Update dependency highcharts to v12 [SECURITY] - autoclosed #281

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Closed

renovate wants to merge 1 commit into main from renovate/npm-highcharts-vulnerability

Contributor

renovate bot commented Sep 30, 2025 •

edited

Loading

This PR contains the following updates:

Package	Change	Age	Confidence
highcharts (source)	`^6.0.2` -> `^12.0.0`

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

GitHub Vulnerability Alerts

GHSA-gr4j-r575-g665

Versions of highcharts prior to 7.2.2 or 8.1.1 are vulnerable to Cross-Site Scripting (XSS). The package fails to sanitize href values and does not restrict URL schemes, allowing attackers to execute arbitrary JavaScript in a victim's browser if they click the link.

CVE-2021-29489

Impact

In Highcharts versions 8 and earlier, the chart options structure was not systematically filtered for XSS vectors. The potential impact was that content from untrusted sources could execute code in the end user's browser. Especially when using the useHTML flag, HTML string options would be inserted unfiltered directly into the DOM. When useHTML was false, malicious code could be inserted by using various character replacement tricks or malformed HTML.

If your chart configuration comes from a trusted source like a static setup or pre-filtered HTML (or no markup at all in the configuration), you are not impacted.

Patches

In version 9, the whole rendering layer was refactored to use an DOMParser, an AST and tag and HTML allow-listing to make sure only safe content entered the DOM. In addition, prototype pollution was stopped.

Workarounds

Implementers who are not able to upgrade may apply DOMPurify recursively to the options structure to filter out malicious markup.

References

Details on the improved Highcharts security
The AST and TextBuilder refactoring
The fix for prototype pollution

For more information

If you have any questions or comments about this advisory:

Visit our support page
For more Email us at [email protected]

Release Notes

highcharts/highcharts-dist (highcharts)

`v12.4.0`

`v12.3.0`

`v12.2.0`

`v12.1.2`

`v12.1.1`

`v12.1.0`

`v12.0.2`

`v12.0.1`

`v12.0.0`

`v11.4.8`

`v11.4.7`

`v11.4.6`

`v11.4.5`

`v11.4.4`

`v11.4.3`

`v11.4.2`

`v11.4.1`

`v11.4.0`

`v11.3.0`

`v11.2.0`

`v11.1.0`

`v11.0.1`

`v11.0.0`

`v10.3.3`

`v10.3.2`

`v10.3.1`

`v10.3.0`

`v10.2.1`

`v10.2.0`

`v10.1.0`

`v10.0.0`

`v9.3.3`

`v9.3.2`

`v9.3.1`

`v9.3.0`

`v9.2.2`

`v9.2.1`

`v9.2.0`

`v9.1.2`

`v9.1.1`

`v9.1.0`

`v9.0.1`

`v9.0.0`

`v8.2.2`

`v8.2.0`

`v8.1.2`

`v8.1.1`

`v8.1.0`

`v8.0.4`

`v8.0.3`

`v8.0.2`

`v8.0.1`

`v8.0.0`

`v7.2.2`

`v7.2.1`

`v7.2.0`

`v7.1.3`

`v7.1.2`

`v7.1.1`

`v7.1.0`

`v7.0.3`

`v7.0.2`

`v7.0.1`

`v7.0.0`

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

renovate bot force-pushed the renovate/npm-highcharts-vulnerability branch from 663e5b4 to 1f6c7a3 Compare

September 30, 2025 22:04

renovate bot changed the title ~~Update dependency highcharts to v12 [SECURITY]~~ Update dependency highcharts to v9 [SECURITY]

renovate bot force-pushed the renovate/npm-highcharts-vulnerability branch from 1f6c7a3 to f2c0ca3 Compare

September 30, 2025 22:05

renovate bot changed the title ~~Update dependency highcharts to v9 [SECURITY]~~ Update dependency highcharts to v12 [SECURITY]

renovate bot force-pushed the renovate/npm-highcharts-vulnerability branch from f2c0ca3 to 5a2b3c9 Compare

