Problem
`components/Visualization/Graphvisualization.js` depends on `graphviz-react`, which:
- Last published: October 2022 (nearly 3 years ago)
- 6 open PRs, unmerged — repo is effectively abandoned
- Pins its own dependency on `d3-graphviz@^2.6.1`, so npm installs a nested old copy and ignores the `d3-graphviz` version in our own `package.json`

This causes a cascade of high-severity vulnerabilities from `graphviz-react`'s pinned-old transitive deps:
| Package | Vulnerable range | Severity |
|---|---|---|
| `graphviz-react` | `*` | high |
| `d3-graphviz` | `<=4.5.0` | high |
| `d3-color` | `<3.1.0` | high (ReDoS) |
| `d3-interpolate` | `0.1.3 - 2.0.1` | high |
| `d3-transition` | `0.0.7 - 2.0.0` | high |
| `d3-zoom` | `0.0.2 - 2.0.0` | high |
Proposed fix
We already have `d3-graphviz@^5.6.0` (the current maintained version) in `package.json`. The fix is to:
- Write a thin React wrapper around `d3-graphviz` directly (~30 lines, `useEffect` + a `<div ref>`)
- Drop `graphviz-react` from `package.json`

The API surface in `Graphvisualization.js` is minimal — it only uses `<Graphviz dot={...} options={...} />` — so the replacement would be a drop-in with no call-site changes.
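A minimal version of that wrapper, as an added example (not code from this repository or from `graphviz-react`). It assumes `d3-graphviz` 5.x, an optional `className` passthrough, and the default option values below, which mirror `graphviz-react`'s documented defaults (`fit`, `height`, `width`, `zoom`) so the existing call site keeps rendering the same way:

```jsx
// Graphviz.jsx: added example wrapper around d3-graphviz (assumed ^5.x).
// Exposes the same props the call site in Graphvisualization.js already
// uses: `dot` (DOT source string) and `options` (d3-graphviz option object).
import React, { useEffect, useRef } from 'react';
import { graphviz } from 'd3-graphviz';

// Assumed defaults, chosen to match graphviz-react's documented defaults so the
// swap is drop-in. Override any of them via the `options` prop.
const DEFAULT_OPTIONS = { fit: true, height: 500, width: 500, zoom: false };

export default function Graphviz({ dot, options, className }) {
  const containerRef = useRef(null);

  // Serialise the options so an inline `options={{ ... }}` literal at the call
  // site (a new object identity on every parent render) does not re-render
  // the whole graph each time; only a real change in option values does.
  const optionsKey = JSON.stringify(options ?? {});

  useEffect(() => {
    const container = containerRef.current;
    if (!container) return undefined;

    // d3-graphviz accepts a DOM node (or selector) plus an options object.
    const renderer = graphviz(container, {
      ...DEFAULT_OPTIONS,
      ...(options ?? {}),
    });
    renderer.renderDot(dot);

    // Tear down the renderer (pending transitions, worker, listeners) when
    // `dot` or the options change, and on unmount.
    return () => {
      renderer.destroy();
    };
    // `options` is covered by `optionsKey`; see the comment above.
    // eslint-disable-next-line react-hooks/exhaustive-deps
  }, [dot, optionsKey]);

  return <div ref={containerRef} className={className} />;
}
```

Two caveats worth keeping in mind when wiring this in: d3-graphviz renders through a web worker by default, so if the bundler does not serve the worker script, pass `useWorker: false` in `options`; and if the `dot` string can ever be influenced by user input, remember that Graphviz `URL`/`href` attributes are emitted as live links in the generated SVG, so strip or validate them before rendering rather than relying on the wrapper to do it.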
Related
See also #91 (cleanup of other unused files). testAutoProb.js (proposed for deletion there) is the only other user of graphviz-react.