fix(deps): update dependency plotly.js to v2 [security] #219

Add "Equal Earth" projection to geo subplots [#6670],
with thanks to @apparebit for the contribution!
Add options to include legends for shapes and newshape [#6653]
Add Plotly.deleteActiveShape command [#6679]

Fixed

Fix contour plot colorscale domain (take account of zmin, zmax, cmin and cmax) [#6625],
with thanks to @lvlte for the contribution!
Fix text markers on non-mapbox styled maps [#6652],
with thanks to @baurt for the contribution!
Fix unhide isolated traces in multi legend cases (regression introduced in 2.24.3) [#6684]

Fixed

Fix minimal copying of arrays in minExtend function
(regression introduced in 2.24.0)(https://redirect.github.com/plotly/plotly.js/issues/6632)y.js/issues/6632\))

`v2.24.0`

Compare Source

Fixed

Fix minimal copying of arrays in minExtend function
(regression introduced in 2.24.0)(https://redirect.github.com/plotly/plotly.js/issues/6632)y.js/issues/6632\))

`v2.23.2`

Compare Source

Fixed

Fix text rendering while drawing new shapes [#6608],
with thanks to the Volkswagen Center of Excellence for Battery Systems for sponsoring development!

`v2.23.1`

Compare Source

Fixed

Fix heatmap rendering on iOS and Safari when zsmooth is set to false [#6605], with thanks to @lvlte for the contribution!

`v2.23.0`

Compare Source

Added

Add legend.xref and legend.yref to enable container-referenced positioning of legends [#6589], with thanks to Gamma Technologies for sponsoring the related development.
Add colorbar.xref and colorbar.yref to enable container-referenced positioning of colorbars [#6593], with thanks to Gamma Technologies for sponsoring the related development.

Changed

Improve heatmap rendering performance when zsmooth is set to false [#6574], with thanks to @lvlte for the contribution!

`v2.22.0`

Compare Source

Fixed

Fix legend groups toggle (regression introduced in 2.22.0)(https://redirect.github.com/plotly/plotly.js/issues/6639)y.js/issues/6639\))
Fix waterfall hovertemplate not showing delta on totals similar(https://redirect.github.com/plotly/plotly.js/issues/6635)y.js/issues/6635\))

`v2.21.0`

Compare Source

Added

Add texttemplate to shape.label for parametric shapes i.e. line, rect and circle [#6527],
with thanks to the Volkswagen Center of Excellence for Battery Systems for sponsoring development!
Add strict option to custom bundle command [#6557],
with thanks to @CallumNZ for the contribution!

Fixed

Fix dragging of legend when xanchor is not 'left' or yanchor is not 'top' [#6528],
with thanks to @bmaranville for the contribution!
Fix heatmap rendering bug and improve performance when zsmooth is set to "fast" [#6565],
with thanks to @lvlte for the contribution!

`v2.20.0`

Compare Source

Added

Add title.automargin to enable automatic top and bottom margining for both container and paper referenced titles [#6428],
with thanks to Gamma Technologies for sponsoring the related development.

`v2.19.1`

Compare Source

Fixed

Ensure slider range stays in bounds during the drag [#4448],
with thanks to @jay-bis for the contribution!

`v2.19.0`

Compare Source

Added

Add label attribute to shapes [#6454],
with thanks to the Volkswagen Center of Excellence for Battery Systems for sponsoring development!
Add labelalias to various axes namely cartesian, gl3d, polar, smith, ternary, carpet,
indicator and colorbar [#6481],
this feature was anonymously sponsored: thank you to our sponsor!

Changed

Upgrade is-mobile dependency [#6517]

Fixed

Avoid overlap of point and axis hover labels for hovermode: 'x'|'y' [#6442],
with thanks to @dagroe for the contribution!

`v2.18.2`

Compare Source

Fixed

Avoid attaching internal d3 object to the window (regression introduced in 2.17.0) [#6487]
Correct the order of lower fence and upper fence in the French locale (fr) [#6476],
with thanks to @Gagaro for the contribution!
Correct formats in the Peruvian locale (es-pe) [#6451],
with thanks to @andresrcs for the contribution!

