ReDoS issue in d3-color modules used in Vega #3321
Labels
bug
For bugs or other software errors
Comments
ghost
added
the
|
Any update on it? |
|
Thanks for checking in. No update yet, but I plan to look more closely very soon! |
|
I took a look, and the issue on d3-color (d3/d3-color#97) has not yet been resolved. Once that is fixed, we should be able to update Vega as well. |
|
sorry to say but i have the impression it will never be fixed by the owner. it's present since the very first release of that module and many more people have enquired, to no avail. |
|
I just want to ask when the fix for the ReDoS would be fixed? |
|
I think you need to bump to 3.1, there is a dependabot here: #3460 Can you merge this and release please? |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
This issue is related to #3285, but the request is to update d3-color dependency in all vega modules.
We already use the latest vega@5.21.0 and it many submodules (vega-scale, vega-geo, vega-functions, vega-encode) show d3-color@2.0.0 in their dependency trees. d3-color@2.0.0 has.the following issue https://snyk.io/vuln/SNYK-JS-D3COLOR-1076592 which is fixed in 3.0.0.
Could you please make sure the mentioned dependency is updated in the incoming vega release?
The text was updated successfully, but these errors were encountered: