chore(deps): update dependency mermaid to v10.9.3 [security] (release-0.30) #5046
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
10.9.1
->10.9.3
GitHub Vulnerability Alerts
GHSA-m4gq-x24j-jpmf
The following bundled files within the Mermaid NPM package contain a bundled version of DOMPurify that is vulnerable to GHSA-mmhx-hmjr-r674, potentially resulting in an XSS attack.
This affects the built:
dist/mermaid.min.js
dist/mermaid.js
dist/mermaid.esm.mjs
dist/mermaid.esm.min.mjs
This will also affect users that use the above files via a CDN link, e.g.
https://cdn.jsdelivr.net/npm/[email protected]/dist/mermaid.min.js
Users that use the default NPM export of
mermaid
, e.g.import mermaid from 'mermaid'
, or thedist/mermaid.core.mjs
file, do not use this bundled version of DOMPurify, and can easily update using their package manager with something likenpm audit fix
.Patches
develop
branch: 6c785c93166c151d27d328ddf68a13d9d65adc00Prototype pollution vulnerability found in Mermaid's bundled version of DOMPurify
GHSA-m4gq-x24j-jpmf
More information
Details
The following bundled files within the Mermaid NPM package contain a bundled version of DOMPurify that is vulnerable to GHSA-mmhx-hmjr-r674, potentially resulting in an XSS attack.
This affects the built:
dist/mermaid.min.js
dist/mermaid.js
dist/mermaid.esm.mjs
dist/mermaid.esm.min.mjs
This will also affect users that use the above files via a CDN link, e.g.
https://cdn.jsdelivr.net/npm/[email protected]/dist/mermaid.min.js
Users that use the default NPM export of
mermaid
, e.g.import mermaid from 'mermaid'
, or thedist/mermaid.core.mjs
file, do not use this bundled version of DOMPurify, and can easily update using their package manager with something likenpm audit fix
.Patches
develop
branch: 6c785c93166c151d27d328ddf68a13d9d65adc00Severity
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:L
References
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
Release Notes
mermaid-js/mermaid (mermaid)
v10.9.3
Compare Source
Updates the bundled version of dependencies in the following files:
dist/mermaid.min.js
dist/mermaid.js
dist/mermaid.esm.mjs
dist/mermaid.esm.min.mjs
If you are not using these files (e.g. you are using the default NPM export of
mermaid
, e.g.import mermaid from 'mermaid'
, or you are usingdist/mermaid.core.mjs
), this release is identical to v10.9.2.This is to avoid potential security issues in KaTeX and DOMPurify, see:
These dependencies have already been updated in v11.0.0.
Changelog
Chore
2bedd0e
)92a07ff
)Full Changelog: mermaid-js/mermaid@v10.9.2...v10.9.3
v10.9.2
Compare Source
This release back-ports https://github.com/mermaid-js/mermaid/pull/5914 to the v10 release line to fix #5904 (an incompatibility between mermaid and DOMPurify v3.1.7)
Patch Changes
402abdf
[10] fix: ban version v3.1.7 of DOMPurifyFull Changelog: mermaid-js/mermaid@v10.9.1...v10.9.2
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.