-
Notifications
You must be signed in to change notification settings - Fork 92
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Security vulnerability fix for d3-color nice-to-have in version 1.x #109
Comments
I’m not going to do this but you are welcome to fork this repository. |
1.x fork here with fix cherry-picked: https://www.npmjs.com/package/d3-color-1-fix Install package and point to it with |
After I change to: {
"resolutions": {
"d3-color": "https://registry.npmmirror.com/d3-color-1-fix/-/d3-color-1-fix-1.4.2.tgz"
}
} It works. But audit always need 3.1.0 |
I'd recommend not using the tgz directly because it can't be audited like a package by automated tooling. You're also probably going to want to manually search your lockfile after adding the override to make sure vulnerable versions of d3-color are expunged; there are some versions of npm (<8.7, I believe) where lockfile generation for overrides was broken so it would not be properly expunged and you will trip automated vulnerability checkers even with the override added properly in package.json. |
Please, would it be possible to backport the fix made in #100 to d3-color 1.x ?
There are multiple people, who would be happy for this backport.
The text was updated successfully, but these errors were encountered: