Bump @braintree/sanitize-url and mermaid

[dependabot[bot]]

Bumps @braintree/sanitize-url to 6.0.2 and updates ancestor dependency mermaid. These dependencies need to be updated together.

Updates @braintree/sanitize-url from 3.1.0 to 6.0.2

Changelog

Sourced from @​braintree/sanitize-url's changelog.

6.0.2

• Fix issue where urls in the form https://example.com

/something were not properly sanitized

6.0.1

• Fix issue where urls in the form javascript:alert('xss'); were not properly sanitized
• Fix issue where urls in the form javasc	ript:alert('XSS'); were not properly sanitized

6.0.0

Breaking Changes

• Decode HTML characters automatically that would result in an XSS vulnerability when rendering links via a server rendered HTML file

// decodes to javacript:alert('XSS')
const vulnerableUrl =
  "&[#0000106](https://github.com/braintree/sanitize-url/issues/0000106)&[#0000097](https://github.com/braintree/sanitize-url/issues/0000097)&[#0000118](https://github.com/braintree/sanitize-url/issues/0000118)&[#0000097](https://github.com/braintree/sanitize-url/issues/0000097)&[#0000115](https://github.com/braintree/sanitize-url/issues/0000115)&[#0000099](https://github.com/braintree/sanitize-url/issues/0000099)&[#0000114](https://github.com/braintree/sanitize-url/issues/0000114)&[#0000105](https://github.com/braintree/sanitize-url/issues/0000105)&[#0000112](https://github.com/braintree/sanitize-url/issues/0000112)&[#0000116](https://github.com/braintree/sanitize-url/issues/0000116)&[#0000058](https://github.com/braintree/sanitize-url/issues/0000058)&[#0000097](https://github.com/braintree/sanitize-url/issues/0000097)&[#0000108](https://github.com/braintree/sanitize-url/issues/0000108)&[#0000101](https://github.com/braintree/sanitize-url/issues/0000101)&[#0000114](https://github.com/braintree/sanitize-url/issues/0000114)&[#0000116](https://github.com/braintree/sanitize-url/issues/0000116)&[#0000040](https://github.com/braintree/sanitize-url/issues/0000040)&[#0000039](https://github.com/braintree/sanitize-url/issues/0000039)&[#0000088](https://github.com/braintree/sanitize-url/issues/0000088)&[#0000083](https://github.com/braintree/sanitize-url/issues/0000083)&[#0000083](https://github.com/braintree/sanitize-url/issues/0000083)&[#0000039](https://github.com/braintree/sanitize-url/issues/0000039)&[#0000041](https://github.com/braintree/sanitize-url/issues/0000041)";
sanitizeUrl(vulnerableUrl); // 'about:blank'
const okUrl = "https://example.com/" + vulnerableUrl;
// since the javascript bit is in the path instead of the protocol
// this is successfully sanitized
sanitizeUrl(okUrl); // 'https://example.com/javascript:alert('XSS');

5.0.2

• Fix issue where certain invisible white space characters were not being sanitized (#35)

5.0.1

• Fix issue where certain safe characters were being filtered out (#31 thanks @​akirchmyer)

5.0.0

Breaking Changes

• Sanitize vbscript urls (thanks @​vicnicius)

4.1.1

• Fixup path to type declaration (closes #25)

4.1.0

• Add typescript types

... (truncated)

Commits

• 14a14e8 6.0.2
• b8eb575 chore: update changelog
• a39ca11 fix: remove newline entities (#46)
• ab8d43d 6.0.1
• 768e954 chore: update version in changelog
• d4bdc89 Fix html entity tab (#45)
• b70161d chore: fix CHANGELOG formatting
• eb4a764 chore: update dev dependencies
• 071dbfb chore: update dependencies
• 34fc643 6.0.0
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by braintree, a new releaser for @​braintree/sanitize-url since your current version.

