chore(dependencies): update dependency vega to v5.32.0 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
vega	5.23.0 -> 5.32.0

GitHub Vulnerability Alerts

CVE-2025-25304

Summary

The vlSelectionTuples function can be used to call JavaScript functions, leading to XSS.

Details

vlSelectionTuples calls multiple functions that can be controlled by an attacker, including one call with an attacker-controlled argument.

Example call: vlSelectionTuples([{datum:<argument>}], {fields:[{getter:<function>}]})

This can be used to call Function() with arbitrary JavaScript and the resulting function can be called with vlSelectionTuples or using a type coercion to call toString or valueOf.

PoC

{"$schema":"https://vega.github.io/schema/vega/v5.json","signals":[{"name":"a","init":"+{valueOf:vlSelectionTuples([{datum:'alert(1)'}],{fields:[{getter:[].at.constructor}]})[0].values[0]}"}]}

CVE-2025-26619

Impact

In vega 5.30.0 and lower, vega-functions 5.15.0 and lower , it was possible to call JavaScript functions from the Vega expression language that were not meant to be supported.

Patches

Patched in vega 5.31.0 / vega-functions 5.16.0

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

• Run vega without vega.expressionInterpreter. This mode is not the default as it is slower.
• Using the interpreter described in CSP safe mode (Content Security Policy) prevents arbitrary Javascript from running, so users of this mode are not affected by this vulnerability.

References

• Reported to Vega-Lite by @​kprevas Nov 8 20https://github.com/vega/vega-lite/issues/9469s/94https://github.com/vega/vega/issues/3984s/3984

Reproduction of the error in Vega by @​mattijn

{
  "$schema": "https://vega.github.io/schema/vega/v5.json",
  "signals": [
    {
      "name": "inject_alert",
      "on": [
        {
          "events": [
            {
              "type": "mousedown",
              "marktype": "rect",
              "filter": ["scale(event.view.setTimeout, 'alert(\"alert\")')"]
            }
          ],
          "update": "datum"
        }
      ]
    }
  ],
  "marks": [
    {
      "type": "rect",
      "encode": {
        "update": {
          "x": {"value": 0},
          "y": {"value": 0},
          "width": {"value": 100},
          "height": {"value": 100}
        }
      }
    }
  ]
}

CVE-2025-27793

Impact

Users running Vega/Vega-lite JSON definitions could run unexpected JavaScript code when drawing graphs, unless the library is used with the vega-interpreter.

Workarounds

• Use vega with expression interpreter
• Upgrade to a newer Vega version (5.32.0)

POC Summary

Calling replace with a RegExp-like pattern calls RegExp.prototype[@​@​replace], which can then call an attacker-controlled exec function.

POC Details

Consider the function call replace('foo', {__proto__: /h/.constructor.prototype, global: false}). Since pattern has RegExp.prototype[@​@​replace], pattern.exec('foo') winds up being called.

The resulting malicious call looks like this:

replace(<string argument>, {__proto__: /h/.constructor.prototype, exec: <function>, global: false})

Since functions cannot be returned from this, an attacker that wishes to escalate to XSS must abuse event.view to gain access to eval.

Reproduction steps

{"$schema":"https://vega.github.io/schema/vega/v5.json","signals":[{"name":"a","on":[{"events":"body:mousemove{99999}","update":"replace('alert(1)',{__proto__:/h/.constructor.prototype,exec:event.view.eval,global:false})"}]}]}

---

Release Notes

vega/vega (vega)

v5.32.0

Compare Source

Changes since v5.31.0

vega-expression

• Add base64 string encoder/decoder to vega-expression and vega-interpreter (via #​4009). (Thanks @​hydrosquall!)

vega-typings

• Add Typescript Types for vega-loader (via #​4000). (Thanks @​hydrosquall!)

docs

• Correct data year citation in dorling-cartogram example (via #​4006). (Thanks @​dsmedia!)
• Update typo in vega.timeFloor description (via #​4010). (Thanks @​hydrosquall!)
• Add Security Advisory Policy for Vega (via #​4008). (Thanks @​hydrosquall!)
• Replace redirect url in expressions.md (via #​3996). (Thanks @​dangotbanned!)
• correct queries to query in crossfilter.md (via #​4005). (Thanks @​danmarshall!)

v5.31.0

Compare Source

changes since v5.30.0

vega-utils

• use Object.hasOwn instead of Object.prototype.hasOwnProperty (via #​3951). (Thanks @​domoritz!)

vega-parser

• Add discrete legend type (via #​3957). (Thanks @​hydrosquall!)

vega-functions

• Add sort function to vega-functions (and vega-interpreter) (via #​3973). (Thanks @​hydrosquall!)

vega-selections

• Add field predicate types to selectionTest (via #​3675). (Thanks @​jonathanzong!)

monorepo

• Replace flights-5k.json external reference (via #​3999). (Thanks @​dwootton!)

docs

• Update packed bubble example (via #​3955). (Thanks @​PBI-David!)
• Correct typo in production rules documentation (via #​3958). (Thanks @​shanebruggeman!)
• Update README.md to fix broken link to current roadmap (via #​3979). (Thanks @​cahogan & @​joelostblom!)

