upgrade d3-flamegraph to fix security vuln #748
Labels
Comments
|
@raidancampbell @aalexand #767 (comment) please check this |
|
FYI - we plan to get rid of the d3 dependency altogether, see #777. As a note, it is discouraged overall to expose the pprof web interface beyond any trusted network domains like local machine. And as a reminder, |
Louis-Ye
added
type: bug
|
#777 removed the d3 dep so this is not relevant anymore. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
What version of pprof are you using?
the latest from main
What is the issue
The d3flamegraph version used by pprof is using a vulnerable version of d3-color.
d3-color should be upgraded to 3.1.0
https://github.com/google/pprof/blob/main/third_party/d3flamegraph/package-lock.json#L325
The vuln report could be more detailed:
https://git.soma.salesforce.com/pages/Infrastructure-Security/ast.github.io/sonatype-2021-0795.html
The snyk report says that it's fixed in 3.1.0
The text was updated successfully, but these errors were encountered: