Debian Package Tracker
vega.js

general
  • source: vega.js (main)
  • version: 5.33.1+ds+~cs5.3.0-4
  • maintainer: Debian Javascript Maintainers (archive) (DMD)
  • uploaders: Yadd [DMD]
  • arch: all
  • std-ver: 4.7.4
  • VCS: Git (Browse, QA)
versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]
[pool directory]
  • oldstable: 5.22.1+ds+~3.1.0-4
  • stable: 5.28.0+ds+~cs5.3.0-1
  • testing: 5.33.1+ds+~cs5.3.0-4
  • unstable: 5.33.1+ds+~cs5.3.0-4
versioned links
  • 5.22.1+ds+~3.1.0-4: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 5.28.0+ds+~cs5.3.0-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
  • 5.33.1+ds+~cs5.3.0-4: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
binaries
  • libjs-vega
  • node-vega
action needed
A new upstream version is available: 6.2.0+~cs6.1.2 high
A new upstream version 6.2.0+~cs6.1.2 is available, you should consider packaging it.
Created: 2025-11-27 Last update: 2026-06-29 19:03
Fails to build during reproducibility testing normal
A package building reproducibly enables third parties to verify that the source matches the distributed binaries. It has been identified that this source package produced different results, failed to build or had other issues in a test environment. Please read about how to improve the situation!
Created: 2023-04-01 Last update: 2026-06-29 21:00
lintian reports 10 warnings normal
Lintian reports 10 warnings about this package. You should make the package lintian clean getting rid of them.
Created: 2026-04-06 Last update: 2026-04-10 09:01
5 low-priority security issues in trixie low

There are 5 open security issues in trixie.

5 issues left for the package maintainer to handle:
  • CVE-2025-26619: (needs triaging) Vega is a visualization grammar, a declarative format for creating, saving, and sharing interactive visualization designs. In `vega` 5.30.0 and lower and in `vega-functions` 5.15.0 and lower, it was possible to call JavaScript functions from the Vega expression language that were not meant to be supported. The issue is patched in `vega` `5.31.0` and `vega-functions` `5.16.0`. Some workarounds are available. Run `vega` without `vega.expressionInterpreter`. This mode is not the default as it is slower. Alternatively, using the interpreter described in CSP safe mode (Content Security Policy) prevents arbitrary JavaScript from running, so users of this mode are not affected by this vulnerability.
  • CVE-2025-27793: (needs triaging) Vega is a visualization grammar, a declarative format for creating, saving, and sharing interactive visualization designs. In Vega prior to version 5.32.0, corresponding to vega-functions prior to version 5.17.0, users running Vega/Vega-lite JSON definitions could run unexpected JavaScript code when drawing graphs, unless the library was used with the `vega-interpreter`. Vega version 5.32.0 and vega-functions version 5.17.0 fix the issue. As a workaround, use `vega` with expression interpreter.
  • CVE-2025-59840: (needs triaging) Vega is a visualization grammar, a declarative format for creating, saving, and sharing interactive visualization designs. In Vega prior to version 6.2.0, applications meeting 2 conditions are at risk of arbitrary JavaScript code execution, even if "safe mode" expressionInterpreter is used. They are vulnerable if they use `vega` in an application that attaches the `vega` library and a `vega.View` instance similar to the Vega Editor to the global `window` and if they allow user-defined Vega `JSON` definitions (vs JSON that is only provided through source code). Patches are available in the following Vega applications. If using the latest Vega line (6.x), upgrade to `vega` `6.2.0` / `vega-expression` `6.1.0` / `vega-interpreter` `2.2.1` (if using AST evaluator mode). If using Vega in a non-ESM environment, upgrade to `vega-expression` `5.2.1` / `1.2.1` (if using AST evaluator mode). Some workarounds are available. Do not attach `vega` View instances to global variables, and do not attach `vega` to the global window. These practices of attaching the vega library and View instances may be convenient for debugging, but should not be used in production or in any situation where vega/vega-lite definitions could be provided by untrusted parties.
  • CVE-2025-65110: (needs triaging) Vega is a visualization grammar, a declarative format for creating, saving, and sharing interactive visualization designs. Prior to versions 6.1.2 and 5.6.3, applications meeting two conditions are at risk of arbitrary JavaScript code execution, even if "safe mode" expressionInterpreter is used. First, they use `vega` in an application that attaches both the `vega` library and a `vega.View` instance similar to the Vega Editor to the global `window`, or has any other satisfactory function gadgets in the global scope. Second, they allow user-defined Vega `JSON` definitions (vs JSON that is only provided through source code). This vulnerability allows for DOM XSS, potentially stored, potentially reflected, depending on how the library is being used. The vulnerability requires user interaction with the page to trigger. An attacker can exploit this issue by tricking a user into opening a malicious Vega specification. Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the application's domain. This can lead to theft of sensitive information such as authentication tokens, manipulation of data displayed to the user, or execution of unauthorized actions on behalf of the victim. This exploit compromises confidentiality and integrity of impacted applications. Patched versions are available in `vega-selections@6.1.2` (requires ESM) for Vega v6 and `vega-selections@5.6.3` (no ESM needed) for Vega v5. As a workaround, do not attach `vega` or `vega.View` instances to global variables or the window as the editor used to do. This is a development-only debugging practice that should not be used in any situation where Vega/Vega-lite definitions can come from untrusted parties.
  • CVE-2025-66648: (needs triaging) vega-functions provides function implementations for the Vega expression language. Prior to version 6.1.1, for sites that allow users to supply untrusted user input, malicious use of an internal function (not part of the public API) could be used to run unintentional JavaScript (XSS). This issue is fixed in vega-functions `6.1.1`. There is no workaround besides upgrading. Using `vega.expressionInterpreter` as described in CSP safe mode does not prevent this issue.

