fix(deps): update dependency mermaid to v11 [security] #23
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
Contributor
|
🧙 Sourcery has finished reviewing your pull request! Tips and commandsInteracting with Sourcery
Customizing Your ExperienceAccess your dashboard to:
Getting Help
|
![sourcery-ai[bot]](https://avatars.githubusercontent.com/in/48477?s=60&v=4){kind=small}
renovate
bot
force-pushed
the
renovate/npm-mermaid-vulnerability
branch
from
8271f2b to
be997d8
Compare
renovate
bot
force-pushed
the
renovate/npm-mermaid-vulnerability
branch
from
be997d8 to
bd3477c
Compare
renovate
bot
force-pushed
the
renovate/npm-mermaid-vulnerability
branch
from
bd3477c to
6cc11a4
Compare
renovate
bot
force-pushed
the
renovate/npm-mermaid-vulnerability
branch
from
6cc11a4 to
36b4b0a
Compare
renovate
bot
force-pushed
the
renovate/npm-mermaid-vulnerability
branch
from
36b4b0a to
7a5c077
Compare
renovate
bot
force-pushed
the
renovate/npm-mermaid-vulnerability
branch
from
7a5c077 to
f8d3cd0
Compare
renovate
bot
force-pushed
the
renovate/npm-mermaid-vulnerability
branch
from
f8d3cd0 to
ae11728
Compare
renovate
bot
force-pushed
the
renovate/npm-mermaid-vulnerability
branch
from
ae11728 to
b6ffd89
Compare
renovate
bot
force-pushed
the
renovate/npm-mermaid-vulnerability
branch
from
b6ffd89 to
6a204ad
Compare
renovate
bot
force-pushed
the
renovate/npm-mermaid-vulnerability
branch
from
6a204ad to
66bf5df
Compare
renovate
bot
changed the title
renovate
bot
force-pushed
the
renovate/npm-mermaid-vulnerability
branch
from
66bf5df to
a31f6ff
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
^10.2.4->^11.0.0GitHub Vulnerability Alerts
GHSA-m4gq-x24j-jpmf
The following bundled files within the Mermaid NPM package contain a bundled version of DOMPurify that is vulnerable to GHSA-mmhx-hmjr-r674, potentially resulting in an XSS attack.
This affects the built:
dist/mermaid.min.jsdist/mermaid.jsdist/mermaid.esm.mjsdist/mermaid.esm.min.mjsThis will also affect users that use the above files via a CDN link, e.g.
https://cdn.jsdelivr.net/npm/[email protected]/dist/mermaid.min.jsUsers that use the default NPM export of
mermaid, e.g.import mermaid from 'mermaid', or thedist/mermaid.core.mjsfile, do not use this bundled version of DOMPurify, and can easily update using their package manager with something likenpm audit fix.Patches
developbranch: 6c785c93166c151d27d328ddf68a13d9d65adc00CVE-2025-54881
Summary
In the default configuration of mermaid 11.9.0, user supplied input for sequence diagram labels is passed to
innerHTMLduring calculation of element size, causing XSS.Details
Sequence diagram node labels with KaTeX delimiters are passed through
calculateMathMLDimensions. This method passes the full label toinnerHTMLwhich allows allows malicious users to inject arbitrary HTML and cause XSS when mermaid-js is used in it's default configuration (with KaTeX support enabled).The vulnerability lies here:
The
calculateMathMLDimensionsmethod was introduced in 5c69e5fdb004a6d0a2abe97e23d26e223a059832 two years ago, which was released in Mermaid 10.9.0.PoC
Render the following diagram and observe the modified DOM.
Here is a PoC on mermaid.live: https://mermaid.live/edit#pako:eNpVUMtOwzAQ_BWzyoFKaRTyaFILiio4IK7ckA-1km1iKbaLY6spUf4dJ0AF68uOZ2dm7REqXSNQ6PHDoarwWfDGcMkUudaJGysqceLKkj3hPdl3osJ7IRvSm-qBwcCAaIXGaONRrSsnUdnobITF28PQ954lwXglai25UNNhxWAXBMyXxcGOi-3kL_5k79e73atuFSUv2HWazH1IWn0m3CC5aPf4b3p2WK--BW-4DJCOWzQ3TM0HQmiMqIFa4zAEicZv4iGMsw0D26JEBtS3NR656ywDpiYv869_11r-Ko12TQv0yLveI3eqfcjP111HUNVonrRTFuhdsVgAHWEAmuRxlG7SuEzKMi-yJAnhAjTLIk_EcbFJtuk2y9MphM8lM47KIp--AOZghtU
Impact
XSS on all sites that use mermaid and render user supplied diagrams without further sanitization.