`v2.18.1`

Compare Source

Changed

Bump d3-interpolate and d3-color to v3 to address audit warnings [#6463]

Fixed

Fix scaling of exports e.g. the SVG format by not adding vector-effect CSS to static plots [#6445]
Fix hover on IE (regression introduced in 2.5.0) [#6466]

`v2.18.0`

Compare Source

Added

Add sync tickmode option [#6356, #6443],
with thanks to @filipesantiagoAM and @VictorBezak for the contribution!

Changed

Improve detection of mobile & tablet devices for WebGL rendering by upgrading is-mobile [#6432]

Fixed

Fix library's imported name using requirejs AMD loader (regression introduced in 2.17.0) [#6440]

`v2.17.1`

Compare Source

Fixed

Fix line redraw (regression introduced in 2.15.0) [#6429]

`v2.17.0`

Compare Source

Fixed

Avoid attaching internal d3 object to the window (regression introduced in 2.17.0) [#6487]
Correct the order of lower fence and upper fence in the French locale (fr) [#6476],
with thanks to @Gagaro for the contribution!
Correct formats in the Peruvian locale (es-pe) [#6451],
with thanks to @andresrcs for the contribution!

`v2.16.5`

Compare Source

Fixed

Disable slider interactions when staticPlot is set to true [#6393]

`v2.16.4`

Compare Source

Fixed

Fix scattermapbox redraw (regression introduced in 2.16.0) [#6387]

`v2.16.3`

Compare Source

Fixed

Fix hover on multicategory axes [#6360],
with thanks to @filipesantiagoAM for the contribution!

`v2.16.2`

Compare Source

Fixed

Fix mapbox clearOutline calls (regression introduced in 2.13.0) [#6367]

`v2.16.1`

Compare Source

Fixed

Fix choroplethmapbox selection when adding new traces on top [#6345]

`v2.16.0`

Compare Source

Fixed

Fix scattermapbox redraw (regression introduced in 2.16.0) [#6387]

`v2.15.1`

Compare Source

Fixed

Fix latest version of plotly.js main module on npm

`v2.15.0`

Compare Source

Fixed

Fix line redraw (regression introduced in 2.15.0) [#6429]

`v2.14.0`

Compare Source

Added

Add support for sankey links with arrows [#6276],
with thanks to @Andy2003 for the contribution!
Add editSelection option to config [#6285]

Changed

Update dutch translations and fix dateMonth format for nl locale to confirm with expected nl format [#6261],
with thanks to @eirvandelden for the contribution!

`v2.13.3`

Compare Source

Fixed

Emit plotly_selected event on plot API calls and GUI edits [#6277]

`v2.13.2`

Compare Source

Fixed

Fix sankey select error (regression introduced in 2.13.0) [#6265]
Handle missing drag layer of invisible sankey traces to fix select error [#6267]
Emit selection event in shape drawing dragmodes when an existing selection is modified [#6262]

`v2.13.1`

Compare Source

Fixed

Avoid attaching selections to undefined eventData (regression introduced in 2.13.0) [#6260]

`v2.13.0`

Compare Source

Fixed

Fix mapbox clearOutline calls (regression introduced in 2.13.0) [#6367]

`v2.12.1`

Compare Source

Fixed

Fix for disabling polar rotation when dragmode is set to false [#6147],
with thanks to @jonfunkhouser for the contribution!
Fix custom modebar buttons mutate the input [#6177]
Fix various missing and duplicate spaces in plot schema descriptions [#6183]

`v2.12.0`

Compare Source

Added

Add griddash axis property to cartesian, polar, smith, ternary and geo subplots and add griddash and minorgriddash to carpet trace [6144], with thanks to @njwhite for the contribution!
Implement various options to position and style minor ticks and grid lines on cartesian axis types including
minor.tickmode, minor.tickvals, minor.tickcolor, minor.ticklen, minor.tickwidth, minor.dtick, minor.tick0, minor.nticks, minor.ticks,
minor.showgrid, minor.gridcolor, minor.griddash and minor.gridwidth [6166]

Changed

Use the "willReadFrequently" 2d context creation attribute to optimize readback performance [#6084],
with thanks to @junov for the contribution!