You can find information about how to handle these issues in the security team's documentation.

Created: 2026-01-09 Last update: 2026-05-07 14:03
8 low-priority security issues in bookworm low

There are 8 open security issues in bookworm.

8 issues left for the package maintainer to handle:
  • CVE-2023-26486: (needs triaging) Vega is a visualization grammar, a declarative format for creating, saving, and sharing interactive visualization designs. The Vega `scale` expression function has the ability to call arbitrary functions with a single controlled argument. The scale expression function passes a user supplied argument group to getScale, which is then used as if it were an internal context. The context.scales[name].value is accessed from group and called as a function back in scale. This can be exploited to escape the Vega expression sandbox in order to execute arbitrary JavaScript. This issue has been fixed in version 5.13.1.
  • CVE-2023-26487: (needs triaging) Vega is a visualization grammar, a declarative format for creating, saving, and sharing interactive visualization designs. The `lassoAppend` function accepts 3 arguments and internally invokes the `push` function on the 1st argument, passing an array consisting of the 2nd and 3rd arguments as the `push` call argument. The type of the 1st argument is supposed to be an array, but it's not enforced. This makes it possible to specify any object with a `push` function as the 1st argument; the `push` function can be set to any function that can be accessed via `event.view` (not all such functions can be exploited due to invalid context or signature, but some can, e.g. `console.log`). The issue is that `lassoAppend` doesn't enforce proper types of its arguments. This issue opens various XSS vectors, but exact impact and severity depend on the environment (e.g. the Core JS `setImmediate` polyfill basically allows `eval`-like functionality). This issue was patched in 5.23.0.
  • CVE-2025-25304: (needs triaging) Vega is a visualization grammar, a declarative format for creating, saving, and sharing interactive visualization designs. Prior to version 5.26.0 of vega and 5.4.2 of vega-selections, the `vlSelectionTuples` function can be used to call JavaScript functions, leading to cross-site scripting. `vlSelectionTuples` calls multiple functions that can be controlled by an attacker, including one call with an attacker-controlled argument. This can be used to call `Function()` with arbitrary JavaScript and the resulting function can be called with `vlSelectionTuples` or using a type coercion to call `toString` or `valueOf`. Version 5.26.0 of vega and 5.4.2 of vega-selections fix this issue.
  • CVE-2025-26619: (needs triaging) Vega is a visualization grammar, a declarative format for creating, saving, and sharing interactive visualization designs. In `vega` 5.30.0 and lower and in `vega-functions` 5.15.0 and lower, it was possible to call JavaScript functions from the Vega expression language that were not meant to be supported. The issue is patched in `vega` `5.31.0` and `vega-functions` `5.16.0`. Some workarounds are available. Run `vega` without `vega.expressionInterpreter`. This mode is not the default as it is slower. Alternatively, using the interpreter described in CSP safe mode (Content Security Policy) prevents arbitrary JavaScript from running, so users of this mode are not affected by this vulnerability.
  • CVE-2025-27793: (needs triaging) Vega is a visualization grammar, a declarative format for creating, saving, and sharing interactive visualization designs. In Vega prior to version 5.32.0, corresponding to vega-functions prior to version 5.17.0, users running Vega/Vega-lite JSON definitions could run unexpected JavaScript code when drawing graphs, unless the library was used with the `vega-interpreter`. Vega version 5.32.0 and vega-functions version 5.17.0 fix the issue. As a workaround, use `vega` with expression interpreter.
