hay-kot / scaffold

A cookie cutter alternative with in-project scaffolding for generating components, controllers, or other common code patterns.
https://hay-kot.github.io/scaffold/
MIT License

chore(deps): update dependency mermaid to v10.9.3 [security] #236

Closed renovate[bot] closed 1 month ago

renovate[bot] commented 1 month ago

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| mermaid | 10.9.2 -> 10.9.3 | age | adoption | passing | confidence |

GitHub Vulnerability Alerts

GHSA-m4gq-x24j-jpmf

The following bundled files within the Mermaid NPM package contain a bundled version of DOMPurify that is vulnerable to https://github.com/cure53/DOMPurify/security/advisories/GHSA-mmhx-hmjr-r674, potentially resulting in an XSS attack.

This affects the built:

This will also affect users that use the above files via a CDN link, e.g. https://cdn.jsdelivr.net/npm/mermaid@10.9.2/dist/mermaid.min.js

Users that use the default NPM export of mermaid, e.g. import mermaid from 'mermaid', or the dist/mermaid.core.mjs file, do not use this bundled version of DOMPurify, and can easily update using their package manager with something like npm audit fix.

Patches


Release Notes

mermaid-js/mermaid (mermaid)

### [`v10.9.3`](https://redirect.github.com/mermaid-js/mermaid/releases/tag/v10.9.3)

[Compare Source](https://redirect.github.com/mermaid-js/mermaid/compare/v10.9.2...v10.9.3)

Updates the bundled version of dependencies in the following files:

- `dist/mermaid.min.js`
- `dist/mermaid.js`
- `dist/mermaid.esm.mjs`
- `dist/mermaid.esm.min.mjs`

**If you are not using these files (e.g. you are using the default NPM export of `mermaid`, e.g. `import mermaid from 'mermaid'`, or you are using `dist/mermaid.core.mjs`), this release is identical to v10.9.2.**

This is to avoid potential security issues in KaTeX and DOMPurify, see:

- https://github.com/cure53/DOMPurify/security/advisories/GHSA-mmhx-hmjr-r674
- https://github.com/advisories/GHSA-64fm-8hw2-v72w
- https://github.com/advisories/GHSA-cvr6-37gx-v8wc
- https://github.com/advisories/GHSA-f98w-7cxr-ff2h
- https://github.com/advisories/GHSA-3wc5-fcw2-2329

These dependencies have already been updated in [v11.0.0](https://redirect.github.com/mermaid-js/mermaid/releases/tag/v11.0.0).

#### Changelog

##### Chore

- Updates the bundled version of KaTeX to 0.16.11 ([`2bedd0e`](https://redirect.github.com/mermaid-js/mermaid/commit/2bedd0ef87df92a9971ba3490a43d9c1f535e13e))
- Updates the bundled version of DOMPurify to 3.1.6 ([`92a07ff`](https://redirect.github.com/mermaid-js/mermaid/commit/92a07ffe40aab2769dd1c3431b4eb5beac282b34))

**Full Changelog**: https://github.com/mermaid-js/mermaid/compare/v10.9.2...v10.9.3

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR was generated by Mend Renovate.
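The advisory above separates the four `dist` bundles, which carry the vulnerable DOMPurify, from the default NPM export and `dist/mermaid.core.mjs`, which do not. The check below is an added example, not code from this PR or from the mermaid project: it applies that rule to a mermaid reference as it appears in source (an import specifier or a CDN URL) and flags bundle references pinned below 10.9.3. The function names and the `installedVersion` parameter (the mermaid version taken from the lockfile) are assumptions of the example.

```javascript
// Bundles named in GHSA-m4gq-x24j-jpmf as carrying the bundled DOMPurify.
const BUNDLED_FILES = new Set([
  'mermaid.min.js', 'mermaid.js', 'mermaid.esm.mjs', 'mermaid.esm.min.mjs',
]);
const FIXED_VERSION = '10.9.3'; // first 10.x release with the updated bundles

// Numeric compare of dotted version strings ("10.9.2" < "10.9.3"): <0, 0 or >0.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Matches "mermaid/dist/<file>" and the CDN form "mermaid@<ver>/dist/<file>",
// e.g. https://cdn.jsdelivr.net/npm/mermaid@10.9.2/dist/mermaid.min.js
const DIST_RE = /mermaid(?:@(\d+(?:\.\d+)*))?\/dist\/([A-Za-z0-9._-]+)$/;

// ref: an import specifier or URL as written in source.
// installedVersion: mermaid version from the lockfile (assumed known by the
// caller); used only when the reference itself carries no version.
function assessMermaidRef(ref, installedVersion) {
  const m = DIST_RE.exec(ref);
  if (!m) {
    // `import mermaid from 'mermaid'`: the default export does not use the
    // bundled DOMPurify, so a normal package update is enough.
    return { affected: false, reason: 'default export does not use the bundled DOMPurify' };
  }
  const [, urlVersion, file] = m;
  if (!BUNDLED_FILES.has(file)) {
    // dist/mermaid.core.mjs and other non-bundle files are out of scope.
    return { affected: false, reason: `${file} is not one of the affected bundles` };
  }
  const version = urlVersion || installedVersion;
  if (!version) {
    // A bundle reference with no resolvable version: treat as affected.
    return { affected: true, reason: `${file} referenced, version unknown` };
  }
  const affected = compareVersions(version, FIXED_VERSION) < 0;
  return {
    affected,
    reason: `${file} at ${version} is ${affected ? 'below' : 'at or above'} ${FIXED_VERSION}`,
  };
}
```

Run it over the `<script src>` URLs and import specifiers of a project; a hit means the fix is a bump of the referenced bundle, not just of the package entry in the lockfile.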