
Web UI code has vulnerable dependency d3-color v3.0.1 and older #693

Closed
marians opened this issue Jan 12, 2022 · 4 comments
Labels: topic/security, ui/web-ui (Concerns our web user interface)

Comments

@marians (Member) commented Jan 12, 2022

Vulnerability info: https://snyk.io/vuln/SNYK-JS-D3COLOR-1076592

Dependency paths:

    mermaid@8.13.8 > d3@7.0.3 > d3-color@3.0.1
    mermaid@8.13.8 > d3@7.0.3 > d3-interpolate@3.0.1 > d3-color@3.0.1
    mermaid@8.13.8 > d3@7.0.3 > d3-transition@3.0.1 > d3-color@3.0.1
    mermaid@8.13.8 > d3@7.0.3 > d3-scale-chromatic@3.0.0 > d3-color@3.0.1
    mermaid@8.13.8 > d3@7.0.3 > d3-transition@3.0.1 > d3-interpolate@3.0.1 > d3-color@3.0.1
    mermaid@8.13.8 > d3@7.0.3 > d3-brush@3.0.0 > d3-interpolate@3.0.1 > d3-color@3.0.1
    mermaid@8.13.8 > d3@7.0.3 > d3-scale@4.0.1 > d3-interpolate@3.0.1 > d3-color@3.0.1
    mermaid@8.13.8 > d3@7.0.3 > d3-scale-chromatic@3.0.0 > d3-interpolate@3.0.1 > d3-color@3.0.1
    mermaid@8.13.8 > d3@7.0.3 > d3-zoom@3.0.0 > d3-interpolate@3.0.1 > d3-color@3.0.1
    mermaid@8.13.8 > d3@7.0.3 > d3-brush@3.0.0 > d3-transition@3.0.1 > d3-color@3.0.1
    mermaid@8.13.8 > d3@7.0.3 > d3-zoom@3.0.0 > d3-transition@3.0.1 > d3-color@3.0.1
    mermaid@8.13.8 > d3@7.0.3 > d3-brush@3.0.0 > d3-transition@3.0.1 > d3-interpolate@3.0.1 > d3-color@3.0.1
    mermaid@8.13.8 > d3@7.0.3 > d3-zoom@3.0.0 > d3-transition@3.0.1 > d3-interpolate@3.0.1 > d3-color@3.0.1
    mermaid@8.13.8 > dagre-d3@0.6.4 > d3@5.16.0 > d3-color@1.4.1
    mermaid@8.13.8 > dagre-d3@0.6.4 > d3@5.16.0 > d3-interpolate@1.4.0 > d3-color@1.4.1
    mermaid@8.13.8 > dagre-d3@0.6.4 > d3@5.16.0 > d3-transition@1.3.2 > d3-color@1.4.1
    mermaid@8.13.8 > dagre-d3@0.6.4 > d3@5.16.0 > d3-scale-chromatic@1.5.0 > d3-color@1.4.1
    mermaid@8.13.8 > dagre-d3@0.6.4 > d3@5.16.0 > d3-transition@1.3.2 > d3-interpolate@1.4.0 > d3-color@1.4.1
    mermaid@8.13.8 > dagre-d3@0.6.4 > d3@5.16.0 > d3-brush@1.1.6 > d3-interpolate@1.4.0 > d3-color@1.4.1
    mermaid@8.13.8 > dagre-d3@0.6.4 > d3@5.16.0 > d3-scale@2.2.2 > d3-interpolate@1.4.0 > d3-color@1.4.1
    mermaid@8.13.8 > dagre-d3@0.6.4 > d3@5.16.0 > d3-scale-chromatic@1.5.0 > d3-interpolate@1.4.0 > d3-color@1.4.1
    mermaid@8.13.8 > dagre-d3@0.6.4 > d3@5.16.0 > d3-zoom@1.8.3 > d3-interpolate@1.4.0 > d3-color@1.4.1
    mermaid@8.13.8 > dagre-d3@0.6.4 > d3@5.16.0 > d3-brush@1.1.6 > d3-transition@1.3.2 > d3-color@1.4.1
    mermaid@8.13.8 > dagre-d3@0.6.4 > d3@5.16.0 > d3-zoom@1.8.3 > d3-transition@1.3.2 > d3-color@1.4.1
    mermaid@8.13.8 > dagre-d3@0.6.4 > d3@5.16.0 > d3-brush@1.1.6 > d3-transition@1.3.2 > d3-interpolate@1.4.0 > d3-color@1.4.1
    mermaid@8.13.8 > dagre-d3@0.6.4 > d3@5.16.0 > d3-zoom@1.8.3 > d3-transition@1.3.2 > d3-interpolate@1.4.0 > d3-color@1.4.1

The dependency mermaid, which depends on d3-color, is used only in our webapp for exploring UI components based on Storybook, to generate some architecture diagrams. mermaid is not used in the actual web UI webapp, and it is only used with verified input. Hence the risk of running the vulnerable dependency can be considered very low.

We are tracking the progress of the upstream issue d3/d3-color#97 and will upgrade the corresponding dependencies as soon as possible.
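As an added example that is not part of this issue or of the project's code: a small Node.js script that parses dependency paths in the form listed above and reports which of them resolve d3-color to an affected version, grouped by the top-level package (d3 or dagre-d3) that pulls it in. It assumes the boundary stated in this thread (3.0.1 and older affected, 3.1.0 fixed); the sample input is constructed from the paths in this issue plus one hypothetical post-upgrade path, and every function name is the example's own choice.

```javascript
// Added example (not code from the project or from the issue's authors):
// parse dependency paths in the "pkg@version > pkg@version > ..." form used
// by Snyk/npm reports and flag every path whose resolved d3-color is in the
// affected range. Threshold: the thread states 3.0.1 and older are affected
// and 3.1.0 carries the fix, so anything below 3.1.0 is treated as affected.
// All function names are this example's own choice.

const PACKAGE = "d3-color";
const FIXED_VERSION = "3.1.0";

// Constructed sample input modelled on the paths listed in the issue; the
// last line is a hypothetical post-upgrade path that must not be flagged.
const SAMPLE_PATHS = `
mermaid@8.13.8 > d3@7.0.3 > d3-color@3.0.1
mermaid@8.13.8 > d3@7.0.3 > d3-interpolate@3.0.1 > d3-color@3.0.1
mermaid@8.13.8 > dagre-d3@0.6.4 > d3@5.16.0 > d3-color@1.4.1
mermaid@8.13.8 > d3@7.4.0 > d3-color@3.1.0
`;

// Parse "MAJOR.MINOR.PATCH" (pre-release/build suffixes are ignored).
function parseVersion(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(version);
  if (!m) throw new Error(`unparseable version: ${version}`);
  return m.slice(1, 4).map(Number);
}

// Numeric semver comparison: -1 if a < b, 0 if equal, 1 if a > b.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Split one path into [{ name, version }, ...]. The version is taken after
// the LAST "@" so scoped packages such as "@scope/name@1.2.3" parse correctly.
function parsePath(line) {
  return line.split(">").map((segment) => {
    const s = segment.trim();
    const at = s.lastIndexOf("@");
    if (at <= 0) throw new Error(`segment without version: ${s}`);
    return { name: s.slice(0, at), version: s.slice(at + 1) };
  });
}

// Return every path whose final package is `pkg` at a version below `fixed`.
// `via` records the root's direct dependency (e.g. d3 or dagre-d3), which is
// the package that actually decides which d3-color gets resolved.
function findAffectedPaths(text, pkg = PACKAGE, fixed = FIXED_VERSION) {
  const affected = [];
  for (const raw of text.split("\n")) {
    const line = raw.trim();
    if (!line) continue;
    const chain = parsePath(line);
    const leaf = chain[chain.length - 1];
    if (leaf.name === pkg && compareVersions(leaf.version, fixed) < 0) {
      affected.push({
        path: line,
        version: leaf.version,
        via: chain.length > 1 ? chain[1].name : chain[0].name,
      });
    }
  }
  return affected;
}

// Group affected paths as { version -> sorted list of "via" packages } so the
// report says which top-level dependency must change for each version.
function summarize(affected) {
  const groups = {};
  for (const a of affected) {
    if (!groups[a.version]) groups[a.version] = new Set();
    groups[a.version].add(a.via);
  }
  return Object.fromEntries(
    Object.entries(groups).map(([v, set]) => [v, [...set].sort()])
  );
}

// Stand-alone run: print the summary for the constructed sample.
console.log(summarize(findAffectedPaths(SAMPLE_PATHS)));
```

Run with `node` on a file containing the paths from a scanner report. On the sample above the summary separates the `3.0.1` group (reached via `d3`, cleared by the d3 7.4.0 upgrade) from the `1.4.1` group (reached via `dagre-d3`), which is exactly the distinction that matters when deciding whether an upgrade of d3 alone closes the finding.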

@marians (Member, Author) commented Mar 28, 2022

There is activity in d3-color on this topic.

@marians (Member, Author) commented Mar 29, 2022

@kuosandys @gusevda d3-color v3.1.0 just came out https://github.com/d3/d3-color/releases/tag/v3.1.0

@kuosandys commented

d3 v7.4.0 has also been released with the updated version, though the main issue comes from the dagre-d3 dependency, which uses an older version of d3-color and is also deprecated.

@ghost ghost assigned kuosandys and gusevda Apr 11, 2022
@kuosandys commented

@gusevda and I talked about this today and now I have a better understanding of our options and their implications. For this issue, the vulnerability is only applicable if we pass user input to d3-color. Seeing as we only use mermaid in Storybook for architectural diagrams, we are not currently doing that. We've decided the appropriate action is to dismiss this alert.
