Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

chore(deps): bump d3-color from 2.0.0 to 3.1.0 #2142

Merged
merged 2 commits into from
Mar 10, 2023

Conversation

dependabot[bot]
Copy link
Contributor

@dependabot dependabot bot commented on behalf of github Sep 30, 2022

Bumps d3-color from 2.0.0 to 3.1.0.

Release notes

Sourced from d3-color's releases.

v3.1.0

v3.0.1

  • Make build reproducible.

v3.0.0

  • Adopt type: module.

This package now requires Node.js 12 or higher. For more, please read Sindre Sorhus’s FAQ.

Commits

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  • @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
  • @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
  • @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
  • @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.

@dependabot dependabot bot added the dependencies Pull requests that update a dependency file label Sep 30, 2022
@codesandbox-ci
Copy link

codesandbox-ci bot commented Sep 30, 2022

This pull request is automatically built and testable in CodeSandbox.

To see build info of the built libraries, click here or the icon next to each commit SHA.

Latest deployment of this branch, based on commit 64790e6:

Sandbox Source
nivo Configuration

@shehi
Copy link

shehi commented Oct 1, 2022

I am getting high severity vulnerability report from npm:

# npm audit report

d3-color  <3.1.0
Severity: high
d3-color vulnerable to ReDoS - https://github.com/advisories/GHSA-36jr-mh4h-2g58
fix available via `npm audit fix --force`
Will install @nivo/line@0.55.0, which is a breaking change
node_modules/d3-color
  @nivo/colors  *
  Depends on vulnerable versions of @nivo/core
  Depends on vulnerable versions of d3-color
  node_modules/@nivo/colors
    @nivo/annotations  *
    Depends on vulnerable versions of @nivo/colors
    node_modules/@nivo/annotations
      @nivo/line  *
      Depends on vulnerable versions of @nivo/annotations
      Depends on vulnerable versions of @nivo/axes
      Depends on vulnerable versions of @nivo/colors
      Depends on vulnerable versions of @nivo/core
      Depends on vulnerable versions of @nivo/scales
      node_modules/@nivo/line
    @nivo/bar  *
    Depends on vulnerable versions of @nivo/axes
    Depends on vulnerable versions of @nivo/colors
    Depends on vulnerable versions of @nivo/core
    Depends on vulnerable versions of @nivo/scales
    Depends on vulnerable versions of @nivo/tooltip
    node_modules/@nivo/bar
  @nivo/core  *
  Depends on vulnerable versions of @nivo/tooltip
  Depends on vulnerable versions of d3-color
  Depends on vulnerable versions of d3-interpolate
  Depends on vulnerable versions of d3-scale-chromatic
  node_modules/@nivo/core
    @nivo/axes  *
    Depends on vulnerable versions of @nivo/core
    Depends on vulnerable versions of @nivo/scales
    node_modules/@nivo/axes
    @nivo/legends  >=0.56.0
    Depends on vulnerable versions of @nivo/core
    node_modules/@nivo/legends
    @nivo/tooltip  *
    Depends on vulnerable versions of @nivo/core
    node_modules/@nivo/tooltip
    @nivo/voronoi  *
    Depends on vulnerable versions of @nivo/core
    Depends on vulnerable versions of d3-scale
    node_modules/@nivo/voronoi
  d3-interpolate  0.1.3 - 2.0.1
  Depends on vulnerable versions of d3-color
  node_modules/d3-interpolate
    d3-scale  0.1.5 - 3.3.0
    Depends on vulnerable versions of d3-interpolate
    node_modules/d3-scale
      @nivo/scales  *
      Depends on vulnerable versions of d3-scale
      node_modules/@nivo/scales
    d3-scale-chromatic  0.1.0 - 2.0.0
    Depends on vulnerable versions of d3-color
    Depends on vulnerable versions of d3-interpolate
    node_modules/d3-scale-chromatic

14 high severity vulnerabilities

Will this upgrade be coming anytime soon?

@ollwenjones
Copy link
Contributor

Might make more sense to upgrade all d3 pacakges, not just one.

@acherkashin
Copy link

We are getting a vulnerability report as well, so I'm interested in this fix too.

@RustyRaven621
Copy link

High vulnerability here

@RustyRaven621
Copy link

seems related to d3/d3-interpolate#96

@tylercrosse
Copy link

tylercrosse commented Nov 16, 2022

@jberney put up a pull request to resolve the test failures. Is that the last hurdle to getting this merged? I'm also on the hook to get the d3-color security vulnerability resolved.

@S30tt
Copy link

S30tt commented Dec 13, 2022

Hi,

Any chance of a status update on this PR?

@shehi
Copy link

shehi commented Jan 2, 2023

Can someone rerun this build for us to see the logs please? This issue is as important as React-18 upgrade right now, or even more.

@dependabot dependabot bot force-pushed the dependabot/npm_and_yarn/d3-color-3.1.0 branch from 785cda8 to 9be1bd0 Compare January 23, 2023 13:35
Bumps [d3-color](https://github.com/d3/d3-color) from 2.0.0 to 3.1.0.
- [Release notes](https://github.com/d3/d3-color/releases)
- [Commits](d3/d3-color@v2.0.0...v3.1.0)

---
updated-dependencies:
- dependency-name: d3-color
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot force-pushed the dependabot/npm_and_yarn/d3-color-3.1.0 branch from 9be1bd0 to f8de625 Compare January 23, 2023 13:36
@plouc
Copy link
Owner

plouc commented Jan 23, 2023

@shehi
Copy link

shehi commented Jan 23, 2023

Oh man, good to hear from you :) Are you checking the existing PRs here and issues related to d3 and React-18 in general or too busy with RL?