v5.30.0

Compare Source

Changes since v5.29.0

vega-functions

• make default vega format null as "null" (via #​3926). (Thanks @​kanitw & @​domoritz )!

docs

• Add 4 new examples (via #​3851). (Thanks @​avatorl & @​domoritz!)

monorepo

• Deploy editor preview (via #​3925, #​3931). (Thanks @​hydrosquall!)
• Bump all vega-* deps in topological order to eliminate version mismatches within the monorepo (via #​3932). (Thanks @​lsh!)

v5.29.0

Compare Source

docs

• remove Google Analytics. (via #​3894) (Thanks @​domoritz!)

monorepo

• switch to ESLint flat config file. (via #​3920) (Thanks @​lsh!)
• update node versions in ci. (via #​3915) (Thanks @​domoritz!)

vega-encode

• use domainMin and domainMax to set scale padding. (via #​3906) (Thanks @​jami159 & @​lsh!)

vega-scale

• Add observable10 palette. (via #​3843) (Thanks @​mcnuttandrew!)
• Respect tickMinStep for binned scale. (via #​3904) (Thanks @​alexxu-db!)

vega-scenegraph

• Revert TooltipHideEvent to MouseOutEvent to fix events on mobile. (via #​3909) (Thanks @​kadamwhite!)

vega-typings

• Add observable10 palette. (via #​3843) (Thanks @​mcnuttandrew!)

vega-view

• turn off all handlers in View.finalize() to fix memory leak. (via #​3896) (Thanks @​cmerrick!)

v5.28.0

Compare Source

changes from v5.27.0

docs

• addition of the serpentine timeline example (via #​3858). (Thanks @​Giammaria!)
• update to the zoomable circle packing example (via #​3857). (Thanks @​Giammaria and @​domoritz!)
• update vega datasets (via #​3863). (Thanks @​domoritz!)

vega-parser

• allow signals in scale nice (via #​3887). (Thanks @​lsh!)

vega-scenegraph

• convert some of the scenegraph types to classes (via #​3864). (Thanks @​lsh!)

vega-typings

• add missing aggregate_params to window transform type (#​3874). (Thanks @​julieg18!)
• bump typings to 1.2 (Thanks @​domoritz!)

v5.27.0

Compare Source

changes from v5.26.1:

docs

• Addition of an example: Zoomable Circle Packing (via #​3841 and #​3842). (Thanks @​Giammaria!)

monorepo

• add codeowners file. (Thanks @​domoritz!)
• replace indexOf with equivalent includes and startsWith (via #​3845). (Thanks @​domoritz!)

vega-scenegraph

• Fix blurry zoom from caching devicePixelRatio (via #​3844). (Thanks @​lsh!)

vega-transforms

• fix sum([invalid]) -> undefined (via #​3849). (Thanks @​nicolaskruchten!)
• fix: correct aggregate params types (via #​3846). (Thanks @​domoritz!)

vega-typings

• Add experimental 'hybrid' renderer to vega-typings (via #​3847). (Thanks @​jonmmease!)

vega-view

• Add option to resize on devicePixelRatio change (via #​3844). (Thanks @​lsh!)

v5.26.1

Compare Source

Changes from v5.26.1:

vega-scenegraph

• Fix CanvasHandler to emit mouse over/move/out events. (#​3825)

vega-typings

• Expose aggregate parameters in typings. (thanks @​Xitian9)

v5.26.0

Compare Source

Changes from v5.25.0:

vega-functions

• Add geoScale expression function. (thanks @​binste)

vega-scale

• Fix tickMinStep calculation. (thanks @​kanitw)

vega-scenegraph

• Add experimental hybrid canvas/SVG renderer (thanks @​jonmmease)
• Fall back to textMetrics.width for user defined width function (thanks @​jonmmease)

vega-selections

• Fix null handling in vlSelectionTest (thanks @​arvind, @​jonmmease)

vega-transforms

• Add aggregate parameters to vega-transform, and exponential moving average. (thanks @​Xitian9)

vega-typings

• Bump typings to a 1.0 release. (thanks @​domoritz)

vega-voronoi

• Fix reference for voronoi path point. (thanks @​suchanlee)

v5.25.0

Compare Source

Changes from v5.24.0:

monorepo

• Fix browser lists for IE support. (thanks @​domoritz!)
• Update dependencies.

vega-cli

• Add ppi resolution parameter for PNG output. (thanks @​davidanthoff!)
• Return error code on failure. (thanks @​davidanthoff!)

vega-expression

• Add hypot function. (thanks @​domoritz!)

vega-functions

• Update to use hypot.

vega-regression

• Allow zero-valued order for polynomial regression.

vega-statistics

• Add constant regression method.

vega-transforms

• Use robust (null proto) object for aggregate cell map. (#​3695)

vega-util

• Fix consecutive escapes in splitAccessPath #​3724 (thanks @​suchanlee!)

v5.24.0

Compare Source

Changes from v5.23.0:

monorepo

• Update dev dependencies.
• Fix duplicated code in bundle (#​3684).

vega-force

• Update Force transform schema to allow expression-valued nbody force strength.

vega-schema

• Update Force transform schema to allow expression-valued nbody force strength.

vega-typings

• Update Force transform schema to allow expression-valued nbody force strength.

---

Configuration

📅 Schedule: Branch creation - "" in timezone UTC, Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.