[go: up one dir, main page]

Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

d3-color library security issue #2846

Open
AbeykoonOshan opened this issue Aug 9, 2021 · 5 comments
Open

d3-color library security issue #2846

AbeykoonOshan opened this issue Aug 9, 2021 · 5 comments

Comments

@AbeykoonOshan
Copy link

The latest version of c3 uses d3 (^5.8.0) as a dependency, and d3 has a dependency for d3-color.
This d3-color library is exposed to the following security issue,
https://snyk.io/vuln/SNYK-JS-D3COLOR-1076592

It would be great if we can get that issue fixed by updating the d3 dependency.

  • C3 version: 0.7.20
  • D3 version: 5.16.0
@josundt
Copy link
josundt commented Oct 13, 2022

c3 was last updated in August 2020, over two years ago.
c3 has a dependency on d3, version constraint ^5.8.0.
There has been two major releases of d3 since this dependency was last updated (current d3 version is 7.6.1).

Is the c3 package still under maintenance?

Packages with npm audit security vulnerabilities are not acceptable as dependencies for our products, so I really hope you'll invest in updating d3 to latest version.

@siripurs
Copy link

Same issue with d3-color vulnerability. Any update on when c3 will be updated with latest d3 version 7.6.1 to resolve d30color security vulnerability issue?

@Ratandeep13
Copy link

Can we get any update on this. We are also using C3 library in our product and facing this issue. Please help us to resolve the issue.

@josundt
Copy link
josundt commented Dec 21, 2022

I recommend doing what I did: Replace c3 with billboard.js.
billboard.js is a fork of c3 that is under proper maintenance.
Migration is very simple, there's a guide describing the required few steps.

@ilinb
Copy link
ilinb commented Mar 22, 2023

I fixed this in my angular project by adding an override in package.json. It did not have any negative impact on my charts.

"overrides": {
"d3-color": "3.1.0"
}

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

5 participants