Fixed

avoid drawing blank tick labels on cartesian axes [#6163]

`v2.11.1`

Compare Source

Fixed

Regenerate functions of regl-based traces in the "strict" bundle [#6141]

`v2.11.0`

Compare Source

Added

Add a CSP complaint variation of regl-based traces i.e. parcoords, splom, scattergl, scatterpolargl to the "strict" bundle [#6083]
Add scattersmith trace to the "strict" bundle [#6135]

`v2.10.1`

Compare Source

Fixed

Fix mesh3d generation when alphahull is a positive number (regression introduced in 2.5.1) [#6133]

`v2.10.0`

Compare Source

Added

Add support to use version 3 of MathJax and add typesetMath attribute to config [#6073],
with thanks to Equinor for sponsoring the related development!
Add fillpattern options to scatter trace [#6101],
with thanks to @s417-lama for the contribution!

`v2.9.0`

Compare Source

Added

Implement ticklabelstep to reduce labels on 2D axes and colorbars [#6088],
this feature was anonymously sponsored: thank you to our sponsor!

Changed

Display the version of plotly.js when hovering over the modebar [#6077]
Various dependency updates as listed under the v2.9.0 milestone

Fixed

Fix vertical spacing of legend items in horizontal mode [#6094]

`v2.8.3`

Compare Source

Fixed

Correct formatted x/y texttempate for histogram trace [#6070]

`v2.8.2`

Compare Source

Fixed

Fix missing x/y texttemplate for histogram, bar, funnel and waterfall traces [#6069]

`v2.8.1`

Compare Source

Fixed

Do not exceed layout font size when textfont is set to "auto" for heatmap, histogram2d, contour and
histogram2dcontour traces [#6061]

`v2.8.0`

Compare Source

Added

Introduce horizontal colorbars [#6024]
Implement legend.grouptitlefont and hoverlabel.grouptitlefont [#6040]
Add texttemplate and textfont to heatmap and histogram2d traces as well as
histogram2dcontour and contour traces when coloring is set "heatmap" [#6028]

Fixed

Fix to discard negative values from pie chart post-aggregation instead of during summation [#6051],
with thanks to @destiny-wu for the contribution!

`v2.7.0`

Compare Source

Added

Add texttemplate, textposition, textfont, textangle,
outsidetextfont, insidetextfont, insidetextanchor,
constraintext and cliponaxis to histogram trace [#6038]

Changed

Bump probe-image-size module to v7.2.2 [#6036]

Fixed

Fix mapbox derived coordinate for Retina displays [#6039]
Fix interaction between uirevision and autorange. Because we push autorange and range back into layout,
there can be times it looks like we're applying GUI-driven changes on top of explicit autorange and other times
it's an implicit autorange, even though the user's intent was always implicit. This fix treats them as equivalent. [#6046]

`v2.6.4`

Compare Source

Fixed

Avoid bar with text to jump when selected [#6043]

`v2.6.3`

Compare Source

Fixed

Fix hover events in Shadow DOM [#6021],
with thanks to @SabineWren for the contribution!

`v2.6.2`

Compare Source

Fixed

Fix loading issue in orca (regression introduced in 2.6.0) [#6011]

`v2.6.1`

Compare Source

Fixed

Fix to avoid including local stackgl_modules/node_modules in the package (regression introduced in 2.6.0) [#6008]

`v2.6.0`

Compare Source

Added

add pattern to pie, funnelarea, sunburst, icicle and treemap traces [#6601, #6619, #6622, #6626, #6627, #6628, #6629],
with thanks to @thierryVergult for the contribution!

