[Security] d3-color is vulnerable to ReDoS (Regular Expression Denial of Service) #5744

Closed
marvingreeven opened this issue Jul 10, 2024 · 4 comments
Labels
bug Something isn't working elsa 2

Comments

@marvingreeven

Description

"@elsa-workflows/elsa-workflows-studio" depends on "dagre-d3": "^0.6.4", which depends on "d3": "^5.14", which depends on "d3-color": "1", which is vulnerable to Remote DoS: GHSA-36jr-mh4h-2g58

dagre-d3 is not maintained anymore (dagrejs/dagre-d3#434).
There is a fork of this project where this security issue got fixed: https://github.com/tbo47/dagre-es

Should we switch from dagre-d3 v0.6 to dagre-d3-es v7?

Version

@elsa-workflows/elsa-workflows-studio v2.14.1

Logs

"vulnerabilities": {
    "@elsa-workflows/elsa-workflows-studio": {
      "name": "@elsa-workflows/elsa-workflows-studio",
      "severity": "high",
      "isDirect": true,
      "via": [
        "dagre-d3"
      ],
      "effects": [],
      "range": "*",
      "nodes": [
        "node_modules/@elsa-workflows/elsa-workflows-studio"
      ],
      "fixAvailable": false
    },
@marvingreeven marvingreeven added the bug Something isn't working label Jul 10, 2024
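As an added example (not code from the Elsa project or from the issue author), the following Node.js script does what a maintainer triaging this report would want to do by hand: it walks an npm `package-lock.json` (lockfileVersion 2/3, the `packages` map keyed by install path) the way `npm ls` resolves dependencies and prints every path from the root project to a package installed below the advisory's patched version. `SAMPLE_LOCK` is a constructed lockfile mirroring the chain in the issue (elsa-workflows-studio -> dagre-d3 -> d3 -> d3-color 1.x); the intermediate version numbers are illustrative. The patched version 3.1.0 for GHSA-36jr-mh4h-2g58 is an assumption to be confirmed against the advisory.

```javascript
// Added example (not code from the Elsa project or the issue author): walk an
// npm package-lock.json (lockfileVersion 2/3, "packages" map keyed by install
// path) the way `npm ls` does, and list every dependency path from the root to
// a package installed below the advisory's patched version.

// Constructed lockfile that mirrors the chain in the issue:
// elsa-workflows-studio -> dagre-d3 -> d3 -> d3-color@1.x
// The intermediate "version" values are illustrative, not from a real install.
const SAMPLE_LOCK = {
  name: "my-app",
  lockfileVersion: 3,
  packages: {
    "": {
      name: "my-app",
      dependencies: { "@elsa-workflows/elsa-workflows-studio": "2.14.1" },
    },
    "node_modules/@elsa-workflows/elsa-workflows-studio": {
      version: "2.14.1",
      dependencies: { "dagre-d3": "^0.6.4" },
    },
    "node_modules/dagre-d3": { version: "0.6.4", dependencies: { d3: "^5.14" } },
    "node_modules/d3": { version: "5.16.0", dependencies: { "d3-color": "1" } },
    "node_modules/d3-color": { version: "1.4.1" },
  },
};

// Assumption: GHSA-36jr-mh4h-2g58 is fixed in d3-color 3.1.0; confirm against the advisory.
const ADVISORY = { name: "d3-color", patched: "3.1.0" };

// "1.4.1" or "3.1.0-rc.1" -> [1, 4, 1]; pre-release tags are ignored.
function parseVersion(v) {
  return v.split("-")[0].split(".").map((n) => parseInt(n, 10) || 0);
}

// True when `installed` sorts before `patched` (major, then minor, then patch).
function isBelow(installed, patched) {
  const a = parseVersion(installed);
  const b = parseVersion(patched);
  for (let i = 0; i < 3; i++) {
    const x = a[i] || 0;
    const y = b[i] || 0;
    if (x !== y) return x < y;
  }
  return false;
}

// Mimic Node's lookup: the nearest node_modules first, then each ancestor's.
function resolveDep(packages, fromPath, dep) {
  let base = fromPath;
  for (;;) {
    const candidate = base ? `${base}/node_modules/${dep}` : `node_modules/${dep}`;
    if (packages[candidate]) return candidate;
    if (!base) return null;
    const idx = base.lastIndexOf("/node_modules/");
    base = idx === -1 ? "" : base.slice(0, idx);
  }
}

// Returns [{ version, vulnerable, path: ["root", "a@1.0.0", ...] }, ...],
// one entry per distinct path that reaches an installed copy of the package.
function findVulnerablePaths(lock, advisory) {
  const pkgs = lock.packages;
  const findings = [];
  function walk(path, trail, onStack) {
    const entry = pkgs[path];
    const deps = {
      ...(entry.dependencies || {}),
      ...(entry.optionalDependencies || {}),
      ...(path === "" ? entry.devDependencies || {} : {}), // npm installs root devDeps
    };
    for (const dep of Object.keys(deps)) {
      const next = resolveDep(pkgs, path, dep);
      if (!next || onStack.has(next)) continue; // not installed (unmet optional) or a cycle
      const version = pkgs[next].version;
      const nextTrail = [...trail, `${dep}@${version}`];
      if (dep === advisory.name) {
        findings.push({ version, vulnerable: isBelow(version, advisory.patched), path: nextTrail });
        continue;
      }
      onStack.add(next);
      walk(next, nextTrail, onStack);
      onStack.delete(next);
    }
  }
  walk("", [lock.name || "(root)"], new Set([""]));
  return findings;
}

for (const f of findVulnerablePaths(SAMPLE_LOCK, ADVISORY)) {
  const status = f.vulnerable ? "VULNERABLE" : "ok";
  console.log(`${status} ${ADVISORY.name}@${f.version}: ${f.path.join(" > ")}`);
}
```

Against a real lockfile, replace `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`. The printed path is the useful part of the report: it shows that every route to `d3-color` passes through `dagre-d3`, whose `d3 ^5.14` range can only ever satisfy `d3-color` 1.x, which is why `npm audit` reports `"fixAvailable": false` and why the fix has to be a change of the intermediate dependency (the dagre-d3-es fork proposed above) rather than a version bump.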

glime-ai bot commented Jul 10, 2024

Based on the information provided, it seems that the @elsa-workflows/elsa-workflows-studio package has a dependency on dagre-d3, which in turn depends on a version of d3-color that has a known vulnerability. Since dagre-d3 is not maintained anymore, and there is a fork of the project (dagre-d3-es) that has fixed the security issue, it would be reasonable to consider switching to dagre-d3-es to mitigate the vulnerability.

However, before making such a switch, it is important to ensure that dagre-d3-es is compatible with @elsa-workflows/elsa-workflows-studio and that it does not introduce any breaking changes or new issues. It would be advisable to test the integration of dagre-d3-es with @elsa-workflows/elsa-workflows-studio in a development environment before deploying it to production.

If you are a maintainer or contributor to the @elsa-workflows/elsa-workflows-studio project, you should consider opening an issue or pull request in the project's repository to discuss this change with the project maintainers. If you are a user of the package, you may want to reach out to the maintainers to bring this issue to their attention and ask about their plans for addressing the vulnerability.

Please note that I do not have access to the latest information beyond my knowledge cutoff date, so it is possible that there have been updates or changes since then. Always refer to the official documentation and communication channels of the project for the most current information.

This comment was generated by Glime.

@sfmskywalker
Member

That would be good. Perhaps you want to propose a PR?

@marvingreeven
Author

Already created one :)
#5745

@sfmskywalker
Member

Ah, perfect. Thanks!
