d3-color vulnerability #3590
hardysabs2 started this conversation in General
I am using d3 and there is a high vulnerability on a dependency, d3-color. The recommended fix is to upgrade to d3@7.6.1 to resolve it, but the vulnerabilities are still present, with a recommendation to run `npm audit fix`. After that they are still present, with a recommendation to run `npm update d3-color --depth 5`, but the vulnerabilities are still present.

What is the real-world risk, given how this package dependency is used by d3, if I (temporarily) stay at version 5.0.1? How do I resolve this when I have time to regression test 7.6.1, and how do I upgrade to 7.6.1 without still getting the vulnerabilities?
My usage is this kind of thing:
```js
import * as d3 from "d3";
// ...
this.scaleMins = d3
  .scaleLinear()
  .domain([0, 59 + 59 / 60])
  .range([0, 2 * Math.PI]);
this.scaleHours = d3
  .scaleLinear()
  .domain([0, 11 + 59 / 60])
  .range([0, 2 * Math.PI]);
this.minuteArc = d3
  .arc()
  .innerRadius(0)
  .outerRadius(35)
  .startAngle(function(d) {
    return this.scaleMins(d.numeric);
  })
  .endAngle(function(d) {
    return this.scaleMins(d.numeric);
  });
// ...
const svg = d3
  .select(this.clockRef.current)
  .append("svg:svg")
  .attr("width", width)
  .attr("height", height);
// ...
```
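One way to check why an audit finding on a transitive dependency persists after upgrading the top-level package is to list every copy of that dependency recorded in the lockfile and which packages ask for it. The following is an added example, not part of the original post: the lockfile contents, the `legacy-chart` package, the function names and all version numbers are constructed for illustration.

```javascript
// Constructed sample in npm's lockfileVersion 2/3 layout ("packages" map keyed
// by install path). "legacy-chart" is hypothetical and the versions are made up.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { d3: "^2.0.0", "legacy-chart": "^1.0.0" } },
    "node_modules/d3": { version: "2.0.0", dependencies: { "d3-color": "2" } },
    "node_modules/d3-color": { version: "2.0.0" },
    "node_modules/legacy-chart": { version: "1.0.0", dependencies: { "d3-color": "1" } },
    "node_modules/legacy-chart/node_modules/d3-color": { version: "1.0.0" },
  },
};

// Return every installed copy of `name` with its version and the package whose
// node_modules directory holds it ("(root)" for the hoisted top-level copy).
function findCopies(lock, name) {
  const suffix = "node_modules/" + name;
  const copies = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path !== suffix && !path.endsWith("/" + suffix)) continue;
    const parentPath = path.slice(0, path.length - suffix.length).replace(/\/$/, "");
    const nestedUnder = parentPath === "" ? "(root)" : parentPath.split("node_modules/").pop();
    copies.push({ path, version: meta.version, nestedUnder });
  }
  return copies;
}

// Return the installed packages that declare `name` as a direct dependency and
// the range each one asks for; a narrow range is what keeps an old copy nested.
function findRequirers(lock, name) {
  const requirers = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const range = (meta.dependencies || {})[name];
    if (range !== undefined) {
      requirers.push({ requiredBy: path || "(root project)", range });
    }
  }
  return requirers;
}

// For a real project, pass the parsed contents of package-lock.json instead.
console.table(findCopies(sampleLock, "d3-color"));
console.table(findRequirers(sampleLock, "d3-color"));
```

A copy listed under a package other than `(root)` is not replaced by upgrading `d3` alone; it follows the range declared by the package that nests it.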