Remediation
The value of the
textargument for thecalculateMathMLDimensionsmethod needs to be sanitized before getting passed on toinnerHTML.Release Notes
mermaid-js/mermaid (mermaid)
v11.10.0Compare Source
Minor Changes
daf8d8dThanks @SpecularAura! - feat: Added support for per link curve styling in flowchart diagram using edge idsPatch Changes
#6857
b9ef683Thanks @knsv! - feat: Exposing elk configuration forceNodeModelOrder and considerModelOrder to the mermaid configuration#6653
2c0931dThanks @darshanr0107! - chore: Remove the "-beta" suffix from the XYChart, Block, Sankey diagrams to reflect their stable status#6683
33e08daThanks @darshanr0107! - fix: Position the edge label in state diagram correctly relative to the edge#6693
814b68bThanks @darshanr0107! - fix: Apply correct dateFormat in Gantt chart to show only day when specified#6734
fce7cabThanks @darshanr0107! - fix: handle exclude dates properly in Gantt charts when using dateFormat: 'YYYY-MM-DD HH:mm:ss'#6733
fc07f0dThanks @omkarht! - fix: fixed connection gaps in flowchart for roundedRect, stadium and diamond shape#6876
12e01bdThanks @sidharthv96! - fix: sanitize icon labels and icon SVGsResolves CVE-2025-54880 reported by @fourcube
#6801
01aaef3Thanks @sidharthv96! - fix: Update casing of ID in requirement diagram#6796
c36cd05Thanks @HashanCP! - fix: Make flowchart elk detector regex match less greedy#6702
8bb29fcThanks @qraqras! - fix(block): overflowing blocks no longer affect later linesThis may change the layout of block diagrams that have overflowing lines
(i.e. block diagrams that use up more columns that the
columnsspecifier).#6717
71b04f9Thanks @darshanr0107! - fix: log warning for blocks exceeding column widthThis update adds a validation check that logs a warning message when a block's width exceeds the defined column layout.
#6820
c99bce6Thanks @kriss-u! - fix: Add escaped class literal name on namespace#6332
6cc1926Thanks @ajuckel! - fix: Allow equals sign in sequenceDiagram labels#6651
9da6fb3Thanks @darshanr0107! - Add validation for negative values in pie charts:Prevents crashes during parsing by validating values post-parsing.
Provides clearer, user-friendly error messages for invalid negative inputs.
#6803
e48b0baThanks @omkarht! - chore: migrate to class-based ArchitectureDB implementation#6838
4d62d59Thanks @saurabhg772244! - fix: node border style for handdrawn shapes#6739
e9ce8cfThanks @kriss-u! - fix: Update flowchart direction TD's behavior to be the same as TB#6833
9258b29Thanks @darshanr0107! - fix: correctly render non-directional lines for '---' in block diagrams#6855
da90f67Thanks @sidharthv96! - fix: fallback to raw text instead of rendering Unsupported markdown or empty blocksInstead of printing Unsupported markdown: XXX, or empty blocks when using a markdown feature
that Mermaid does not yet support when
htmlLabels: true(default) orhtmlLabels: false,fallback to the raw markdown text.
#6876
0133f1cThanks @sidharthv96! - fix: sanitize KATEX blocksResolves CVE-2025-54881 reported by @fourcube
#6804
895f9d4Thanks @omkarht! - chore: Update packet diagram to use new class-based database structurev11.9.0Compare Source
Minor Changes
5acbd7eThanks @sidharthv96! - feat: AddgetRegisteredDiagramsMetadatatomermaid, which returns all the registered diagram IDs in mermaidPatch Changes
#6738
d90634bThanks @shubham-mermaid! - chore: Updated TreeMapDB to use class based approach#6510
7a38eb7Thanks @sidharthv96! - chore: Move packet diagram out of beta#6747
3e3ae08Thanks @darshanr0107! - fix: adjust sequence diagram title positioning to prevent overlap with top border in Safari#6751
d3e2be3Thanks @darshanr0107! - chore: Update MindmapDB to use class based approach#6715
637680dThanks @Syn3ugar! - fix(timeline): fix loadingleftMarginfrom configThe
timeline.leftMarginconfig value should now correctly control the size of the left margin, instead of being ignored.Updated dependencies [
7a38eb7]:v11.8.1Compare Source
Patch Changes
0da2922]:v11.8.0Compare Source
Minor Changes
f338802Thanks @knsv! - Adding support for the new diagram type nested treemapPatch Changes
#6707
592c5bbThanks @darshanr0107! - fix: Log a warning when duplicate commit IDs are encountered in gitGraph to help identify and debug rendering issues caused by non-unique IDs.Updated dependencies [
f338802]:v11.7.0Compare Source
