Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Security vulnerability fix for d3-color required in version 2.x #108

Open
AtishayMsft opened this issue Oct 7, 2022 · 7 comments · May be fixed by #110
Open

Security vulnerability fix for d3-color required in version 2.x #108

AtishayMsft opened this issue Oct 7, 2022 · 7 comments · May be fixed by #110

Comments

@AtishayMsft
Copy link 

We would like to get the fix https://github.com/d3/d3-color/pull/100 backported for version 2.x of d3-color library module as version 3.x switches to using ESM for d3 which is not supported by our project.

There are multiple folks interested in this backport.
@AtishayMsft AtishayMsft mentioned this issue Oct 7, 2022
Merged
@jayuen
Copy link

jayuen commented Oct 7, 2022

Thanks @AtishayMsft . I would also like the backport for version 1.4.x. Willing to help contribute to this.

@ndugger
Copy link

ndugger commented Oct 7, 2022

My team is blocked on this issue which is affecting the airbnb/visx package: airbnb/visx#1577

@mbostock
Copy link
Member

mbostock commented Oct 7, 2022

I’m not going to do this but you are welcome to fork this repository.

@timbset timbset linked a pull request Oct 11, 2022 that will close this issue
Open
@timbset
Copy link

timbset commented Oct 12, 2022
edited

@mbostock I created PR with cherry-pick to v2. Could you please merge it and publish new v2 version with vulnerability fix? It will simplify upgrade to more secure version of package for those who still use CommonJS

@G-Rath
Copy link

G-Rath commented Oct 18, 2022
edited

@mbostock I can understand not backporting for v1, but I ask you to reconsider for v2 because that's the highest major version supported by d3-interpolate and v3 of both packages switch to using ESM modules which we can't use in our applications and that libraries like recharts cannot use it either without switching to ESM themselves (which'd overall be very breaking)

I assume by forking you actually mean "fork + publish to npm", as that's the only way we could really try and address that ourselves, however it would be ideal if we could avoid having to do that since it just fragments the ecosystem further and then we'd need to convince libraries to move over to the new package (which wouldn't work because we'd need to either fork or backport for d3-interpolate as well)

I'm happy to help with this as much as possible, to reduce the burden on you.

Related recharts issue.

@G-Rath G-Rath mentioned this issue Oct 18, 2022
Closed
1 task
This was referenced Oct 19, 2022
Merged
Closed
Merged
@timbset
Copy link

timbset commented Nov 3, 2022

We understand the motivation of staying on ESM-only approach. But some libs, like nanoid, promised to support older version for developers who cannot upgrade to ESM-only version. Why can't you do the same in this project? It would be responsible and respectful for people who use this lib.

@JayWelsh
Copy link

For anyone that requires an immediate workaround for this, this method provided by haydn works wonders: airbnb/visx#1577 (comment)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Avoid backtracking in v2 timbset/d3-color
7 participants
@jayuen @mbostock @ndugger @G-Rath @JayWelsh @timbset @AtishayMsft