5 high severity vulnerabilities on npm install
wSzki opened this issue · 1 comment
Hello,
When installing the package, I get 5 high severity vulnerabilities.
Should I be concerned? Is there anything I can do about it?
/home/node/app # npm audit
# npm audit report
d3-color <3.1.0
Severity: high
d3-color vulnerable to ReDoS - https://github.com/advisories/GHSA-36jr-mh4h-2g58
No fix available
node_modules/d3-color
d3-interpolate 0.1.3 - 2.0.1
Depends on vulnerable versions of d3-color
node_modules/d3-interpolate
d3-scale 0.1.5 - 3.3.0
Depends on vulnerable versions of d3-interpolate
node_modules/d3-scale
react-charts >=0.0.2
Depends on vulnerable versions of d3-scale
node_modules/react-charts
@nouance/payload-dashboard-analytics *
Depends on vulnerable versions of react-charts
node_modules/@nouance/payload-dashboard-analytics
5 high severity vulnerabilities
Some issues need review, and may require choosing
a different dependency.
Hi @wSzki, thanks for opening the report.
This vulnerability comes in via the react-charts package, which should run only in the frontend for the React components, and it only happens if potentially malicious code were to run against or interact with your charts, which shouldn't happen within the scope of this module.
Here's the full report https://security.snyk.io/vuln/SNYK-JS-D3COLOR-1076592
I don't think this is a big issue, but I've just released a fix for this: https://github.com/NouanceLabs/payload-dashboard-analytics/releases/tag/v0.2.2
I recommend using yarn over npm on any project, by the way; it has much better dependency resolution. I think pnpm is also better than npm.
I'm thinking of migrating to another more mature charting library in a future version.
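The audit output above counts five "vulnerabilities", but it contains a single advisory (GHSA-36jr-mh4h-2g58 against d3-color) that the other four entries merely inherit through their dependency edges. The script below is an added example, not code from the issue or from the payload-dashboard-analytics project: it reads the machine-readable form of the same report (`npm audit --json`, report version 2) and separates root advisories from inherited ones, printing the chain from the vulnerable package up to the application's direct dependency. The embedded report is constructed by hand to mirror the output in the issue (package names, ranges and the advisory URL are taken from it; the advisory's numeric `source` id is not on the page and is omitted), and the file name `audit.json` in the usage note is an assumption.

```javascript
// Added example, not from the issue or the project. Walks an `npm audit --json`
// (auditReportVersion 2) report: entries whose `via` holds an advisory object are
// root causes; entries whose `via` holds only package names just depend on a
// vulnerable package. `effects` points the other way, towards dependents.

// Constructed sample mirroring the human-readable report in the issue.
// The advisory `source` id is omitted because it is not on the page.
const sampleAudit = {
  auditReportVersion: 2,
  vulnerabilities: {
    "d3-color": {
      name: "d3-color", severity: "high", isDirect: false,
      via: [{
        name: "d3-color", dependency: "d3-color",
        title: "d3-color vulnerable to ReDoS",
        url: "https://github.com/advisories/GHSA-36jr-mh4h-2g58",
        severity: "high", range: "<3.1.0",
      }],
      effects: ["d3-interpolate"], range: "<3.1.0",
      nodes: ["node_modules/d3-color"], fixAvailable: false,
    },
    "d3-interpolate": {
      name: "d3-interpolate", severity: "high", isDirect: false,
      via: ["d3-color"], effects: ["d3-scale"], range: "0.1.3 - 2.0.1",
      nodes: ["node_modules/d3-interpolate"], fixAvailable: false,
    },
    "d3-scale": {
      name: "d3-scale", severity: "high", isDirect: false,
      via: ["d3-interpolate"], effects: ["react-charts"], range: "0.1.5 - 3.3.0",
      nodes: ["node_modules/d3-scale"], fixAvailable: false,
    },
    "react-charts": {
      name: "react-charts", severity: "high", isDirect: false,
      via: ["d3-scale"], effects: ["@nouance/payload-dashboard-analytics"],
      range: ">=0.0.2", nodes: ["node_modules/react-charts"], fixAvailable: false,
    },
    "@nouance/payload-dashboard-analytics": {
      name: "@nouance/payload-dashboard-analytics", severity: "high", isDirect: true,
      via: ["react-charts"], effects: [], range: "*",
      nodes: ["node_modules/@nouance/payload-dashboard-analytics"], fixAvailable: false,
    },
  },
};

// Root advisories: one record per advisory object found in any entry's `via`.
function rootAdvisories(report) {
  return Object.values(report.vulnerabilities).flatMap((entry) =>
    entry.via
      .filter((v) => typeof v === "object" && v !== null)
      .map((adv) => ({ pkg: entry.name, adv, fixAvailable: entry.fixAvailable })),
  );
}

// Follow `effects` from a vulnerable package up to every direct dependency it
// reaches. `path` doubles as the cycle guard so diamond-shaped graphs still
// yield every distinct chain.
function chainsToDirectDeps(report, pkg, path = []) {
  const entry = report.vulnerabilities[pkg];
  if (!entry || path.includes(pkg)) return []; // unknown node or cycle
  const here = [...path, pkg];
  if (entry.isDirect || entry.effects.length === 0) return [here];
  return entry.effects.flatMap((next) => chainsToDirectDeps(report, next, here));
}

// Summary: how many packages npm counted versus how many advisories exist,
// and for each advisory the chain(s) to the app's own dependencies.
function summarize(report) {
  const roots = rootAdvisories(report).map(({ pkg, adv, fixAvailable }) => ({
    package: pkg,
    advisory: adv.url,
    vulnerableRange: adv.range,
    fixAvailable,
    chains: chainsToDirectDeps(report, pkg).map((c) => c.join(" -> ")),
  }));
  return {
    reportedCount: Object.keys(report.vulnerabilities).length,
    rootAdvisoryCount: roots.length,
    roots,
  };
}

// Stand-alone use: `node audit-chains.js audit.json`, or no argument for the sample.
if (typeof require !== "undefined" && require.main === module) {
  const file = process.argv[2];
  const report = file
    ? JSON.parse(require("node:fs").readFileSync(file, "utf8"))
    : sampleAudit;
  console.log(JSON.stringify(summarize(report), null, 2));
}
```

Against the sample this yields one root advisory, reported as five vulnerable packages, with the single chain d3-color -> d3-interpolate -> d3-scale -> react-charts -> @nouance/payload-dashboard-analytics and `fixAvailable: false`. "No fix available" means no in-range upgrade of the chain resolves it; the advisory itself lists d3-color 3.1.0 as patched, so a consuming application can pin that with `"overrides": { "d3-color": ">=3.1.0" }` in package.json (npm 8.3 or later; `"resolutions"` for yarn) and confirm the result with `npm ls d3-color`. Two caveats: d3-color 3.x ships as ES modules only, so check that the d3-interpolate version in the chain still loads it, and the override only changes what the audit reports, not whether attacker-controlled strings ever reach d3-color's parser, which is the reachability question the maintainer's reply addresses for this module.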