
[Auto release] release 2.0.0#4026

Merged
xile611 merged 155 commits into
mainfrom
release/2.0.0
Jun 11, 2025

Conversation

@github-actions
Contributor

🆕 feat

🐛 fix

🔨 refactor

  • @visactor/vchart: migrate mapLabel component into vchart-extension package

xiaoluoHe and others added 30 commits March 13, 2025 15:57
refactor: add mark api `hasAnimationByState`
@github-actions github-actions Bot requested a review from kkxxkk2019 June 10, 2025 14:08
Comment thread packages/vchart/src/mark/base/base-mark.ts Dismissed
// eslint-disable-next-line @typescript-eslint/ban-ts-comment
// @ts-ignore
stateStyle[state][attr] = {
this.stateStyle[state][attr] = {

Check warning

Code scanning / CodeQL

Prototype-polluting assignment Medium

This assignment may alter Object.prototype if a malicious '__proto__' string is injected from library input.

Copilot Autofix

AI 11 months ago

To fix the issue, we need to prevent the state parameter from being used as a key if it contains a value that could lead to prototype pollution. This can be achieved by validating the state parameter before using it. Specifically:

  1. Reject keys such as __proto__, constructor, and prototype that could lead to prototype pollution.
  2. Add a check at the beginning of the setAttribute method to ensure state is valid.

This fix ensures that malicious input cannot exploit the vulnerability while preserving the existing functionality of the code.

Suggested changeset 1
packages/vchart/src/mark/base/base-mark.ts

Autofix patch

Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/packages/vchart/src/mark/base/base-mark.ts b/packages/vchart/src/mark/base/base-mark.ts
--- a/packages/vchart/src/mark/base/base-mark.ts
+++ b/packages/vchart/src/mark/base/base-mark.ts
@@ -724,2 +724,7 @@
   ) {
+    // Validate the state parameter to prevent prototype pollution
+    if (state === '__proto__' || state === 'constructor' || state === 'prototype') {
+      throw new Error(`Invalid state key: ${state}`);
+    }
+
     if (this.stateStyle[state] === undefined) {
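Review bot: the guard at the top of this hunk rejects `state` only when it is exactly `__proto__`, `constructor` or `prototype`, but the `=== undefined` test on the following context line still treats any other inherited key (for example `toString` or `hasOwnProperty`) as an already-existing state, so the method would then write attributes onto a shared built-in function object instead of a fresh style object. Replacing the existence test with `Object.prototype.hasOwnProperty.call(this.stateStyle, state)`, or creating `stateStyle` with `Object.create(null)` so nothing is inherited, closes that gap without a hand-maintained denylist. Throwing here is also a behaviour change for callers that previously got a silent write, and the hunk adds no comment or test documenting it.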
EOF
// eslint-disable-next-line @typescript-eslint/ban-ts-comment
// @ts-ignore
stateStyle[state][key as keyof T] = stateStyle.normal[key];
this.stateStyle[state][key as keyof T] = this.stateStyle.normal[key];

Check warning

Code scanning / CodeQL

Prototype-polluting assignment Medium

This assignment may alter Object.prototype if a malicious '__proto__' string is injected from library input.

Copilot Autofix

AI 11 months ago

To fix the issue, we need to ensure that the state parameter cannot be used to modify Object.prototype. This can be achieved by validating the state parameter before using it as a key in the this.stateStyle object. Specifically, we can check if state is one of the expected values and reject any unexpected or malicious values such as __proto__, constructor, or prototype.

The best way to fix this issue is to add a validation step for the state parameter at the beginning of the setAttribute method. If state contains a disallowed value, the method should throw an error or return early.


Suggested changeset 1
packages/vchart/src/mark/base/base-mark.ts

Autofix patch

Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/packages/vchart/src/mark/base/base-mark.ts b/packages/vchart/src/mark/base/base-mark.ts
--- a/packages/vchart/src/mark/base/base-mark.ts
+++ b/packages/vchart/src/mark/base/base-mark.ts
@@ -724,2 +724,7 @@
   ) {
+    // Validate the state parameter to prevent prototype pollution
+    if (state === '__proto__' || state === 'constructor' || state === 'prototype') {
+      throw new Error(`Invalid state value: ${state}`);
+    }
+
     if (this.stateStyle[state] === undefined) {
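Review bot: this hunk targets the same location (`@@ -724,2 +724,7 @@`) as the changeset suggested for the previous finding and inserts the same three-name guard, differing only in the error text (`Invalid state value` versus `Invalid state key`); applying both changesets would add the guard twice, so only one should be applied and it will address both findings. The explanation above proposes checking that `state` is one of the expected values, but the hunk implements a denylist rather than an allowlist; if the set of valid states is finite and known, an allowlist (for example a `Set` of state names checked before the `=== undefined` test) is the stronger and more maintainable check.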
EOF
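A runnable illustration of the two CodeQL findings above and of the autofix suggestions, added here as an example and not code from the VChart repository: `UnsafeStyleTable` and `SafeStyleTable` are hypothetical stand-ins for the `stateStyle` handling in `base-mark.ts`, `FORBIDDEN_KEYS` is the three-name guard from the suggested patch, and the hostile spec is constructed inline. It goes one step beyond the patch by also showing why the denylist alone is not enough on a plain object.

```javascript
// Added example, not code from the VChart repository. UnsafeStyleTable and
// SafeStyleTable are hypothetical stand-ins for a mark's per-state style
// table; the hostile input below is constructed for the demonstration.

// Vulnerable shape: plain object, attacker-influenced state key, no validation.
// This mirrors the pattern CodeQL flagged (stateStyle[state][attr] = ...).
class UnsafeStyleTable {
  constructor() {
    this.stateStyle = { normal: {} };
  }
  setAttribute(state, attr, value) {
    // '__proto__' is not undefined here: it resolves to Object.prototype.
    if (this.stateStyle[state] === undefined) {
      this.stateStyle[state] = {};
    }
    this.stateStyle[state][attr] = value; // lands on Object.prototype when state === '__proto__'
  }
}

// Keys that, used as a state name on a plain object, reach shared prototypes.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Hardened shape: the three-name guard from the autofix, plus two changes the
// autofix does not make: a null-prototype table so no key is inherited, and an
// own-property test instead of `=== undefined`.
class SafeStyleTable {
  constructor() {
    this.stateStyle = Object.create(null);
    this.stateStyle.normal = Object.create(null);
  }
  setAttribute(state, attr, value) {
    if (typeof state !== 'string' || FORBIDDEN_KEYS.has(state) || FORBIDDEN_KEYS.has(attr)) {
      throw new Error(`Invalid state or attribute key: ${state}.${attr}`);
    }
    if (!Object.prototype.hasOwnProperty.call(this.stateStyle, state)) {
      this.stateStyle[state] = Object.create(null);
    }
    this.stateStyle[state][attr] = value;
  }
}

// Constructed hostile input: a chart spec deserialised from JSON, where the
// state name is attacker-controlled.
const hostileSpec = JSON.parse('{"state":"__proto__","attr":"polluted","value":"yes"}');

// Returns what an unrelated empty object sees after the unsafe write:
// 'yes' means Object.prototype was polluted.
function demoUnsafe() {
  const table = new UnsafeStyleTable();
  table.setAttribute(hostileSpec.state, hostileSpec.attr, hostileSpec.value);
  const leaked = {}.polluted;
  delete Object.prototype.polluted; // clean up so the rest of the process is unaffected
  return leaked;
}

// Returns whether the hostile write was rejected, whether a legitimate write
// still works, and whether anything leaked to Object.prototype.
function demoSafe() {
  const table = new SafeStyleTable();
  let rejected = false;
  try {
    table.setAttribute(hostileSpec.state, hostileSpec.attr, hostileSpec.value);
  } catch (err) {
    rejected = true;
  }
  table.setAttribute('hover', 'fill', 'red');
  return { rejected, fill: table.stateStyle.hover.fill, leaked: {}.polluted };
}

// The three-name denylist alone, on a plain object with the `=== undefined`
// existence test, still lets inherited keys such as 'toString' through:
// the write lands on the shared Object.prototype.toString function object.
function denylistOnlyGap() {
  const stateStyle = {};
  const state = 'toString';
  if (FORBIDDEN_KEYS.has(state)) return 'rejected';
  if (stateStyle[state] === undefined) stateStyle[state] = {};
  stateStyle[state].polluted = 'yes';
  const leaked = Object.prototype.toString.polluted;
  delete Object.prototype.toString.polluted;
  return leaked;
}
```

`demoUnsafe()` returns `'yes'` because the write through `'__proto__'` reaches every object in the realm; `demoSafe()` rejects the same input, still accepts a normal `hover` state, and leaves `Object.prototype` untouched; `denylistOnlyGap()` shows why the own-property test or the null-prototype table matters in addition to the three-name guard.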
@xile611 xile611 merged commit 6aa6787 into main Jun 11, 2025
6 of 9 checks passed
@xile611 xile611 deleted the release/2.0.0 branch June 11, 2025 02:17


8 participants