antvis/G6


[Bug]: hull.js Code Injection Vulnerability #6605

Rey-Wang posted on GitHub

Describe the bug / 问题描述

Could we upgrade to the latest version? Also, the new version of hull.js is not hosted on npm.

Since version 1.0.7 this library is not hosted on npmjs.com, but you can use GitHub URL as a dependency, e.g.:

"dependencies": {
        "hull.js": "andriiheonia/hull#semver:^1.0.10"
    }


No response

Steps to Reproduce the Bug or Issue / 重现步骤

No response

G6 Version / G6 版本

🆕 5.x

OS / 操作系统

  • macOS
  • Windows
  • Linux
  • Others / 其他

Browser / 浏览器

  • Chrome
  • Edge
  • Firefox
  • Safari (Limited support / 有限支持)
  • IE (Nonsupport / 不支持)
  • Others / 其他
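
The hull.js README quoted above shows the workaround for a package that is no longer published to npm: point the dependency at a GitHub repository instead of the registry. The following is an added example, not code from G6, hull.js or any participant in this thread: a small audit that walks a package.json and reports every dependency that bypasses the npm registry (GitHub shorthand, git URLs, tarball URLs, local paths) and whether it is pinned to an immutable revision. The sample manifest is constructed for the example; the hull.js line in it is the exact form quoted in the issue, and the other names and the example.invalid hosts are made up.

```javascript
// Added example (not G6 or hull.js code): audit a package.json for
// dependencies that do not resolve through the npm registry.
// A GitHub shorthand such as "user/repo#semver:^1.0.10" is fetched from
// GitHub at install time and follows the newest matching tag, so unless it
// is pinned to a full commit SHA the code installed later can differ from
// the code that was reviewed.

const SHA_RE = /^[0-9a-f]{40}$/i;

// Split "spec#committish" into [spec, committish]; committish may be undefined.
function splitCommittish(spec) {
  const i = spec.indexOf('#');
  return i === -1 ? [spec, undefined] : [spec.slice(0, i), spec.slice(i + 1)];
}

// Return { kind, pinned } for one dependency specifier.
//   kind: 'registry' | 'git-shorthand' | 'git-url' | 'tarball-url' | 'local' | 'alias'
//   pinned: true only when the source is immutable (an exact registry
//           version, or a git ref that is a full 40-hex commit SHA).
function classifySpec(spec) {
  const s = spec.trim();
  if (s.startsWith('npm:')) {
    // "npm:real-name@range" alias; judge the target range instead
    const at = s.lastIndexOf('@');
    const range = at > 4 ? s.slice(at + 1) : '*';
    return { kind: 'alias', pinned: /^\d+\.\d+\.\d+$/.test(range) };
  }
  if (/^(file:|\.\.?\/|\/)/.test(s)) return { kind: 'local', pinned: true };
  if (/^git(\+\w+)?:\/\//.test(s) || /^(ssh:\/\/|git@)/.test(s) || /\.git(#.*)?$/.test(s)) {
    const [, ref] = splitCommittish(s);
    return { kind: 'git-url', pinned: !!ref && SHA_RE.test(ref) };
  }
  if (/^(github|gitlab|bitbucket|gist):/.test(s) || /^[\w.-]+\/[\w.-]+(#.*)?$/.test(s)) {
    const [, ref] = splitCommittish(s);
    // "#semver:^1.0.10" resolves to a tag; tags and branches are movable.
    return { kind: 'git-shorthand', pinned: !!ref && SHA_RE.test(ref) };
  }
  if (/^https?:\/\//.test(s)) return { kind: 'tarball-url', pinned: false };
  // Anything else is a registry range: "^1.2.3", "~1.0", "1.2.3", "*", "latest"
  return { kind: 'registry', pinned: /^=?\d+\.\d+\.\d+(-[\w.]+)?$/.test(s) };
}

// Walk every dependency section and report specifiers that bypass the registry.
function auditDependencies(pkg) {
  const sections = ['dependencies', 'devDependencies', 'optionalDependencies', 'peerDependencies'];
  const findings = [];
  for (const section of sections) {
    for (const [name, spec] of Object.entries(pkg[section] || {})) {
      const { kind, pinned } = classifySpec(spec);
      if (kind !== 'registry') findings.push({ section, name, spec, kind, pinned });
    }
  }
  return findings;
}

// Constructed sample manifest. The hull.js entry is the form quoted in the
// issue; the remaining entries and the example.invalid hosts are made up.
const SAMPLE_PACKAGE_JSON = {
  name: 'sample-app',
  dependencies: {
    'hull.js': 'andriiheonia/hull#semver:^1.0.10',
    '@antv/g6': '^5.0.0',
    'left-pad': 'https://example.invalid/left-pad-1.3.0.tgz',
    'internal-utils': 'git+ssh://git@example.invalid/org/utils.git#0123456789abcdef0123456789abcdef01234567',
  },
  devDependencies: {
    typescript: '5.4.5',
  },
};

for (const f of auditDependencies(SAMPLE_PACKAGE_JSON)) {
  const note = f.pinned ? 'pinned' : 'NOT pinned to a commit';
  console.log(`${f.section}: ${f.name} -> ${f.kind} (${note}): ${f.spec}`);
}
```

Running the audit over the sample prints three findings: the hull.js GitHub shorthand and the tarball URL are unpinned, while the git URL that ends in a full commit SHA is pinned. Anything that comes back as `git-shorthand` or `tarball-url` is what the "we don't want to introduce a library via a GitHub link" concern in this thread is about: the install step trusts whatever the remote host serves for that ref at that moment.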

Would you be willing to contribute to update the version of this dependency?

posted by Aarebecca 5 months ago
posted by Rey-Wang 5 months ago

@Aarebecca Since we don't want to introduce a library via a GitHub link, is there an alternative library that would avoid this library's injection vulnerability?

posted by Rey-Wang 4 months ago

@Rey-Wang Perhaps we could consider copying the library's source code into G6 itself.

posted by Aarebecca 4 months ago

Hello, this library was created more than 10 years ago. It is deprecated and not maintained, I would not recommend using it. I’d suggest to search for alternatives.

posted by andriiheonia 3 months ago

Hello! Could we re-open this issue? I see there is only one usage of this library. Trying to replace the current package by a maintained alternative sounds great! Is there anything we could do to help?

posted by YuLingCheng 2 months ago

@YuLingCheng : Trying to replace the current package by a maintained alternative sounds great! Is there anything we could do to help?

Should be just: gather alternatives, check them for robustness, compatibility, and performance, then replace hull.js with the best alternative

posted by Crystal-RainSlide 2 months ago

Trying to replace the current package by a maintained alternative sounds great! Is there anything we could do to help?

You can conduct research on the libraries that are closest in capabilities to hull.js. You can consider several factors:

  1. whether the functions meet the requirements
  2. the size of the package
  3. and whether the community is active.

posted by zhongyunWan 2 months ago

Any news on defining the hull.js replacement?

posted by eliziebluiz 2 months ago

@Rey-Wang Perhaps we could consider copying the library's source code into G6 itself.

It has already been in PR. For details, please refer to: https://github.com/antvis/G6/pull/6805

posted by zhongyunWan 2 months ago

A typed copy of hull.js is better. However, since the author doesn't recommend using it any more + potential security risks, an existing alternative can be an instant upgrade over hull.js, and would be much easier for future maintenance. (Unless you are going to fix & improve hull.js to your own liking)

posted by Crystal-RainSlide 2 months ago

@zhongyunWan may I ask when we will release the fix?

posted by Rey-Wang about 1 month ago