Updates mermaid from 8.4.8 to 9.3.0

Release notes

Sourced from mermaid's releases.

v9.3.0

Significant Changes

• 25% Smaller
• New docs
• Replaces the deprecated and vulnerable dagre-d3 with dagre-es

Release Notes

• #3778 Adding a hexgon shape (#3834) @​knsv
• #3831 Re-enabling themes for er diagrams (#3837) @​knsv
• #3882 fix for issues with mindmaps with only a single node (#3833) @​knsv
• (chore) remove console stmt in pieDetector (#3840) @​weedySeaDragon
• (feat) state classDef documentation (#3841) @​weedySeaDragon
• 3882 edge labels (#3883) @​knsv
• Add GHA that will check links + Fix broken links (#3765) @​spier
• Add official vim plugin to list in integrations (#3847) @​craigmac
• Add package visualizations (#3823) @​sidharthv96
• Add support for @​include in docs (#3863) @​sidharthv96
• CI: disable pinning dependencies (#3735) @​aloisklink
• Defects/issue 3878 (#3880) @​MrCoder
• Feat: Add aria-describedby, aria-roledescription (#3808) @​weedySeaDragon
• Fix #3799: Remove type from package.json (#3802) @​sidharthv96
• Fix for #3835, makes it possible to style path elements (#3836) @​knsv
• Fix typos (#3820) @​endolith
• Housekeeping with eslint-unicorn (#3845) @​sidharthv96
• Integrations added - Visual Studio Code [Polyglot Interactive Notebooks] (#3821) @​dfinke
• Mindmap integration docs (#3810) @​sidharthv96
• Reduce mermaid size by 31% (#3825) @​sidharthv96
• Remove extra arrow and adjust cross position (#3641) @​ishuen
• Replace dagre/dagre-d3 with dagre-d3-es (#3809) @​aloisklink
• Revert "Added pie" (#3842) @​pbrolin47
• Switch CDN to unpkg.com (#3777) @​sidharthv96
• Switch back to jsdelivr (#3873) @​sidharthv96
• Use github-dark to highlight fence blocks in vitepress docs (#3807) @​aloisklink
• Use current mermaid version in docs. (#3846) @​sidharthv96
• Use stylis to prepend idSelector (#3829) @​DanInProgress
• bug: State diagram fix classes type (#3798) @​weedySeaDragon
• bug: change shiki getHighlighter import (#3804) @​weedySeaDragon
• chore(deps): remove dependency on graphlib (#3861) @​aloisklink
• chore(deps): update all non-major dependencies (minor) (#3905) @​renovate
• chore(deps): update all non-major dependencies (minor) (#3791) @​renovate
• chore(deps): update lycheeverse/lychee-action action to v1.5.4 (#3827) @​renovate
• chore(deps): update pnpm to v7.17.0 (#3828) @​renovate
• chore(deps): update pnpm to v7.17.1 (#3862) @​renovate
• chore(docs): Auto build docs (#3547) @​sidharthv96
• chore: Housekeeping (#3783) @​sidharthv96
• chore: Merge master to develop (#3780) @​sidharthv96
• chore: clean up code in mermaidAPI render() and write specs/tests (#3684) @​weedySeaDragon
• chore: delete functions not used in diagrams/c4 code (dead code) (#3871) @​weedySeaDragon
• comments in states are skipped now (#3762) @​avijit1258

... (truncated)

Commits

• 5735efa Merge pull request #3911 from mermaid-js/release/9.3.0
• 774512d v9.3.0
• 1529940 bump dagre-es 7.0.6
• d194e78 Bump mermaid version
• 16b5180 Update dagre-es
• 2176bef Bump mermaid version
• 9f9c95b fix: Incorrect removal of existing elements
• 3f0b13a fix: add .js to external imports.
• 3c44379 fix: add .js to external imports.
• 1d529d8 Bump mermaid version
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by sidv, a new releaser for mermaid since your current version.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot merge` will merge this PR after your CI passes on it - `@dependabot squash and merge` will squash and merge this PR after your CI passes on it - `@dependabot cancel merge` will cancel a previously requested merge and block automerging - `@dependabot reopen` will reopen this PR if it is closed - `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) - `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language - `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language - `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language - `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/hackmdio/vscode-hackmd/network/alerts).