hill-chart depends on insecure upstream packages
Opened this issue · 4 comments
savar commented
hill-chart depends on an older version of d3-color, which can only be fixed by switching to a newer version.
Is there any plan to upgrade the hill-chart package to update all the dependencies to their latest versions (or at least the ones having critical security issues like d3-color)?
nagi1 commented
Please feel free to submit a PR and make the tests pass, and I will merge it instantly.
On Fri, Apr 19, 2024 at 11:36 AM Simon Effenberg ***@***.***> wrote:
> hill-chart depends on an older version of d3-color which can only be fixed
> by switching to a newer version
> is there any plan to upgrade the hill-chart package to update all the
> dependencies to their latest versions (or at least the ones having critical
> security issues like d3-color <https://github.com/advisories/GHSA-36jr-mh4h-2g58>)?
savar commented
I tried that, but see my comments there.
scurth commented
I wanted to follow up on this PR as it's been a few months since the last update. Is there anything I can assist with to help move things forward?