September 30, 2025 22:06

renovate bot changed the title ~~Update dependency highcharts to v12 [SECURITY]~~ Update dependency highcharts to v9 [SECURITY]

renovate bot force-pushed the renovate/npm-highcharts-vulnerability branch from 5a2b3c9 to f3a55bc Compare

October 6, 2025 12:01

renovate bot changed the title ~~Update dependency highcharts to v9 [SECURITY]~~ Update dependency highcharts to v12 [SECURITY]

renovate bot force-pushed the renovate/npm-highcharts-vulnerability branch 3 times, most recently from f04a5d8 to e92765f Compare

October 6, 2025 12:17

renovate bot changed the title ~~Update dependency highcharts to v12 [SECURITY]~~ Update dependency highcharts to v9 [SECURITY]

renovate bot force-pushed the renovate/npm-highcharts-vulnerability branch 2 times, most recently from 6522e31 to 463530f Compare

October 9, 2025 14:01

renovate bot changed the title ~~Update dependency highcharts to v9 [SECURITY]~~ Update dependency highcharts to v12 [SECURITY]

renovate bot force-pushed the renovate/npm-highcharts-vulnerability branch from 463530f to 92f93ea Compare

October 9, 2025 18:02

renovate bot changed the title ~~Update dependency highcharts to v12 [SECURITY]~~ Update dependency highcharts to v9 [SECURITY]

renovate bot force-pushed the renovate/npm-highcharts-vulnerability branch from 92f93ea to c40606c Compare

October 23, 2025 08:12

renovate bot changed the title ~~Update dependency highcharts to v9 [SECURITY]~~ Update dependency highcharts to v12 [SECURITY]

renovate bot force-pushed the renovate/npm-highcharts-vulnerability branch from c40606c to 514df23 Compare

October 23, 2025 10:44

renovate bot changed the title ~~Update dependency highcharts to v12 [SECURITY]~~ Update dependency highcharts to v9 [SECURITY]

renovate bot force-pushed the renovate/npm-highcharts-vulnerability branch from 514df23 to a021cd7 Compare

November 11, 2025 02:44

renovate bot changed the title ~~Update dependency highcharts to v9 [SECURITY]~~ Update dependency highcharts to v12 [SECURITY]

renovate bot force-pushed the renovate/npm-highcharts-vulnerability branch from a021cd7 to 812dbf1 Compare

November 11, 2025 07:38

renovate bot changed the title ~~Update dependency highcharts to v12 [SECURITY]~~ Update dependency highcharts to v9 [SECURITY]

renovate bot force-pushed the renovate/npm-highcharts-vulnerability branch from 812dbf1 to b4a8114 Compare

November 18, 2025 15:05

renovate bot changed the title ~~Update dependency highcharts to v9 [SECURITY]~~ Update dependency highcharts to v12 [SECURITY]

renovate bot force-pushed the renovate/npm-highcharts-vulnerability branch from b4a8114 to 23c3456 Compare

November 19, 2025 01:05

renovate bot changed the title ~~Update dependency highcharts to v12 [SECURITY]~~ Update dependency highcharts to v9 [SECURITY]

renovate bot force-pushed the renovate/npm-highcharts-vulnerability branch from 23c3456 to 4d59df3 Compare

November 21, 2025 07:51

renovate bot changed the title ~~Update dependency highcharts to v9 [SECURITY]~~ Update dependency highcharts to v12 [SECURITY]


          Update dependency highcharts to v12 [SECURITY]

463fc52

renovate bot force-pushed the renovate/npm-highcharts-vulnerability branch from 4d59df3 to 463fc52 Compare

November 21, 2025 07:52

renovate bot changed the title ~~Update dependency highcharts to v12 [SECURITY]~~ Update dependency highcharts to v12 [SECURITY] - autoclosed

renovate bot closed this

renovate bot deleted the renovate/npm-highcharts-vulnerability branch

November 21, 2025 10:46

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet