Hi,

On Sun, Apr 05, 2026 at 08:41:48AM +0200, Xavier wrote:
> On 05/04/2026 at 08:39, Xavier wrote:
> > On 05/04/2026 at 08:28, Xavier wrote:
> > > On 04/04/2026 at 16:40, Moritz Mühlenhoff wrote:
> > > > On Sat, Apr 04, 2026 at 10:19:43AM +0200, Salvatore Bonaccorso wrote:
> > > > > Hi Xavier,
> > > > >
> > > > > On Sat, Apr 04, 2026 at 08:24:30AM +0200, Xavier wrote:
> > > > > > Hi,
> > > > > >
> > > > > > CVE-2025-66648 is just for vega.js 6.1.0 and fixed in 6.1.1, so vega.js
> > > > > > isn't affected.
> > > > >
> > > > > What is the fixing change so we can properly track it in the
> > > > > security-tracker?
> > > > >
> > > > > Things are not very clear to me with
> > > > > https://github.com/vega/vega/commits/v6.1.1/ .
> > > >
> > > > The advisory data appears to be incorrect, the changes between 6.1.0 and 6.1.1 only
> > > > bump the version string:
> > > >
> > > > --------------------------------------------------
> > > > $ diff -Naur vega-6.1.0 vega-6.1.1 | diffstat
> > > >  docs/vega-core.js              |    2 +-
> > > >  docs/vega-core.min.js          |    2 +-
> > > >  docs/vega.js                   |    2 +-
> > > >  docs/vega.min.js               |    2 +-
> > > >  packages/vega-cli/package.json |    4 ++--
> > > >  packages/vega/package.json     |    2 +-
> > > >  6 files changed, 7 insertions(+), 7 deletions(-)
> > > > --------------------------------------------------
> > > >
> > > > Cheers,
> > > >         Moritz
> > >
> > > Hi,
> > >
> > > the fix may be in https://github.com/vega/vega/commit/47afa04f,
> > > included in 6.1.1 but not 6.2.0... Difficult to find information in
> > > the repo...
> >
> > Oh,
> >
> > it seems to be an npm-only published fix!
I can see this commit into a > > diff between "npm install [email protected]" and "npm install vega- > > [email protected]" > > > > $ diff -aburN 6.1.*/vega-functions/build/vega-functions.js > > --- 6.1.0/vega-functions/build/vega-functions.js 2026-04-05 > > 08:32:08.183581218 +0200 > > +++ 6.1.1/vega-functions/build/vega-functions.js 2026-04-05 > > 08:32:24.191086855 +0200 > > @@ -251,6 +251,16 @@ > > function removePredicate(props) { > > return _ => equalObject(props, _); > > } > > + > > +/** > > + * Modify data in a dataset. > > + * @param {string} name - Dataset name > > + * @param {Array|Object} insert - Data to insert > > + * @param {boolean|Array|Object} remove - true to remove all, array/ > > tuple to remove, or object to match > > + * @param {Object} toggle - Data to toggle > > + * @param {Object|Array} modify - Tuple or array of tuples to modify > > + * @param {Object} values - Field values to update > > + */ > > function modify (name, insert, remove, toggle, modify, values) { > > const df = this.context.dataflow, > > data = this.context.data[name], > > @@ -287,6 +297,9 @@ > > } > > } > > if (modify) { > > + if (isFunction(modify)) { > > + throw Error('modify parameter must be a data tuple, not a > > function'); > > + } > > for (key in values) { > > changes.modify(modify, key, values[key]); > > } > > And so current vega.js is really vulnerable
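Review bot: the new JSDoc in the first hunk documents `modify` as "Tuple or array of tuples to modify" but does not mention that a function argument is now rejected, which is exactly the restriction the second hunk enforces; please state it in the doc, e.g. "@param {Object|Array} modify - Tuple or array of tuples to modify; a function is rejected", so that anyone reading the API surface (rather than the body) sees the constraint. The `remove` entry already spells out its accepted shapes (true, array/tuple, or object), so the same precision for `modify` is consistent with the rest of the comment.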
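Review bot: the guard in the second hunk covers only the `modify` argument, while the other arguments of the same function that flow into the changeset (`insert`, `remove`, `toggle`, and the `values` entries handed to `changes.modify(modify, key, values[key])`) get no equivalent `isFunction` test in this diff; either apply the same check to them or record why they cannot carry a function through this entry point. Two smaller points: `throw Error(...)` should read `throw new Error(...)` to match the usual style, and the hunk relies on `isFunction` already being in scope in the built bundle, which is not visible here and is worth confirming in the build output rather than assuming from the source.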
Thanks for the analysis and the fix via 5.33.1+ds+~cs5.3.0-2.

Regards,
Salvatore
