
Is it possible to update d3-color ? #90

Closed
evansrobert opened this issue Aug 6, 2021 · 2 comments

Comments


evansrobert commented Aug 6, 2021

Hi, @mbostock @Fil, I stumbled upon a vulnerability introduced by package d3-color:

Issue Description

When I build my project, I notice that d3-brush@1.1.6 transitively depends on d3-color@1.4.1. However, the vulnerability SNYK-JS-D3COLOR-1076592 affects package d3-color<3.0.0.
As far as I am aware, d3-brush@1.1.6 is so popular that a large number of the latest versions of active and popular downstream projects depend on it (350,655 downloads per week and about 604 downstream projects, e.g., mermaid 8.11.2, c3 0.7.20, bqplot 0.5.31, @mermaid-js/mermaid-cli 8.11.0, @swimlane/ngx-graph 7.2.0, etc.).
In this case, the vulnerability SNYK-JS-D3COLOR-1076592 can be propagated into these downstream projects and expose security threats to them.
As you can see, d3-brush@1.1.6 is introduced into the above projects via the following package dependency paths:
(1)@dword-design/depgraph@1.6.42 ➔ dagre-d3@0.6.4 ➔ d3@5.16.0 ➔ d3-brush@1.1.6 ➔ d3-interpolate@1.4.0 ➔ d3-color@1.4.1
(2)flexbiz-core@9.2.95 ➔ dagre-d3@0.6.4 ➔ d3@5.16.0 ➔ d3-brush@1.1.6 ➔ d3-interpolate@1.4.0 ➔ d3-color@1.4.1
......

I know that it's kind of you to have removed the vulnerability since d3-brush@3.0.0. But, in fact, the above large amount of downstream projects cannot easily upgrade d3-brush from version 1.1.* to (>=3.0.0):
The projects such as dagre-d3, which introduced d3-brush@1.1.6, are not maintained anymore. These unmaintained packages can neither upgrade d3-brush nor be easily migrated by the large amount of affected downstream projects.

Given the large number of downstream users, is it possible to release a new patched version with the updated dependency to remove the vulnerability from package d3-brush@1.1.6?

Suggested Solution

Since these inactive projects set a version constraint 1.1.* for d3-brush on the above vulnerable dependency paths, if d3-brush removes the vulnerability from 1.1.6 and releases a new patched version d3-brush@1.1.7, such a vulnerability patch can be automatically propagated into the downstream projects.

The simplest way to remove the vulnerability is to perform the following upgrade in d3-brush@1.1.7:
d3-interpolate 1 ➔ 3.0.0;
Note:
As you know, d3-interpolate@3.0.0 directly depends on d3-color@3.0.1 which has fixed the vulnerability (SNYK-JS-D3COLOR-1076592)

Thank you for your help to the downstream users.^_^
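The two points the issue rests on, a transitive path ending at a vulnerable d3-color and a patch release being picked up by a `1.1.*` constraint, as an added example that is not part of the original post. The graph below is constructed from the paths quoted above; the declared ranges on the edges other than `1.1.*` and `1` are assumed, and the "vulnerable below 3.0.0" predicate is the range the Snyk advisory states, not a claim about the fix itself.

```javascript
// Constructed dependency graph (node = name@version, edge = declared range).
// Only the "1.1.*" and "1" ranges come from the issue; the others are assumed.
const GRAPH = {
  "dagre-d3@0.6.4": { d3: { resolved: "d3@5.16.0", range: "^5.14.0" } },
  "d3@5.16.0": { "d3-brush": { resolved: "d3-brush@1.1.6", range: "1.1.*" } },
  "d3-brush@1.1.6": { "d3-interpolate": { resolved: "d3-interpolate@1.4.0", range: "1" } },
  "d3-interpolate@1.4.0": { "d3-color": { resolved: "d3-color@1.4.1", range: "1" } },
  "d3-color@1.4.1": {},
};

const parse = (v) => v.split(".").map(Number); // "1.4.1" -> [1, 4, 1]
function cmp(a, b) {
  const [x, y] = [parse(a), parse(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] - y[i];
  return 0;
}

// Minimal matcher for the three range forms used above: bare major ("1"),
// wildcard ("1.1.*") and caret ("^5.14.0"; 0.x caret semantics not handled).
function satisfies(version, range) {
  const v = parse(version);
  if (range.startsWith("^")) {
    const base = range.slice(1);
    return v[0] === parse(base)[0] && cmp(version, base) >= 0;
  }
  return range.split(".").every((p, i) => p === "*" || Number(p) === v[i]);
}

// Depth-first walk from `root`; returns every path that ends at a resolved
// version of `target` for which `isVulnerable(version)` holds.
function vulnerablePaths(graph, root, target, isVulnerable, path = [root]) {
  const out = [];
  for (const [name, dep] of Object.entries(graph[root] || {})) {
    const version = dep.resolved.slice(name.length + 1);
    const next = [...path, dep.resolved];
    if (name === target && isVulnerable(version)) out.push(next);
    out.push(...vulnerablePaths(graph, dep.resolved, target, isVulnerable, next));
  }
  return out;
}

// Would a hypothetical patch release of `dep` be selected by the range that
// `parent` declares for it? (The issue's case: d3-brush@1.1.7 under "1.1.*".)
function patchPropagates(graph, parent, dep, patchedVersion) {
  return satisfies(patchedVersion, graph[parent][dep].range);
}

const advisoryRange = (v) => cmp(v, "3.0.0") < 0; // "d3-color<3.0.0" per advisory
const paths = vulnerablePaths(GRAPH, "dagre-d3@0.6.4", "d3-color", advisoryRange);
console.log(paths.map((p) => p.join(" -> ")));
console.log(patchPropagates(GRAPH, "d3@5.16.0", "d3-brush", "1.1.7")); // true
console.log(patchPropagates(GRAPH, "d3@5.16.0", "d3-brush", "3.0.0")); // false
```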


mbostock commented Aug 6, 2021

We haven’t fixed that vulnerability in d3-color yet. See d3/d3-color#89 for the initial effort. I’m not sure why SNYK thinks it was fixed in 3.0.0; it wasn’t as far as I know. As for back-porting the fix to earlier versions, I’m sorry but I’m not willing to do the work.

leeyashalti commented

> We haven’t fixed that vulnerability in d3-color yet. See d3/d3-color#89 for the initial effort. I’m not sure why SNYK thinks it was fixed in 3.0.0; it wasn’t as far as I know. As for back-porting the fix to earlier versions, I’m sorry but I’m not willing to do the work.

Hi @mbostock,
I'm Leeya from Snyk 😄
I've been communicating with @Fil a while ago about this issue via emails and understood that it was fixed as part of release 3.0.0. It was probably a misunderstanding on our side. I'll update the Snyk advisory with the correct data.
Thanks for the clarification!
