Skip to content

fix(deps): update dependency vega to v6 [security] #205

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Draft
wants to merge 1 commit into
base: main
Choose a base branch
from
Draft

fix(deps): update dependency vega to v6 [security] #205

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion package.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2541,7 +2541,7 @@
"tmp": "^0.2.4",
"url-parse": "^1.5.10",
"uuid": "^13.0.0",
"vega": "^5.33.0",
"vega": "^6.0.0",
Copy link
Contributor

@coderabbitai coderabbitai bot Nov 17, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

Verify ESM-only compatibility with bundler and webview runtime.

Vega v6 is ESM-only (breaking change). Your webview bundle, runtime, and build tooling must support ESM. Inspect:

  • Build config (esbuild, webpack, rollup in build/esbuild/build.ts, webpack.config.js, etc.)
  • Webview entrypoints (e.g., src/webviews/webview-side/vegaRenderer/vegaRenderer.js)
  • Package.json module type and target ES versions

If your runtime or bundler does not support ESM, follow the security advisory's guidance for non-ESM environments.

🏁 Script executed:

#!/bin/bash
# Locate build configuration files
fd -e ts -e js -e json --path "*/build/*" -o --path "*/webpack*" -o --path "*/esbuild*" --maxdepth 3 | head -20

Length of output: 233

🏁 Script executed:

#!/bin/bash
# Check package.json module type and exports
cat package.json | grep -A5 -B5 '"type"'

Length of output: 25316

🏁 Script executed:

#!/bin/bash
# Find webview entrypoints
fd "vegaRenderer" -e js -e ts

Length of output: 0

🏁 Script executed:

#!/bin/bash
# Check if build config files exist and inspect them
ls -la build/esbuild/build.ts webpack.config.js 2>/dev/null || echo "Files not found at expected paths"

Length of output: 106

🌐 Web query:

Vega v6 ESM-only breaking change compatibility

💡 Result:

Short answer: Vega v6 is ESM-only (since v6.0.0), so code that expects a CommonJS/require() build will break. Use one of these options:

  • Convert your project to ESM (use import, set "type": "module" or use .mjs files) and import from 'vega'. [1]
  • From CommonJS, load Vega with dynamic import(): await import('vega') (or use an async wrapper). Node supports importing ESM from CJS only via import(). [2]
  • Use a bundler (Webpack/Rollup/Vite) that understands ESM and will bundle Vega for your environment.
  • Pin to the last v5 release if you cannot move to ESM. [1]

References: Vega v6 release notes (ESM-only). [1] Node ESM interoperability / dynamic import docs. [2]

Sources:
[1] Vega v6.0.0 release notes.
[2] Node.js ECMAScript Modules documentation (import() interoperability).


---

🏁 Script executed:

```shell
#!/bin/bash
# Inspect build configuration file
head -100 build/esbuild/build.ts | tail -80

Length of output: 2675

🏁 Script executed:

#!/bin/bash
# Check for webview files more broadly
find . -name "*webview*" -type f | grep -E "\.(js|ts)$" | head -20

Length of output: 255

🏁 Script executed:

#!/bin/bash
# Extract package.json root level structure (first 50 lines)
head -50 package.json

Length of output: 1235

🏁 Script executed:

#!/bin/bash
# Search for vega usage in the codebase
rg -n "import.*vega|require.*vega|from\s+['\"]vega" --type ts --type js | head -20

Length of output: 641

🏁 Script executed:

#!/bin/bash
# Search for module/exports configuration in package.json
rg -n "\"main\"|\"module\"|\"exports\"|\"type\"" package.json | head -15

Length of output: 662


---

🏁 Script executed:

```shell
#!/bin/bash
# Check if vega is in externals or bundled
rg -n "vega|externals" build/esbuild/build.ts | grep -E "(vega|External)" | head -20

Length of output: 222

🏁 Script executed:

#!/bin/bash
# Check esbuild target and platform settings
rg -n "target|platform|format" build/esbuild/build.ts | head -15

Length of output: 1033

🏁 Script executed:

#!/bin/bash
# Check for vega in webview build config
rg -A5 -B5 "webview.*bundle\|webview.*config" build/esbuild/build.ts | head -40

Length of output: 0

🏁 Script executed:

#!/bin/bash
# Check the deepnoteDataConverter imports more carefully
cat src/notebooks/deepnote/deepnoteDataConverter.ts | head -40

