpolate
    d3-scale  0.1.5 - 3.3.0
    Depends on vulnerable versions of d3-interpolate
    node_modules/d3-scale
      @nivo/core  *
      Depends on vulnerable versions of @nivo/tooltip
      Depends on vulnerable versions of d3-scale
      node_modules/@nivo/core
        @nivo/colors  *
        Depends on vulnerable versions of @nivo/core
        Depends on vulnerable versions of d3-scale
        Depends on vulnerable versions of d3-scale-chromatic
        node_modules/@nivo/colors
          @nivo/arcs  *
          Depends on vulnerable versions of @nivo/colors
          Depends on vulnerable versions of @nivo/core
          node_modules/@nivo/arcs
            @nivo/sunburst  *
            Depends on vulnerable versions of @nivo/arcs
            Depends on vulnerable versions of @nivo/colors
            Depends on vulnerable versions of @nivo/core
            Depends on vulnerable versions of @nivo/tooltip
            node_modules/@nivo/sunburst
        @nivo/tooltip  *
        Depends on vulnerable versions of @nivo/core
        node_modules/@nivo/tooltip
    d3-scale-chromatic  0.1.0 - 2.0.0
    Depends on vulnerable versions of d3-color
    Depends on vulnerable versions of d3-interpolate
    node_modules/d3-scale-chromatic

@jvu1

jvu1 commented Nov 27, 2023

This should be fixed in 0.83.1.

@plouc Updating to v0.84.0 (below) did not address the issue fully.

"@nivo/bar": "^0.84.0",
"@nivo/core": "^0.84.0",
"@nivo/line": "^0.84.0",
"@nivo/pie": "^0.84.0",
"@nivo/radial-bar": "^0.84.0",

It looks like @nivo/bar has dependencies that still rely on d3-color@2.0.0. Dependency tree below:

├─┬ @nivo/bar@0.84.0 invalid: "^0.83.0" from the root project
│ ├─┬ @nivo/colors@0.84.0
│ │ ├── d3-color@3.1.0 deduped
│ │ └─┬ d3-scale-chromatic@2.0.0
│ │   └── d3-color@2.0.0
│ └─┬ d3-scale@3.3.0
│   └─┬ d3-interpolate@2.0.1
│     └── d3-color@2.0.0

@radikrisffnext

@jvu1 +1 on this.
We have the same issue, any update on this?

@HitCodeCyber

I think that unless d3-scale-chromatic is updated to a higher version, it won't be fixed.

@Nestyko

Nestyko commented Jan 19, 2024

I think this is still an active issue. What I did to solve it was to use yarn and set the resolutions to force the usage of a safe version of d3-color.

package.json

{
  "resolutions": {
    "d3-color": "^3.1.0"
  }
}
npm ls d3-color
npm ERR! code ELSPROBLEMS
npm ERR! invalid: d3-color@3.1.0 /Users/reacted/company/project/node_modules/d3-color
company-proejct@0.1.0 /Users/redacted/company/project
├─┬ @nivo/core@0.84.0
│ ├── d3-color@3.1.0
│ ├─┬ d3-interpolate@3.0.1
│ │ └── d3-color@3.1.0 deduped
│ ├─┬ d3-scale-chromatic@3.0.0
│ │ └── d3-color@3.1.0 deduped
│ └─┬ d3-scale@3.3.0
│   └─┬ d3-interpolate@2.0.1
│     └── d3-color@3.1.0 deduped invalid: "1 - 2" from node_modules/d3-scale/node_modules/d3-interpolate
└─┬ @nivo/line@0.84.0
  └─┬ @nivo/colors@0.84.0
    ├── d3-color@3.1.0 deduped
    └─┬ d3-scale-chromatic@2.0.0
      ├── d3-color@3.1.0 deduped invalid: "1 - 2" from node_modules/d3-scale/node_modules/d3-interpolate, "1 - 2" from node_modules/@nivo/colors/node_modules/d3-scale-chromatic
      └─┬ d3-interpolate@2.0.1
        └── d3-color@3.1.0 deduped invalid: "1 - 2" from node_modules/d3-scale/node_modules/d3-interpolate, "1 - 2" from node_modules/@nivo/colors/node_modules/d3-scale-chromatic, "1 - 2" from node_modules/@nivo/colors/node_modules/d3-interpolate


npm ERR! A complete log of this run can be found in: /Users/redacted/.npm/_logs/2024-01-19T06_27_42_820Z-debug-0.log

And well, just hope it works.
My use case is very simple and is not breaking, but I cannot guarantee this will work 100%.
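The dependency trees posted by @jvu1 and @Nestyko above show that bumping the top-level d3-color is not enough, because d3-interpolate@2 and d3-scale-chromatic@2 each carry their own nested copy. As an added example (not code from the nivo project or from anyone in this thread), here is a small Node script that walks a package-lock.json and lists every installed copy of d3-color below 3.1.0, which is the check I'd run after applying a resolutions or overrides entry. The lock data is constructed inline, and `parseVersion`, `versionLessThan` and `findVulnerableCopies` are names I chose.

```javascript
// Added example, not nivo's code: list every installed copy of a package in a
// package-lock.json (lockfileVersion 2/3) whose version is below the fixed release.
// Nested copies like node_modules/d3-interpolate/node_modules/d3-color are what
// npm audit flagged above, so a top-level d3-color@3.1.0 alone is not enough.
function parseVersion(v) {  // "MAJOR.MINOR.PATCH" -> [major, minor, patch]
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// True when version a is strictly lower than version b (pre-release tags ignored).
function versionLessThan(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i];
  }
  return false;
}

// Return every install path of `name` whose version is below `fixedIn`. `lock` is the
// parsed lockfile; its "packages" map is keyed by install path ("" for the root,
// "node_modules/x", "node_modules/x/node_modules/y", ...). Scoped names such as
// @nivo/core need no special handling because the name already contains its slash.
function findVulnerableCopies(lock, name, fixedIn) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const isCopy = path === `node_modules/${name}` || path.endsWith(`/node_modules/${name}`);
    if (isCopy && meta.version && versionLessThan(meta.version, fixedIn)) {
      hits.push({ path, version: meta.version });
    }
  }
  return hits;
}

// Constructed sample mirroring the tree reported in this thread: a fixed top-level
// d3-color plus two nested 2.0.0 copies under d3-interpolate@2 and d3-scale-chromatic@2.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "sample-app", version: "1.0.0" },
    "node_modules/d3-color": { version: "3.1.0" },
    "node_modules/d3-interpolate": { version: "2.0.1" },
    "node_modules/d3-interpolate/node_modules/d3-color": { version: "2.0.0" },
    "node_modules/d3-scale-chromatic": { version: "2.0.0" },
    "node_modules/d3-scale-chromatic/node_modules/d3-color": { version: "2.0.0" },
  },
};

// GHSA-36jr-mh4h-2g58 is fixed in d3-color 3.1.0, per the audit output in this thread.
findVulnerableCopies(SAMPLE_LOCK, "d3-color", "3.1.0")
  .forEach(h => console.log(`${h.path}: ${h.version} < 3.1.0`));
```

To run it against a real project, replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; yarn.lock is a different format and needs its own parser.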
