
d3-color vulnerable to ReDoS - https://github.com/advisories/GHSA-36jr-mh4h-2g58 #3666

Closed
huineng opened this issue Oct 13, 2022 · 7 comments · Fixed by #3809
Labels
Status: Triage Needs to be verified, categorized, etc Type: Bug / Error Something isn't working or is incorrect

Comments

@huineng

huineng commented Oct 13, 2022

There's a vulnerability reported on packages that dagre-d3 uses

Unfortunately that repo is no longer supported https://github.com/dagrejs/dagre-d3

Are there any plans to mitigate this?
This is reported by npm audit, but npm install will also display it.

This will cause serious issues for mermaid going forward as these are reported as high

Thanks

# npm audit report

d3-color  <3.1.0
Severity: high
d3-color vulnerable to ReDoS - https://github.com/advisories/GHSA-36jr-mh4h-2g58
fix available via `npm audit fix --force`
Will install mermaid@8.4.3, which is a breaking change
node_modules/dagre-d3/node_modules/d3-color
  d3  4.0.0-alpha.1 - 6.7.0
  Depends on vulnerable versions of d3-brush
  Depends on vulnerable versions of d3-color
  Depends on vulnerable versions of d3-interpolate
  Depends on vulnerable versions of d3-scale
  Depends on vulnerable versions of d3-transition
  Depends on vulnerable versions of d3-zoom
  node_modules/dagre-d3/node_modules/d3
    dagre-d3  >=0.5.0
    Depends on vulnerable versions of d3
    node_modules/dagre-d3
      mermaid  8.4.1 - 8.4.2 || >=8.4.4
      Depends on vulnerable versions of dagre-d3
      node_modules/mermaid
  d3-interpolate  0.1.3 - 2.0.1
  Depends on vulnerable versions of d3-color
  node_modules/dagre-d3/node_modules/d3-interpolate
    d3-brush  0.1.0 - 2.1.0
    Depends on vulnerable versions of d3-interpolate
    Depends on vulnerable versions of d3-transition
    node_modules/dagre-d3/node_modules/d3-brush
    d3-scale  0.1.5 - 3.3.0
    Depends on vulnerable versions of d3-interpolate
    node_modules/dagre-d3/node_modules/d3-scale
    d3-scale-chromatic  0.1.0 - 2.0.0
    Depends on vulnerable versions of d3-color
    Depends on vulnerable versions of d3-interpolate
    node_modules/dagre-d3/node_modules/d3-scale-chromatic
    d3-transition  0.0.7 - 2.0.0
    Depends on vulnerable versions of d3-color
    Depends on vulnerable versions of d3-interpolate
    node_modules/dagre-d3/node_modules/d3-transition
    d3-zoom  0.0.2 - 2.0.0
    Depends on vulnerable versions of d3-interpolate
    Depends on vulnerable versions of d3-transition
    node_modules/dagre-d3/node_modules/d3-zoom
@huineng huineng added Status: Triage Needs to be verified, categorized, etc Type: Bug / Error Something isn't working or is incorrect labels Oct 13, 2022
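The audit report above is npm walking the lockfile and printing every install path that reaches a d3-color below the patched version. The following Node script is an added example, not code from the mermaid or dagre-d3 projects: it performs the same check offline against a constructed package-lock.json (lockfileVersion 3 "packages" form) whose layout mirrors the report's `node_modules/dagre-d3/node_modules/d3-color` nesting. The package versions in the constructed lockfile and the `ADVISORY` object are assumptions for illustration; the only value taken from the page is the vulnerable range `<3.1.0` from GHSA-36jr-mh4h-2g58. It also shows why a hoisted, patched copy at the top level does not clear the finding: Node resolution picks the nearest `node_modules`, so the nested copy is what dagre-d3's d3 actually loads.

```javascript
// Added example (not from mermaid/dagre-d3): find vulnerable copies of a package in
// an npm lockfile and print the dependency chain from the root to each copy.

// Constructed advisory descriptor; the range <3.1.0 is the one shown in the audit report.
const ADVISORY = { name: "d3-color", below: "3.1.0", id: "GHSA-36jr-mh4h-2g58" };

// Constructed lockfile (versions are illustrative, not the real ones shipped by these packages).
const LOCKFILE = {
  lockfileVersion: 3,
  packages: {
    "": { name: "app", version: "1.0.0", dependencies: { mermaid: "*", "d3-color": "^3.1.0" } },
    "node_modules/d3-color": { version: "3.1.0" },                 // patched copy, hoisted
    "node_modules/mermaid": { version: "8.4.4", dependencies: { "dagre-d3": "*" } },
    "node_modules/dagre-d3": { version: "0.6.4", dependencies: { d3: "*" } },
    "node_modules/dagre-d3/node_modules/d3": {
      version: "5.16.0", dependencies: { "d3-color": "1", "d3-interpolate": "1" } },
    "node_modules/dagre-d3/node_modules/d3-color": { version: "1.4.1" },   // nested, vulnerable
    "node_modules/dagre-d3/node_modules/d3-interpolate": {
      version: "1.4.0", dependencies: { "d3-color": "1" } },
  },
};

// Minimal semver parse: major.minor.patch with an optional prerelease tag.
function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { major: +m[1], minor: +m[2], patch: +m[3], pre: m[4] || null };
}

// a < b. A prerelease sorts before its release; two prereleases of the same
// version are not ordered further (enough for an upper bound like <3.1.0).
function lessThan(a, b) {
  const x = parseSemver(a), y = parseSemver(b);
  if (x.major !== y.major) return x.major < y.major;
  if (x.minor !== y.minor) return x.minor < y.minor;
  if (x.patch !== y.patch) return x.patch < y.patch;
  return x.pre !== null && y.pre === null;
}

// Package name from a lockfile path ("node_modules/a/node_modules/@s/b" -> "@s/b").
function packageName(path) {
  const marker = "node_modules/";
  return path.slice(path.lastIndexOf(marker) + marker.length);
}

// Node-style resolution: nearest node_modules/<name> walking up from fromPath.
function resolve(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = base ? `${base}/node_modules/${name}` : `node_modules/${name}`;
    if (packages[candidate]) return candidate;
    if (!base) return null;                      // not installed at all
    const i = base.lastIndexOf("/node_modules/");
    base = i === -1 ? "" : base.slice(0, i);
  }
}

// Reverse edges: resolved dependency path -> paths of the packages that load it.
function dependents(packages) {
  const rev = new Map();
  for (const [path, entry] of Object.entries(packages)) {
    for (const dep of Object.keys(entry.dependencies || {})) {
      const target = resolve(packages, path, dep);
      if (!target) continue;
      if (!rev.has(target)) rev.set(target, []);
      rev.get(target).push(path);
    }
  }
  return rev;
}

// All chains root -> ... -> path, with a visited set guarding against cycles.
function chainsToRoot(rev, path, visited) {
  if (path === "") return [[""]];
  if (visited.has(path)) return [];
  visited.add(path);
  const out = [];
  for (const parent of rev.get(path) || []) {
    for (const chain of chainsToRoot(rev, parent, visited)) out.push([...chain, path]);
  }
  visited.delete(path);
  return out;
}

// Report every installed copy of advisory.name whose version is below advisory.below.
function findVulnerable(lockfile, advisory) {
  const packages = lockfile.packages;
  const rev = dependents(packages);
  const findings = [];
  for (const [path, entry] of Object.entries(packages)) {
    if (path === "" || packageName(path) !== advisory.name) continue;
    if (!lessThan(entry.version, advisory.below)) continue;
    const chains = chainsToRoot(rev, path, new Set()).map((chain) =>
      chain.map((p) => (p === "" ? packages[""].name || "root" : packageName(p))).join(" > "));
    findings.push({ path, version: entry.version, chains });
  }
  return findings;
}

if (typeof require !== "undefined" && require.main === module) {
  for (const f of findVulnerable(LOCKFILE, ADVISORY)) {
    console.log(`${ADVISORY.id}: ${f.path}@${f.version}`);
    for (const c of f.chains) console.log(`  via ${c}`);
  }
}
```

To run it against a real project, replace `LOCKFILE` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; the same walk explains the report above, where mermaid > dagre-d3 > d3 > d3-interpolate > d3-color is the chain that keeps the old copy installed, so the fix has to come from a dagre-d3 or mermaid release that moves to a patched d3, not from adding d3-color@3.1.0 at the top level.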
@mishugana

Would love to take this on

@MgenGlder

MgenGlder commented Oct 31, 2022

👋🏾 As a dedicated MermaidJS user, I would also love for this to be looked into as well 🙇🏾. It's tripping our security alerts as a high-priority security issue and seems like an important vulnerability to address. Would love to assist in any way if possible.

@huineng

huineng commented Oct 31, 2022

#3712

@huineng

huineng commented Nov 23, 2022

It's all great work that we solve these vulnerabilities. But it can only really be closed once a package is published.
Is there an outlook or process for when something gets published?

@rinchik

rinchik commented Nov 29, 2022

Is there an ETA for the release? Same issue as @MgenGlder with security alerts preventing the use of Mermaid 😞

@huineng

huineng commented Dec 7, 2022

Can we expect a release this week? We have a corporate freeze for year-end development and would like to close off high-severity vulnerabilities.
Thanks

@benjmac

benjmac commented Dec 14, 2022

Do we have an ETA for this release? Hoping to be able to use mermaid once the security concern has been addressed.
