ReDoS issue in d3-color modules used in Vega #3321
Comments
Any update on it?
Thanks for checking in. No update yet, but I plan to look more closely very soon!
I took a look, and the issue on d3-color (d3/d3-color#97) has not yet been resolved. Once that is fixed, we should be able to update Vega as well.
Sorry to say, but I have the impression it will never be fixed by the owner. It's been present since the very first release of that module and many more people have enquired, to no avail.
I just want to ask when the fix for the ReDoS would be fixed?
I think you need to bump to 3.1, there is a dependabot here: #3460. Can you merge this and release please?
This issue is related to #3285, but the request is to update d3-color dependency in all vega modules.
We already use the latest vega@5.21.0 and its many submodules (vega-scale, vega-geo, vega-functions, vega-encode) show d3-color@2.0.0 in their dependency trees. d3-color@2.0.0 has the following issue https://snyk.io/vuln/SNYK-JS-D3COLOR-1076592 which is fixed in 3.0.0.
Could you please make sure the mentioned dependency is updated in the incoming vega release?
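As an added example (not part of the issue thread or the Vega project's code): a lockfile check that lists every installed copy of d3-color older than a chosen minimum version, so nested copies pulled in by Vega submodules show up alongside the top-level one. It assumes an npm lockfile with a `packages` map (lockfileVersion 2 or 3); the sample lockfile and the function names are constructed for illustration.

```javascript
// Constructed sample shaped like the dependency tree described in the issue.
// Versions other than vega@5.21.0 and d3-color@2.0.0 are made up for the demo.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/vega": { version: "5.21.0" },
    "node_modules/vega-scale/node_modules/d3-color": { version: "2.0.0" },
    "node_modules/vega-geo/node_modules/d3-color": { version: "2.0.0" },
    "node_modules/d3-color": { version: "3.0.1" },
    "node_modules/not-d3-color": { version: "1.0.0" }, // must not match
  },
};

// Parse "MAJOR.MINOR.PATCH" into numbers; pre-release/build suffix is ignored.
function parseVersion(v) {
  return v.split(/[-+]/)[0].split(".").map((n) => Number.parseInt(n, 10) || 0);
}

// Returns -1, 0 or 1, comparing major, then minor, then patch.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// List every installed copy of `name` whose version is below `minVersion`.
function findOutdated(lock, name, minVersion) {
  const suffix = "node_modules/" + name;
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    // Match the package exactly, at top level or nested under another package.
    const isCopy = path === suffix || path.endsWith("/" + suffix);
    if (!isCopy || !meta.version) continue;
    if (compareVersions(meta.version, minVersion) >= 0) continue;
    // The directory a nested copy sits under tells you which module pins it.
    const chain = path.split("node_modules/").filter(Boolean);
    const parent = chain.length > 1
      ? chain[chain.length - 2].replace(/\/$/, "") : "(top level)";
    hits.push({ path, version: meta.version, nestedUnder: parent });
  }
  return hits.sort((x, y) => (x.path < y.path ? -1 : x.path > y.path ? 1 : 0));
}

// Minimum version is a parameter: the issue body names 3.0.0, a comment 3.1.
console.log(findOutdated(sampleLock, "d3-color", "3.0.0"));
```

In a real project, pass the parsed contents of `package-lock.json` instead of `sampleLock`.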