Minor Changes
#6479
97b79c3Thanks @monicanguyen25! - feat: Add Vertical Line To Gantt Plot At Specified Time#6225
41e84b7Thanks @Shahir-47! - feat: Add support for styling Journey Diagram title (color, font-family, and font-size)#6423
aa6cb86Thanks @BambioGaming! - Added support for the click directive in stateDiagram syntax#5980
df9df9dThanks @BryanCrotazGivEnergy! - feat: Add shorter+<count>: Labelsyntax in packet diagram#6523
c17277eThanks @NourBenz! - fix: allow sequence diagram arrows with a trailing colon but no message#6475
a1ba65cThanks @Shahir-47! - feat: Dynamically Render Data Labels Within Bar ChartsPatch Changes
#6588
b1cf291Thanks @omkarht! - Fix stroke styles for ER diagram to correctly apply path and row-specific styles#6296
a4754adThanks @sidharthv96! - chore: Convert StateDB into TypeScript#6463
2b05d7eThanks @AaronMoat! - fix: Remove incorrectstyle="undefined;"attributes in some Mermaid diagrams#6282
d63d3bfThanks @saurabhg772244! - FontAwesome icons can now be embedded as SVGs in flowcharts if they are registered viamermaid.registerIconPacks.#6407
cdbd3e5Thanks @thomascizeron! - Refactor grammar so that title don't break Architecture Diagrams#6343
1ddaf10Thanks @jeswr! - fix: allow colons in events#6616
ca80f71Thanks @ashishjain0512! - fix(timeline): ensure consistent vertical line lengths with visible arrowheadsFixed timeline diagrams where vertical dashed lines from tasks had inconsistent lengths. All vertical lines now extend to the same depth regardless of the number of events in each column, with sufficient padding to clearly display both the dashed line pattern and complete arrowheads.
#6566
bca6ed6Thanks @arpitjain099! - fix: Fix incomplete string escaping in URL manipulation logic whenarrowMarkerAbsolute: trueby ensuring all unsafe characters are escaped.Updated dependencies [
df9df9d,cdbd3e5]:v11.6.0Compare Source
Minor Changes
#6408
ad65313Thanks @ashishjain0512! - fix: restore curve type configuration functionality for flowcharts. This fixes the issue where curve type settings were not being applied when configured through any of the following methods:#6381
95d73bcThanks @thomascizeron! - Add Radar ChartPatch Changes
16d9b63Thanks @calvinvette! - - #6388Thanks @bollwyvl - Fix requirement diagram containment arrow
95d73bc]:v11.5.0Compare Source
Minor Changes
#6187
7809b5aThanks @ashishjain0512! - Flowchart new syntax for node metadata bugs&}with trailing spaces before new line#6136
ec0d9c3Thanks @knsv! - Adding support for animation of flowchart edges#6373
05bdf0eThanks @ashishjain0512! - Upgrade Requirement and ER diagram to use the common renderer flow#6371
4d25cabThanks @knsv! - The arrowhead color should match the color of the edge. Creates a unique clone of the arrow marker with the appropriate color.Patch Changes
#6064
2a91849Thanks @NicolasNewman! - fix: architecture diagrams no longer grow to extreme heights due to conflicting alignments#6198
963efa6Thanks @ferozmht! - Fixes for consistent edge id creation & handling edge cases for animate edge feature#6196
127bac1Thanks @knsv! - Fix for issue #6195 - allowing @ signs inside node labels#6212
90bbf90Thanks @saurabhg772244! - fix:mermaidAPI.getDiagramFromText()now returns a new different db for each class diagram#6218
232e60cThanks @saurabhg772244! - fix: revert state db to resolve getData returning empty nodes and edges#6250
9cad3c7Thanks @saurabhg772244! -mermaidAPI.getDiagramFromText()now returns a new db instance on each call for state diagrams#6293
cfd84e5Thanks @saurabhg772244! - Added versioning to StateDB and updated tests and diagrams to use it.#6161
6cc31b7Thanks @saurabhg772244! - fix:mermaidAPI.getDiagramFromText()now returns a new different db for each flowchart#6272
ffa7804Thanks @saurabhg772244! - fix:mermaidAPI.getDiagramFromText()now returns a new different db for each sequence diagram. Added unique IDs for messages.#6205
32a68d4Thanks @saurabhg772244! - fix: Gantt, Sankey and User Journey diagram are now able to pick font-family from mermaid config.#6295
da6361fThanks @omkarht! - fix:getDirectionandsetDirectioninstateDbrefactored to return and set actual direction#6185
3e32332Thanks @saurabhg772244! -mermaidAPI.getDiagramFromText()now returns a new different db for each state diagramv11.4.1Compare Source
Patch Changes
#6059
