This will also affect users that use the above files via a CDN link, e.g. https://cdn.jsdelivr.net/npm/mermaid@10.9.2/dist/mermaid.min.js
Users that use the default NPM export of mermaid, e.g. import mermaid from 'mermaid', or the dist/mermaid.core.mjs file, do not use this bundled version of DOMPurify, and can easily update using their package manager with something like npm audit fix.
backport to v10: 92a07ffe40aab2769dd1c3431b4eb5beac282b34
Release Notes
mermaid-js/mermaid (mermaid)
### [`v10.9.3`](https://redirect.github.com/mermaid-js/mermaid/releases/tag/v10.9.3)
[Compare Source](https://redirect.github.com/mermaid-js/mermaid/compare/v10.9.2...v10.9.3)
Updates the bundled version of dependencies in the following files:
- `dist/mermaid.min.js`
- `dist/mermaid.js`
- `dist/mermaid.esm.mjs`
- `dist/mermaid.esm.min.mjs`
**If you are not using these files (e.g. you are using the default NPM export of `mermaid`, e.g. `import mermaid from 'mermaid'`, or you are using `dist/mermaid.core.mjs`), this release is identical to v10.9.2.**
This is to avoid potential security issues in KaTeX and DOMPurify, see:
- https://github.com/cure53/DOMPurify/security/advisories/GHSA-mmhx-hmjr-r674
- https://github.com/advisories/GHSA-64fm-8hw2-v72w
- https://github.com/advisories/GHSA-cvr6-37gx-v8wc
- https://github.com/advisories/GHSA-f98w-7cxr-ff2h
- https://github.com/advisories/GHSA-3wc5-fcw2-2329
These dependencies have already been updated in [v11.0.0](https://redirect.github.com/mermaid-js/mermaid/releases/tag/v11.0.0).
#### Changelog
##### Chore
- Updates the bundled version of KaTeX to 0.16.11 ([`2bedd0e`](https://redirect.github.com/mermaid-js/mermaid/commit/2bedd0ef87df92a9971ba3490a43d9c1f535e13e))
- Updates the bundled version of DOMPurify to 3.1.6 ([`92a07ff`](https://redirect.github.com/mermaid-js/mermaid/commit/92a07ffe40aab2769dd1c3431b4eb5beac282b34))
**Full Changelog**: https://github.com/mermaid-js/mermaid/compare/v10.9.2...v10.9.3
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
[ ] If you want to rebase/retry this PR, check this box
This PR contains the following updates:
10.9.2
->10.9.3
GitHub Vulnerability Alerts
GHSA-m4gq-x24j-jpmf
The following bundled files within the Mermaid NPM package contain a bundled version of DOMPurify that is vulnerable to https://github.com/cure53/DOMPurify/security/advisories/GHSA-mmhx-hmjr-r674, potentially resulting in an XSS attack.
This affects the built:
dist/mermaid.min.js
dist/mermaid.js
dist/mermaid.esm.mjs
dist/mermaid.esm.min.mjs
This will also affect users that use the above files via a CDN link, e.g.
https://cdn.jsdelivr.net/npm/mermaid@10.9.2/dist/mermaid.min.js
Users that use the default NPM export of
mermaid
, e.g.import mermaid from 'mermaid'
, or thedist/mermaid.core.mjs
file, do not use this bundled version of DOMPurify, and can easily update using their package manager with something likenpm audit fix
.Patches
develop
branch: 6c785c93166c151d27d328ddf68a13d9d65adc00Release Notes
mermaid-js/mermaid (mermaid)
### [`v10.9.3`](https://redirect.github.com/mermaid-js/mermaid/releases/tag/v10.9.3) [Compare Source](https://redirect.github.com/mermaid-js/mermaid/compare/v10.9.2...v10.9.3) Updates the bundled version of dependencies in the following files: - `dist/mermaid.min.js` - `dist/mermaid.js` - `dist/mermaid.esm.mjs` - `dist/mermaid.esm.min.mjs` **If you are not using these files (e.g. you are using the default NPM export of `mermaid`, e.g. `import mermaid from 'mermaid'`, or you are using `dist/mermaid.core.mjs`), this release is identical to v10.9.2.** This is to avoid potential security issues in KaTeX and DOMPurify, see: - https://github.com/cure53/DOMPurify/security/advisories/GHSA-mmhx-hmjr-r674 - https://github.com/advisories/GHSA-64fm-8hw2-v72w - https://github.com/advisories/GHSA-cvr6-37gx-v8wc - https://github.com/advisories/GHSA-f98w-7cxr-ff2h - https://github.com/advisories/GHSA-3wc5-fcw2-2329 These dependencies have already been updated in [v11.0.0](https://redirect.github.com/mermaid-js/mermaid/releases/tag/v11.0.0). #### Changelog ##### Chore - Updates the bundled version of KaTeX to 0.16.11 ([`2bedd0e`](https://redirect.github.com/mermaid-js/mermaid/commit/2bedd0ef87df92a9971ba3490a43d9c1f535e13e)) - Updates the bundled version of DOMPurify to 3.1.6 ([`92a07ff`](https://redirect.github.com/mermaid-js/mermaid/commit/92a07ffe40aab2769dd1c3431b4eb5beac282b34)) **Full Changelog**: https://github.com/mermaid-js/mermaid/compare/v10.9.2...v10.9.3Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.