Fixed

Fix to prevent accessing undefined (hoverText.hoverLabels) in case all currently shown markers
have hoverinfo: "none" (regression introduced in 2.6.0)(https://redirect.github.com/plotly/plotly.js/issues/6614)y.js/issues/6614\)),
with thanks to @Domino987 for the contribution!
Fix to ensure only minimum margin spacing is added for container-referenced legends and colorbars [#6616]

`v2.5.1`

Compare Source

Fixed

Fix mesh3d generation when alphahull is a positive number (regression introduced in 2.5.1) [#6133]

`v2.5.0`

Compare Source

Changed

Bump d3-interpolate and d3-color to v3 to address audit warnings [#6463]

Fixed

Fix scaling of exports e.g. the SVG format by not adding vector-effect CSS to static plots [#6445]
Fix hover on IE (regression introduced in 2.5.0) [#6466]

`v2.4.2`

Compare Source

Fixed

Fix positioning unified hover box when div has zero height
(regression introduced in 2.3.0) [#5913]

`v2.4.1`

Compare Source

Fixed

Fix double click legends when groupclick is set to "toggleitem" [#5909]

`v2.4.0`

Compare Source

Added

Add legend.groupclick options [#5849, #5906],
with thanks to @brussee for the contribution!
Add touch support to slider component [#5856],
with thanks to @keul for the contribution!
Provide bbox of hover items in event data [#5512]

Changed

Upgrade regl module from version 1.6.1 to version 2.1.0 [#5870]

Fixed

Fix invalid call to lib.promiseError in lib.syncOrAsync [#5878],
with thanks to @jklimke for the contribution!
Use hoverlabel.font for group titles in unified hover modes [#5895]

`v2.3.1`

Compare Source

Fixed

Fix period positioned hover to work in different time zones as well as on grouped bars [#5864]
Use ids from axes when making hover data keys [#5852]
Do not include regl based traces parcoords, splom, scattergl and scatterpolargl in the "strict" bundle so that it could be used with CSP without WebGL warning [#5865]

`v2.3.0`

Compare Source

Fixed

Fix positioning unified hover box when div has zero height
(regression introduced in 2.3.0) [#5913]

`v2.2.1`

Compare Source

Fixed

Fix to improve sanitizing href inputs for SVG and HTML text elements [#5803]

`v2.2.0`

Compare Source

Added

Legend group titles [#5752],
this feature was anonymously sponsored: thank you to our sponsor!
Add half-year directive (%h) for formatting dates and improve descriptions to include extra date formatting options [#5762],
this feature was anonymously sponsored: thank you to our sponsor!

Changed

Modernize the process of creating baselines using Kaleido and improve image & other export test systems [#5724]
Centralize jsdom utility to return Plotly object in node.js test scripts and use it in generating plot-schema [#5755]
Bump turf bbox dependency to v6.4.0 [#5747]
Bump turf area dependency to v6.4.0 [#5748]
More maintenance work listed under the v2.2.0 milestone

Fixed

Cache values and patterns in set_convert for axes with rangebreaks to improve performance [#5659],
with thanks to @spasovski for the contribution!
Fix fetching geojson when ES6 import is used to load the library [#5763]
Correct readme links [#5746]

`v2.1.0`

Compare Source

Added

Add legend.groupclick options [#5849, #5906],
with thanks to @brussee for the contribution!
Add touch support to slider component [#5856],
with thanks to @keul for the contribution!
Provide bbox of hover items in event data [#5512]

Changed

Upgrade regl module from version 1.6.1 to version 2.1.0 [#5870]

Fixed

Fix invalid call to lib.promiseError in lib.syncOrAsync [#5878],
with thanks to @jklimke for the contribution!
Use hoverlabel.font for group titles in unified hover modes [#5895]

`v2.0.0`

Compare Source

Added

Add new number formatting and text alignment options by upgrading d3.format method from d3@v3 to version 1.4.5 of d3-format module [#5125, #5842]
Add "satellite" and several other projection types to geo subplots [#5801]
Improve rendering of scattergl, splom and parcoords by implementing plotGlPixelRatio for those traces [#5500]

