Can you update d3-scale, d3-interpolate and d3-color? #4507

Closed
bbimber opened this issue Aug 1, 2024 · 8 comments · Fixed by #4508
Labels
enhancement New feature or request

Comments

@bbimber
Contributor

bbimber commented Aug 1, 2024

Hello,

Our package depends on jbrowse, and we're getting vulnerability alerts about d3-scale, d3-interpolate and d3-color. Is there a chance you could upgrade them in jbrowse?

Thanks,
Ben

@bbimber bbimber added the enhancement New feature or request label Aug 1, 2024
@cmdcolin
Collaborator

cmdcolin commented Aug 1, 2024

there are a number of things that actually make this a little trickier than face value, specifically that d3 adopted "pure ESM" modules in the version that fixes the vulnerability, and pure ESM modules are sort of a can of worms. bundlers for the web often smooth over these issues, but they are often very obvious when you try to use any jbrowse stuff in a nodejs environment (@jbrowse/img does this, as well as jest tests that use jbrowse, etc).

specifically, even if jbrowse is able to adapt to the pure ESM via custom nodejs and jest configs, having these pure ESM modules can be an additional headache for consumers of jbrowse packages e.g. our embedded modules. therefore, we have not, to date, adopted any pure ESM modules. in some cases we have "vendored" (copied the entire codebase of) some modules into our system to avoid this, but with d3, that would require copying almost the entirety of d3 to make that work because there are many interdependent modules.

that is why this hasn't been done yet. we could try to find some sort of solution though...

@bbimber
Contributor Author

bbimber commented Aug 1, 2024

ok, got it.

@cmdcolin
Collaborator

cmdcolin commented Aug 1, 2024

if it is any consolation, the vulnerability is very low impact with the maximum damage being "denial of service" (probably just client side in the browser, causing 100% CPU) if a maliciously crafted regex gets into place (https://github.com/GMOD/jbrowse-components/security/dependabot/135)
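
The alerts in this thread come from transitive copies of the d3 modules, and a lockfile can hold several copies at different nesting depths. The following is an added example (not jbrowse code, and not from any commenter) that walks a `lockfileVersion` 2/3 `package-lock.json` and reports every copy of d3-color, d3-interpolate or d3-scale below a minimum version. The lockfile contents and the `ASSUMED_MINIMUMS` thresholds are constructed for the demo; take the real patched versions from the advisory rather than from this snippet.

```javascript
// Parse "major.minor.patch" (pre-release/build suffixes are ignored for this demo).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1).map(Number);
}

// True when version a is strictly older than version b.
function olderThan(a, b) {
  const [x, y] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] < y[i];
  return false;
}

// Walk lock.packages (keys are install paths such as
// "node_modules/foo/node_modules/d3-color") and collect copies of the
// watched packages whose version is below the given minimum.
function findVulnerable(lock, minimums) {
  if (!lock.packages || lock.lockfileVersion < 2) {
    throw new Error('lockfileVersion >= 2 with a "packages" map is required');
  }
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages)) {
    const name = path.split('node_modules/').pop(); // last segment is the package name
    if (!(name in minimums) || !entry.version) continue;
    if (olderThan(entry.version, minimums[name])) {
      hits.push({ name, version: entry.version, min: minimums[name], path });
    }
  }
  return hits;
}

// ASSUMPTION for the demo only: thresholds are placeholders, not advisory data.
const ASSUMED_MINIMUMS = { 'd3-color': '3.1.0', 'd3-interpolate': '3.0.0', 'd3-scale': '4.0.0' };

// Constructed lockfile: one hoisted old d3-color, one nested newer copy.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'my-app', dependencies: { 'viewer-lib': '^1.0.0' } },
    'node_modules/viewer-lib': { version: '1.0.0', dependencies: { 'd3-scale': '^3.3.0' } },
    'node_modules/d3-scale': { version: '3.3.0', dependencies: { 'd3-color': '1 - 2' } },
    'node_modules/d3-color': { version: '2.0.0' },
    'node_modules/chart-lib/node_modules/d3-color': { version: '3.1.0' },
  },
};

for (const h of findVulnerable(SAMPLE_LOCK, ASSUMED_MINIMUMS)) {
  console.log(`${h.name}@${h.version} (< ${h.min}) at ${h.path}`);
}
```

Replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json'))` to run it against a real project; the nested copy at `node_modules/chart-lib/node_modules/d3-color` is reported as clean while the hoisted 2.0.0 copy is flagged.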

@cmdcolin
Collaborator

cmdcolin commented Aug 1, 2024

link seems private so image below

image

@cmdcolin
Collaborator

cmdcolin commented Aug 1, 2024

random interesting note: the material-ui team went ahead and vendored d3 to solve basically this problem (see https://github.com/mui/mui-x/releases/tag/v7.12.0)

@cmdcolin
Collaborator

cmdcolin commented Aug 1, 2024

my last comment (#4507 (comment)) actually was very serendipitous and allowed this to get a fix

@cmdcolin
Collaborator

should be released now in v2.14.0!

@bbimber
Contributor Author

bbimber commented Aug 28, 2024

thanks!
