Le 05/04/2026 à 08:28, Xavier a écrit :
Le 04/04/2026 à 16:40, Moritz Mühlenhoff a écrit :
On Sat, Apr 04, 2026 at 10:19:43AM +0200, Salvatore Bonaccorso wrote:
Hi Xavier,

On Sat, Apr 04, 2026 at 08:24:30AM +0200, Xavier wrote:
Hi,

CVE-2025-66648 is just for vega.js 6.1.0 and fixed in 6.1.1, so vega.js
isn't affected.

What is the fixing change so we can properly track it in the
security-tracker?

Things are not very clear to me with
https://github.com/vega/vega/commits/v6.1.1/ .

The advisory data appears to be incorrect: the changes between 6.1.0 and 6.1.1 only
bump the version strings:

--------------------------------------------------
$ diff -Naur vega-6.1.0 vega-6.1.1 | diffstat
  docs/vega-core.js              |    2 +-
  docs/vega-core.min.js          |    2 +-
  docs/vega.js                   |    2 +-
  docs/vega.min.js               |    2 +-
  packages/vega-cli/package.json |    4 ++--
  packages/vega/package.json     |    2 +-
  6 files changed, 7 insertions(+), 7 deletions(-)
--------------------------------------------------

Cheers,
         Moritz

Hi,

the fix may be in https://github.com/vega/vega/commit/47afa04f, included in 6.1.1 but not 6.2.0... Difficult to find information in the repo...

Oh,

it seems to be an npm-only published fix! I can see this commit in a diff between "npm install [email protected]" and "npm install [email protected]"

$ diff -aburN 6.1.*/vega-functions/build/vega-functions.js
--- 6.1.0/vega-functions/build/vega-functions.js 2026-04-05 08:32:08.183581218 +0200
+++ 6.1.1/vega-functions/build/vega-functions.js 2026-04-05 08:32:24.191086855 +0200
@@ -251,6 +251,16 @@
 function removePredicate(props) {
   return _ => equalObject(props, _);
 }
+
+/**
+ * Modify data in a dataset.
+ * @param {string} name - Dataset name
+ * @param {Array|Object} insert - Data to insert
+ * @param {boolean|Array|Object} remove - true to remove all, array/tuple to remove, or object to match
+ * @param {Object} toggle - Data to toggle
+ * @param {Object|Array} modify - Tuple or array of tuples to modify
+ * @param {Object} values - Field values to update
+ */
 function modify (name, insert, remove, toggle, modify, values) {
   const df = this.context.dataflow,
     data = this.context.data[name],
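Review bot: The new JSDoc documents `modify` as `{Object|Array}` but says nothing about the rejection this same change adds in the `@@ -287,6 +297,9 @@` hunk, so a reader of the comment does not learn that the call throws; add `@throws {Error} when modify is a function (it must be a data tuple or array of tuples)` to the comment block. The same comment block is repeated in the duplicated `build/vega-functions.js` hunk below and in the `src/functions/modify.js` hunk at `@@ -28,6 +28,15 @@`, which should carry the same line. The body of `modify` continues past the end of this hunk.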
@@ -287,6 +297,9 @@
     }
   }
   if (modify) {
+    if (isFunction(modify)) {
+      throw Error('modify parameter must be a data tuple, not a function');
+    }
     for (key in values) {
       changes.modify(modify, key, values[key]);
     }
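Review bot: The added guard only inspects the top-level value of `modify`; the JSDoc introduced by this same change allows an array of tuples, and the array's elements are not checked here, so whether a non-tuple element is still accepted depends on `changes.modify`, which is outside the hunk and should be confirmed. Separately, `for (key in values)` on the next line also walks inherited enumerable properties, so iterating `for (const key of Object.keys(values))` (or guarding with `Object.hasOwn(values, key)`) would limit the field updates to the caller's own keys. A point of style: `throw new Error('modify parameter must be a data tuple, not a function');` rather than `throw Error(...)`. The same applies to the repeated hunks for `build/vega-functions.js` below and `src/functions/modify.js` at `@@ -72,6 +81,9 @@`; the enclosing function starts before this hunk.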
diff -aburN 6.1.0/vega-functions/build/vega-functions.js 6.1.1/vega-functions/build/vega-functions.js
--- 6.1.0/vega-functions/build/vega-functions.js	2026-04-05 08:32:08.183581218 +0200
+++ 6.1.1/vega-functions/build/vega-functions.js	2026-04-05 08:32:24.191086855 +0200
@@ -251,6 +251,16 @@
 function removePredicate(props) {
   return _ => equalObject(props, _);
 }
+
+/**
+ * Modify data in a dataset.
+ * @param {string} name - Dataset name
+ * @param {Array|Object} insert - Data to insert
+ * @param {boolean|Array|Object} remove - true to remove all, array/tuple to remove, or object to match
+ * @param {Object} toggle - Data to toggle
+ * @param {Object|Array} modify - Tuple or array of tuples to modify
+ * @param {Object} values - Field values to update
+ */
 function modify (name, insert, remove, toggle, modify, values) {
   const df = this.context.dataflow,
     data = this.context.data[name],
@@ -287,6 +297,9 @@
     }
   }
   if (modify) {
+    if (isFunction(modify)) {
+      throw Error('modify parameter must be a data tuple, not a function');
+    }
     for (key in values) {
       changes.modify(modify, key, values[key]);
     }
diff -aburN 6.1.0/vega-functions/package.json 6.1.1/vega-functions/package.json
--- 6.1.0/vega-functions/package.json	2026-04-05 08:32:08.199580712 +0200
+++ 6.1.1/vega-functions/package.json	2026-04-05 08:32:24.199086614 +0200
@@ -1,6 +1,6 @@
 {
   "name": "vega-functions",
-  "version": "6.1.0",
+  "version": "6.1.1",
   "description": "Custom functions for the Vega expression language.",
   "keywords": [
     "vega",
@@ -42,6 +42,5 @@
   },
   "devDependencies": {
     "vega-format": "^2.1.0"
-  },
-  "gitHead": "4dea72921d25bf6ff6636a9f9cb6c63ff696932c"
+  }
 }
diff -aburN 6.1.0/vega-functions/src/functions/modify.js 6.1.1/vega-functions/src/functions/modify.js
--- 6.1.0/vega-functions/src/functions/modify.js	2026-04-05 08:32:08.107583618 +0200
+++ 6.1.1/vega-functions/src/functions/modify.js	2026-04-05 08:32:24.155087939 +0200
@@ -1,5 +1,5 @@
 import {isTuple} from 'vega-dataflow';
-import {isArray, isObject, truthy} from 'vega-util';
+import {isArray, isFunction, isObject, truthy} from 'vega-util';
 
 function equal(a, b) {
   return a === b || a !== a && b !== b ? true
@@ -28,6 +28,15 @@
   return _ => equalObject(props, _);
 }
 
+/**
+ * Modify data in a dataset.
+ * @param {string} name - Dataset name
+ * @param {Array|Object} insert - Data to insert
+ * @param {boolean|Array|Object} remove - true to remove all, array/tuple to remove, or object to match
+ * @param {Object} toggle - Data to toggle
+ * @param {Object|Array} modify - Tuple or array of tuples to modify
+ * @param {Object} values - Field values to update
+ */
 export default function(name, insert, remove, toggle, modify, values) {
   const df = this.context.dataflow,
         data = this.context.data[name],
@@ -72,6 +81,9 @@
   }
 
   if (modify) {
+    if (isFunction(modify)) {
+      throw Error('modify parameter must be a data tuple, not a function');
+    }
     for (key in values) {
       changes.modify(modify, key, values[key]);
     }
