chore(deps): unpin the dompurify dependency #4677
Codecov Report

Additional details and impacted files

```
@@            Coverage Diff             @@
##           develop    #4677      +/-   ##
===========================================
+ Coverage    74.90%   77.00%   +2.09%
===========================================
  Files          144      144
  Lines        14583    14583
  Branches       563      563
===========================================
+ Hits         10924    11230     +306
+ Misses        3546     3243     -303
+ Partials       113      110       -3
```

Flags with carried forward coverage won't be shown. Click here to find out more.
@knsv @aloisklink do you remember if there was a reason why dompurify was pinned?
> do you remember if there was a reason why dompurify was pinned?

There's some discussion about this here, since @markrian brought up the same issue in #3735 (comment):

> `dompurify` was already pinned as a dependency before we switched to renovate, and has been pinned ever since it was first added, see b468065
>
> Personally, I'm happy to unpin `dompurify` as well, but there might be a reason why it was pinned (maybe security issues?), so I'd rather have it in a separate PR so it doesn't block the rest of the changes.

Taken from #3735 (comment)

I'm happy for this to be unpinned, but @knsv was the one to originally pin this in b468065, so it's worth getting a review from them.
@djadmin, Thank you for the contribution!
[![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| [mermaid](https://togithub.com/mermaid-js/mermaid) | [`10.3.0` -> `10.3.1`](https://renovatebot.com/diffs/npm/mermaid/10.3.0/10.3.1) | [![age](https://developer.mend.io/api/mc/badges/age/npm/mermaid/10.3.1?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/npm/mermaid/10.3.1?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/npm/mermaid/10.3.0/10.3.1?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/mermaid/10.3.0/10.3.1?slim=true)](https://docs.renovatebot.com/merge-confidence/) |

---

### Release Notes

<details>
<summary>mermaid-js/mermaid (mermaid)</summary>

### [`v10.3.1`](https://togithub.com/mermaid-js/mermaid/releases/tag/v10.3.1)

[Compare Source](https://togithub.com/mermaid-js/mermaid/compare/v10.3.0...v10.3.1)

#### What's Changed

#### Bugfixes

- fix style in contributors section of intro by [@keer4n](https://togithub.com/keer4n) in [https://github.com/mermaid-js/mermaid/pull/4670](https://togithub.com/mermaid-js/mermaid/pull/4670)
- fix: [#4676](https://togithub.com/mermaid-js/mermaid/issues/4676) redirect fix by [@sidharthv96](https://togithub.com/sidharthv96) in [https://github.com/mermaid-js/mermaid/pull/4693](https://togithub.com/mermaid-js/mermaid/pull/4693)
- [#2139](https://togithub.com/mermaid-js/mermaid/issues/2139) Applying user defined classes properly when calculating shape width by [@knsv](https://togithub.com/knsv) in [https://github.com/mermaid-js/mermaid/pull/4722](https://togithub.com/mermaid-js/mermaid/pull/4722)
- Bug/4645 graph node containing keyword by [@ibrahimWassouf](https://togithub.com/ibrahimWassouf) in [https://github.com/mermaid-js/mermaid/pull/4657](https://togithub.com/mermaid-js/mermaid/pull/4657)
- fix: Remove triple parsing of diagrams by [@sidharthv96](https://togithub.com/sidharthv96) in [https://github.com/mermaid-js/mermaid/pull/4697](https://togithub.com/mermaid-js/mermaid/pull/4697)
- resolve info `HTML` and `Document` assignment by [@Yokozuna59](https://togithub.com/Yokozuna59) in [https://github.com/mermaid-js/mermaid/pull/4514](https://togithub.com/mermaid-js/mermaid/pull/4514)
- fix!(deps): fix zenuml style leakage. by [@danshuitaihejie](https://togithub.com/danshuitaihejie) in [https://github.com/mermaid-js/mermaid/pull/4705](https://togithub.com/mermaid-js/mermaid/pull/4705)
- Use our prettier config on the `packages/mermaid/src/config.type.ts` file by [@aloisklink](https://togithub.com/aloisklink) in [https://github.com/mermaid-js/mermaid/pull/4715](https://togithub.com/mermaid-js/mermaid/pull/4715)
- create `ParserDefinition` type by [@Yokozuna59](https://togithub.com/Yokozuna59) in [https://github.com/mermaid-js/mermaid/pull/4719](https://togithub.com/mermaid-js/mermaid/pull/4719)
- standardized `error` diagram by [@Yokozuna59](https://togithub.com/Yokozuna59) in [https://github.com/mermaid-js/mermaid/pull/4718](https://togithub.com/mermaid-js/mermaid/pull/4718)

#### Documentation

- Docs: Directives not needed in new diagrams as yaml formatter does this for all new diagrams by [@Incognito](https://togithub.com/Incognito) in [https://github.com/mermaid-js/mermaid/pull/4688](https://togithub.com/mermaid-js/mermaid/pull/4688)
- Docs: add latest blog post by [@huynhicode](https://togithub.com/huynhicode) in [https://github.com/mermaid-js/mermaid/pull/4668](https://togithub.com/mermaid-js/mermaid/pull/4668)
- Lychee config by [@mmorel-35](https://togithub.com/mmorel-35) in [https://github.com/mermaid-js/mermaid/pull/4699](https://togithub.com/mermaid-js/mermaid/pull/4699)
- Syntax Update CONTRIBUTING.md by [@soomrozaid](https://togithub.com/soomrozaid) in [https://github.com/mermaid-js/mermaid/pull/4713](https://togithub.com/mermaid-js/mermaid/pull/4713)

#### Chores

- chore(deps): update all minor dependencies (minor) by [@renovate](https://togithub.com/renovate) in [https://github.com/mermaid-js/mermaid/pull/4682](https://togithub.com/mermaid-js/mermaid/pull/4682)
- build(deps-dev): bump json5 from 2.2.1 to 2.2.3 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/mermaid-js/mermaid/pull/4685](https://togithub.com/mermaid-js/mermaid/pull/4685)
- build(deps): bump [@braintree/sanitize-url](https://togithub.com/braintree/sanitize-url) from 6.0.0 to 6.0.1 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/mermaid-js/mermaid/pull/4686](https://togithub.com/mermaid-js/mermaid/pull/4686)
- build(deps-dev): bump vite from 4.3.3 to 4.3.9 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/mermaid-js/mermaid/pull/4687](https://togithub.com/mermaid-js/mermaid/pull/4687)
- chore(deps): update all patch dependencies (patch) by [@renovate](https://togithub.com/renovate) in [https://github.com/mermaid-js/mermaid/pull/4681](https://togithub.com/mermaid-js/mermaid/pull/4681)
- chore: ts-ignore comment was misleading, JISON doesn't support types by [@Incognito](https://togithub.com/Incognito) in [https://github.com/mermaid-js/mermaid/pull/4689](https://togithub.com/mermaid-js/mermaid/pull/4689)
- chore(deps): unpin the dompurify dependency by [@djadmin](https://togithub.com/djadmin) in [https://github.com/mermaid-js/mermaid/pull/4677](https://togithub.com/mermaid-js/mermaid/pull/4677)
- build(deps-dev): bump pnpm from 8.3.1 to 8.6.8 by [@dependabot](https://togithub.com/dependabot) in [https://github.com/mermaid-js/mermaid/pull/4692](https://togithub.com/mermaid-js/mermaid/pull/4692)

#### New Contributors

- [@keer4n](https://togithub.com/keer4n) made their first contribution in [https://github.com/mermaid-js/mermaid/pull/4670](https://togithub.com/mermaid-js/mermaid/pull/4670)
- [@djadmin](https://togithub.com/djadmin) made their first contribution in [https://github.com/mermaid-js/mermaid/pull/4677](https://togithub.com/mermaid-js/mermaid/pull/4677)
- [@danshuitaihejie](https://togithub.com/danshuitaihejie) made their first contribution in [https://github.com/mermaid-js/mermaid/pull/4705](https://togithub.com/mermaid-js/mermaid/pull/4705)
- [@soomrozaid](https://togithub.com/soomrozaid) made their first contribution in [https://github.com/mermaid-js/mermaid/pull/4713](https://togithub.com/mermaid-js/mermaid/pull/4713)

**Full Changelog**: mermaid-js/mermaid@v10.3.0...v10.3.1

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

- [ ] If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/levaintech/contented).

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
📑 Summary

Unpins the `DOMPurify` dependency. Resolves concerns at #3735

Why

This is because:

- The consumers of Mermaid end up with a specific version of `DOMPurify` pulled in, and to de-duplicate that they'd need to use sort of resolutions or overrides.
- As `DOMPurify` is a security library, it'd benefit to get regular updates and keep things secure by default.

📋 Tasks

Make sure you

- `MERMAID_RELEASE_VERSION` is used for all new features.
- `develop` branch
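The description above rests on two package-management facts: an exact pin such as `"3.0.0"` in a library's manifest forces every consumer to carry that copy of DOMPurify next to their own unless they add a `resolutions`/`overrides` entry, and a DOMPurify security fix then only reaches them when the library itself re-releases; a caret range lets the package manager de-duplicate to one copy and lets a lockfile refresh pick up patch releases. The Node.js script below is an added example, not code from the mermaid repository or from this PR: it audits a constructed `package.json` for exact-pinned dependencies, suggests the unpinned caret range, and shows the consumer-side override block for npm, yarn and pnpm. The package names, the versions (including every DOMPurify version shown), and the helper names `classifySpec`, `unpin`, `findPinned` and `consumerOverride` are all constructed for this example.

```javascript
// Added example (not from the mermaid repository or this PR): audit a
// package.json for exact-pinned dependencies and show the caret range that
// lets consumers de-duplicate a library such as DOMPurify.
// All package names and versions below are constructed sample data.

// An exact semver version: MAJOR.MINOR.PATCH with optional prerelease/build.
const EXACT = /^v?\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;

// Classify an npm version specifier. Only the shapes needed for the
// pinned/unpinned distinction are recognised; everything else is "other"
// (dist-tags like "latest", git URLs, "workspace:", "file:", "npm:" aliases).
function classifySpec(spec) {
  const s = spec.trim();
  if (EXACT.test(s)) return 'exact';
  if (s.startsWith('^') && EXACT.test(s.slice(1))) return 'caret';
  if (s.startsWith('~') && EXACT.test(s.slice(1))) return 'tilde';
  if (s.includes(':')) return 'other';
  if (/^(>=?|<=?|=)/.test(s) || s.includes(' - ') || s.includes('||') || /[xX*]/.test(s)) {
    return 'range';
  }
  return 'other';
}

// An exact pin cannot be de-duplicated against any other requester of the
// same package unless that requester asks for precisely the same version.
// The caret range keeps the same major (so a sanitizer's allow-list
// semantics do not change under the library) while admitting patch/minor
// releases, which is where DOMPurify security fixes normally ship.
function unpin(spec) {
  const s = spec.trim().replace(/^v/, '');
  return classifySpec(s) === 'exact' ? `^${s}` : s;
}

// Scan the manifest's dependency fields and report every exact pin together
// with the range that would replace it.
function findPinned(pkg) {
  const found = [];
  for (const field of ['dependencies', 'devDependencies', 'peerDependencies']) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      if (classifySpec(spec) === 'exact') {
        found.push({ name, field, spec, suggested: unpin(spec) });
      }
    }
  }
  return found;
}

// What a consumer has to add today to force a single DOMPurify copy when a
// library pins an exact version that differs from the consumer's own.
// npm reads "overrides", yarn reads "resolutions", pnpm reads "pnpm.overrides".
function consumerOverride(name, version, manager = 'npm') {
  const entry = { [name]: version };
  switch (manager) {
    case 'npm':
      return { overrides: entry };
    case 'yarn':
      return { resolutions: entry };
    case 'pnpm':
      return { pnpm: { overrides: entry } };
    default:
      throw new Error(`unknown package manager: ${manager}`);
  }
}

// Constructed sample manifest of a diagram library (not mermaid's real one):
// dompurify is exact-pinned, the other two use ranges.
const libraryPkg = {
  name: 'example-diagram-lib',
  dependencies: { dompurify: '3.0.0', lodash: '^4.17.21' },
  devDependencies: { vitest: '~0.34.0' },
};

// Run the audit and print the consumer-side workaround for comparison.
function demo() {
  const pinned = findPinned(libraryPkg);
  const override = consumerOverride('dompurify', '3.0.1', 'pnpm');
  return { pinned, override };
}

console.log(JSON.stringify(demo(), null, 2));
```

Run it with `node audit-pins.js` (any filename works). The `override` block in the output is the de-duplication step the PR description says consumers currently need; once the library ships `^3.0.0` instead of `3.0.0`, a consumer on any 3.x DOMPurify resolves to one copy without it, and a routine lockfile update brings in the next patch release of the sanitizer.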