Merge branch 'master' into autorange-bounds

Author: archmoj

CHANGELOG.md

@@ -9,6 +9,22 @@ To see all merged commits on the master branch that will be part of the next plo
 
 where X.Y.Z is the semver of most recent plotly.js release.
 
+## [2.25.2] -- 2023-08-11
+
+### Changed
+ - Update Croatian translations in `hr` locale [[#6690](https://github.com/plotly/plotly.js/pull/6690)],
+   with thanks to @Mkranj for the contribution!
+
+### Fixed
+ - Fix potential prototype pollution in plot API calls [[#6703](https://github.com/plotly/plotly.js/pull/6703), [6704](https://github.com/plotly/plotly.js/pull/6704)]
+
+
+## [2.25.1] -- 2023-08-02
+
+### Fixed
+ - Fix clearing legend using react (regression introduced in 2.25.0) [[#6695](https://github.com/plotly/plotly.js/pull/6695)]
+
+
 ## [2.25.0] -- 2023-07-25
 
 ### Added

README.md

@@ -55,7 +55,7 @@ You may also consider using [`plotly.js-dist`](https://www.npmjs.com/package/plo
 
 ```html
 <head>
-    <script src="https://cdn.plot.ly/plotly-2.25.0.min.js" charset="utf-8"></script>
+    <script src="https://cdn.plot.ly/plotly-2.25.2.min.js" charset="utf-8"></script>
 </head>
 <body>
     <div id="gd"></div>
@@ -72,7 +72,7 @@ You may also consider using [`plotly.js-dist`](https://www.npmjs.com/package/plo
 Alternatively you may consider using [native ES6 import](https://developer.mozilla.org/en-US/docs/Web/JavaScript/Guide/Modules) in the script tag.
 ```html
 <script type="module">
-    import "https://cdn.plot.ly/plotly-2.25.0.min.js"
+    import "https://cdn.plot.ly/plotly-2.25.2.min.js"
     Plotly.newPlot("gd", [{ y: [1, 2, 3] }])
 </script>
 ```
@@ -82,7 +82,7 @@ Fastly supports Plotly.js with free CDN service. Read more at <https://www.fastl
 ### Un-minified versions are also available on CDN
 While non-minified source files may contain characters outside UTF-8, it is recommended that you specify the `charset` when loading those bundles.
 ```html
-<script src="https://cdn.plot.ly/plotly-2.25.0.js" charset="utf-8"></script>
+<script src="https://cdn.plot.ly/plotly-2.25.2.js" charset="utf-8"></script>
 ```
 
 > Please note that as of v2 the "plotly-latest" outputs (e.g. https://cdn.plot.ly/plotly-latest.min.js) will no longer be updated on the CDN, and will stay at the last v1 patch v1.58.5. Therefore, to use the CDN with plotly.js v2 and higher, you must specify an exact plotly.js version.

dist/README.md

@@ -46,9 +46,9 @@ The main plotly.js bundles weight in at:
 | 8.1 MB | 3.4 MB | 1 MB | 8.4 MB |
 
 #### CDN links
-> https://cdn.plot.ly/plotly-2.25.0.js
+> https://cdn.plot.ly/plotly-2.25.2.js
 
-> https://cdn.plot.ly/plotly-2.25.0.min.js
+> https://cdn.plot.ly/plotly-2.25.2.min.js
 
 
 #### npm packages
@@ -91,12 +91,12 @@ The `basic` partial bundle contains trace modules `bar`, `pie` and `scatter`.
 
 | Raw size | Minified size | Minified + gzip size |
 |------|-----------------|------------------------|
-| 2.6 MB | 969.3 kB | 324.3 kB |
+| 2.6 MB | 969.5 kB | 324.4 kB |
 
 #### CDN links
-> https://cdn.plot.ly/plotly-basic-2.25.0.js
+> https://cdn.plot.ly/plotly-basic-2.25.2.js
 
-> https://cdn.plot.ly/plotly-basic-2.25.0.min.js
+> https://cdn.plot.ly/plotly-basic-2.25.2.min.js
 
 
 #### npm packages
@@ -114,12 +114,12 @@ The `cartesian` partial bundle contains trace modules `bar`, `box`, `contour`, `
 
 | Raw size | Minified size | Minified + gzip size |
 |------|-----------------|------------------------|
-| 3.3 MB | 1.2 MB | 410.4 kB |
+| 3.3 MB | 1.2 MB | 410.5 kB |
 
 #### CDN links
-> https://cdn.plot.ly/plotly-cartesian-2.25.0.js
+> https://cdn.plot.ly/plotly-cartesian-2.25.2.js
 
-> https://cdn.plot.ly/plotly-cartesian-2.25.0.min.js
+> https://cdn.plot.ly/plotly-cartesian-2.25.2.min.js
 
 
 #### npm packages
@@ -140,9 +140,9 @@ The `geo` partial bundle contains trace modules `choropleth`, `scatter` and `sca
 | 3.1 MB | 1.1 MB | 368.4 kB |
 
 #### CDN links
-> https://cdn.plot.ly/plotly-geo-2.25.0.js
+> https://cdn.plot.ly/plotly-geo-2.25.2.js
 
-> https://cdn.plot.ly/plotly-geo-2.25.0.min.js
+> https://cdn.plot.ly/plotly-geo-2.25.2.min.js
 
 
 #### npm packages
@@ -163,9 +163,9 @@ The `gl3d` partial bundle contains trace modules `cone`, `isosurface`, `mesh3d`,
 | 3.6 MB | 1.5 MB | 488.9 kB |
 
 #### CDN links
-> https://cdn.plot.ly/plotly-gl3d-2.25.0.js
+> https://cdn.plot.ly/plotly-gl3d-2.25.2.js
 
-> https://cdn.plot.ly/plotly-gl3d-2.25.0.min.js
+> https://cdn.plot.ly/plotly-gl3d-2.25.2.min.js
 
 
 #### npm packages
@@ -183,12 +183,12 @@ The `gl2d` partial bundle contains trace modules `heatmapgl`, `parcoords`, `poin
 
 | Raw size | Minified size | Minified + gzip size |
 |------|-----------------|------------------------|
-| 4.4 MB | 1.8 MB | 594.8 kB |
+| 4.4 MB | 1.8 MB | 594.9 kB |
 
 #### CDN links
-> https://cdn.plot.ly/plotly-gl2d-2.25.0.js
+> https://cdn.plot.ly/plotly-gl2d-2.25.2.js
 
-> https://cdn.plot.ly/plotly-gl2d-2.25.0.min.js
+> https://cdn.plot.ly/plotly-gl2d-2.25.2.min.js
 
 
 #### npm packages
@@ -209,9 +209,9 @@ The `mapbox` partial bundle contains trace modules `choroplethmapbox`, `densitym
 | 4.3 MB | 1.7 MB | 525.6 kB |
 
 #### CDN links
-> https://cdn.plot.ly/plotly-mapbox-2.25.0.js
+> https://cdn.plot.ly/plotly-mapbox-2.25.2.js
 
-> https://cdn.plot.ly/plotly-mapbox-2.25.0.min.js
+> https://cdn.plot.ly/plotly-mapbox-2.25.2.min.js
 
 
 #### npm packages
@@ -232,9 +232,9 @@ The `finance` partial bundle contains trace modules `bar`, `candlestick`, `funne
 | 2.8 MB | 1 MB | 353 kB |
 
 #### CDN links
-> https://cdn.plot.ly/plotly-finance-2.25.0.js
+> https://cdn.plot.ly/plotly-finance-2.25.2.js
 
-> https://cdn.plot.ly/plotly-finance-2.25.0.min.js
+> https://cdn.plot.ly/plotly-finance-2.25.2.min.js
 
 
 #### npm packages
@@ -255,9 +255,9 @@ The `strict` partial bundle contains trace modules `bar`, `barpolar`, `box`, `ca
 | 8.6 MB | 3.7 MB | 1.1 MB |
 
 #### CDN links
-> https://cdn.plot.ly/plotly-strict-2.25.0.js
+> https://cdn.plot.ly/plotly-strict-2.25.2.js
 
-> https://cdn.plot.ly/plotly-strict-2.25.0.min.js
+> https://cdn.plot.ly/plotly-strict-2.25.2.min.js
 
 
 #### npm packages

dist/plotly-basic.js

@@ -1,5 +1,5 @@
 /**
-* plotly.js (basic) v2.25.0
+* plotly.js (basic) v2.25.2
