c3js/c3

d3-color library security issue

AbeykoonOshan opened this issue · 5 comments

The latest version of c3 uses d3 (^5.8.0) as a dependency, and d3 has a dependency for d3-color.
This d3-color library is exposed to the following security issue:
https://snyk.io/vuln/SNYK-JS-D3COLOR-1076592

It would be great if we can get that issue fixed by updating the d3 dependency.

  • C3 version: 0.7.20
  • D3 version: 5.16.0

c3 was last updated in August 2020, over two years ago.
c3 has a dependency on d3, version constraint ^5.8.0.
There have been two major releases of d3 since this dependency was last updated (current d3 version is 7.6.1).

Is the c3 package still under maintenance?

Packages with npm audit security vulnerabilities are not acceptable as dependencies for our products, so I really hope you'll invest in updating d3 to latest version.

Same issue with d3-color vulnerability. Any update on when c3 will be updated with latest d3 version 7.6.1 to resolve the d3-color security vulnerability issue?

Can we get any update on this? We are also using the C3 library in our product and facing this issue. Please help us to resolve the issue.

I recommend doing what I did: Replace c3 with billboard.js.
billboard.js is a fork of c3 that is under proper maintenance.
Migration is very simple, there's a guide describing the required few steps.

ilinb commented

I fixed this in my angular project by adding an override in package.json. It did not have any negative impact on my charts.

"overrides": {
  "d3-color": "3.1.0"
}
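A small Node script, added here as an example and not part of this thread, that scans a package-lock.json (lockfile v2/v3 "packages" map) for any copy of d3-color still older than the 3.1.0 that the override above pins, so the fix can be verified in CI rather than trusted; `compareVersions` and `findVulnerable` are hypothetical helpers and the embedded lockfile is constructed sample data.

```javascript
// Added example (not from the c3 project or this thread): confirm that a
// package.json "overrides" entry for d3-color actually took effect by
// checking every resolved copy in package-lock.json against the pinned version.
// Usage: node audit-d3-color.js [path/to/package-lock.json]
const PACKAGE = "d3-color";
const FIXED = "3.1.0"; // version pinned by the override in the comment above

// Compare two dotted semver cores; hypothetical helper, no pre-release support.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Return every lockfile path (hoisted or nested) whose package is `name`
// and whose resolved version is older than `fixed`. Lockfile v1 ("dependencies"
// tree) is not handled here.
function findVulnerable(lock, name = PACKAGE, fixed = FIXED) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "" || !path.endsWith("node_modules/" + name)) continue;
    if (compareVersions(entry.version, fixed) < 0) {
      hits.push({ path, version: entry.version });
    }
  }
  return hits;
}

// Constructed sample lockfile: one hoisted d3-color still on the 1.x line that
// d3 5.x pulls in (override not applied there) and one nested copy already fixed.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "my-app", version: "1.0.0" },
    "node_modules/c3": { version: "0.7.20" },
    "node_modules/d3-color": { version: "1.4.1" },
    "node_modules/d3-interpolate/node_modules/d3-color": { version: "3.1.0" },
  },
};

if (typeof require !== "undefined" && require.main === module) {
  const file = process.argv[2];
  const lock = file ? JSON.parse(require("fs").readFileSync(file, "utf8")) : SAMPLE_LOCK;
  const hits = findVulnerable(lock);
  for (const h of hits) console.log(`${h.path}: ${h.version} < ${FIXED}`);
  process.exitCode = hits.length ? 1 : 0; // non-zero fails the CI step
}
```

Run it against the real lockfile after `npm install`; an exit code of 1 means at least one resolved d3-color still predates the pinned version and the override did not reach it.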