
Update npm package echarts to v6 [SECURITY] #8927

Open: hash-worker[bot] wants to merge 1 commit into main from deps/js/npm-echarts-vulnerability

Conversation


hash-worker Bot commented Jul 1, 2026


This PR contains the following updates:

Package            Change           Age   Confidence
echarts (source)   5.6.0 -> 6.1.0   age   confidence

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

CVE-2026-45249

A cross-site scripting (XSS) vulnerability exists in Apache ECharts in the Lines series tooltip rendering logic.

This issue affects Apache ECharts versions before 6.1.0.

In versions prior to 6.1.0, if both the Lines series and the tooltip are used, no user-specified tooltip.formatter is provided, and series.data[i].name is specified, the raw HTML string in series.data[i].name can be rendered through an innerHTML sink into the tooltip content. Although the tooltip is allowed to accept user-provided raw HTML via a custom tooltip.formatter, the built-in tooltip formatters conventionally perform HTML escaping automatically. This case breaks that convention and may unexpectedly lead to script execution when tooltips are displayed.

Users are recommended to upgrade to version 6.1.0 if using the Lines series in this way, which fixes the issue.


Release Notes

apache/echarts (echarts)

v6.1.0


  • [Feature] [axis] Support dataMin and dataMax option for calculating a nice axis extent. #​20838 (Justin-ZS, Ovilia)
  • [Feature] [axis] Comprehensively enable all types of axis (i.e., "value"/"time"/"category"/"log") to render series (typically "bar"/"pictorialBar"/"candlestick"/"boxplot") without overflow (including the case "category" axis with boundaryGap: false); provide containShape option; provide some corresponding clip option. dbfaf6a73 fe932a2aa 3973b21ee (100pah) #​21511 (Akash Sonune)
  • [Feature] [axis] Automatically exclude non-positive series data values on "log" axis. dedc5dc18 (100pah)
  • [Feature] [axis] Enable axisLabel.formatter to receive its index for working with customValues. #​21220 #​21432 (Szymon Pachucki, Ovilia, plainheart)
  • [Feature] [line] Add triggerEvent option for more control over mouse event. #​21001 (Steven Cobb, plainheart)
  • [Feature] [pie] Add tangential-noflip rotation mode to keep labels tangential without flipping. #​21258 (春秋半夏, Ovilia)
  • [Feature] [gauge] progress.color supports 'auto'. #​21224 (StNimmerlein, Ovilia)
  • [Feature] [radar] Add clockwise option. #​21143 (Dai Xuezhou, Ovilia)
  • [Feature] [candlestick] [dataZoom] Add cursor option for candlestick series and add cursorGrab option & cursorGrabbing for 'inside' dataZoom. #​21558 (zuming, Ovilia, 100pah)
  • [Feature] [scatter] [effectScatter] [geo] Enable clip option on "scatter"/"effectScatter" on geo. 417592289 (100pah)
  • [Feature] [visualMap] Add seriesTargets option for multiple series-dimension mappings. #​20703 (Justin-ZS, plainheart)
  • [Feature] [matrix] Support matrix.x/y.length for conveniently creating a headless matrix without composing an array. #​21191 (100pah, plainheart)
  • [Feature] [matrix] Add triggerEvent option to support triggering event on matrix cells. #​21390 (Natsuo Kawai, 100pah)
  • [Feature] [i18n] add Latvian(LV) translation. #​21546 (EPoikans)
  • [Fix] [axis] Change and clarify the rounding error and auto-precision utils and solutions. 479dcd454 (100pah)
  • [Fix] [axis] Fix chart does not work when using customValues with formatter in time axis (axis.type: 'time') label. #​21352 (Srajan Sanjay Saxena, plainheart)
  • [Fix] [axis] Fix and clarify alignTick strategy, and fix LogScale precision. a6ab2458f ffcc636fb (100pah)
  • [Fix] [axis] Fix duplicate ticks when using time axis (axis.type: 'time') or customValues, which causes jitter of splitArea; fix the showMin/MaxLabel handling of a category axis (axis.type: 'category'); enable a uniform bandWidth calculation in numeric axis (axis.type: 'value' | 'time' | 'log'). 8de2b64fa 15af0db02 8ddaa5c69 (100pah)
  • [Fix] [axis] Fix time axis (axis.type: 'time') bug when value scale is in millisecond. 40b77b464 (100pah)
  • [Fix] [bar] Fix wrong label position when bar series has a 0 width/height. #​21218 (Justin-ZS, Ovilia)
  • [Fix] [scatter] Fix jitter layout does not support progressive rendering and cause chart to be frozen and potential NPE. #​21436 (plainheart)
  • [Fix] [lines] Fix effect symbol flip on unidirectional loop end when roundTrip is not enabled. #​21320 (Mayank Mehta, plainheart)
  • [Fix] [candlestick] Fix candlestick render error with series.encode on horizontal layout. #​21325 (Purbayan Pramanik, 100pah)
  • [Fix] [parallel] Fix incorrect axis extent when any subsequent series has a larger value than the first. #​21387 (jackhickson, 100pah)
  • [Fix] [pie] Support axes extent union pie center automatically when pie is laid out on Cartesian (grid component). 18a23a875 (100pah)
  • [Fix] [treemap] Fix treemap can not be zoomed out after a zoom-in when scaleLimit is specified #​21427 (TateLiu, 100pah)
  • [Fix] [lines] Fix potential tooltip XSS vulnerability in lines series (series.type: 'lines'). #​21608 (plainheart)
  • [Fix] [map] [geo] Fix the failed synchronization and visual artifacts on geo roaming and animation. 417592289 (100pah)
  • [Fix] [tooltip] Fix tooltip content does not refresh when changing tooltip trigger from 'axis' to 'item'. #​20710 (Justin-ZS, plainheart)
  • [Fix] [tooltip] valueFormatter callback param dataIndex should be rawDataIndex rather than dataZoom filtered dataIndex. #​21479 (100pah, plainheart)
  • [Fix] [axisPointer] Fix axisPointer shadow and enable clipping - it is previously only applicable to "category" axis, but is buggy in numeric axis with "bar" series. 8de2b64fa (100pah)
  • [Fix] [axisPointer] Fix visual artifacts caused by failed axisPointer restoration. 56a32c0bb (100pah)
  • [Fix] [hoverLayer] Fix visual artifacts arisen on hover layer. zrender#1151 933585126 (100pah)
  • [Fix] [marker] Fix marker fails to render with dataset and encode. #​21439 (plainheart, 100pah).
  • [Fix] [dataZoom] Fix wrong position of the dataZoom when the series has only one data point. #​21196 (alesmit, Ovilia)
  • [Fix] [dataZoom] Fix dataZoom bug that data info disappears when dragging released; fix dataZoom dragging cursor style. 64305a4b8 (100pah)
  • [Fix] [dataZoom] Apply a better auto-precision method; fix unexpected behaviors when dataZoom controls axes with alignTicks: true. d168bf237 (100pah)
  • [Fix] [dataZoom] Fix AxisProxy can not be cleared when dataZoom option changed; fix related onZero behaviors. 52ceb924a 2e82d33c3 (100pah)
  • [Fix] [areaStyle] Fix areaStyle render error when dimension name is empty string. #​21219 (Justin-ZS, Ovilia)
  • [Fix] [sunburst] Fix root node label may not be centered. #​21306 (Akash Sonune, Ovilia)
  • [Fix] [matrix] Fix matrix label formatter does not work. #​21410 (Justin-ZS, Ovilia)
  • [Fix] [toolbox] Fix emphasis color is the same as the default color. #​21384 (Ovilia) b094f987d (100pah)
  • [Fix] [toolbox] Fix the dataView component does not fit the dark mode. #​21176 (notthistrain, Ovilia)
  • [Fix] [progressive] Fix progressive rendering issues. 91a60fc76 (100pah)
  • [Fix] [labelLine] Fix labelLine.smooth can not be reset. #​21425 (fanwww, plainheart)
  • [Fix] [graphic] Fix stroke corner gap due to not closing path in roundRect helper. zrender#1155 (plainheart)
  • [Fix] [svg] Enhance SVG encodeBase64 compatibility to make it available in more environments like Web Worker/NodeJS/Bun. zrender#1145 (plainheart)
  • [Fix] [core] Mark echarts instance object as raw in Vue. #​21293 (plainheart)
  • [Fix] [chord] Add the missing export entry for chord chart. #​21197 (plainheart, Ovilia)
  • [Fix] [i18n] Fix incorrect translation for custom series name in langDE. #​21571 (A-Loot, plainheart)
  • [Fix] [typescript]
  • [Chore] [refactor]
  • [Chore] [security] Add security checking hints in PR template. #​21327 (100pah, plainheart)
  • [Chore] Add unpkg entry to package.json. #​21177 (Yue JIN, plainheart)
  • [Chore] Fix example description for the each method of SeriesData. #​21294 (Yurun, plainheart)
  • [Chore] Fix the test/webkit-dep.htm test case. #​21508 (zuming, Ovilia)
  • [Break] Breaking changes against v6.0.0:
    • tooltip.valueFormatter: The 2nd parameter of tooltip.valueFormatter callback is changed from dataIndex (i.e., the index after series data filtered by dataZoom) to rawDataIndex (i.e., the index of the original input series data).
    • axis.startValue: Previously startValue was also used as axis.min if axis.min was not provided. The new version decouples them - explicitly setting them both (e.g., startValue: 111, min: 111) is equivalent to the previous behavior (startValue: 111 and min is not specified).
    • Previously, "bar"/"pictorialBar"/"candlestick"/"boxplot" series could overflow the Cartesian rectangle (grid) at the edge shapes. The new version eliminates that overflow. The previous behavior can be restored via axis.containShape: false.

New Contributors

v6.0.0


  • [Feature] [theme] New theme for ECharts 6.0. #​20865 #​21097 #​21114 (Ovilia)
  • [Feature] [chord] New chord series. #​20522 (Ovilia)
  • [Feature] [matrix&calendar] New matrix coordinate system. And all series and components (including other coordinate systems, such as grid(Cartesian), geo, polar, etc.) are supported to be declaratively laid out in the cells of matrix and calendar coordinate system. #​19807 #​21093 (Ovilia) #​21005 #​21108 (100pah)
  • [Feature] [custom] Support reusable custom series. #​20226 (Ovilia)
  • [Feature] [cartesian] Introduce new layout mechanism to avoid Cartesian (i.e., grid component) axis labels and axis names overflowing the canvas, prevent axis names from overlapping with axis labels, and make them the default. #​21059 (100pah) #​19534 (robin-gerling) #​16825 (konrad-amtenbrink)
  • [Feature] [scatter] Support jittering for scatter series. #​19941 #​21067 (Ovilia)
  • [Feature] [axis] Support break on the axis. #​19459 (Ovilia) #​20857 (100pah)
  • [Feature] [theme] Support dynamically registering and switching themes. #​20705 (Ovilia)
  • [Feature] [roam] Roaming infrastructure enhancement - support users specifying roaming area by roamTrigger; support clip on geo and series.map; support cursor style change when hovering on the roaming area; support preserveAspect on geo, series.map and series.graph; fix the percent base of center on geo, series.map, series.graph and series.tree; enhance the behavior for roaming area overlapping. #​19807#issuecomment-2974437299 (100pah)
  • [Feature] [thumbnail] Support thumbnail for the graph series. #​19807#issuecomment-3013454598 (100pah) #​17471 (Lruler)
  • [Feature] [marker] Support z option for markPoint/markLine/markArea. #​21117 (sz-p)
  • [Feature] [marker] Support z2 option for markPoint/markLine/markArea. #​20782 (sz-p)
  • [Feature] [stack] Support reversing the stack order. #​20998 (Justin-ZS)
  • [Feature] [sankey] Support roaming for sankey series. #​20321 (Ovilia)
  • [Feature] [custom] Support compoundPath in custom series renderItem. #​20402 #​21040 (Ovilia)
  • [Feature] [marker] Support relativeTo option for specifying the relative target of marker position. #​20166 #​21042 (Ovilia)
  • [Feature] [axis] Support tooltip for angleAxis label. #​20986 (plainheart)
  • [Feature] [tooltip] Support displayTransition option to control whether to enable the tooltip display transition. #​20966 (jqqin)
  • [Feature] [visualMap] Support unboundedRange option. #​21113 (100pah)
  • [Feature] [legend] Support triggerEvent option. #​18164 #​20907 (sz-p)
  • [Feature] [custom] Support tooltipDisabled for custom series. #​20447 (Ovilia)
  • [Feature] [i18n] Add Norwegian Bokmål (nb-NO) translation. #​20792 (joakimono)
  • [Feature] [i18n] Add Greek (EL) translation. #​21119 (tassosgeo)
  • [Fix] [label] Fix label rich style does not inherit the plain label style. #​20977 (plainheart) #​21016 (100pah)
  • [Fix] [label] Fix label layout margin. #​21103 (100pah)
  • [Fix] [dataZoom] Fix data shape distribution for time axis. #​16978 (andrearoota) #​21043 #​21039 (Ovilia)
  • [Fix] [tooltip] Fix null value item on category axis should be able to show tooltip. #​20777 (Justin-ZS)
  • [Fix] [visualMap] Fix some text style can't work on visualMap. #​20961 (plainheart)
  • [Fix] [dataZoom] Restrict range on brushEnd. #​20814 (mortalYoung)
  • [Fix] [heatmap] Fix labels not in calendar range are unexpectedly displayed. #​20699 (plainheart)
  • [Fix] [series] Fix mismatched dimension index. #​20682 (Justin-ZS)
  • [Fix] [bar] Fix polar bar should update roundCap when changes. #​20582 (Ovilia)
  • [Fix] [pie] Fix labelLine may be not removed and cause error when single label position is not in outside. #​20906 (plainheart)
  • [Fix] [sankey] Fix browser crash when emphasis.focus is 'trajectory' with large data. #​20959 (plainheart)
  • [Fix] [custom] Fix potential NPE when applying leave transition. #​20920 (plainheart)
  • [Fix] [tooltip] Fix potential memory leakage by explicitly unbinding event listeners. #​21087 (seaheart)
  • [Fix] [axis] [log] Fix incorrect rounding usage, and support data with big negative exponent. #​21107 (SihongShen) #​21120 (100pah)
  • [Fix] [axis] Fix extreme small numbers can not be displayed in Cartesian due to the inappropriate rounding precision. #​21120 (100pah) (SihongShen)
  • [Fix] [dataZoom] Change moveHandler cursor to default. #​20304 (ribeirompl)
  • [Fix] [tooltip] Fix style coord transform markers are not removed after the tooltip is disposed. #​20987 (plainheart)
  • [Fix] [bar] Remove unused startValue option from the BarSeriesOption interface. #​20901 (plainheart)
  • [Fix] [title] Fix title text style width type should not include string. #​20800 (sz-p)
  • [Fix] [radar] Fix blur.itemStyle not working. #​21081 (mustcanbedo) #​21124 (Ovilia)
  • [Fix] [roam] Fix RoamControllerHost importing path. #​20313 (Ovilia)
  • [Fix] [svg] Remove SVG support check in getSvgDataURL. #​20760 (plainheart)
  • [Break] Breaking changes against v5.6.0:
    • The default theme has been changed, including the visual style and the default location settings of components and series. For example, the default legend position is now at the bottom of the canvas. The new default settings are more reasonable, but if they affect the existing usage, use echarts/theme/v5.js to restore the old visual style and location settings. See #​20865.
    • The v5 echarts/src/theme/light.ts is now migrated to echarts/theme/rainbow.js.
    • The position of Cartesian axes might shift slightly if the axis names or labels previously overflowed the canvas or overlapped, as the anti-overflow and anti-axisLabel-axisName-overlap mechanisms are enabled by default. In most cases those changes will be indiscernible to the naked eye. But if any unreasonable change occurs, you can use option grid.outerBoundsMode: 'none' to disable the anti-overflow mechanism, and/or use option xAxis/yAxis.axisLabel.nameMoveOverlap: false to disable the anti-axisLabel-axisName-overlap mechanism. See #​21059.
    • The percent base of the option center (such as the base of '33%') on geo, series.map, series.graph and series.tree is changed. The previous percent base was incorrect. But if you need to restore it, set legacyViewCoordSysCenterBase: true (on the root level of an echarts option). See #​19807#issuecomment-2974437299.
    • Now label rich styles (fontStyle, fontWeight, fontSize, fontFamily, textShadowColor, textShadowBlur, textShadowOffsetX, textShadowOffsetY) are changed to inherit the plain label styles. You can use richInheritPlainLabel: false (on the root level of an echarts option, or at the same level as the label style options) to restore the old behavior. See #​20977.

New Contributors


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • ""
  • Automerge
    • "before 4am every weekday,every weekend"

🚦 Automerge: Enabled.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.
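The advisory quoted above describes an innerHTML sink fed with series.data[i].name by the built-in Lines tooltip. The block below is an added example, not ECharts code and not part of this PR: an HTML-escaping helper and a custom tooltip.formatter-style callback that escapes every data-derived string before it reaches the tooltip, shown beside an emulation of the unescaped concatenation the advisory describes. The params shape (seriesName, data.name, value) follows the ECharts tooltip formatter callback and is assumed here rather than imported from the library; the data point is a constructed sample.

```javascript
// Added example (not echarts code): the escaping the advisory says the
// built-in formatters normally perform, applied from a custom formatter so
// that the tooltip sink is safe regardless of the echarts version deployed.

// Minimal HTML escaping for text interpolated into an innerHTML sink.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[ch]);
}

// Emulates the unescaped rendering the advisory describes (for contrast only):
// data.name goes into the HTML string verbatim.
function unsafeLinesTooltip(params) {
  return `${params.seriesName}<br/>${params.data.name}: ${params.value}`;
}

// Hardened formatter: every string that originates in series data is escaped.
// The params shape (seriesName, data.name, value) is assumed to match the
// ECharts tooltip.formatter callback argument.
function safeLinesTooltip(params) {
  const name = params.data && params.data.name != null ? params.data.name : "";
  return `${escapeHtml(params.seriesName)}<br/>${escapeHtml(name)}: ${escapeHtml(params.value)}`;
}

// Constructed sample: a Lines data point whose name carries markup, as
// untrusted data (e.g. user-named routes) might.
const sampleParams = {
  seriesName: "Routes",
  data: { name: "<b>SFO-JFK</b>", coords: [[-122.4, 37.8], [-74.0, 40.7]] },
  value: 42,
};

// Check used by the assertions: does the rendered HTML still contain raw tag
// characters outside the formatter's own <br/> separator?
function containsRawTags(html) {
  return /[<>]/.test(html.replace(/<br\/>/g, ""));
}

console.log("unsafe:", unsafeLinesTooltip(sampleParams));
console.log("safe:  ", safeLinesTooltip(sampleParams));
```

Wiring `safeLinesTooltip` in as `tooltip.formatter` is the defence-in-depth the advisory hints at (a custom formatter bypasses the built-in path), and it is the practical mitigation for deployments that cannot take the 6.1.0 upgrade immediately.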

vercel Bot temporarily deployed to Preview – petrinaut, July 1, 2026 18:18 (Inactive)

vercel Bot commented Jul 1, 2026


The latest updates on your projects.

Project   Deployment   Actions   Updated (UTC)
hash      Error        Error     Jul 1, 2026 6:20pm

2 Skipped Deployments
Project                Deployment   Actions   Updated (UTC)
hashdotdesign-tokens   Ignored      Ignored   Preview   Jul 1, 2026 6:20pm
petrinaut              Skipped      Skipped   Jul 1, 2026 6:20pm

hash-worker Bot enabled auto-merge July 1, 2026 18:18

hash-worker Bot commented Jul 1, 2026


⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: yarn.lock
error This project's package.json defines "packageManager": "yarn@4.16.0". However the current global version of Yarn is 1.22.22.

Presence of the "packageManager" field indicates that the project is meant to be used with Corepack, a tool included by default with all official Node.js distributions starting from 16.9 and 14.19.
Corepack must currently be enabled by running corepack enable in your terminal. For more information, check out https://yarnpkg.com/corepack.


cursor Bot commented Jul 1, 2026


PR Summary

Medium Risk
Major-version chart library upgrade with default theme/axis breaking changes and no code migration in the diff; security fix is low-touch but chart rendering regressions are possible.

Overview
Bumps the echarts dependency in @hashintel/design-system from 5.6.0 to 6.1.0. There are no application code changes in this PR—only the version pin in package.json.

The upgrade addresses CVE-2026-45249 (XSS in Lines-series default tooltips when series.data[i].name is rendered without escaping). Charts in this package are wired through e-chart.tsx (bar, line, scatter, graph + tooltip); moving to 6.1.0 pulls in the upstream fix and the broader v6 release line.

Reviewers should treat this as a major dependency jump: ECharts 6 changes defaults (theme, axis layout/overflow) and has documented breaking option semantics (tooltip.valueFormatter index, startValue vs min, bar overflow clipping). Smoke-test any UI that uses the design-system chart component for visual or behavioral regressions.

Reviewed by Cursor Bugbot for commit a055440.

github-actions Bot added labels area/deps (Relates to third-party dependencies), area/libs (Relates to first-party libraries/crates/packages) and type/eng > frontend (Owned by the @frontend team) on Jul 1, 2026

cursor Bot left a comment


Cursor Bugbot has reviewed your changes and found 1 potential issue.


❌ Bugbot Autofix is OFF. To automatically fix reported issues with cloud agents, enable autofix in the Cursor dashboard.

Reviewed by Cursor Bugbot for commit a055440.

"@fortawesome/free-solid-svg-icons": "6.7.2",
"clsx": "2.1.1",
"echarts": "5.6.0",
"echarts": "6.1.0",
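Review bot: the yarn.lock update is missing from this change. Only the `"echarts"` pin in package.json moves from `"5.6.0"` to `"6.1.0"`; no lockfile hunk accompanies it, and the Renovate artifact-update comment above explains why: the repo's `packageManager` is `yarn@4.16.0` while the Renovate runner had Yarn 1.22.22 and Corepack disabled, so lockfile regeneration failed. With `yarn install --immutable` in CI the manifest/lockfile mismatch fails the install, which means the CVE-2026-45249 fix never actually lands. Suggest regenerating the lockfile under Corepack (`corepack enable`, then `yarn install`) and pushing the updated yarn.lock before merge, or ticking the rebase/retry box once the runner has Corepack enabled. Since this is a major bump, also confirm that the design-system chart wrapper (e-chart.tsx) does not depend on the tooltip.valueFormatter dataIndex semantics, startValue doubling as axis.min, or bar overflow behaviour listed under the v6 breaking changes, and that auto-merge stays disabled until a human has smoke-tested the rendered charts.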


Lockfile out of sync

Medium Severity

This commit bumps echarts to 6.1.0 in @hashintel/design-system but leaves yarn.lock resolving echarts@npm:5.6.0 for that workspace. CI uses yarn install --immutable, so the manifest and lockfile mismatch fails installs and the intended upgrade (including the CVE fix) is not applied until the lockfile is regenerated.


Reviewed by Cursor Bugbot for commit a055440.
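The Bugbot finding above (manifest bumped, lockfile still resolving the old version, `yarn install --immutable` failing) is easy to catch before a merge. The block below is an added example, not part of this PR or of the Renovate or Cursor tooling: a small Node script that reads a workspace's package.json pins and the matching workspace entry in a Yarn Berry (v4) yarn.lock and reports every dependency whose locked range differs from the manifest. The manifest and lockfile contents are constructed samples shaped like the situation this PR is in; the workspace name and versions are taken from the page, the lockfile path and layout details are assumptions.

```javascript
// Added example (not part of the PR or its tooling): detect manifest/lockfile
// drift for one workspace, the failure mode the Bugbot comment describes.

// Constructed sample manifest for the workspace being bumped.
const manifestJson = JSON.stringify({
  name: "@hashintel/design-system",
  dependencies: { clsx: "2.1.1", echarts: "6.1.0" },
});

// Constructed yarn.lock fragment in Yarn Berry layout: the workspace entry
// still records the old echarts range after the manifest was edited.
const lockfileText = `
"@hashintel/design-system@workspace:libs/@hashintel/design-system":
  version: 0.0.0-use.local
  resolution: "@hashintel/design-system@workspace:libs/@hashintel/design-system"
  dependencies:
    clsx: "npm:2.1.1"
    echarts: "npm:5.6.0"
  languageName: unknown
  linkType: soft

"echarts@npm:5.6.0":
  version: 5.6.0
  resolution: "echarts@npm:5.6.0"
  languageName: node
  linkType: hard
`;

// Line-based read of the lockfile: returns { depName: range } from the
// `dependencies:` block of the entry whose key starts with `"<name>@workspace:`.
function workspaceDependencies(lockText, workspaceName) {
  const deps = {};
  let inEntry = false;
  let inDeps = false;
  for (const line of lockText.split("\n")) {
    if (line.length > 0 && !/^\s/.test(line)) {
      // A new top-level entry; is it the workspace we are looking for?
      inEntry = line.startsWith(`"${workspaceName}@workspace:`);
      inDeps = false;
      continue;
    }
    if (!inEntry) continue;
    if (/^  dependencies:\s*$/.test(line)) { inDeps = true; continue; }
    if (/^  \S/.test(line)) { inDeps = false; continue; } // another 2-space key
    const m = inDeps && line.match(/^    ([^:]+):\s*"npm:([^"]+)"\s*$/);
    if (m) deps[m[1].replace(/^"|"$/g, "")] = m[2];
  }
  return deps;
}

// Compare manifest pins against what the lockfile records for the workspace.
// A missing lockfile entry is reported as null so it is not silently skipped.
function findLockfileDrift(manifestText, lockText) {
  const manifest = JSON.parse(manifestText);
  const locked = workspaceDependencies(lockText, manifest.name);
  const drift = [];
  for (const [name, range] of Object.entries(manifest.dependencies || {})) {
    const lockedRange = locked[name];
    if (lockedRange !== range) {
      drift.push({ name, manifest: range, lockfile: lockedRange ?? null });
    }
  }
  return drift;
}

// Standalone run: surfaces exactly the mismatch a reviewer would want flagged.
for (const d of findLockfileDrift(manifestJson, lockfileText)) {
  console.log(`${d.name}: package.json wants ${d.manifest}, yarn.lock has ${d.lockfile}`);
}
```

In a real repository the two strings would be read from the workspace's package.json and the root yarn.lock, and a non-empty result would fail the check; `yarn install --immutable` gives the same verdict but only after a full install, whereas this runs in milliseconds on the two files alone.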
