The latest versions of node-clinic 13.0.0 uses @clinic/bubbleprof@10.0.0 which uses version 1 of d3-color
Versions prior to 3.1.0 of d3-color are vulnerable to a Regular expression Denial of Service. This issue has been patched in version 3.1.0.
details: GHSA-36jr-mh4h-2g58
└─┬ clinic@13.0.0
└─┬ @clinic/bubbleprof@10.0.0
├── d3-color@1.4.1
├─┬ d3-interpolate@1.4.0
│ └── d3-color@1.4.1 deduped
└─┬ d3-transition@1.3.2
└── d3-color@1.4.1
# npm audit report
d3-color <3.1.0
Severity: high
d3-color vulnerable to ReDoS - https://github.com/advisories/GHSA-36jr-mh4h-2g58
The latest versions of
node-clinic13.0.0 uses@clinic/bubbleprof@10.0.0which uses version 1 of d3-colorVersions prior to 3.1.0 of
d3-colorare vulnerable to a Regular expression Denial of Service. This issue has been patched in version 3.1.0.details: GHSA-36jr-mh4h-2g58