fix: ban version v3.1.7 of DOMPurify

[DOMPurify v3.1.7][1] forbids the use of `<foreignElement>` for HTML inside of an `<svg>` element, which breaks many mermaid diagrams. It is likely that v3.1.8 will add a new option that will allow us to re-enable this behaviour, but v3.1.7 definitely does not work. [1]: https://github.com/cure53/DOMPurify/releases/tag/3.1.7 See: cure53/DOMPurify#1002 Fix: #5904
mermaid-js · Oct 1, 2024 · de2c05c · de2c05c
1 parent b3dee34
commit de2c05c
Show file tree

Hide file tree

Showing 3 changed files with 7 additions and 2 deletions.
diff --git a/.changeset/witty-rabbits-hunt.md b/.changeset/witty-rabbits-hunt.md
@@ -0,0 +1,5 @@
+---
+'mermaid': patch
+---
+
+Ban DOMPurify v3.1.7 as a dependency
diff --git a/packages/mermaid/package.json b/packages/mermaid/package.json
@@ -77,7 +77,7 @@
     "d3-sankey": "^0.12.3",
     "dagre-d3-es": "7.0.10",
     "dayjs": "^1.11.10",
-    "dompurify": "^3.0.11",
+    "dompurify": "^3.0.11 <3.1.7",
     "katex": "^0.16.9",
     "khroma": "^2.1.0",
     "lodash-es": "^4.17.21",

diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml