T334940 All Graphs broken on Wikimedia wikis (due to security issue T336556)


On April 19, 2023 it was identified that the Graph extension, which uses the older Vega 1 & Vega 2 libraries, had a number of security vulnerabilities.

In the interest of the security of our users, the Graph extension was disabled on Wikimedia wikis. WMF teams are working quickly on a plan to respond to these vulnerabilities.

We recommend that any third-party users of the Graph extension disable it on their wikis.

A configuration change will suppress the exposed raw tags and graph JSON definition to avoid excess disruption to the end user experience when the extension is disabled. [2] This also provides a tracking category "Category:Pages with disabled graphs" showing the pages that used to contain graphs. Local administrators can localise the name of the category and its description by editing the [[MediaWiki:Graph-disabled-category]] and [[MediaWiki:Graph-disabled-category-desc]] interface messages on their local wiki.

On Wikimedia projects, graphs created via the extension will remain unavailable. This means that pages that were formerly displaying graphs will now display a small blank area. To help readers understand this situation, communities can now define a brief message that can be displayed to readers in place of each graph until this is resolved. That message can be defined on each wiki at [[MediaWiki:Graph-disabled]] by local administrators.

An example from the English Wikipedia:

[Screenshot: Screenshot 2023-04-19 at 00.58.31.png]

ORIGINAL:
Steps to replicate the issue (include links if applicable):

What happens?:

No graphs are shown. Instead, this error message from the page MediaWiki:Graph-disabled is shown. Example error message on enwiki:

https://en.wikipedia.org/wiki/MediaWiki:Graph-disabled

Some wikis may have similar rendering errors instead, or a blank page:

[Image: image.png]

What should have happened instead?:
Graphs should be shown.

Other information (browser name/version, screenshots, etc.):
I know graphs were disabled because of a security issue, but an open issue is also needed so that people understand what's going on.

April 21 update (part 1, part 2) - exploring Vega 5 support for the Graph extension

April 28 update - Vega 5 added for testing with limited features

July 15 update - created the page https://www.mediawiki.org/wiki/Extension:Graph/Plans

August 11 update (archived).

December 22 update (archived)

April 10, 2024 update