Skip to content

[Security] Bump mermaid from 0.5.8 to 8.2.3 #97

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
dependabot-preview wants to merge 1 commit into
base: master
Choose a base branch
from
Open

[Security] Bump mermaid from 0.5.8 to 8.2.3 #97

dependabot-preview wants to merge 1 commit into from

Conversation

@dependabot-preview
Copy link

@dependabot-preview dependabot-preview bot commented Dec 7, 2020

Bumps mermaid from 0.5.8 to 8.2.3. This update includes a security fix.

Vulnerabilities fixed

Sourced from The GitHub Security Advisory Database.

Cross-Site Scripting in mermaid Versions of mermaid prior to 8.2.3 are vulnerable to Cross-Site Scripting. If malicious input such as A[""] is provided to the application, it will execute the code instead of rendering it as text due to improper output encoding.

Recommendation

Upgrade to version 8.2.3 or later

Affected versions: < 8.2.3

Release notes

Sourced from mermaid's releases.

8.2.1

Fix for issue with configuration not always beeing applied properly (#884) Fix for issue with click events for flowcharts (#731)

8.2.0

Added securityLevel configuration

Sets the level of trust to be used on the parsed diagrams.

  • true: (default) tags in text are encoded, click functionality is disabled
  • false: tags in text are allowed, click functionality is enabled

⚠️ Note : This changes the default behaviour of mermaid so that after upgrade to 8.2, if the securityLevel is not configured, tags in flowcharts are encoded as tags and clicking is prohibited.

Closed issues

  • Create issue templates #847
  • Create issue templates #871
  • cross site scripting in mermaid #869
  • Make Gantt chart date inclusive #868
  • CHANGELOG missing updates for all versions since 0.4.0 #865
  • please add tag for 8.0.0 release #863
  • classDiagram breaks on any edit #858
  • found 1 high severity vulnerability #839
  • Missing fontawesome icon support #830
  • Docs for integration with wiki.js? #829
  • Is this project still maintained? #826
  • typroa #823
  • Maintain the order of the nodes in Flowchart #815
  • Overlap, Overflow and cut titles in flowchart #814
  • How load mermaidApi notejs electron #813
  • How to set the spacing between the text of the flowchart node and the border? #812
  • no triming participant name and the name following spaces is as another actor in sequence #809
  • uml Class as shape type #807
  • Force-directed graph Layout Style #806
  • how can I start a newLine in FlowChart #805
  • UOEProcessShow #801
  • Why the use of code blocks? #799
  • fixing class diagram #794
  • Autonumber support in sequence diagrams #782
  • MomentJS dependency #781
  • Feature : Can we color code the flow/arrows #766
  • Is there any way to convert flowchart.js code to mermaid code #726
  • Fixed width of nodes #653
  • Inline comment #650
  • alt attribute of img tag in HTML #619
  • Just wanted to say : THANKS ! #618
  • "animation" #446

Merged pull requests:

Changelog

Sourced from mermaid's changelog.

Change Log

Unreleased

Full Changelog

Closed issues:

  • Cross-Site Scripting:DOM - Issue #847

8.2.0 (2019-07-17)

Full Changelog

Closed issues:

  • Create issue templates #871
  • cross site scripting in mermaid #869
  • Make Gantt chart date inclusive #868
  • CHANGELOG missing updates for all versions since 0.4.0 #865
  • please add tag for 8.0.0 release #863
  • classDiagram breaks on any edit #858
  • found 1 high severity vulnerability #839
  • Missing fontawesome icon support #830
  • Docs for integration with wiki.js? #829
  • Is this project still maintained? #826
  • typroa #823
  • Maintain the order of the nodes in Flowchart #815
  • Overlap, Overflow and cut titles in flowchart #814
  • How load mermaidApi notejs electron #813
  • How to set the spacing between the text of the flowchart node and the border? #812
  • no triming participant name and the name following spaces is as another actor in sequence #809
  • uml Class as shape type #807
  • Force-directed graph Layout Style #806
  • how can I start a newLine in FlowChart #805
  • UOEProcessShow #801
  • Why the use of code blocks? #799
  • fixing class diagram #794
  • Autonumber support in sequence diagrams #782
  • MomentJS dependency #781
  • Feature : Can we color code the flow/arrows #766
  • Is there any way to convert flowchart.js code to mermaid code #726
  • Fixed width of nodes #653
  • Inline comment #650
  • alt attribute of img tag in HTML #619
  • Just wanted to say : THANKS ! #618
  • "animation" #446

Merged pull requests:

Commits
  • 5b85fe9 Merge branch 'sagea-sagea/sequencediagram-background-rect'
  • b5e3323 fix: workaround for function 25 line limit
  • 8f6d148 chore: added test for background rect dimensions
  • 671a892 fix: removed it.only
  • 5c25c55 chore: Added e2e snapshot tests
  • 8b05eea chore: Added unit tests around drawBackgroundRect and drawRect
  • 1b001cf chore: Added unit tests around drawBackgroundRect and drawRect
  • c8091c6 feat: sequence diagram background rect
  • 5d9018a Merge remote-tracking branch 'origin/master'
  • cf686c4 Standard fixes
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  • @dependabot badge me will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in the .dependabot/config.yml file in this repo:

  • Update frequency
  • Out-of-range updates (receive only lockfile updates, if desired)
  • Security updates (receive only security updates, if desired)

@dependabot-preview
[Security] Bump mermaid from 0.5.8 to 8.2.3
effa576 
Bumps [mermaid](https://github.com/knsv/mermaid) from 0.5.8 to 8.2.3. **This update includes a security fix.**
- [Release notes](https://github.com/knsv/mermaid/releases)
- [Changelog](https://github.com/mermaid-js/mermaid/blob/develop/CHANGELOG.md)
- [Commits](mermaid-js/mermaid@0.5.8...8.2.3)

Signed-off-by: dependabot-preview[bot] <[email protected]>
@dependabot-preview dependabot-preview bot added dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code security Pull requests that address a security vulnerability labels Dec 7, 2020
@dependabot-preview dependabot-preview bot requested a review from igara December 7, 2020 07:09
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@igara igara Awaiting requested review from igara

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code security Pull requests that address a security vulnerability

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant