ReDoS issue comes from d3-color version 1-2 indirect dependency! #193

Closed
dkolosov-intel opened this issue Oct 11, 2021 · 1 comment
@dkolosov-intel

d3-flame-graph control has an indirect dependency on d3-color version 1, which has ReDoS issue(s).

The issue(s) have been fixed in d3-color version 3.

d3-selection@1.4.2 and d3-transition@1.3.2 modules have a dependency on d3-color@1.4.1:

+-- d3-flame-graph@4.0.6
| +-- d3-scale@3.3.0
| | +-- d3-array@2.12.1 deduped
| | +-- d3-format@1.4.5 deduped
| | `-- d3-interpolate@2.0.1
| |   `-- d3-color@2.0.0
| +-- d3-selection@1.4.2
| `-- d3-transition@1.3.2
|   +-- d3-color@1.4.1
|   +-- d3-dispatch@1.0.6 deduped
|   +-- d3-ease@1.0.7 deduped
|   `-- d3-interpolate@1.4.0
|     `-- d3-color@1.4.1 deduped

Please update package.json dependency block to start using d3-selection and d3-transition version 3 or next
(Ideally need to update d3 dependency modules to version 3 or next/last)

@dkolosov-intel
Author

The upstream fix for the vulnerability is not merged yet:
d3/d3-color#89

It seems there is wrong data on a fix in d3-color>3.0.0:
d3/d3-brush#90 (comment)

It makes sense to consider this as a FALSE positive since user input is NOT used to call d3-color.
So, I am closing the issue.

(Sorry for bothering...)
