Bump vega-functions and vega

[dependabot]

Bumps vega-functions to 5.13.1 and updates ancestor dependency vega. These dependencies need to be updated together.

Updates vega-functions from 5.7.1 to 5.13.1

Release notes

Sourced from vega-functions's releases.

v5.13.0

Notable Changes

• Improved Streaming Performance.

  For performance, Vega caches a lot of internal data structures, including calculated tuples, scenegraph items, and SVG DOM nodes. Previously, nested scopes (such as those created for facetted data) that result in vega-runtime subcontexts were never cleaned. If no external View API calls are made, this is fine, and actually improves performance for interaction-driven dynamic filtering. However, when providing streaming data to Vega through the View API, uncleaned caches and subcontexts can result in substantial memory leaks that also eventually degrade performance.

  This version adds mechanisms for clearing caches and detaching subflows to support streaming data within nested specifications. When input data is removed via a View API call or via signal-valued URL, Vega will now by default trigger garbage collection to reclaim resources. This behavior can be disabled by calling clean(false) on a constructed ChangeSet passed to the View API.

• Improved Cursor Performance.

  Previously Vega updated the cursor style on the HTML document body. This persists cursor settings even during interactions (such as drags) that may leave the Vega View component. However, it also can result in large performance penalties in Chrome, which re-evaluates CSS styles in response. This version changes the default behavior to set the cursor locally on the Vega View component. If a global cursor is desired, the boolean config property events.globalCursor can be set true or the View method globalCursor can be invoked to change the setting at runtime.

• Optional Expression Interpreter.

  This release adds interpreter support for Vega expressions that is Content Security Policy (CSP) compliant. By default, the Vega parser performs code generation for parsed Vega expressions, and the Vega runtime uses the Function constructor to create JavaScript functions from the generated code. Although the Vega parser includes its own security checks, the runtime generation of functions from source code nevertheless violates security policies designed to prevent cross-site scripting.

  This release provides an interpreter plug-in (the new vega-interpreter package) that evaluates expressions by traversing an Abstract Syntax Tree (AST) for an expression and performing each operation in turn. Use of the interpreter enables compliance with CSP, but can incur a performance penalty. In tests of initial parse and dataflow evaluation times, the interpreter is on average ~10% slower. Interactive updates may incur higher penalties, as they are often more expression-heavy and amortize the one-time cost of Function constructor parsing.

Changelog

Changes from v5.12.3:

vega

• Update stream.html and stream-nested.html performance test pages.

vega-dataflow

• Add detach method to Operator to remove adjacent edges (listeners) from the dataflow graph.
• Add clean setter to ChangeSet, set to true by default if any tuples are removed.
• Add clean getter/setter to Pulse, propagate value to forked pulses if they share a data source.
• Update logging calls during Dataflow evaluation.

vega-encode

• Update DataJoin transform to clean internal map when pulse.clean() is true.
• Update Scale to include domainMid as an extrema if it exceeds the domain min or max. (#2656)

vega-functions

• Fix scale function to not special case undefined input. This ensures identical semantics with the internal _scale helper function used by code-generated encoders.

vega-geo

• Update d3-geo dependency.

vega-interpreter

... (truncated)

Commits

• See full diff in compare view

Updates vega from 5.13.0 to 5.23.0

Release notes

Sourced from vega's releases.

v5.23.0

Changes from v5.22.1:

This version contains dependency updates, bug fixes, and security patches, plus a few extra utilities to aid Vega-Lite.

monorepo

• Update dependencies, including D3 packages.
• Update rollup config to use .mjs extensions.

vega-canvas

• Update rollup config.

vega-crossfilter

• Update rollup config.

vega-dataflow

• Update rollup config.

vega-encode

• Update rollup config.

vega-event-selector

• Update rollup config.

vega-expression

• Update rollup config.

vega-force

• Update rollup config.

vega-format

• Update rollup config.

vega-functions

• Fix lassoAppend expression function XSS. (Thanks @​arvind!)
• Fix scale expression function XSS (Thanks @​ajxchapman and @​hydrosquall!)
• Update rollup config.

vega-geo

... (truncated)

Commits

• fb1092f docs: Update docs build files.
• 9ef5726 chore: Update LICENSE years.
• 3d4e672 chore: Update vega-util tsconfig.
• 1365926 chore: Bump version numbers.
• c793495 chore: Update dependencies, rollup config files.
• 6881e39 ci: Update CI node versions.
• 510b5bd test: Update tests for new d3-geo output.
• 67dc297 feat: Include projections as registered scales.
• ab371a0 feat(vega-functions): check if scale from context was registered in vega-scal...
• 75620ed feat(vega-scale): add function for testing if a given scale config object was...
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
• @dependabot use these labels will set the current labels as the default for future PRs for this repo and language
• @dependabot use these reviewers will set the current reviewers as the default for future PRs for this repo and language
• @dependabot use these assignees will set the current assignees as the default for future PRs for this repo and language
• @dependabot use this milestone will set the current milestone as the default for future PRs for this repo and language

You can disable automated security fix PRs for this repo from the Security Alerts page.