Security Issue with plotly.js

[jiyuan12354]

Firstly, I would like to express my gratitude to the SurveyJS team for providing such a robust open-source tool. Our company was so impressed that we didn’t hesitate to purchase the pro plan.

However, we’ve encountered a problem that we need your assistance with. Our company has a portal site that relies on survey-analytics@1.8.42. Our security team has discovered a security issue with this version.

Even after updating to the latest version of survey-analytics, which includes plotly.js@2.11.1, the issue persists as this version of plotly.js does not contain the necessary fix.

Is there any possibility of updating to plotly.js@2.25.2, which we believe has the required security fix? Alternatively, could you suggest any other methods to circumvent this security issue?

We look forward to your response and thank you in advance for your help.

I hope this helps! Let me know if you need further assistance.

refer to:
Fixed
Fix potential prototype pollution in plot API calls [#6703, 6704]

[tsv2013]

The current version is 1.9.127. It depends on

"plotly.js-dist-min": "^2.11.1",

Probably you need to upgrade.

[jiyuan12354]

The current version is 1.9.127. It depends on

"plotly.js-dist-min": "^2.11.1",

Probably you need to upgrade.

Got your point.. but as I described, Even after updating to the latest version of survey-analytics, which includes plotly.js@2.11.1, the issue persists as this version of plotly.js does not contain the necessary fix.

[tsv2013]

I've updated dependency:

"plotly.js-dist-min": "^2.28.0",

@jiyuan12354 could you check it on your side and tell me whether it works for you?

[JaneSjs]

T23435 - Security Issue - Inline Styles in SurveyJS Violate Content Security Policy
https://surveyjs.answerdesk.io/internal/ticket/details/T23435