  • CVE-2025-59840: (needs triaging) Vega is a visualization grammar, a declarative format for creating, saving, and sharing interactive visualization designs. In Vega prior to version 6.2.0, applications meeting 2 conditions are at risk of arbitrary JavaScript code execution, even if "safe mode" expressionInterpreter is used. They are vulnerable if they use `vega` in an application that attaches the `vega` library and a `vega.View` instance similar to the Vega Editor to the global `window` and if they allow user-defined Vega `JSON` definitions (vs JSON that is only provided through source code). Patches are available in the following Vega applications. If using the latest Vega line (6.x), upgrade to `vega` `6.2.0` / `vega-expression` `6.1.0` / `vega-interpreter` `2.2.1` (if using AST evaluator mode). If using Vega in a non-ESM environment, upgrade to `vega-expression` `5.2.1` / `1.2.1` (if using AST evaluator mode). Some workarounds are available. Do not attach `vega` View instances to global variables, and do not attach `vega` to the global window. These practices of attaching the vega library and View instances may be convenient for debugging, but should not be used in production or in any situation where vega/vega-lite definitions could be provided by untrusted parties.
  • CVE-2025-65110: (needs triaging) Vega is a visualization grammar, a declarative format for creating, saving, and sharing interactive visualization designs. Prior to versions 6.1.2 and 5.6.3, applications meeting two conditions are at risk of arbitrary JavaScript code execution, even if "safe mode" expressionInterpreter is used. First, they use `vega` in an application that attaches both the `vega` library and a `vega.View` instance similar to the Vega Editor to the global `window`, or has any other satisfactory function gadgets in the global scope. Second, they allow user-defined Vega `JSON` definitions (vs JSON that is only provided through source code). This vulnerability allows for DOM XSS, potentially stored, potentially reflected, depending on how the library is being used. The vulnerability requires user interaction with the page to trigger. An attacker can exploit this issue by tricking a user into opening a malicious Vega specification. Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the application's domain. This can lead to theft of sensitive information such as authentication tokens, manipulation of data displayed to the user, or execution of unauthorized actions on behalf of the victim. This exploit compromises confidentiality and integrity of impacted applications. Patched versions are available in `vega-selections@6.1.2` (requires ESM) for Vega v6 and `vega-selections@5.6.3` (no ESM needed) for Vega v5. As a workaround, do not attach `vega` or `vega.View` instances to global variables or the window as the editor used to do. This is a development-only debugging practice that should not be used in any situation where Vega/Vega-lite definitions can come from untrusted parties.
  • CVE-2025-66648: (needs triaging) vega-functions provides function implementations for the Vega expression language. Prior to version 6.1.1, for sites that allow users to supply untrusted user input, malicious use of an internal function (not part of the public API) could be used to run unintentional JavaScript (XSS). This issue is fixed in vega-functions `6.1.1`. There is no workaround besides upgrading. Using `vega.expressionInterpreter` as described in CSP safe mode does not prevent this issue.

You can find information about how to handle these issues in the security team's documentation.

