On 04/04/2026 at 16:40, Moritz Mühlenhoff wrote:
On Sat, Apr 04, 2026 at 10:19:43AM +0200, Salvatore Bonaccorso wrote:
Hi Xavier,
On Sat, Apr 04, 2026 at 08:24:30AM +0200, Xavier wrote:
Hi,
CVE-2025-66648 is just for vega.js 6.1.0 and fixed in 6.1.1, so vega.js
isn't affected.
What is the fixing change so we can properly track it in the
security-tracker?
Things are not very clear to me with
https://github.com/vega/vega/commits/v6.1.1/ .
The advisory data appears to be incorrect, the changes between 6.1.0 and 6.1.1
only bump the version string:
--------------------------------------------------
$ diff -Naur vega-6.1.0 vega-6.1.1 | diffstat
docs/vega-core.js | 2 +-
docs/vega-core.min.js | 2 +-
docs/vega.js | 2 +-
docs/vega.min.js | 2 +-
packages/vega-cli/package.json | 4 ++--
packages/vega/package.json | 2 +-
6 files changed, 7 insertions(+), 7 deletions(-)
--------------------------------------------------
Cheers,
Moritz
Hi,
the fix may be in https://github.com/vega/vega/commit/47afa04f, included
in 6.1.1 but not 6.2.0... Difficult to find information in the repo...