Update dependency mermaid to v10 [SECURITY] #804
This PR contains the following updates:
^9.0.0 -> ^10.0.0
GitHub Vulnerability Alerts
GHSA-m4gq-x24j-jpmf
The following bundled files within the Mermaid NPM package contain a bundled version of DOMPurify that is vulnerable to GHSA-mmhx-hmjr-r674, potentially resulting in an XSS attack.
This affects the built:
dist/mermaid.min.js
dist/mermaid.js
dist/mermaid.esm.mjs
dist/mermaid.esm.min.mjs
This will also affect users that use the above files via a CDN link, e.g. https://cdn.jsdelivr.net/npm/mermaid@10.9.2/dist/mermaid.min.js
Users that use the default NPM export of mermaid, e.g. import mermaid from 'mermaid', or the dist/mermaid.core.mjs file, do not use this bundled version of DOMPurify, and can easily update using their package manager with something like npm audit fix.
Patches
develop branch: 6c785c93166c151d27d328ddf68a13d9d65adc00
Release Notes
mermaid-js/mermaid (mermaid)
v10.9.3
Compare Source
Updates the bundled version of dependencies in the following files:
dist/mermaid.min.js
dist/mermaid.js
dist/mermaid.esm.mjs
dist/mermaid.esm.min.mjs
If you are not using these files (e.g. you are using the default NPM export of mermaid, e.g. import mermaid from 'mermaid', or you are using dist/mermaid.core.mjs), this release is identical to v10.9.2.
This is to avoid potential security issues in KaTeX and DOMPurify, see:
These dependencies have already been updated in v11.0.0.
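The advisory and the v10.9.3 notes above separate the four bundled builds from the default export and dist/mermaid.core.mjs. The following is an added example, not code from the Mermaid project or from this PR, that classifies Mermaid build references found in project text on that basis. The names (findMermaidRefs, classify, the status strings) are hypothetical, and the version threshold is an assumption taken from the release notes quoted here.

```javascript
// The four bundled builds named in the advisory (they embed their own DOMPurify copy).
const BUNDLED_BUILDS = [
  'dist/mermaid.min.js',
  'dist/mermaid.js',
  'dist/mermaid.esm.mjs',
  'dist/mermaid.esm.min.mjs',
];
// Assumption from the release notes above: bundled dependencies were refreshed in
// 10.9.3 for the v10 line and were already updated in 11.0.0.
const FIXED = [10, 9, 3];

// Matches "mermaid@<version>/dist/<file>" (CDN style) and "mermaid/dist/<file>".
const REF = /mermaid(?:@([^\/\s"']+))?\/(dist\/mermaid[\w.]*\.m?js)/g;

function isOlder(v, fixed) {
  for (let i = 0; i < 3; i++) {
    if (v[i] !== fixed[i]) return v[i] < fixed[i];
  }
  return false;
}

function classify(version, file) {
  if (!BUNDLED_BUILDS.includes(file)) return 'not-bundled'; // e.g. dist/mermaid.core.mjs
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(version || '');
  // Ranges, tags, pre-releases and bare paths: check the resolved version by hand.
  if (!m) return 'bundle-version-unknown';
  return isOlder(m.slice(1).map(Number), FIXED) ? 'affected-bundle' : 'patched-bundle';
}

function findMermaidRefs(text) {
  return [...text.matchAll(REF)].map(([, version, file]) => ({
    file,
    version: version || null,
    status: classify(version, file),
  }));
}

// Constructed sample input (not taken from a real project).
const SAMPLE = `
<script src="https://cdn.jsdelivr.net/npm/mermaid@10.9.2/dist/mermaid.min.js"></script>
<script src="https://cdn.jsdelivr.net/npm/mermaid@10.9.3/dist/mermaid.min.js"></script>
<script type="module" src="/node_modules/mermaid/dist/mermaid.esm.min.mjs"></script>
import mermaid from 'mermaid/dist/mermaid.core.mjs';
`;

console.log(findMermaidRefs(SAMPLE));
```

A result of bundle-version-unknown means the reference points at a bundled build without an exact version, so the installed or CDN-resolved version still has to be checked.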
Changelog
Chore
2bedd0e
92a07ff
Full Changelog: mermaid-js/mermaid@v10.9.2...v10.9.3
v10.9.2
Compare Source
This release back-ports https://github.com/mermaid-js/mermaid/pull/5914 to the v10 release line to fix #5904 (an incompatibility between mermaid and DOMPurify v3.1.7)
Patch Changes
402abdf [10] fix: ban version v3.1.7 of DOMPurify
Full Changelog: mermaid-js/mermaid@v10.9.1...v10.9.2
v10.9.1
Compare Source
What's Changed
BugFixes
Docs
New Contributors
Full Changelog: mermaid-js/mermaid@v10.9.0...v10.9.1
v10.9.0
Compare Source
Release Notes
We now have Katex support!
Demo
🚀 Features
🧰 Maintenance
📚 Documentation
🎉 Thanks to all contributors helping with this release! 🎉
v10.8.0
Compare Source
v10.8.0
Features
Adding new diagram type - Block Diagram by @knsv in https://github.com/mermaid-js/mermaid/pull/5221
Feature/5114 add parallel commit config by @mathbraga in https://github.com/mermaid-js/mermaid/pull/5161
Changes to Gantt Parsers to allow hashes and semicolons to titles, sections, and task data. by @FutzMonitor in https://github.com/mermaid-js/mermaid/pull/5095
Feature/4653 add actor-top class to sequence diagram by @Ronid1 in https://github.com/mermaid-js/mermaid/pull/5241
Documentation
Bug fixes
Chores
New Contributors
Full Changelog: mermaid-js/mermaid@v10.7.0...v10.8.0
v10.7.0
Compare Source
Release Notes
🚀 Features
flowchart.maxEdges config. (#5086) @sidharthv96
🐛 Bug Fixes
🧰 Maintenance
release-drafter/release-drafter GitHub Action to label our PRs (#4868) @aloisklink
tsx instead of ts-node-esm (#5104) @aloisklink
#registerExternalDiagrams testTimeout from 5 seconds to 20 seconds (#5055) @omer-priel
📚 Documentation
🎉 Thanks to all contributors helping with this release! 🎉
v10.6.1: 10.6.1
Compare Source
What's Changed
Bugfixes
( char in ellipse nodes
Documentation
Chores
🎉 Thanks to all contributors helping with this release! 🎉
v10.6.0: 10.6.0
Compare Source
What's Changed
Fix
Docs
Chores
marker_unique_id.html E2E test to render before taking a screenshot by @aloisklink https://github.com/mermaid-js/mermaid/pull/4847
theme-directives.html E2E test to render before taking a screenshot by @aloisklink in https://github.com/mermaid-js/mermaid/pull/4846
@typescript-eslint/* plugins to v6 (major) by @aloisklink in https://github.com/mermaid-js/mermaid/pull/4857
flow-huge.spec.js test case using .repeat by @Yokozuna59 in https://github.com/mermaid-js/mermaid/pull/4859
develop & next branches by @sidharthv96 in https://github.com/mermaid-js/mermaid/pull/4841
New Contributors
Full Changelog: mermaid-js/mermaid@v10.5.1...v10.6.0
v10.5.1
Compare Source
What's Changed
Full Changelog: mermaid-js/mermaid@v10.5.0...v10.5.1
v10.5.0: 10.5.0
Compare Source
What's Changed
Features
Bugfixes
Documentation
~test Array~string~ back in Class by @sidharthv96 in https://github.com/mermaid-js/mermaid/pull/4805
Chores
commonDb into diagrams/common/commonDb by @Yokozuna59 in https://github.com/mermaid-js/mermaid/pull/4802
cypress/helpers/util.ts by @RohanHandore in https://github.com/mermaid-js/mermaid/pull/4340
New Contributors
Full Changelog: mermaid-js/mermaid@v10.4.0...v10.5.0
v10.4.0
Compare Source
Features
Docs
Chores
assignWithDepth to TS by @Yokozuna59 in https://github.com/mermaid-js/mermaid/pull/4717
diagrams/common/svgDrawCommon.js to ts by @Yokozuna59 in https://github.com/mermaid-js/mermaid/pull/4724
New Contributors
Full Changelog: mermaid-js/mermaid@v10.3.1...v10.4.0
v10.3.1
Compare Source
What's Changed
Bugfixes