Hi,
I was the student under @niemasd that was working to get the React component working on a web app (I've been a bit busy over the past month, apologies that it took so long for me to get around to it). I've gotten it working and it's great, awesome tool! Setting it up was really easy and intuitive! I thought I'd leave some feedback on some things I encountered when setting up taxonium-component (actual development / coding was a smooth-sailing process):
The project (https://github.com/niema-lab/ViralWasm-Epi/) is currently using React 18 and Taxonium was expecting React 17, so I had to run npm i taxonium-component --legacy-peer-deps. When running this command, I also got the following warnings:
npm WARN reify invalid or damaged lockfile detected
npm WARN reify please re-try this operation once it completes
npm WARN reify so that the damage can be corrected, or perform
npm WARN reify a fresh install with no lockfile if the problem persists.
It also seems like it has a security vulnerability and I thought that I'd just add that in here too:
# npm audit report
d3-color <3.1.0
Severity: high
d3-color vulnerable to ReDoS - https://github.com/advisories/GHSA-36jr-mh4h-2g58
No fix available
node_modules/d3-interpolate/node_modules/d3-color
d3-interpolate 0.1.3 - 2.0.1
Depends on vulnerable versions of d3-color
node_modules/d3-interpolate
d3-scale 0.1.5 - 3.3.0
Depends on vulnerable versions of d3-interpolate
node_modules/d3-scale
@deck.gl/carto 8.4.0-alpha.1 - 8.8.17 || 8.9.0-alpha.2 - 8.9.0-beta.6
Depends on vulnerable versions of d3-scale
node_modules/@deck.gl/carto
deck.gl 8.4.0-alpha.1 - 8.8.17 || 8.9.0-alpha.2 - 8.9.0-beta.6
Depends on vulnerable versions of @deck.gl/carto
node_modules/deck.gl
@jbrowse/plugin-wiggle *
Depends on vulnerable versions of d3-scale
node_modules/@jbrowse/plugin-wiggle
@jbrowse/plugin-alignments *
Depends on vulnerable versions of @jbrowse/plugin-wiggle
node_modules/@jbrowse/plugin-alignments
@jbrowse/plugin-variants *
Depends on vulnerable versions of @jbrowse/plugin-alignments
node_modules/@jbrowse/plugin-variants
@jbrowse/plugin-gccontent *
Depends on vulnerable versions of @jbrowse/plugin-sequence
Depends on vulnerable versions of @jbrowse/plugin-wiggle
node_modules/@jbrowse/plugin-gccontent
@jbrowse/react-linear-genome-view *
Depends on vulnerable versions of @jbrowse/plugin-alignments
Depends on vulnerable versions of @jbrowse/plugin-gccontent
Depends on vulnerable versions of @jbrowse/plugin-sequence
Depends on vulnerable versions of @jbrowse/plugin-variants
Depends on vulnerable versions of @jbrowse/plugin-wiggle
node_modules/@jbrowse/react-linear-genome-view
taxonium-component *
Depends on vulnerable versions of @jbrowse/react-linear-genome-view
Depends on vulnerable versions of deck.gl
node_modules/taxonium-component
@jbrowse/plugin-sequence >=1.0.4
Depends on vulnerable versions of @jbrowse/plugin-wiggle
node_modules/@jbrowse/plugin-sequence
12 high severity vulnerabilities
Thank you!
Daniel
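As an added example (not Taxonium's code, and not posted by either participant in this issue), the Node script below collapses an `npm audit --json` report to its root-cause advisories, so the "12 high severity vulnerabilities" headline above can be read as one advisory (GHSA-36jr-mh4h-2g58 in d3-color) reached through twelve dependency edges. The report object is constructed from the chain pasted in the issue; the field layout (`vulnerabilities[name].via`, `effects`, `isDirect`, `fixAvailable`) is assumed to match npm's auditReportVersion 2 format, and `isDirect: true` on taxonium-component assumes it is the dependency the project installed directly.

```javascript
// Added example, not code from taxonium or from this issue's authors: collapse an
// `npm audit --json` report to its root-cause advisories, so that "12 high severity
// vulnerabilities" reads as "one advisory, reached through twelve dependency edges".
// The report object is CONSTRUCTED from the advisory chain pasted in the issue; the
// field names follow npm's auditReportVersion 2 layout (an assumption about npm 7+),
// and only the fields this script reads are included.

const GHSA_36JR = {
  name: "d3-color",
  title: "d3-color vulnerable to ReDoS",
  url: "https://github.com/advisories/GHSA-36jr-mh4h-2g58",
  severity: "high",
  range: "<3.1.0",
};

const vulnerabilities = {};
// `via` holds either an advisory object (the root cause) or the name of another
// vulnerable package that this one depends on; `effects` lists the reverse edges.
function vuln(name, via, effects, range = "*", isDirect = false) {
  vulnerabilities[name] = { name, severity: "high", isDirect, via, effects, range,
    nodes: [`node_modules/${name}`], fixAvailable: false };
}
vuln("d3-color", [GHSA_36JR], ["d3-interpolate"], "<3.1.0");
vulnerabilities["d3-color"].nodes = ["node_modules/d3-interpolate/node_modules/d3-color"]; // nested copy
vuln("d3-interpolate", ["d3-color"], ["d3-scale"], "0.1.3 - 2.0.1");
vuln("d3-scale", ["d3-interpolate"], ["@deck.gl/carto", "@jbrowse/plugin-wiggle"], "0.1.5 - 3.3.0");
vuln("@deck.gl/carto", ["d3-scale"], ["deck.gl"], "8.4.0-alpha.1 - 8.8.17 || 8.9.0-alpha.2 - 8.9.0-beta.6");
vuln("deck.gl", ["@deck.gl/carto"], ["taxonium-component"], "8.4.0-alpha.1 - 8.8.17 || 8.9.0-alpha.2 - 8.9.0-beta.6");
vuln("@jbrowse/plugin-wiggle", ["d3-scale"],
  ["@jbrowse/plugin-alignments", "@jbrowse/plugin-gccontent", "@jbrowse/react-linear-genome-view", "@jbrowse/plugin-sequence"]);
vuln("@jbrowse/plugin-alignments", ["@jbrowse/plugin-wiggle"], ["@jbrowse/plugin-variants", "@jbrowse/react-linear-genome-view"]);
vuln("@jbrowse/plugin-variants", ["@jbrowse/plugin-alignments"], ["@jbrowse/react-linear-genome-view"]);
vuln("@jbrowse/plugin-sequence", ["@jbrowse/plugin-wiggle"], ["@jbrowse/plugin-gccontent", "@jbrowse/react-linear-genome-view"], ">=1.0.4");
vuln("@jbrowse/plugin-gccontent", ["@jbrowse/plugin-sequence", "@jbrowse/plugin-wiggle"], ["@jbrowse/react-linear-genome-view"]);
vuln("@jbrowse/react-linear-genome-view",
  ["@jbrowse/plugin-alignments", "@jbrowse/plugin-gccontent", "@jbrowse/plugin-sequence", "@jbrowse/plugin-variants", "@jbrowse/plugin-wiggle"],
  ["taxonium-component"]);
vuln("taxonium-component", ["@jbrowse/react-linear-genome-view", "deck.gl"], [], "*", true); // isDirect assumed

const auditReport = { auditReportVersion: 2, vulnerabilities };

// Follow `via` references down to the advisory objects. Memoised per package so the
// shared d3-scale subtree is walked once, and guarded against cycles in malformed reports.
function rootAdvisories(report, pkg, memo = new Map()) {
  if (memo.has(pkg)) return memo.get(pkg);
  const roots = new Set();
  memo.set(pkg, roots);
  const entry = report.vulnerabilities[pkg];
  if (!entry) return roots; // dangling reference: the report is inconsistent, so no root is recorded
  for (const v of entry.via) {
    if (typeof v === "string") rootAdvisories(report, v, memo).forEach((a) => roots.add(a));
    else roots.add(v);
  }
  return roots;
}

// One row per root advisory: which package actually carries the bug, whether npm
// offers a fix for it, and every package the audit flagged only because of it.
function summarize(report) {
  const rows = new Map();
  const memo = new Map();
  for (const pkg of Object.keys(report.vulnerabilities)) {
    for (const adv of rootAdvisories(report, pkg, memo)) {
      if (!rows.has(adv.url)) {
        rows.set(adv.url, { url: adv.url, title: adv.title, severity: adv.severity,
          rootPackage: adv.name, vulnerableRange: adv.range,
          fixAvailable: report.vulnerabilities[adv.name]?.fixAvailable ?? false, affected: [] });
      }
      rows.get(adv.url).affected.push(pkg);
    }
  }
  return [...rows.values()];
}

// Reproduce npm's headline count: one per vulnerable package entry, grouped by severity.
function countBySeverity(report) {
  const counts = {};
  for (const v of Object.values(report.vulnerabilities)) counts[v.severity] = (counts[v.severity] || 0) + 1;
  return counts;
}

// Direct dependencies through which the advisory enters the project.
function directEntryPoints(report) {
  return Object.values(report.vulnerabilities).filter((v) => v.isDirect).map((v) => v.name).sort();
}

if (typeof require !== "undefined" && require.main === module) {
  for (const row of summarize(auditReport)) {
    console.log(`${row.severity.toUpperCase()} ${row.title} (${row.url})`);
    console.log(`  root: ${row.rootPackage}@${row.vulnerableRange}, fix available: ${row.fixAvailable}`);
    console.log(`  flagged packages (${row.affected.length}): ${row.affected.join(", ")}`);
  }
  console.log("entry points:", directEntryPoints(auditReport).join(", "));
  console.log("npm headline:", countBySeverity(auditReport));
}
```

To use it on a real project, replace the constructed object with the parsed output of `npm audit --json`; with npm 8 or later, `npm audit --omit=dev --json` restricts the walk to production dependencies, which is the tree that actually reaches a browser bundle and therefore the one worth triaging for a client-side app.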
Thank you very much for this feedback which is super useful.
On security vulnerabilities: in general I don't tend to worry too much about security vulnerabilities for client-side apps. Looking quickly into that d3-color issue, it's basically that if you deploy on a server someone can create malicious input that could cause your server to use tons of CPU. But in this case users can just create malicious input that does that to their own computers :) However in fact the way Taxonium is built I think there are a lot of dependencies that aren't really needed (they are already packaged) so I should be able to remove these messages.
Thanks for flagging the warnings, will see what I can do there, and yes I should upgrade to react 18. Thank you for noting that workaround - will try to at minimum document that.