Is it possible to update d3-color ?

[evansrobert]

Hi, @mbostock @Fil, I stumbled upon a vulnerability introduced by package d3-color:

Issue Description

When I build my project, I notice that [email protected] transitively depends on [email protected]. However, the vulnerability SNYK-JS-D3COLOR-1076592 affects package d3-color<3.0.0.
As far as I aware, [email protected] is so popular that a large number of latest versions of active and popular downstream projects depend on it (350,655 downloads per week and about 604 downstream projects, e.g., mermaid 8.11.2, c3 0.7.20, bqplot 0.5.31, @mermaid-js/mermaid-cli 8.11.0, @swimlane/ngx-graph 7.2.0, etc.).
In this case, the vulnerability SNYK-JS-D3COLOR-1076592 can be propagated into these downstream projects and expose security threats to them.
As you can see, [email protected] is introduced into the above projects via the following package dependency paths:
(1)@dword-design/[email protected] ➔ [email protected] ➔ [email protected] ➔ [email protected] ➔ [email protected] ➔ [email protected]
(2)[email protected] ➔ [email protected] ➔ [email protected] ➔ [email protected] ➔ [email protected] ➔ [email protected]
......

I know that it's kind of you to have removed the vulnerability since [email protected]. But, in fact, the above large amount of downstream projects cannot easily upgrade d3-brush from version 1.1.* to (>=3.0.0):
The projects such as dagre-d3, which introduced [email protected], are not maintained anymore. These unmaintained packages can neither upgrade d3-brush nor be easily migrated by the large amount of affected downstream projects.

Given the large number of downstream users, is it possible to release a new patched version with the updated dependency to remove the vulnerability from package [email protected]?

Suggested Solution

Since these inactive projects set a version constaint 1.1.* for d3-brush on the above vulnerable dependency paths, if d3-brush removes the vulnerability from 1.1.6 and releases a new patched version [email protected], such a vulnerability patch can be automatically propagated into the downstream projects.

The simplest way to remove the vulnerability is to perform the following upgrade in [email protected]:
d3-interpolate 1 ➔ 3.0.0;
Note:
As you know, [email protected] directly depends on [email protected] which has fixed the vulnerability (SNYK-JS-D3COLOR-1076592)

Thank you for your help to the downstream users.^_^

[mbostock]

We haven’t fixed that vulnerability in d3-color yet. See d3/d3-color#89 for the initial effort. I’m not sure why SNYK thinks it was fixed in 3.0.0; it wasn’t as far as I know. As for back-porting the fix to earlier versions, I’m sorry but I’m not willing to do the work.

[leeyashalti]

We haven’t fixed that vulnerability in d3-color yet. See d3/d3-color#89 for the initial effort. I’m not sure why SNYK thinks it was fixed in 3.0.0; it wasn’t as far as I know. As for back-porting the fix to earlier versions, I’m sorry but I’m not willing to do the work.

Hi @mbostock,
I'm Leeya from Snyk 😄
I've been communicating with @Fil a while ago about this issue via emails and understood that it was fixed as part of release 3.0.0. It was probably a misunderstanding on our side. I'll update the Snyk advisory with the correct data.
Thanks for the clarification!