d3-interpolate depends on vulnerable d3-color

[alexvanacker]

Following the vulnerability revealed in https://security.snyk.io/vuln/SNYK-JS-D3COLOR-1076592

plotly.js uses d3-interpolate 1.4.1 which still depends on vulnerable d3-color 1.4.1

Given plotly currenlty depends on d3-color 3.8 (see https://github.com/plotly/d3/blob/master/package.js) which is not affected, could we update this dependency to 3.0.1?

[whittet]

Impacts angular 14

[krisstern]

The vulnerability in d3-color was patched for version >=3.1.0.

[peratik]

"plotly.js": "^2.15.1",

Hi, Same here, Please advice.

[archmoj]

The d3-interpolate module is an ES module.
To handle that we need to change our build processes quite a bit.
This may include migrating from browserify to webpack.
.AND. we are currently investigating that.

[saumzzz]

Hey guys any update on this? Any temporary workarounds?

[raulmarindev]

They started with the migration to webpack. #6355

[whittet]

Looks like now that webpack is merged to master the d3-interpolate package version can be updated to 3.0.1. I asked for same in a comment on this PR: #6344

[flying-sheep]

I did that in #6427, but I don’t know how to fix the build error.

If you want this fixed, feel free to help fix that PR.

[krisstern]

I found out if I use yarn I can add the following to package.json and then run yarn install (may need to delete the entire node_modules beforehand) to get rid of the vulnerability after upgrading plotly.js to version 2.17.1:

"resolutions": {
    "plotly.js/d3-interpolate/d3-color": "3.1.0"
}

[whittet]

@krisstern Thanks! I don't have yarn, so my alternative is to upgrade npm to ^8.3.0, upgrade node to ^16.13.0 (due to Angular 14.2) and add the following to package.json:

"overrides": {
"d3-color": "3.1.0",
}

I'm sure a few other overrides could work, but this was the first one I found.

Although, this completely rewrote the angular site's package-lock.json.

[archmoj]

Addressed in #6463.