"d3-color": "^2.0.0" is causing high Dependency alert

[amanyzohair]

Describe the bug
Versions prior to 3.1.0 are vulnerable to a Regular expression Denial of Service. This issue has been patched in version 3.1.0. There are no known workarounds .. and I can't update it because it's a dependency in ngx-charts@20.1.0

References

• avoid backtracking d3/d3-color#100
• https://github.com/d3/d3-color/releases/tag/v3.1.0
• https://security.snyk.io/vuln/SNYK-JS-D3COLOR-1076592

Screenshots

[drk-mtr]

I believe this is a duplicate of #1799

It would be great to see this fixed. d3-color is making my charts pretty, but as a side-effect it's also making my vulnerability check pipelines red and angry looking.

[anthonyattard]

Getting this message as well. Hopefully this will be resolved soon as there is already #1800

[uap-universe]

#1798 as well

[marjan-georgiev]

Fixed in 20.1.2

[uap-universe]

@marjan-georgiev It's already some progress that you changed your explicit dependency to d3-color to 3.1.0, but you also have transitive dependencies via the other d3-* packages. npm audit is still complaining.

By the way, for the project itself the situation regarding vulnerable dependencies is even more critical. I freshly checked out the repository and ran npm audit with the following result:

28 vulnerabilities (1 low, 8 moderate, 14 high, 5 critical)

[trickeyone]

@marjan-georgiev I'm still seeing this issue on 20.1.2

├─┬ @swimlane/ngx-charts@20.1.2
│ ├── d3-color@2.0.0 invalid: "^3.1.0" from node_modules/@swimlane/ngx-charts
│ ├─┬ d3-interpolate@2.0.1
│ │ └── d3-color@2.0.0 deduped invalid: "^3.1.0" from node_modules/@swimlane/ngx-charts
│ └─┬ d3-transition@2.0.0
│   └── d3-color@2.0.0 deduped invalid: "^3.1.0" from node_modules/@swimlane/ngx-charts
├── d3-color@3.1.0