🐛 [BUG] fmin 0.0.2 depends on vulnerable version of rollup < 2.79.2 #3847

Open
@elephantasticio

Description

g2plot 2.4.32 depends on fmin 0.0.2, which depends on rollup < 2.79.2, which has a high-severity vulnerability.

rollup  <2.79.2
Severity: high
DOM Clobbering Gadget found in rollup bundled scripts that leads to XSS - https://github.com/advisories/GHSA-gcx4-mw62-g8wm
fix available via `npm audit fix`
node_modules/fmin/node_modules/rollup
  fmin  <=0.0.2
  Depends on vulnerable versions of rollup
  node_modules/fmin
    @antv/g2plot  2.3.33 - 2.4.32
    Depends on vulnerable versions of fmin
    node_modules/@antv/g2plot

Solution: bump fmin version to 0.0.4
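As an added example (not code from the issue or from the g2plot project), this script walks a package-lock.json v2/v3 `packages` map and reports every installed copy of a package below the fixed version, including nested copies such as `node_modules/fmin/node_modules/rollup`, together with the dependency chain that pulls each one in. The lockfile fragment is constructed to mirror the audit tree above; the rollup version 2.79.1 is a constructed placeholder, since the report only states "< 2.79.2".

```javascript
// Added example: find transitive installs of a package below its fixed version
// in a lockfile "packages" map and show the chain that pulls each copy in.

// Compare two "x.y.z" versions numerically; prerelease tags are ignored (assumption).
function cmpVersion(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) < (pb[i] || 0) ? -1 : 1;
  }
  return 0;
}

// "node_modules/fmin/node_modules/rollup" -> ["fmin", "rollup"]; scoped names keep their "/".
function chainOf(lockPath) {
  return lockPath.replace(/^node_modules\//, "").split("/node_modules/");
}

// Return every installed copy of `name` whose version is older than `fixedIn`.
function findVulnerable(lock, name, fixedIn) {
  const hits = [];
  for (const [p, meta] of Object.entries(lock.packages || {})) {
    if (p === "") continue; // the root project entry has no node_modules path
    const chain = chainOf(p);
    if (chain[chain.length - 1] !== name) continue;
    if (cmpVersion(meta.version, fixedIn) < 0) {
      hits.push({ path: p, version: meta.version, chain: chain.join(" > ") });
    }
  }
  return hits;
}

// Constructed lockfile fragment mirroring the audit tree in the issue; the
// top-level rollup is already at the fixed version, only the nested copy is old.
const sampleLock = {
  packages: {
    "": { name: "app", version: "1.0.0" },
    "node_modules/@antv/g2plot": { version: "2.4.32" },
    "node_modules/fmin": { version: "0.0.2" },
    "node_modules/fmin/node_modules/rollup": { version: "2.79.1" }, // constructed
    "node_modules/rollup": { version: "2.79.2" },
  },
};

for (const h of findVulnerable(sampleLock, "rollup", "2.79.2")) {
  console.log(`rollup ${h.version} at ${h.path} (via ${h.chain})`);
}
```

Replacing `sampleLock` with `JSON.parse(fs.readFileSync("package-lock.json"))` runs the same check against a real lockfile; after bumping fmin the nested copy should disappear and the function should return an empty list.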