Update: Just joined your Backers list in OpenCollective to support the project. You should really monetize your project as many open-source devs do (I love how electron-userland/electron-builder does it, calling for financial support for the features they build - the highest donation receiving features get built in no time).

@plouc
Copy link
Owner

plouc commented Jan 24, 2023

@shehi, quite busy with work, and personal life, just trying to review the "easy" PRs, merge dependabot ones... React 18 support is not an easy thing.

Thank you for joining the backers, unfortunately, the money I get/got for this project is far from being on par with the time/efforts I've put in it, I use open collective mainly because it was easy to setup and works for where I live, I don't want to have more things to manage 😅 It would also be hard for me to commit on specific features to be built, and I think if people wants some specific feature, they should pay for it, it should not be based on some kind of gamble on donations IMHO, it's work.

My main concern with updating d3 packages is that it could impact the build/test setup for users (it's already the case for jest in this repo), I understand that d3 wants to move forward and to create packages written in modern JS, but the reality is a bit different IMHO, we still have to support older browsers, platforms... This could really have a huge impact, that being said, I didn't have time to test what this impact is.

@shehi
Copy link

shehi commented Jan 26, 2023

I understand your concerns @plouc , but IMHO a project like this - with vastly limited resources, as you mentioned - should look forward, not back. Many projects (e.g. bundlers, compilers, component related ones like Shoelace etc) have already abandoned old browsers in their effort to move forward. Maybe you, as a developer yourself, are using old browsers, but again IMHO, for the longevity and sustainability of this great project it'd be better to move on. Release a new major version ditching old browsers (pre-Chromium Edge browsers and IE 11 primarily) completely. The world is progressing rapidly, so are almost everyone who are using this library: by the time you decide to leave legacy browsers behind it might be too late, because all of us need working solutions for our ever-growing development needs. As such, with all humility, I suggest you do that. No need to touch existing versions, let them stay at v0.80.x space with legacy stuff. Yes, d3's security implications will stay there until you upgrade, but since this project literally is bound to d3, your v0.80 version will have to remain within implicated d3 v2 space. Release v1.0 with old browsers abandoned, latest d3 and later on latest React 18 (the latter can come down the road, with a minor release) integrated. If you wish and have time for solving the old implicated version, then you can also work on that. But IMO it is critical to save the project before people hop off this ship.

As with the donations: as I mentioned, monetize it more effectively. Openly ask people - your userbase - to support the project so that you could spend real time to develop and release a new version. Cater towards them, and I am confident you will see the result. You have dozens, if not hundreds of users using this great tool. 5 EUR from ea can easily offset you for a fulltime month which in turn could boost this project. It's all you and all of us need, right? Just draw a roadmap, attach a timetable to it giving people some idea how long it'd take feature-X to appear, and start collecting donations. We are not naive, neither do we see you as a slave :) every dev needs to be compensated for their time. So get compensated, man!

@brammitch
Copy link
Contributor

brammitch commented Feb 7, 2023

It may be possible to do what recharts did in recharts/recharts#3167 and replace d3-color with https://www.npmjs.com/package/victory-vendor to bridge this gap. See https://formidable.com/blog/2022/victory-esm/.

If this is something you'd be interested in possibly merging, I would be open to working on a PR.

@heath-freenome
Copy link

heath-freenome commented Mar 9, 2023

I understand your concerns @plouc , but IMHO a project like this - with vastly limited resources, as you mentioned - should look forward, not back. Many projects (e.g. bundlers, compilers, component related ones like Shoelace etc) have already abandoned old browsers in their effort to move forward. Maybe you, as a developer yourself, are using old browsers, but again IMHO, for the longevity and sustainability of this great project it'd be better to move on. Release a new major version ditching old browsers (pre-Chromium Edge browsers and IE 11 primarily) completely. The world is progressing rapidly, so are almost everyone who are using this library: by the time you decide to leave legacy browsers behind it might be too late, because all of us need working solutions for our ever-growing development needs. As such, with all humility, I suggest you do that. No need to touch existing versions, let them stay at v0.80.x space with legacy stuff. Yes, d3's security implications will stay there until you upgrade, but since this project literally is bound to d3, your v0.80 version will have to remain within implicated d3 v2 space. Release v1.0 with old browsers abandoned, latest d3 and later on latest React 18 (the latter can come down the road, with a minor release) integrated. If you wish and have time for solving the old implicated version, then you can also work on that. But IMO it is critical to save the project before people hop off this ship.

@plouc I fully agree with this. Look forward, Release v1.0 on d3 latest and abandon old browsers. Most repos I've see have or will soon drop IE 11 (really the lame duck of all browsers left). Definitely save the project before it dies from lack of attention.

More over, you have a community of people attempting to improve the project with PRs. If you have limited time I suggest, putting your attention into getting them reviewed, approved and merged. Also, find a few trusted contributors who can help you, who have the ability to approve/merge PRs and cut releases. I've been doing the much of the fixing and releases for one of the projects that my company uses, with the support and blessing of the owner. And we have begun to use Nivo as well. Utilize the open source community to help you, please.

@plouc plouc merged commit 62ded37 into master Mar 10, 2023
@plouc plouc deleted the dependabot/npm_and_yarn/d3-color-3.1.0 branch March 10, 2023 06:52
@mattfelten
Copy link

@plouc Do you have an idea when the next Nivo release will be? We want to get rid of this vulnerability warning

@rodriguezjosetk
Copy link

@plouc Any ideas of when the next Nivo release will be? thanks!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
dependencies Pull requests that update a dependency file
Projects
None yet
Development

Successfully merging this pull request may close these issues.