This PR intends to manually upgrade the Vega third-party frontend dependencies, as some SAST issues were found, considering this Wikimedia SAST Audit Report. The functionality still needs to be tested.
assets/vega-embed.6.20.2.js
javascript.lang.security.audit.detect-non-literal-regexp.detect-non-literal-regexp
RegExp() called with a `t` function argument, this might allow an attacker to cause a
Regular Expression Denial-of-Service (ReDoS) within your application as RegExP blocks the
main thread. For this reason, it is recommended to use hardcoded regexes instead. If your
regex is run on user-controlled input, consider performing input validation or use a regex
checking/sanitization library such as https://www.npmjs.com/package/recheck to verify that
the regex does not appear vulnerable to ReDoS.
Details: https://sg.run/gr65
6┆ ... new RegExp(t,n?"g":void 0)};c("NUMERICIDENTIFIER","0|[1-9]\\d*"),c("NUMERICIDENTIFIERLOOSE","[0-9]+"),c("NONNUMERICIDENTIFIER","\\d*[a-zA-Z-][a-zA- ... [shortened a long line from output, adjust with --max-chars-per-line]
⋮┆----------------------------------------
javascript.lang.security.audit.detect-non-literal-regexp.detect-non-literal-regexp
RegExp() called with a `e` function argument, this might allow an attacker to cause a
Regular Expression Denial-of-Service (ReDoS) within your application as RegExP blocks the
main thread. For this reason, it is recommended to use hardcoded regexes instead. If your
regex is run on user-controlled input, consider performing input validation or use a regex
checking/sanitization library such as https://www.npmjs.com/package/recheck to verify that
the regex does not appear vulnerable to ReDoS.
Details: https://sg.run/gr65
6┆ ... RegExp(e).test(t)};const Dt=["view","item","group","xy","x","y"],Ct={Literal:(e,t)=>t.value,Identifier:(e,t)=>{const n=t.name;return e.memberDepth> ... [shortened a long line from output, adjust with --max-chars-per-line]
⋮┆----------------------------------------
javascript.lang.security.audit.prototype-pollution.prototype-pollution-loop.prototype-pollution-loop
Possibility of prototype polluting function detected. By adding or modifying attributes of
an object prototype, it is possible to create attributes that exist on every object, or
replace critical attributes with malicious ones. This can be problematic if the software
depends on existence or non-existence of certain attributes, or uses pre-defined attributes
of object prototype (such as hasOwnProperty, toString or valueOf). Possible mitigations
might be: freezing the object prototype, using an object without prototypes (via
Object.create(null) ), blocking modifications of attributes that resolve to object
prototype, using Map instead of object.
Details: https://sg.run/w1DB
1┆ ... c=c[g],n&&l<u&&(!c||"object"!=typeof c))throw new m("Cannot perform operation at the desired path","OPERATION_PATH_UNRESOLVABLE",i,t,e)}}function A ... [shortened a long line from output, adjust with --max-chars-per-line]
assets/vega-lite.5.2.0.js
javascript.lang.security.audit.detect-non-literal-regexp.detect-non-literal-regexp
RegExp() called with a `c` function argument, this might allow an attacker to cause a
Regular Expression Denial-of-Service (ReDoS) within your application as RegExP blocks the
main thread. For this reason, it is recommended to use hardcoded regexes instead. If your
regex is run on user-controlled input, consider performing input validation or use a regex
checking/sanitization library such as https://www.npmjs.com/package/recheck to verify that
the regex does not appear vulnerable to ReDoS.
Details: https://sg.run/gr65
1┆ ... new RegExp(c.source,a(c)),c.lastIndex&&(g.lastIndex=c.lastIndex);else if(o.__isDate(c))g=new Date(c.getTime());else{if(p&&Buffer.isBuffer(c))return ... [shortened a long line from output, adjust with --max-chars-per-line]
⋮┆----------------------------------------
javascript.lang.security.audit.detect-non-literal-regexp.detect-non-literal-regexp
RegExp() called with a `t` function argument, this might allow an attacker to cause a