upgrade d3-flamegraph to fix security vuln #748
@raidancampbell @aalexand #767 (comment) please check this
FYI - we plan to get rid of the d3 dependency altogether, see #777. As a note, it is discouraged overall to expose the pprof web interface beyond any trusted network domains like local machine. And as a reminder,
Louis-Ye added the labels type: bug (Buganizer type - Bug) and Priority: p3 (Buganizer priority - P3) on May 12, 2023.
What version of pprof are you using?
the latest from main
What is the issue?
The d3flamegraph version used by pprof is using a vulnerable version of d3-color.
d3-color should be upgraded to 3.1.0.
https://github.com/google/pprof/blob/main/third_party/d3flamegraph/package-lock.json#L325
The vuln report could be more detailed:
https://git.soma.salesforce.com/pages/Infrastructure-Security/ast.github.io/sonatype-2021-0795.html
The Snyk report says that it's fixed in 3.1.0.
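An added check (not pprof's own code) for the situation this issue describes: it walks an npm package-lock.json and flags every copy of d3-color older than the 3.1.0 fix version, including a transitive copy nested under d3-flamegraph, for both the lockfileVersion 1 nested tree and the v2/v3 flat "packages" map. The lock-file content in SAMPLE_LOCK is constructed for the example.

```python
import json
import re

FIXED_VERSION = (3, 1, 0)  # d3-color version the report says fixes the issue

def parse_version(v):
    """Turn '3.1.0' (a pre-release suffix is ignored) into a comparable tuple."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", v)
    if not m:
        raise ValueError(f"unparsable version: {v}")
    return tuple(int(x) for x in m.groups())

def find_vulnerable(lock, name="d3-color", fixed=FIXED_VERSION):
    """Return [(path, version)] for every copy of `name` older than `fixed`."""
    hits = []
    # lockfileVersion 2/3: flat "packages" map keyed by install path, so a
    # transitive copy shows up as ".../d3-flamegraph/node_modules/d3-color".
    for path, meta in lock.get("packages", {}).items():
        if path.split("node_modules/")[-1] == name and parse_version(meta["version"]) < fixed:
            hits.append((path, meta["version"]))
    if "packages" in lock:
        return hits
    # lockfileVersion 1: nested "dependencies" tree; recurse so that
    # copies vendored under another package are not missed.
    def walk(deps, prefix):
        for dep, meta in deps.items():
            path = f"{prefix}node_modules/{dep}"
            if dep == name and parse_version(meta["version"]) < fixed:
                hits.append((path, meta["version"]))
            walk(meta.get("dependencies", {}), path + "/")
    walk(lock.get("dependencies", {}), "")
    return hits

# Constructed lock-file content for this example (not pprof's real file):
# the top-level d3-color is fixed, but d3-flamegraph pins an older copy.
SAMPLE_LOCK = json.loads("""{
  "lockfileVersion": 1,
  "dependencies": {
    "d3-flamegraph": {
      "version": "0.0.0-example",
      "dependencies": {"d3-color": {"version": "2.0.0"}}
    },
    "d3-color": {"version": "3.1.0"}
  }
}""")

if __name__ == "__main__":
    for path, version in find_vulnerable(SAMPLE_LOCK):
        print(f"{path}: d3-color {version} is below 3.1.0, upgrade needed")
```

To run it against the real file, pass `json.load(open("third_party/d3flamegraph/package-lock.json"))` instead of SAMPLE_LOCK.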