Length of output: 2022


---

🏁 Script executed:

```shell
#!/bin/bash
# Check if vega-lite is in externals or bundled in build config
rg -B20 "commonExternals|webExternals|deskTopNodeModulesToExternalize" build/esbuild/build.ts | grep -E "vega|const.*Externals|ToExternalize"

Length of output: 343

🏁 Script executed:

#!/bin/bash
# Get the full externals configuration
rg -A30 "const deskTopNodeModulesToExternalize" build/esbuild/build.ts

Length of output: 1114

🏁 Script executed:

#!/bin/bash
# Check how vega-renderer is actually built
rg -A20 "vega-renderer.*index.ts" build/esbuild/build.ts

Length of output: 982

Vega v6 ESM-only concern applies specifically to extension code, not webview.

Vega v6 is ESM-only, and verification reveals this affects your extension runtime:

  • Webview (safe): src/webviews/webview-side/vega-renderer/ builds with target: 'web' → ESM output in browser environment. No issue.

  • Extension (at risk): src/notebooks/deepnote/deepnoteDataConverter.ts imports vega-lite but esbuild bundles it with format: 'cjs' and target: 'node18'. ESM-only vega-lite bundled for CommonJS Node.js may fail at runtime.

Action needed: Verify esbuild can transpile ESM vega-lite to CJS or add vega/vega-lite to externals with runtime fallback. Check that Node.js 18+ in your extension host supports the bundled output format.

🤖 Prompt for AI Agents 
In package.json around line 2544, the dependency entry for "vega": "^6.0.0"
introduces an ESM-only package that can break the extension runtime where
vega/vega-lite is bundled as CJS; update the build config for
src/notebooks/deepnote/deepnoteDataConverter.ts so esbuild either (A) transpiles
ESM vega/vega-lite to CJS correctly by enabling esbuild's esModuleInterop/format
settings and ensuring target/node settings align with Node 18+, or (B) marks
vega and vega-lite as externals and implement a runtime fallback that
dynamically imports the ESM package in the extension host (or uses a
CJS-compatible wrapper). Also validate the extension host Node version supports
the chosen output format and add a test run to confirm no runtime errors.

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

Pin Vega to v6.2.0; version constraint allows unpatched releases.

CVE-2025-59840 is patched in Vega 6.2.0 and later. The constraint ^6.0.0 permits 6.0.x–6.1.x (unpatched). Change to ^6.2.0 (or >=6.2.0) to ensure the security fix is applied.

Additionally, per the security advisory, update related transitive/peer dependencies:

  • vega-expression^6.1.0 (or ^5.2.1 for non-ESM consumers)
  • vega-interpreter^2.2.1

Verify these are already satisfied or add them to dependencies as needed.

🏁 Script executed:

#!/bin/bash
# Extract vega-related dependencies from package.json
jq '.dependencies | with_entries(select(.key | contains("vega")))' package.json 2>/dev/null || echo "Could not read package.json"

Length of output: 101

🌐 Web query:

CVE-2025-59840 Vega security vulnerability

💡 Result:

Summary — CVE-2025-59840

  • What it is: a high‑severity DOM XSS / arbitrary JavaScript execution in Vega (visualization grammar) when an app both (a) attaches the vega library and a vega.View instance to the global window and (b) accepts user‑supplied Vega JSON definitions. It can be triggered even when the “safe mode” expression interpreter is used. Published Nov 13, 2025. [1][2][3]

  • Affected versions: vega < 6.2.0; certain vega-expression and vega-interpreter version ranges noted in advisories. [1][2]

  • Impact: attacker-supplied Vega specs can execute arbitrary JavaScript in victims’ browsers (DOM XSS) under the conditions above; severe (CVSSv3 ~8.x). [1][2]

Remediation / mitigation

  1. Upgrade: vega → 6.2.0 or later. Also upgrade vega-expression / vega-interpreter per the advisories (e.g., vega-expression 6.1.0 / 5.2.1, vega-interpreter 2.2.1 or later where applicable). [1][2]
  2. Workarounds if you cannot upgrade immediately:
    • Do NOT attach the vega library or vega.View instances to global variables (e.g., window). Avoid exposing them for debugging in production.
    • Disable or restrict user-supplied Vega/Vega‑Lite JSON input or sanitize/validate all user-provided specs; limit Vega usage to trusted sources. [2][3]

References

  • NVD / CVE entry for CVE-2025-59840. [1]
  • Snyk vulnerability summary and recommended upgrade/workaround. [2]
  • Elastic / public advisories reporting the issue and affected products (Kibana examples). [3]

🏁 Script executed:

#!/bin/bash
# Check if package-lock.json exists and search for vega-expression/vega-interpreter
if [ -f package-lock.json ]; then
  echo "=== Checking package-lock.json for vega-expression and vega-interpreter ==="
  jq '.packages | with_entries(select(.key | contains("vega-expression") or contains("vega-interpreter"))) | keys' package-lock.json 2>/dev/null || echo "Not in lock format"
else
  echo "No package-lock.json found"
fi

# Also check if they're peer/optional deps listed in package.json
echo ""
echo "=== Checking peerDependencies and optionalDependencies ==="
jq '.peerDependencies // empty, .optionalDependencies // empty' package.json 2>/dev/null | grep -i vega || echo "No vega-related peer/optional deps"

Length of output: 299

🏁 Script executed:

#!/bin/bash
# Extract current versions of vega-expression and vega-interpreter from lock
echo "=== Current resolved versions in lock file ==="
jq '.packages | with_entries(select(.key | test("node_modules/vega-(expression|interpreter)$"))) | map({key, version: .value.version})' package-lock.json 2>/dev/null

echo ""
echo "=== Check vega v6.2.0+ availability and its declared dependencies ==="
# Try to find what vega 6.2.0 lists as dependencies
npm view vega@6.2.0 dependencies 2>/dev/null || echo "Could not fetch npm registry data"

Length of output: 897

Upgrade vega to ^6.2.0 and verify transitive dependencies.

CVE-2025-59840 is a high-severity DOM XSS in Vega versions before 6.2.0. Your current constraint ^6.0.0 permits vulnerable 6.0.x–6.1.x releases. Change to ^6.2.0.

Vega 6.2.0 declares vega-expression ~6.1.0 as a dependency, which satisfies the advisory. Verify vega-interpreter also resolves to 2.2.1+ per the advisory recommendations.

package.json, line 2544:

  • Change "vega": "^6.0.0""vega": "^6.2.0"

"vega-embed": "^6.25.0",
"vega-lite": "^5.21.0",
"vscode-debugprotocol": "^1.41.0",
Expand Down
Loading