fix(deps): update dependency vega to v6 [security] #205
Conversation
|
📝 WalkthroughWalkthroughThe vega dependency in package.json was updated from ^5.33.0 to ^6.0.0. No source files, exported/public API signatures, or runtime control flow were changed in this commit. Review Vega v6 release notes for potential breaking changes or required integration updates. Pre-merge checks✅ Passed checks (3 passed)
Warning Review ran into problems🔥 ProblemsErrors were encountered while retrieving linked issues. Errors (1)
Comment |
|
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
There was a problem hiding this comment.
Actionable comments posted: 2
Caution
Some comments are outside the diff and can’t be posted inline due to platform limitations.
⚠️ Outside diff range comments (1)
package.json (1)
2527-2527: Update mime type declaration to match Vega v6.VegaRenderer.tsx correctly uses Vega v6 APIs (
vega.expressionFunction(),vega.scheme()) and react-vega 7.7.1 supports Vega v6. However, line 2209-2215 in package.json declares the renderer mime type as"application/vnd.vega.v5+json"while the codebase depends onvega ^6.0.0. Update the mime type to"application/vnd.vega.v6+json"to reflect the actual version in use.
📜 Review details
Configuration used: CodeRabbit UI
Review profile: ASSERTIVE
Plan: Pro
Disabled knowledge base sources:
- Linear integration is disabled by default for public repositories
You can enable these sources in your CodeRabbit configuration.
📒 Files selected for processing (1)
package.json(1 hunks)
🧰 Additional context used
🪛 GitHub Actions: CI
package.json
[error] 1-1: npm ci can only install packages when your package.json and lock file are in sync. Please update the lock file with 'npm install' before continuing.
🔇 Additional comments (1)
package.json (1)
2209-2213: Verify MIME type compatibility with Vega v6.The vega renderer (line 2209–2213) is registered for the v5 MIME type (
application/vnd.vega.v5+json). Confirm whether v6 uses the same MIME type for backward compatibility or if this registration should be updated toapplication/vnd.vega.v6+json.
renovate
bot
force-pushed
the
renovate/npm-vega-vulnerability
branch
from
64851ad to
e7883ba
Compare
There was a problem hiding this comment.
Actionable comments posted: 2
♻️ Duplicate comments (1)
package.json (1)
1-1: Lock file out of sync—CI blocker remains unresolved.The pipeline is failing on
npm cidue to ERESOLVE conflicts between package.json and the lock file. You must runnpm installlocally and commit the updated lock file (package-lock.json or yarn.lock) for CI to pass.
📜 Review details
Configuration used: CodeRabbit UI
Review profile: ASSERTIVE
Plan: Pro
Disabled knowledge base sources:
- Linear integration is disabled by default for public repositories
You can enable these sources in your CodeRabbit configuration.
📒 Files selected for processing (1)
package.json(1 hunks)
🧰 Additional context used
🪛 GitHub Actions: CI
package.json
[error] 1-1: Command failed: npm ci --prefer-offline --no-audit. Dependency resolution errors and ERESOLVE overrides encountered during npm ci (peer dependency conflicts). Ensure package.json and package-lock.json are in sync by running 'npm install' to refresh the lockfile.
| "url-parse": "^1.5.10", | ||
| "uuid": "^13.0.0", | ||
| "vega": "^5.33.0", | ||
| "vega": "^6.0.0", |
There was a problem hiding this comment.
🧩 Analysis chain
Verify ESM-only compatibility with bundler and webview runtime.
Vega v6 is ESM-only (breaking change). Your webview bundle, runtime, and build tooling must support ESM. Inspect:
- Build config (esbuild, webpack, rollup in
build/esbuild/build.ts,webpack.config.js, etc.) - Webview entrypoints (e.g.,
src/webviews/webview-side/vegaRenderer/vegaRenderer.js) - Package.json module type and target ES versions
If your runtime or bundler does not support ESM, follow the security advisory's guidance for non-ESM environments.
