Hello Everyone,


Today it was identified that the Graph extension [1], which uses the older Vega 1 and Vega 2 libraries, had a number of security vulnerabilities.


In the interest of the security of our users, the Graph extension was disabled on Wikimedia wikis. We know that this is disruptive for editors and readers, and WMF teams are working quickly on a plan to respond to these vulnerabilities.


We recommend that any other third-party users of the Graph extension disable the extension on their wikis.


A configuration change will suppress the raw tags and graph JSON definitions that would otherwise be exposed, to avoid excess disruption to the end-user experience when the extension is disabled. [2] This change also provides a tracking category, "Category:Pages with disabled graphs", listing the pages that used to contain graphs. Local administrators can localise the name of the category and its description by editing the [[MediaWiki:Graph-disabled-category]] and [[MediaWiki:Graph-disabled-category-desc]] interface messages on their local wiki.


On Wikimedia projects, graphs created via the extension will remain unavailable. This means that pages that formerly displayed graphs will now display a small blank area. To help readers understand this situation, communities can now define a brief message to be displayed to readers in place of each graph until this is resolved. That message can be defined on each wiki at [[MediaWiki:Graph-disabled]] by local administrators.


Wikimedia Foundation staff are looking at the options available and expected timelines. For updates on this topic, follow the public Phabricator task for this issue: https://phabricator.wikimedia.org/T334940


We are seeking translations to be able to distribute a massmessage about this to various language wikis tomorrow. Please help us translate here: https://meta.wikimedia.org/wiki/User:Seddon_(WMF)/Graph_massmessage


Thank you,

Seddon


[1] https://www.mediawiki.org/wiki/Extension:Graph

[2] https://gerrit.wikimedia.org/r/plugins/gitiles/operations/mediawiki-config/+/refs/heads/master/wmf-config/CommonSettings.php#3694

Seddon (he/him they/them)

Engineering Manager

Wikimedia Foundation