01b5079Thanks @knsv! - fix: Kanban diagrams will not render when adding a number as ticket id or assigned for a task#6038
1388662Thanks @knsv! - fix: Intersection calculations for tilted cylinder/DAS when using handdrawn look. Some random seeds could cause the calculations to break.#6079
fe3cffbThanks @aloisklink! - Bump dompurify to^3.2.1. This removes the need for@types/dompurify.v11.4.0Compare Source
Minor Changes
#5999
742ad7cThanks @knsv! - Adding Kanban board, a new diagram type#5880
bdf145fThanks @yari-dewalt! - Class diagram changes:Patch Changes
#5937
17b7831Thanks @saurabhg772244! - fix: Jagged edge fix for icon shape#5933
72d60d2Thanks @remcohaszing! - Add missing TypeScript dependencies#5937
17b7831Thanks @saurabhg772244! - fix: Icon color fix for colored icons.#6002
5fabd41Thanks @aloisklink! - fix: errormermaid.parseon an invalid shape, so that it matches the errors thrown bymermaid.renderv11.3.0Compare Source
Minor Changes
9e3aa70Thanks @knsv, @ashishjain0512, @omkarht, @saurabhg772244, @aloisklink, @sidharthv96 ! - New Flowchart Shapes (with new syntax)Patch Changes
#5849
6c5b7ceThanks @ReneLombard! - Fixed an issue when the mermaid classdiagram crashes when adding a . to the namespace.Forexample
classDiagram namespace Company.Project.Module { class GenericClass~T~ { +addItem(item: T) +getItem() T } }#5914
de2c05cThanks @aloisklink! - Ban DOMPurify v3.1.7 as a dependencyv11.2.1Compare Source
Patch Changes
bfd8c63Thanks @knsv! - Fix for issue with calculation of label width when using in firefoxv11.2.0Compare Source
Minor Changes
64abf29Thanks @sidharthv96! - feat: Return parsed config from mermaid.parsePatch Changes
5e75320Thanks @bollwyvl! - fix: Replace $root with relative pathsv11.1.1Compare Source
Patch Changes
4c43d21Thanks @knsv! - fix: Fix for issue where self-loops in the root of diagrams break the renderingv11.1.0Compare Source
11.1.0
Minor Changes
#5793
6ecdf7bThanks @sidharthv96! - feat: Add support for iconify icons#5711
8e640daThanks @NicolasNewman! - feat(er): allow multi-line relationship labels#5452
256a148Thanks @NicolasNewman! - New Diagram: ArchitectureAdds architecture diagrams which allows users to show relations between services.
Patch Changes
#5810
28bd07fThanks @knsv! - Fix for self loops in clusterSupporting legacy defaultRenderer directive
#5789
16faef4Thanks @sidharthv96! - chore: Move icons to architecture, remove full icon sets to reduce bundle sizeUpdated dependencies [
256a148,7d8143b]:v11.0.2Compare Source
Patch Changes
#5664
5deaef4Thanks @Austin-Fulbright! - chore: Migrate git graph to langium, use typescript for internalsUpdated dependencies [
5deaef4]:v11.0.1Compare Source
Patch Changes
bf05d87Thanks @calvinvette! - test changesetv11.0.0Compare Source
Release Notes
Major Update
Refactored the Mermaid rendering engine to support new features, including customizable layout algorithms and visual styles. This update enhances diagram flexibility, starting with flowcharts and state diagrams, with plans to extend to all diagram types by @knsv, @ashishjain0512, @sidharthv96 in https://github.com/mermaid-js/mermaid/pull/5604
🚨 Breaking Changes
useMaxWidthtrue (#5723) @aloisklinkuseMaxWidthtrue (#5724) @aloisklink🚀 Features
@mermaid-js/parserpackage andinfolangium parser by @Yokozuna59 in https://github.com/mermaid-js/mermaid/pull/4727pielangium parser by @Yokozuna59 in https://github.com/mermaid-js/mermaid/pull/4751suppressErrorRenderingoption to avoid inserting 'Syntax error' message to DOM directly by @rhysd in https://github.com/mermaid-js/mermaid/pull/4359nodeSpacing/rankSpacingconfig to subgraphs by @rowanfr in https://github.com/mermaid-js/mermaid/pull/5183🐛 Bug Fixes
s being added by @NicolasNewman in https://github.com/mermaid-js/mermaid/pull/5483
sandboxmode with UTF-16 characters by @iansan5653 in https://github.com/mermaid-js/mermaid/pull/5520elkjsdependency from mermaid package by @Gusted in https://github.com/mermaid-js/mermaid/pull/5654🧰 Maintenance
@types/d3-scaledev dependency by @Yokozuna59 in https://github.com/mermaid-js/mermaid/pull/4749MermaidConfigenum TypesScript types to certain values by @aloisklink in https://github.com/mermaid-js/mermaid/pull/4803langiumtov3and apply the required changes by @Yokozuna59 in https://github.com/mermaid-js/mermaid/pull/5345Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.