Security vulnerability fix for d3-color nice-to-have in version 1.x

[danisluk]

Please, would it be possible to backport the fix made in #100 to d3-color 1.x ?

There are multiple people, who would be happy for this backport.

[mbostock]

I’m not going to do this but you are welcome to fork this repository.

[mpopv]

1.x fork here with fix cherry-picked: https://www.npmjs.com/package/d3-color-1-fix

Install package and point to it with "d3-color": "npm:d3-color-1-fix" in "resolutions" (yarn) or "overrides" (npm).

[uwang]

After I change to:

{
    "resolutions": {
        "d3-color": "https://registry.npmmirror.com/d3-color-1-fix/-/d3-color-1-fix-1.4.2.tgz"
    }
}

It works. But audit always need 3.1.0

[mpopv]

I'd recommend not using the tgz directly because it can't be audited like a package by automated tooling.

You're also probably going to want to manually search your lockfile after adding the override to make sure vulnerable versions of d3-color are expunged; there are some versions of npm (<8.7, I believe) where lockfile generation for overrides was broken so it would not be properly expunged and you will trip automated vulnerability checkers even with the override added properly in package.json.