
Upgrade d3-color to >= 3.1.0 to avoid security vulnerability #2265

Closed
captainamerican opened this issue Mar 15, 2023 · 7 comments

Comments

@captainamerican

Describe/explain the bug

d3-color < v3.1.0 has a high-level security vulnerability. The solution is to upgrade the version to 3.1.0 or above.

To Reproduce

  1. Run npm audit with nivo installed.
  2. See error (I'll post my logs in a comment)

Expected behavior
There should be no security error relating to nivo.

Additional context
Upgrading d3-color is the prescribed solution, but it might require upgrading other d3 libraries as well.

@captainamerican
Author

My npm audit demonstrating this error:

```
d3-color  <3.1.0
Severity: high
d3-color vulnerable to ReDoS - https://github.com/advisories/GHSA-36jr-mh4h-2g58
fix available via `npm audit fix --force`
Will install @nivo/[email protected], which is a breaking change
node_modules/d3-color
  @nivo/colors  *
  Depends on vulnerable versions of @nivo/core
  Depends on vulnerable versions of d3-color
  Depends on vulnerable versions of d3-scale
  Depends on vulnerable versions of d3-scale-chromatic
  node_modules/@nivo/colors
    @nivo/annotations  *
    Depends on vulnerable versions of @nivo/colors
    Depends on vulnerable versions of @nivo/core
    node_modules/@nivo/annotations
      @nivo/line  *
      Depends on vulnerable versions of @nivo/annotations
      Depends on vulnerable versions of @nivo/axes
      Depends on vulnerable versions of @nivo/colors
      Depends on vulnerable versions of @nivo/core
      Depends on vulnerable versions of @nivo/legends
      Depends on vulnerable versions of @nivo/scales
      Depends on vulnerable versions of @nivo/tooltip
      Depends on vulnerable versions of @nivo/voronoi
      node_modules/@nivo/line
      @nivo/scatterplot  *
      Depends on vulnerable versions of @nivo/annotations
      Depends on vulnerable versions of @nivo/axes
      Depends on vulnerable versions of @nivo/colors
      Depends on vulnerable versions of @nivo/core
      Depends on vulnerable versions of @nivo/legends
      Depends on vulnerable versions of @nivo/scales
      Depends on vulnerable versions of @nivo/tooltip
      Depends on vulnerable versions of @nivo/voronoi
      Depends on vulnerable versions of d3-scale
      node_modules/@nivo/scatterplot
    @nivo/arcs  *
    Depends on vulnerable versions of @nivo/colors
    Depends on vulnerable versions of @nivo/core
    node_modules/@nivo/arcs
      @nivo/pie  *
      Depends on vulnerable versions of @nivo/arcs
      Depends on vulnerable versions of @nivo/colors
      Depends on vulnerable versions of @nivo/core
      Depends on vulnerable versions of @nivo/legends
      Depends on vulnerable versions of @nivo/tooltip
      node_modules/@nivo/pie
    @nivo/bar  *
    Depends on vulnerable versions of @nivo/annotations
    Depends on vulnerable versions of @nivo/axes
    Depends on vulnerable versions of @nivo/colors
    Depends on vulnerable versions of @nivo/core
    Depends on vulnerable versions of @nivo/legends
    Depends on vulnerable versions of @nivo/scales
    Depends on vulnerable versions of @nivo/tooltip
    Depends on vulnerable versions of d3-scale
    node_modules/@nivo/bar
  @nivo/core  *
  Depends on vulnerable versions of @nivo/tooltip
  Depends on vulnerable versions of d3-color
  Depends on vulnerable versions of d3-interpolate
  Depends on vulnerable versions of d3-scale
  Depends on vulnerable versions of d3-scale-chromatic
  node_modules/@nivo/core
    @nivo/axes  *
    Depends on vulnerable versions of @nivo/core
    Depends on vulnerable versions of @nivo/scales
    node_modules/@nivo/axes
    @nivo/legends  >=0.56.0
    Depends on vulnerable versions of @nivo/core
    node_modules/@nivo/legends
    @nivo/tooltip  *
    Depends on vulnerable versions of @nivo/core
    node_modules/@nivo/tooltip
    @nivo/voronoi  *
    Depends on vulnerable versions of @nivo/core
    Depends on vulnerable versions of d3-scale
    node_modules/@nivo/voronoi
  d3-interpolate  0.1.3 - 2.0.1
  Depends on vulnerable versions of d3-color
  node_modules/d3-interpolate
    d3-scale  0.1.5 - 3.3.0
    Depends on vulnerable versions of d3-interpolate
    node_modules/d3-scale
      @nivo/scales  *
      Depends on vulnerable versions of d3-scale
      node_modules/@nivo/scales
    d3-scale-chromatic  0.1.0 - 2.0.0
    Depends on vulnerable versions of d3-color
    Depends on vulnerable versions of d3-interpolate
    node_modules/d3-scale-chromatic
```

@BruceHubbard

There was a PR merged recently that addresses this (https://github.com/plouc/nivo/pull/2142/files) but I don't think there has been a release yet that contains the fix (I'm waiting on it as well)

@francescocretti
Contributor

Hi @plouc. I'm waiting for the release with the d3-color upgrade too.

@Cellule

Cellule commented Mar 21, 2023

That PR is not sufficient because version 2 is still being installed by d3-scale-chromatic and d3-interpolate
https://github.com/plouc/nivo/blob/4240e36ce5ffa556470e40d20ec57cc6ec243a23/yarn.lock#L9620-L9628
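The point raised above (a hoisted d3-color 3.1.0 does not help if d3-interpolate@2 and d3-scale-chromatic@2 still nest their own d3-color@2) can be checked mechanically. The following is an added example, not nivo's code: it walks a tree shaped like `npm ls --all --json` output and reports every copy of a package below a minimum version together with the chain that pulls it in. The sample tree and its `@nivo/core` version are constructed for illustration.

```javascript
// Added example (not from the nivo project): walk an `npm ls --all --json` tree
// and report every copy of a package below a minimum version, with the path that
// pulls it in, so a fix can be confirmed to have removed nested copies as well.
'use strict';

// Plain "x.y.z" comparison; enough for the d3 release versions in question.
function versionLessThan(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i += 1) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i];
  }
  return false;
}

// Recursively collect every `name` below `minVersion`; each hit records the
// chain of packages (name@version) from the root down to the vulnerable copy.
function findVulnerableCopies(tree, name, minVersion, path = [tree.name]) {
  const hits = [];
  for (const [depName, dep] of Object.entries(tree.dependencies || {})) {
    const depPath = [...path, `${depName}@${dep.version}`];
    if (depName === name && versionLessThan(dep.version, minVersion)) {
      hits.push({ version: dep.version, path: depPath.join(' > ') });
    }
    hits.push(...findVulnerableCopies(dep, name, minVersion, depPath));
  }
  return hits;
}

// Constructed sample shaped like `npm ls --all --json`: d3-color 3.1.0 is
// hoisted to the top level, but d3-interpolate@2 and d3-scale-chromatic@2 each
// still nest their own d3-color@2, which is what `npm audit` keeps flagging.
const sampleTree = {
  name: 'my-app',
  dependencies: {
    'd3-color': { version: '3.1.0' },
    '@nivo/core': {
      version: '1.2.3', // constructed version, not a real nivo release
      dependencies: {
        'd3-interpolate': { version: '2.0.1', dependencies: { 'd3-color': { version: '2.0.0' } } },
        'd3-scale-chromatic': { version: '2.0.0', dependencies: { 'd3-color': { version: '2.0.0' } } },
      },
    },
  },
};

// Real use: pipe `npm ls --all --json` into this script and JSON.parse(stdin) instead.
const sampleHits = findVulnerableCopies(sampleTree, 'd3-color', '3.1.0');
for (const h of sampleHits) console.log(`d3-color@${h.version} via ${h.path}`);
```

An empty result on a real tree means no nested copy below 3.1.0 remains; the two hits on the sample reproduce the situation the comment describes.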

@sebasegura97

Hi @plouc! I'm waiting for the release too

@StijnKlarenbeek

Any update on this?

@plouc
Owner

plouc commented May 1, 2023

d3-color has been updated (in @nivo/*@0.81.0), but this can lead to issues.

@plouc plouc closed this as completed May 1, 2023