fix(deps): update dependency mermaid to ~10.9.3 [security] #667
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
~10.6.1
->~10.9.3
GitHub Vulnerability Alerts
GHSA-m4gq-x24j-jpmf
The following bundled files within the Mermaid NPM package contain a bundled version of DOMPurify that is vulnerable to GHSA-mmhx-hmjr-r674, potentially resulting in an XSS attack.
This affects the built:
dist/mermaid.min.js
dist/mermaid.js
dist/mermaid.esm.mjs
dist/mermaid.esm.min.mjs
This will also affect users that use the above files via a CDN link, e.g.
https://cdn.jsdelivr.net/npm/[email protected]/dist/mermaid.min.js
Users that use the default NPM export of
mermaid
, e.g.import mermaid from 'mermaid'
, or thedist/mermaid.core.mjs
file, do not use this bundled version of DOMPurify, and can easily update using their package manager with something likenpm audit fix
.Patches
develop
branch: 6c785c93166c151d27d328ddf68a13d9d65adc00Release Notes
mermaid-js/mermaid (mermaid)
v10.9.3
Compare Source
Updates the bundled version of dependencies in the following files:
dist/mermaid.min.js
dist/mermaid.js
dist/mermaid.esm.mjs
dist/mermaid.esm.min.mjs
If you are not using these files (e.g. you are using the default NPM export of
mermaid
, e.g.import mermaid from 'mermaid'
, or you are usingdist/mermaid.core.mjs
), this release is identical to v10.9.2.This is to avoid potential security issues in KaTeX and DOMPurify, see:
These dependencies have already been updated in v11.0.0.
Changelog
Chore
2bedd0e
)92a07ff
)Full Changelog: mermaid-js/mermaid@v10.9.2...v10.9.3
v10.9.2
Compare Source
This release back-ports https://github.com/mermaid-js/mermaid/pull/5914 to the v10 release line to fix #5904 (an incompatibility between mermaid and DOMPurify v3.1.7)
Patch Changes
402abdf
[10] fix: ban version v3.1.7 of DOMPurifyFull Changelog: mermaid-js/mermaid@v10.9.1...v10.9.2
v10.9.1
Compare Source
What's Changed
BugFixes
Docs
New Contributors
Full Changelog: mermaid-js/mermaid@v10.9.0...v10.9.1
v10.9.0
Compare Source
Release Notes
We now have Katex support!
Demo
🚀 Features
🧰 Maintenance
📚 Documentation
🎉 Thanks to all contributors helping with this release! 🎉
v10.8.0
Compare Source
v10.8.0
Features
Adding new diagram type - Block Diagram by @knsv in https://github.com/mermaid-js/mermaid/pull/5221
Feature/5114 add parallel commit config by @mathbraga in https://github.com/mermaid-js/mermaid/pull/5161
Changes to Gantt Parsers to allow hashes and semicolons to titles, sections, and task data. by @FutzMonitor in https://github.com/mermaid-js/mermaid/pull/5095
Feature/4653 add actor-top class to sequence diagram by @Ronid1 in https://github.com/mermaid-js/mermaid/pull/5241
Documentation
Bug fixes
Chores
New Contributors
Full Changelog: mermaid-js/mermaid@v10.7.0...v10.8.0
v10.7.0
Compare Source
Release Notes
🚀 Features
flowchart.maxEdges
config. (#5086) @sidharthv96🐛 Bug Fixes
🧰 Maintenance
release-drafter/release-drafter
GitHub Action to label our PRs (#4868) @aloisklinktsx
instead ofts-node-esm
(#5104) @aloisklink#registerExternalDiagrams
testTimeout from 5 seconds to 20 seconds (#5055) @omer-priel📚 Documentation
🎉 Thanks to all contributors helping with this release! 🎉
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.