🏁 Script executed:
#!/bin/bash
# Locate build configuration files
fd -e ts -e js -e json --path "*/build/*" -o --path "*/webpack*" -o --path "*/esbuild*" --maxdepth 3 | head -20Length of output: 233
🏁 Script executed:
#!/bin/bash
# Check package.json module type and exports
cat package.json | grep -A5 -B5 '"type"'Length of output: 25316
🏁 Script executed:
#!/bin/bash
# Find webview entrypoints
fd "vegaRenderer" -e js -e tsLength of output: 0
🏁 Script executed:
#!/bin/bash
# Check if build config files exist and inspect them
ls -la build/esbuild/build.ts webpack.config.js 2>/dev/null || echo "Files not found at expected paths"Length of output: 106
🌐 Web query:
Vega v6 ESM-only breaking change compatibility
💡 Result:
Short answer: Vega v6 is ESM-only (since v6.0.0), so code that expects a CommonJS/require() build will break. Use one of these options:
- Convert your project to ESM (use import, set "type": "module" or use .mjs files) and import from 'vega'. [1]
- From CommonJS, load Vega with dynamic import(): await import('vega') (or use an async wrapper). Node supports importing ESM from CJS only via import(). [2]
- Use a bundler (Webpack/Rollup/Vite) that understands ESM and will bundle Vega for your environment.
- Pin to the last v5 release if you cannot move to ESM. [1]
References: Vega v6 release notes (ESM-only). [1] Node ESM interoperability / dynamic import docs. [2]
Sources:
[1] Vega v6.0.0 release notes.
[2] Node.js ECMAScript Modules documentation (import() interoperability).
---
🏁 Script executed:
```shell
#!/bin/bash
# Inspect build configuration file
head -100 build/esbuild/build.ts | tail -80
Length of output: 2675
🏁 Script executed:
#!/bin/bash
# Check for webview files more broadly
find . -name "*webview*" -type f | grep -E "\.(js|ts)$" | head -20Length of output: 255
🏁 Script executed:
#!/bin/bash
# Extract package.json root level structure (first 50 lines)
head -50 package.jsonLength of output: 1235
🏁 Script executed:
#!/bin/bash
# Search for vega usage in the codebase
rg -n "import.*vega|require.*vega|from\s+['\"]vega" --type ts --type js | head -20Length of output: 641
🏁 Script executed:
#!/bin/bash
# Search for module/exports configuration in package.json
rg -n "\"main\"|\"module\"|\"exports\"|\"type\"" package.json | head -15Length of output: 662
---
🏁 Script executed:
```shell
#!/bin/bash
# Check if vega is in externals or bundled
rg -n "vega|externals" build/esbuild/build.ts | grep -E "(vega|External)" | head -20
Length of output: 222
🏁 Script executed:
#!/bin/bash
# Check esbuild target and platform settings
rg -n "target|platform|format" build/esbuild/build.ts | head -15Length of output: 1033
🏁 Script executed:
#!/bin/bash
# Check for vega in webview build config
rg -A5 -B5 "webview.*bundle\|webview.*config" build/esbuild/build.ts | head -40Length of output: 0
🏁 Script executed:
#!/bin/bash
# Check the deepnoteDataConverter imports more carefully
cat src/notebooks/deepnote/deepnoteDataConverter.ts | head -40Length of output: 2022
---
🏁 Script executed:
```shell
#!/bin/bash
# Check if vega-lite is in externals or bundled in build config
rg -B20 "commonExternals|webExternals|deskTopNodeModulesToExternalize" build/esbuild/build.ts | grep -E "vega|const.*Externals|ToExternalize"
Length of output: 343
🏁 Script executed:
#!/bin/bash
# Get the full externals configuration
rg -A30 "const deskTopNodeModulesToExternalize" build/esbuild/build.tsLength of output: 1114
🏁 Script executed:
#!/bin/bash
# Check how vega-renderer is actually built
rg -A20 "vega-renderer.*index.ts" build/esbuild/build.tsLength of output: 982
Vega v6 ESM-only concern applies specifically to extension code, not webview.
Vega v6 is ESM-only, and verification reveals this affects your extension runtime:
-
Webview (safe):
src/webviews/webview-side/vega-renderer/builds withtarget: 'web'→ ESM output in browser environment. No issue. -
Extension (at risk):
src/notebooks/deepnote/deepnoteDataConverter.tsimportsvega-litebut esbuild bundles it withformat: 'cjs'andtarget: 'node18'. ESM-only vega-lite bundled for CommonJS Node.js may fail at runtime.
Action needed: Verify esbuild can transpile ESM vega-lite to CJS or add vega/vega-lite to externals with runtime fallback. Check that Node.js 18+ in your extension host supports the bundled output format.
🤖 Prompt for AI Agents
In package.json around line 2544, the dependency entry for "vega": "^6.0.0"
introduces an ESM-only package that can break the extension runtime where
vega/vega-lite is bundled as CJS; update the build config for
src/notebooks/deepnote/deepnoteDataConverter.ts so esbuild either (A) transpiles
ESM vega/vega-lite to CJS correctly by enabling esbuild's esModuleInterop/format
settings and ensuring target/node settings align with Node 18+, or (B) marks
vega and vega-lite as externals and implement a runtime fallback that
dynamically imports the ESM package in the extension host (or uses a
CJS-compatible wrapper). Also validate the extension host Node version supports
the chosen output format and add a test run to confirm no runtime errors.
🧩 Analysis chain
Pin Vega to v6.2.0; version constraint allows unpatched releases.
CVE-2025-59840 is patched in Vega 6.2.0 and later. The constraint ^6.0.0 permits 6.0.x–6.1.x (unpatched). Change to ^6.2.0 (or >=6.2.0) to ensure the security fix is applied.
Additionally, per the security advisory, update related transitive/peer dependencies:
vega-expression→^6.1.0(or^5.2.1for non-ESM consumers)vega-interpreter→^2.2.1
Verify these are already satisfied or add them to dependencies as needed.
🏁 Script executed:
#!/bin/bash
# Extract vega-related dependencies from package.json
jq '.dependencies | with_entries(select(.key | contains("vega")))' package.json 2>/dev/null || echo "Could not read package.json"Length of output: 101
🌐 Web query:
CVE-2025-59840 Vega security vulnerability
💡 Result:
Summary — CVE-2025-59840
-
What it is: a high‑severity DOM XSS / arbitrary JavaScript execution in Vega (visualization grammar) when an app both (a) attaches the vega library and a vega.View instance to the global window and (b) accepts user‑supplied Vega JSON definitions. It can be triggered even when the “safe mode” expression interpreter is used. Published Nov 13, 2025. [1][2][3]
-
Affected versions: vega < 6.2.0; certain vega-expression and vega-interpreter version ranges noted in advisories. [1][2]
-
Impact: attacker-supplied Vega specs can execute arbitrary JavaScript in victims’ browsers (DOM XSS) under the conditions above; severe (CVSSv3 ~8.x). [1][2]
Remediation / mitigation
- Upgrade: vega → 6.2.0 or later. Also upgrade vega-expression / vega-interpreter per the advisories (e.g., vega-expression 6.1.0 / 5.2.1, vega-interpreter 2.2.1 or later where applicable). [1][2]
- Workarounds if you cannot upgrade immediately:
- Do NOT attach the vega library or vega.View instances to global variables (e.g., window). Avoid exposing them for debugging in production.
- Disable or restrict user-supplied Vega/Vega‑Lite JSON input or sanitize/validate all user-provided specs; limit Vega usage to trusted sources. [2][3]
References
- NVD / CVE entry for CVE-2025-59840. [1]
- Snyk vulnerability summary and recommended upgrade/workaround. [2]
- Elastic / public advisories reporting the issue and affected products (Kibana examples). [3]
🏁 Script executed:
#!/bin/bash
# Check if package-lock.json exists and search for vega-expression/vega-interpreter
if [ -f package-lock.json ]; then
echo "=== Checking package-lock.json for vega-expression and vega-interpreter ==="
jq '.packages | with_entries(select(.key | contains("vega-expression") or contains("vega-interpreter"))) | keys' package-lock.json 2>/dev/null || echo "Not in lock format"
else
echo "No package-lock.json found"
fi
# Also check if they're peer/optional deps listed in package.json
echo ""
echo "=== Checking peerDependencies and optionalDependencies ==="
jq '.peerDependencies // empty, .optionalDependencies // empty' package.json 2>/dev/null | grep -i vega || echo "No vega-related peer/optional deps"Length of output: 299
🏁 Script executed:
#!/bin/bash
# Extract current versions of vega-expression and vega-interpreter from lock
echo "=== Current resolved versions in lock file ==="
jq '.packages | with_entries(select(.key | test("node_modules/vega-(expression|interpreter)$"))) | map({key, version: .value.version})' package-lock.json 2>/dev/null
echo ""
echo "=== Check vega v6.2.0+ availability and its declared dependencies ==="
# Try to find what vega 6.2.0 lists as dependencies
npm view vega@6.2.0 dependencies 2>/dev/null || echo "Could not fetch npm registry data"Length of output: 897
Upgrade vega to ^6.2.0 and verify transitive dependencies.
