The dependency mermaid, which depends on d3-color, is used only in our webapp for exploring UI components based on Storybook, to generate some architecture diagrams. mermaid is not used in the actual web UI webapp, and it is only used with verified input. Hence the risk of running the vulnerable dependency can be considered very low.
We are tracking the progress of the upstream issue d3/d3-color#97 and will upgrade the according dependencies as soon as possible.
d3 v7.4.0 has also been released with the updated version, though the main issue comes from the dagre-d3 dependency, which uses an older version of d3-color and is also deprecated.
@gusevda and I talked about this today and now I have a better understanding of our options and their implications. For this issue, the vulnerability is only applicable if we pass user input to d3-color. Seeing as we only use mermaid in Storybook for architectural diagrams, we are not currently doing that. We've decided the appropriate action is to dismiss this alert.
Vulnerability info: https://snyk.io/vuln/SNYK-JS-D3COLOR-1076592
Dependency paths: