fix(deps): bump echarts to 6.1.0 to patch XSS vulnerability by waleedlatif1 · Pull Request #5374 · simstudioai/sim · GitHub

fix(deps): bump echarts to 6.1.0 to patch XSS vulnerability #5374

Merged
waleedlatif1 merged 1 commit into staging from worktree-fix-echarts-xss on Jul 2, 2026

Conversation

@waleedlatif1

Collaborator

Summary

  • Bumps echarts from 6.0.0 to 6.1.0, patching a medium-severity XSS in the Lines series tooltip renderer (GHSA-fgmj-fm8m-jvvx / CVE-2026-45249)
  • Prior to 6.1.0, series.data[i].name could be rendered as raw HTML into the tooltip via innerHTML when no custom tooltip.formatter is set
  • Lockfile updated accordingly (pulls in zrender@6.1.0)

Type of Change

  • Bug fix (dependency security patch)

Testing

Ran bun run type-check and bun run lint — both clean, no code changes required beyond the version bump.

Checklist

  • Code follows project style guidelines
  • Self-reviewed my changes
  • Tests added/updated and passing
  • No new warnings introduced
  • I confirm that I have read and agree to the terms outlined in the Contributor License Agreement (CLA)

Fixes GHSA-fgmj-fm8m-jvvx / CVE-2026-45249 — Lines series tooltip
rendering could execute raw HTML from series.data[i].name when no
custom tooltip.formatter is set.
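The tooltip path described in the PR (a Lines series data-item name reaching the tooltip DOM as HTML when no custom tooltip.formatter is set) can also be defended on the application side while a dependency bump is pending. The following is an added example and not code from this PR, the sim project, or echarts: an escaping tooltip.formatter, a helper that attaches it to every Lines series in an ECharts option that lacks one, and a check that an echarts version pin is at or above the fixed release. It assumes the standard ECharts formatter contract (a params object, or an array of them, carrying `seriesName` and `name`, with the returned string inserted into the tooltip as HTML under the default render mode); the helper names and the sample option are constructed for illustration.

```javascript
// Added example, not code from the sim project or from echarts.
// Assumptions (hypothetical helper names; standard ECharts formatter contract):
//  - tooltip.formatter receives a params object (or an array of them) with
//    `seriesName` and `name`, and its string return value is inserted into
//    the tooltip as HTML when renderMode is the default 'html'.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape the five characters that matter when a string lands in innerHTML.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// A custom tooltip.formatter that treats the data-item name as text, not markup.
function linesTooltipFormatter(params) {
  const p = Array.isArray(params) ? params[0] : params;
  const seriesName = p && p.seriesName != null ? p.seriesName : '';
  const name = p && p.name != null ? p.name : '';
  return `${escapeHtml(seriesName)}<br/>${escapeHtml(name)}`;
}

// Attach the escaping formatter to every 'lines' series in an ECharts option
// that does not already have a custom tooltip.formatter, either at the
// option level or at the series level. Mutates `option`; returns the number
// of series patched.
function hardenLinesTooltips(option) {
  if (option.tooltip && option.tooltip.formatter !== undefined) return 0;
  const seriesList = Array.isArray(option.series)
    ? option.series
    : option.series ? [option.series] : [];
  let patched = 0;
  for (const s of seriesList) {
    if (s.type !== 'lines') continue;
    if (s.tooltip && s.tooltip.formatter !== undefined) continue;
    s.tooltip = { ...(s.tooltip || {}), formatter: linesTooltipFormatter };
    patched += 1;
  }
  return patched;
}

// Dependency check: the advisory is fixed in echarts 6.1.0, so any version
// below 6.1.0 is affected. Accepts exact pins such as "6.0.0" and strips a
// leading range prefix ("^", "~") before comparing.
function echartsIsPatched(version) {
  const [major = 0, minor = 0] = String(version)
    .replace(/^[^\d]*/, '')
    .split('.')
    .map((n) => parseInt(n, 10) || 0);
  return major > 6 || (major === 6 && minor >= 1);
}

// Constructed sample option: one Lines series whose data-item name carries
// markup, as an untrusted user-supplied label might, plus an unaffected series.
const sampleOption = {
  series: [
    { type: 'lines', name: 'Routes', data: [{ name: 'Hub <b>A</b> & co', coords: [[0, 0], [1, 1]] }] },
    { type: 'line', name: 'Totals', data: [1, 2, 3] },
  ],
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log('patched series:', hardenLinesTooltips(sampleOption));
  console.log(sampleOption.series[0].tooltip.formatter({ seriesName: 'Routes', name: 'Hub <b>A</b> & co' }));
  console.log('6.0.0 patched?', echartsIsPatched('6.0.0'), '| 6.1.0 patched?', echartsIsPatched('6.1.0'));
}
```

Calling `hardenLinesTooltips` on an option before `setOption` gives the tooltip a formatter that escapes the name, so the label above renders as literal text rather than as a bold element. The formatter is only a stop-gap for the default HTML render mode; the durable fix remains the version bump this PR makes, which `echartsIsPatched` lets a build step assert against the pin in package.json.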
@waleedlatif1 waleedlatif1 requested a review from a team as a code owner July 2, 2026 17:40
@vercel

vercel Bot commented Jul 2, 2026


@cursor

cursor Bot commented Jul 2, 2026


PR Summary

Low Risk
Patch-level dependency upgrade with no logic changes; main residual risk is minor chart/tooltip behavior differences in the PPTX ECharts path.

Overview
Security dependency bump only — upgrades echarts from 6.0.0 to 6.1.0 in apps/sim/package.json and refreshes bun.lock, which also pulls zrender to 6.1.0.

This addresses a medium-severity XSS (GHSA-fgmj-fm8m-jvvx / CVE-2026-45249) where Lines-series tooltip rendering could inject HTML via series.data[i].name when no custom tooltip.formatter is set. No application source changes; charts still go through the existing PPTX chart-renderer ECharts integration.

Reviewed by Cursor Bugbot for commit e30da31.

@greptile-apps

greptile-apps Bot commented Jul 2, 2026

Contributor

Greptile Summary

This PR bumps echarts from 6.0.0 to 6.1.0 and updates zrender (its peer dependency) from 6.0.0 to 6.1.0 in the lockfile to patch CVE-2026-45249 (GHSA-fgmj-fm8m-jvvx), a medium-severity XSS in the Lines series tooltip renderer. No application code changes are required.

  • apps/sim/package.json: Exact version pin updated from 6.0.0 to 6.1.0, consistent with the existing pinning strategy used for this dependency.
  • bun.lock: Both echarts and its zrender peer are updated to 6.1.0 with refreshed integrity hashes.

Confidence Score: 5/5

Safe to merge — this is a minimal, targeted dependency bump with no application code changes.

The change is limited to two files: an exact version pin update in package.json and the corresponding lockfile refresh. CVE-2026-45249 is confirmed by NVD and Apache, and echarts@6.1.0 is the designated fix. Both echarts and its zrender peer are consistently updated to 6.1.0 with correct integrity hashes. The existing pinning strategy is preserved and no other dependencies are touched.

No files require special attention.

Important Files Changed

  • apps/sim/package.json: Exact version pin for echarts bumped from 6.0.0 to 6.1.0 to address CVE-2026-45249; no other changes.
  • bun.lock: Lockfile entries for echarts@6.1.0 and its peer zrender@6.1.0 updated with correct new integrity hashes; dependency graph is consistent.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A["User renders Lines series chart\nwith series.data[i].name"] --> B{echarts version?}
    B -- "< 6.1.0 (vulnerable)" --> C["name injected via innerHTML\ninto tooltip DOM"]
    C --> D["⚠️ XSS: arbitrary HTML/script\nexecuted in browser context"]
    B -- "≥ 6.1.0 (patched)" --> E["name safely escaped\nbefore tooltip rendering"]
    E --> F["✅ Tooltip rendered safely\nas text content"]

Reviews (1): Last reviewed commit: "fix(deps): bump echarts to 6.1.0 to patc..."

@waleedlatif1 waleedlatif1 merged commit f33d325 into staging Jul 2, 2026
13 checks passed
@waleedlatif1 waleedlatif1 deleted the worktree-fix-echarts-xss branch July 2, 2026 17:46
1 participant