CVE-2025-59840 is a high-severity DOM XSS in Vega versions before 6.2.0. Your current constraint ^6.0.0 permits vulnerable 6.0.x–6.1.x releases. Change to ^6.2.0.
Vega 6.2.0 declares vega-expression ~6.1.0 as a dependency, which satisfies the advisory. Verify vega-interpreter also resolves to 2.2.1+ per the advisory recommendations.
package.json, line 2544:
- Change
"vega": "^6.0.0"→"vega": "^6.2.0"
This PR contains the following updates:
^5.33.0->^6.0.0GitHub Vulnerability Alerts
CVE-2025-59840
Impact
Applications meeting 2 conditions are at risk of arbitrary JavaScript code execution, even if "safe mode" expressionInterpreter is used.
vegain an application that attachesvegalibrary and avega.Viewinstance similar to the Vega Editor to the globalwindowJSONdefinitions (vs JSON that was is only provided through source code)Patches
vega6.2.0/vega-expression6.1.0/vega-interpreter2.2.1(if using AST evaluator mode)vega-expression5.2.1/1.2.1(if using AST evaluator mode)Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading
vegaView instances to global variables, as Vega editor used to do herevegato the global window as the editor used to do hereThese practices of attaching the vega library and View instances may be convenient for debugging, but should not be used in production or in any situation where vega/vega-lite definitions could be provided by untrusted parties.
POC Summary
Vega offers the evaluation of expressions in a secure context. Arbitrary function call is prohibited. When an event is exposed to an expression, member get of window objects is possible. Because of this exposure, in some applications, a crafted object that overrides its toString method with a function that results in calling
this.foo(this.bar), DOM XSS can be achieved.In practice, an accessible gadget like this exists in the global VEGA_DEBUG code.
POC Details
{ "$schema": "https://vega.github.io/schema/vega/v5.json", "width": 350, "height": 350, "autosize": "none", "description": "Toggle Button", "signals": [ { "name": "toggle", "value": true, "on": [ { "events": {"type": "click", "markname": "circle"}, "update": "toggle ? false : true" } ] }, { "name": "addFilter", "on": [ { "events": {"type": "mousemove", "source": "window"}, "update": "({toString:event.view.VEGA_DEBUG.vega.CanvasHandler.prototype.on, eventName:event.view.console.log,_handlers:{undefined:'alert(origin + ` XSS on version `+ VEGA_DEBUG.VEGA_VERSION)'},_handlerIndex:event.view.eval})+1" } ] } ] }This payload creates a scenario where whenever the mouse is moved, the toString function of the provided object is implicitly called when trying to resolve adding it with 1. The toString function has been overridden to a "gadget function" (VEGA_DEBUG.vega.CanvasHandler.prototype.on) that does the following:
uto the result of callingthis.eventNamewith undefineddtothis._handlersthis._handlerIndexwith the result ofuindexed into thedobject as the first argument, and undefined as the second two._handlerIndexis set to window.eval, and when indexing undefined into the_handlers, a string to be evald containing the XSS payload is returned.This results in XSS by using a globally scoped gadget to get full blown eval.
PoC Link
Navigate to vega editor, move the mouse, and observe that the arbitrary JavaScript from the configuration reaches the eval sink and DOM XSS is achieved.
Future investigation
In cases where
VEGA_DEBUGis not enabled, there theoreticallycould be other gadgets on the global scope that allow for similar behavior. In cases where AST evaluator is used and there are blocks against getting references toeval, in theory there could be other gadgets on global scope (i.e. jQuery) that would allow for eval the same way (i.e.$.globalEval). As of this writing, no such globally scoped gadgets have been found.Impact
This vulnerability allows for DOM XSS, potentially stored, potentially reflected, depending on how the library is being used. The vulnerability requires user interaction with the page to trigger.
An attacker can exploit this issue by tricking a user into opening a malicious Vega specification. Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the application’s domain. This can lead to theft of sensitive information such as authentication tokens, manipulation of data displayed to the user, or execution of unauthorized actions on behalf of the victim. This exploit compromises confidentiality and integrity of impacted applications.
Release Notes
vega/vega (vega)
v6.2.0Compare Source
v6.1.2Compare Source
v6.1.1Compare Source
v6.1.0Compare Source
v6.0.0Compare Source
changes since v5.33.0
monorepo
vega-typings
docs
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.