Skip to content

Fix d3-color ReDoS vulnerability (GHSA-36jr-mh4h-2g58)#32

Open
willie wants to merge 1 commit into
elastic:mainfrom
vitalsource:fix-d3-color-cve
Open

Fix d3-color ReDoS vulnerability (GHSA-36jr-mh4h-2g58)#32
willie wants to merge 1 commit into
elastic:mainfrom
vitalsource:fix-d3-color-cve

Conversation

@willie

@willie willie commented Apr 6, 2026

Copy link
Copy Markdown
Contributor

Summary

  • Adds npm overrides to force d3-color>=3.1.0 across all transitive deps
  • Fixes HIGH severity ReDoS vulnerability in d3-color@2.0.0
  • Root cause: @elastic/charts pins d3-scale@^3.3.0 which caps d3-interpolate at v2, pulling in vulnerable d3-color@2.0.0. No upstream fix available — latest @elastic/charts@71.4.1 still has this pinning.
  • The >=3.1.0 override is future-safe and becomes a no-op once upstream bumps to d3-scale@4

Test plan

  • npm ls d3-color confirms both copies resolve to 3.1.0
  • npm audit no longer flags d3-color
  • CI passes

🤖 Generated with Claude Code

Add npm override to force d3-color>=3.1.0. The vulnerable 2.0.0
comes via @elastic/charts -> d3-scale@3 -> d3-interpolate@2 and
upstream has no fix — they still pin d3-scale@^3.3.0.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant