Investigate high severity vulnerabilities #200

Closed
olayway opened this issue Oct 7, 2022 · 7 comments
Labels
bug Something isn't working good first issue Good for newcomers


@olayway
Member

olayway commented Oct 7, 2022

Investigate and fix 11 high severity vulnerabilities reported by npm.

@olayway olayway added bug Something isn't working good first issue Good for newcomers labels Oct 7, 2022
@PhilippeduPreez
Contributor

npm audit fix:

image

@PhilippeduPreez
Contributor

image

@PhilippeduPreez
Contributor

Also tried removing package.json.lock and node modules and running npm i --legacy-peer-deps.

@PhilippeduPreez
Contributor

It seems like d3-color not being 1.3.0 was causing the most problems. I tried following https://itnext.io/fixing-security-vulnerabilities-in-npm-dependencies-in-less-than-3-mins-a53af735261d to see whether it worked. It seemed like it worked, with the project having 0 vulnerabilities. We will just have to check if forcing the update does not cause any problems, as it is used in a couple of other packages.
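
One way to do the check raised in the comment above (finding which packages use d3-color before forcing it to a single version), as an added example that is not part of the original thread or the project's code. It reads the `packages` map of a lockfileVersion 2/3 `package-lock.json`; the sample lockfile is constructed, with package names taken from the thread and all versions and ranges invented for illustration.

```javascript
// Constructed sample in package-lock.json "packages" format (lockfileVersion 2/3).
// Names come from the thread; every version and range below is invented.
const sampleLock = {
  packages: {
    "": { name: "app", dependencies: { mermaid: "^9.0.0" } },
    "node_modules/mermaid": {
      version: "9.0.0",
      dependencies: { "dagre-d3": "^0.6.4", "d3-color": "^3.0.0" },
    },
    "node_modules/d3-color": { version: "3.0.1" },
    "node_modules/dagre-d3": { version: "0.6.4", dependencies: { "d3-color": "1" } },
    "node_modules/dagre-d3/node_modules/d3-color": { version: "1.4.1" },
  },
};

// Find the installed copy of `dep` that the package at `fromPath` loads,
// walking up nested node_modules directories the way Node resolves modules.
function resolveInstalled(packages, fromPath, dep) {
  let base = fromPath;
  for (;;) {
    const candidate = (base ? base + "/" : "") + "node_modules/" + dep;
    if (packages[candidate]) return candidate;
    if (!base) return null;
    const i = base.lastIndexOf("/node_modules/");
    base = i === -1 ? "" : base.slice(0, i);
  }
}

// List every package that declares `target`, the range it asked for, and the
// copy it currently gets: these are the ones to retest after forcing a version.
function dependentsOf(lock, target) {
  const rows = [];
  for (const [path, meta] of Object.entries(lock.packages)) {
    const deps = { ...meta.devDependencies, ...meta.peerDependencies,
                   ...meta.optionalDependencies, ...meta.dependencies };
    if (!(target in deps)) continue;
    const hit = resolveInstalled(lock.packages, path, target);
    rows.push({
      dependent: path || "(root project)",
      range: deps[target],
      installed: hit ? lock.packages[hit].version : null,
      nestedCopy: hit !== null && hit !== "node_modules/" + target,
    });
  }
  return rows;
}

console.table(dependentsOf(sampleLock, "d3-color"));
```

A dependent whose `range` does not admit the forced version, or that currently has a `nestedCopy`, is where a forced update is most likely to change behaviour.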

@olayway
Member Author

olayway commented Nov 22, 2022

@PhilippeduPreez it seems that mermaid developers have already been working on it. The package which was causing the issue was dagre-d3, which they have just replaced with dagre-d3-es. I've seen they merged the changes only yesterday and for now only to the development branch, so we may need to wait until the next release. I'm marking this issue as blocked for now.

For reference:
mermaid-js/mermaid#3712
mermaid-js/mermaid#3666
mermaid-js/mermaid#3809

@sidharthv96

@olayway I guess this should be fixed now?

@rufuspollock
Member

FIXED. We can close this as all resolved.

@sidharthv96 thanks for the prompt.
