-
Notifications
You must be signed in to change notification settings - Fork 92
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
avoid backtracking #100
avoid backtracking #100
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
elegant!
Is it possible to apply this change to v1.4.1 of d3-color as well? For those who still need to support ES5 it would be helpful to have the vulnerability fixed on the ES5 compatible version of d3-color as well. I am happy to submit a PR off of the v1.4.1 tag if bumping that lesser version to v1.4.2 is something you are willing to do. Please let me know? |
Would love to see a backport if possible; we would also appreciate if we could get a backport to the v2 tag as well because that's the highest major version supported by I'm happy to help with these if there's anything I can do, including getting the GitHub advisories updated. |
We would also like the dependencies of d3-color updated for v2 for d3-interpolate and d3-scale to support ES5 compatibility. |
@G-Rath and others who have 👍. I'm new to contributing to open source so would appreciate your help if possible. Since I don't have PR access on this repo, I forked it to |
All, I have logged an issue with d3 for backporting this fix to v2.x at #108. |
Fixes #97. Supersedes #89 and #99. The problem was that this expression is fundamentally ambiguous:
Since both the dot and the digits preceding the dot are optional, there’s a combinatorial explosion of possible valid matches. If we instead combine it into an optional group and make the dot required for that group, the explosion is avoided:
Demo: https://observablehq.com/d/4b1d645fe3da1226