 * Copyright 2012-2023, Plotly, Inc.
 * All rights reserved.
 * Licensed under the MIT license
@@ -11255,7 +11255,6 @@ function drawOne(gd, opts) {
         trace: shapeLegend
       }]);
     }
-    if (!calcdata.length) return;
     legendData = fullLayout.showlegend && getLegendData(calcdata, legendObj, fullLayout._legends.length > 1);
   } else {
     if (!legendObj.entries) return;
@@ -25868,6 +25867,10 @@ lib.objectFromPath = function (path, value) {
 // the inner loop.
 var dottedPropertyRegex = /^([^\[\.]+)\.(.+)?/;
 var indexedPropertyRegex = /^([^\.]+)\[([0-9]+)\](\.)?(.+)?/;
+function notValid(prop) {
+  // guard against polluting __proto__ and other internals getters and setters
+  return prop.slice(0, 2) === '__';
+}
 lib.expandObjectPaths = function (data) {
   var match, key, prop, datum, idx, dest, trailingPath;
   if (typeof data === 'object' && !Array.isArray(data)) {
@@ -25876,11 +25879,13 @@ lib.expandObjectPaths = function (data) {
         if (match = key.match(dottedPropertyRegex)) {
           datum = data[key];
           prop = match[1];
+          if (notValid(prop)) continue;
           delete data[key];
           data[prop] = lib.extendDeepNoArrays(data[prop] || {}, lib.objectFromPath(key, lib.expandObjectPaths(datum))[prop]);
         } else if (match = key.match(indexedPropertyRegex)) {
           datum = data[key];
           prop = match[1];
+          if (notValid(prop)) continue;
           idx = parseInt(match[2]);
           delete data[key];
           data[prop] = data[prop] || [];
@@ -25906,9 +25911,12 @@ lib.expandObjectPaths = function (data) {
           } else {
             // This is the case where this property is the end of the line,
             // e.g. xaxis.range[0]
+
+            if (notValid(prop)) continue;
             data[prop][idx] = lib.expandObjectPaths(datum);
           }
         } else {
+          if (notValid(key)) continue;
           data[key] = lib.expandObjectPaths(data[key]);
         }
       }
@@ -26833,13 +26841,19 @@ module.exports = function nestedProperty(container, propStr) {
   if (isNumeric(propStr)) propStr = String(propStr);else if (typeof propStr !== 'string' || propStr.substr(propStr.length - 4) === '[-1]') {
     throw 'bad property string';
   }
-  var j = 0;
   var propParts = propStr.split('.');
   var indexed;
   var indices;
-  var i;
+  var i, j;
+  for (j = 0; j < propParts.length; j++) {
+    // guard against polluting __proto__ and other internals
+    if (String(propParts[j]).slice(0, 2) === '__') {
+      throw 'bad property string';
+    }
+  }
 
   // check for parts of the nesting hierarchy that are numbers (ie array elements)
+  j = 0;
   while (j < propParts.length) {
     // look for non-bracket chars, then any number of [##] blocks
     indexed = String(propParts[j]).match(/^([^\[\]]*)((\[\-?[0-9]*\])+)$/);
@@ -60287,7 +60301,7 @@ function getSortFunc(opts, d2c) {
 
 
 // package version injected by `npm run preprocess`
-exports.version = '2.25.0';
+exports.version = '2.25.2';
 
 /***/ }),
 

dist/plotly-basic.min.js

@@ -1,5 +1,5 @@
 /**