Changed

Upgrade d3.geo method from d3@v3 to version 1.12.1 of d3-geo module and version 2.9.0 of d3-geo-projection module [#5112]
Upgrade d3.interpolate method from d3@v3 to version 1.4.0 of d3-interpolate module in icicle, indicator, parcats, sunburst and treemap [#5826]
Upgrade regl-scatter2d, regl-line2d and regl-error2d modules to use version 1.1.0 of to-float32 module to improve the performance [#5786],
with thanks to @Seranicio for the contribution!
Edit the type of constraintrange in parcoords trace to pass validation [#5673]
Sort object key values in schema [#5813]
Sort plot-schema and add test to track plot-schema changes [#5776]
Preview CHANGELOG when building dist on master [#5780, #5808]
Preview plot-schema changes between releases when building dist on master [#5814]
Display changes made to package.json between versions and add identical tags to draft bundles created by publish-dist job on CircleCI [#5815]
Simplify devtool by relying on XMLHttpRequest instead of d3.json [#5832]
Update CONTRIBUTING guidelines on how to submit pull requests and generate new baseline [#5791, #5792]
More maintenance work listed under the v2.3.0 milestone

Fixed

Fix unknown filename when exporting charts using new versions of Safari [#5609, 5838],
with thanks to @rlreamy for the contribution!
Improve README for ES6 module import [#5779],
with thanks to @andreafonso for the contribution!
Position hover in respect to the average of values in (x|y) unified modes (regression introduced in 2.0.0) [#5845]
Fix hover with period alignment points and improve positioning of spikes and unified hover label
in order not to obscure referring data points and fit inside plotting area [#5846]
Allow clickable legend group titles when group has no pie-like traces [#5771]
Fix mapbox line text example [#5804]
Fix links to time format options so that they point to the d3-time-format v2.2.3 applied not the latest [#5818]

`v1.58.5`

Compare Source

Fixed

Fix to improve sanitizing href inputs for SVG and HTML text elements [#5803]

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

renovate bot force-pushed the renovate/npm-plotly.js-vulnerability branch 2 times, most recently from f8ef7ee to 70f8b3c Compare August 13, 2025 14:47

renovate bot force-pushed the renovate/npm-plotly.js-vulnerability branch from 70f8b3c to 1471bca Compare August 19, 2025 17:14

renovate bot force-pushed the renovate/npm-plotly.js-vulnerability branch from 1471bca to fdd03ad Compare August 31, 2025 09:42

renovate bot force-pushed the renovate/npm-plotly.js-vulnerability branch from fdd03ad to 3447646 Compare September 25, 2025 19:51

fix(deps): update dependency plotly.js to v2 [security]

97338ae

renovate bot force-pushed the renovate/npm-plotly.js-vulnerability branch from 3447646 to 97338ae Compare October 22, 2025 00:12

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

fix(deps): update dependency plotly.js to v2 [security] #219

fix(deps): update dependency plotly.js to v2 [security] #219

Uh oh!

renovate bot commented Jan 3, 2024 •

edited

Loading

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

fix(deps): update dependency plotly.js to v2 [security] #219

Are you sure you want to change the base?

fix(deps): update dependency plotly.js to v2 [security] #219

Uh oh!

Conversation

renovate bot commented Jan 3, 2024 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

GitHub Vulnerability Alerts

Release Notes

Changed

Fixed

Fixed

Fixed

Added

Fixed

Fixed

Fixed

Fixed

Fixed

Fixed

Added

Changed

Fixed

Added

Fixed

Added

Fixed

Added

Changed

Fixed

Fixed

Changed

Fixed

Added

Changed

Fixed

Fixed

Fixed

Fixed

Fixed

Fixed

Fixed

Fixed

Fixed

Fixed

Fixed

Added

Changed

Fixed

Fixed

Fixed

Fixed

Fixed

Added

Changed

Fixed

Fixed

Added

Fixed

Added

Added

Changed

Fixed

Fixed

Fixed

Fixed

Added

Fixed

Added

Changed

Fixed

Fixed

Fixed

Fixed

Fixed

Added

Fixed

Fixed

Changed

Fixed

renovate bot commented Jan 3, 2024 •

edited

Loading