Created: 2026-01-09 Last update: 2026-05-07 14:03
news
[rss feed]
  • [2026-04-11] vega.js 5.33.1+ds+~cs5.3.0-4 MIGRATED to testing (Debian testing watch)
  • [2026-04-05] Accepted vega.js 5.33.1+ds+~cs5.3.0-4 (source) into unstable (Xavier Guimard)
  • [2026-04-05] Accepted vega.js 5.33.1+ds+~cs5.3.0-3 (source) into unstable (Xavier Guimard)
  • [2026-04-05] Accepted vega.js 5.33.1+ds+~cs5.3.0-2 (source) into unstable (Xavier Guimard)
  • [2026-04-04] Accepted vega.js 5.33.1+ds+~cs5.3.0-1 (source) into unstable (Xavier Guimard)
  • [2026-04-03] Accepted vega.js 5.28.0+ds+~cs5.3.0-3 (source) into unstable (Xavier Guimard)
  • [2026-01-15] vega.js 5.28.0+ds+~cs5.3.0-2 MIGRATED to testing (Debian testing watch)
  • [2026-01-09] Accepted vega.js 5.28.0+ds+~cs5.3.0-2 (source) into unstable (Santiago Vila)
  • [2024-05-14] vega.js 5.28.0+ds+~cs5.3.0-1 MIGRATED to testing (Debian testing watch)
  • [2024-05-09] Accepted vega.js 5.28.0+ds+~cs5.3.0-1 (source) into unstable (Yadd) (signed by: Xavier Guimard)
  • [2023-10-27] vega.js 5.25.0+ds+~cs5.3.0-5 MIGRATED to testing (Debian testing watch)
  • [2023-10-22] Accepted vega.js 5.25.0+ds+~cs5.3.0-5 (source) into unstable (Yadd) (signed by: Xavier Guimard)
  • [2023-10-15] vega.js 5.25.0+ds+~cs5.3.0-4 MIGRATED to testing (Debian testing watch)
  • [2023-10-10] Accepted vega.js 5.25.0+ds+~cs5.3.0-4 (source) into unstable (Yadd) (signed by: Xavier Guimard)
  • [2023-09-15] vega.js 5.25.0+ds+~cs5.3.0-2 MIGRATED to testing (Debian testing watch)
  • [2023-09-11] Accepted vega.js 5.25.0+ds+~cs5.3.0-3 (source all) into experimental (Yadd) (signed by: Xavier Guimard)
  • [2023-09-10] Accepted vega.js 5.25.0+ds+~cs5.3.0-2 (source) into unstable (Yadd) (signed by: Xavier Guimard)
  • [2023-09-10] Accepted vega.js 5.25.0+ds+~cs5.3.0-1 (source) into unstable (Yadd) (signed by: Xavier Guimard)
  • [2022-11-05] vega.js 5.22.1+ds+~3.1.0-4 MIGRATED to testing (Debian testing watch)
  • [2022-10-31] Accepted vega.js 5.22.1+ds+~3.1.0-4 (source) into unstable (Yadd) (signed by: Xavier Guimard)
  • [2022-10-28] Accepted vega.js 5.22.1+ds+~3.1.0-3 (source) into unstable (Yadd) (signed by: Xavier Guimard)
  • [2022-06-01] vega.js 5.22.1+ds+~3.1.0-2 MIGRATED to testing (Debian testing watch)
  • [2022-05-27] Accepted vega.js 5.22.1+ds+~3.1.0-2 (source) into unstable (Yadd) (signed by: Xavier Guimard)
  • [2022-04-11] vega.js 5.22.1+ds+~3.1.0-1 MIGRATED to testing (Debian testing watch)
  • [2022-04-06] Accepted vega.js 5.22.1+ds+~3.1.0-1 (source) into unstable (Yadd) (signed by: Xavier Guimard)
  • [2022-03-28] vega.js 5.22.0+ds+~3.1.0-1 MIGRATED to testing (Debian testing watch)
  • [2022-03-23] Accepted vega.js 5.22.0+ds+~3.1.0-1 (source) into unstable (Yadd) (signed by: Xavier Guimard)
  • [2022-03-22] Accepted vega.js 5.21.0+ds+~3.1.0-1 (source all) into unstable, unstable (Debian FTP Masters) (signed by: Xavier Guimard)
bugs [bug history graph]
  • all: 0
links
  • homepage
  • lintian (0, 10)
  • buildd: logs, reproducibility
  • popcon
  • browse source code
  • other distros
  • security tracker
  • debian patches
  • debci
ubuntu [Information about Ubuntu for Debian Developers]
  • version: 5.28.0+ds+~cs5.3.0-2

Debian Package Tracker — Copyright 2013-2025 The Distro Tracker Developers