-* plotly.js (cartesian) v2.25.0
+* plotly.js (cartesian) v2.25.2
 * Copyright 2012-2023, Plotly, Inc.
 * All rights reserved.
 * Licensed under the MIT license
@@ -11345,7 +11345,6 @@ function drawOne(gd, opts) {
         trace: shapeLegend
       }]);
     }
-    if (!calcdata.length) return;
     legendData = fullLayout.showlegend && getLegendData(calcdata, legendObj, fullLayout._legends.length > 1);
   } else {
     if (!legendObj.entries) return;
@@ -25977,6 +25976,10 @@ lib.objectFromPath = function (path, value) {
 // the inner loop.
 var dottedPropertyRegex = /^([^\[\.]+)\.(.+)?/;
 var indexedPropertyRegex = /^([^\.]+)\[([0-9]+)\](\.)?(.+)?/;
+function notValid(prop) {
+  // guard against polluting __proto__ and other internals getters and setters
+  return prop.slice(0, 2) === '__';
+}
 lib.expandObjectPaths = function (data) {
   var match, key, prop, datum, idx, dest, trailingPath;
   if (typeof data === 'object' && !Array.isArray(data)) {
@@ -25985,11 +25988,13 @@ lib.expandObjectPaths = function (data) {
         if (match = key.match(dottedPropertyRegex)) {
           datum = data[key];
           prop = match[1];
+          if (notValid(prop)) continue;
           delete data[key];
           data[prop] = lib.extendDeepNoArrays(data[prop] || {}, lib.objectFromPath(key, lib.expandObjectPaths(datum))[prop]);
         } else if (match = key.match(indexedPropertyRegex)) {
           datum = data[key];
           prop = match[1];
+          if (notValid(prop)) continue;
           idx = parseInt(match[2]);
           delete data[key];
           data[prop] = data[prop] || [];
@@ -26015,9 +26020,12 @@ lib.expandObjectPaths = function (data) {
           } else {
             // This is the case where this property is the end of the line,
             // e.g. xaxis.range[0]
+
+            if (notValid(prop)) continue;
             data[prop][idx] = lib.expandObjectPaths(datum);
           }
         } else {
+          if (notValid(key)) continue;
           data[key] = lib.expandObjectPaths(data[key]);
         }
       }
@@ -26942,13 +26950,19 @@ module.exports = function nestedProperty(container, propStr) {
   if (isNumeric(propStr)) propStr = String(propStr);else if (typeof propStr !== 'string' || propStr.substr(propStr.length - 4) === '[-1]') {
     throw 'bad property string';
   }
-  var j = 0;
   var propParts = propStr.split('.');
   var indexed;
   var indices;
-  var i;
+  var i, j;
+  for (j = 0; j < propParts.length; j++) {
+    // guard against polluting __proto__ and other internals
+    if (String(propParts[j]).slice(0, 2) === '__') {
+      throw 'bad property string';
+    }
+  }
 
   // check for parts of the nesting hierarchy that are numbers (ie array elements)
+  j = 0;
   while (j < propParts.length) {
     // look for non-bracket chars, then any number of [##] blocks
     indexed = String(propParts[j]).match(/^([^\[\]]*)((\[\-?[0-9]*\])+)$/);
@@ -70700,7 +70714,7 @@ function getSortFunc(opts, d2c) {
 
 
 // package version injected by `npm run preprocess`
-exports.version = '2.25.0';
+exports.version = '2.25.2';
 
 /***/ }),