Debian Patches
Status for vega.js/5.33.1+ds+~cs5.3.0-4
| Patch | Description | Author | Forwarded | Bugs | Origin | Last update |
|---|---|---|---|---|---|---|
| reproducible.patch | make build reproducible | Yadd <yadd@debian.org> | not-needed | | | 2022-02-21 |
| use-old-terser-plugin.patch | use rollup-plugin-terser | Yadd <yadd@debian.org> | not-needed | | | 2023-09-10 |
| topojson-client-commander-14.patch | Port topojson-client CLI tools to commander 14. Commander 14 no longer exports a global program object. Options are accessed via program.opts() instead of being direct properties. | Yadd <yadd@debian.org> | not-needed | | | 2026-04-03 |
| CVE-2025-66648.patch | Fix CVE-2025-66648: XSS via modify() function parameter. Reject functions passed as the modify parameter in setdata, which could be used to run unintentional JavaScript (XSS). | | not-needed | debian | upstream, https://github.com/vega/vega/commit/47afa04f | |
| CVE-2025-65110.patch | Fix CVE-2025-65110: XSS via selectionTuples parameter injection. Validate arguments to selectionTuples to prevent arbitrary code execution through crafted Vega specifications. https://github.com/vega/vega/commit/e53a510d | | not-needed | debian | upstream, https://github.com/vega/vega/commit/c7f42403 | |
| CVE-2025-59840.patch | Fix CVE-2025-59840: XSS via vega-interpreter object expression. Fix error message to show property key name instead of value to avoid leaking information, and fix evaluation order. | | not-needed | debian | upstream, https://github.com/vega/vega/commit/259ac6e7 | |
All known versions for source package 'vega.js'
- 5.33.1+ds+~cs5.3.0-4 (forky, sid)
- 5.28.0+ds+~cs5.3.0-1 (trixie)
- 5.22.1+ds+~3.1.0-4 (bookworm)
