it-at-m / isi-frontend

ISI is a planning tool for child day care and primary school places - frontend
MIT License

Update dependency mermaid to v10.9.3 [SECURITY] #283

Open renovate[bot] opened 2 weeks ago

renovate[bot] commented 2 weeks ago

This PR contains the following updates:

| Package | Change |
|---|---|
| mermaid | 10.9.1 -> 10.9.3 |

GitHub Vulnerability Alerts

GHSA-m4gq-x24j-jpmf

The following bundled files within the Mermaid NPM package contain a bundled version of DOMPurify that is vulnerable to https://github.com/cure53/DOMPurify/security/advisories/GHSA-mmhx-hmjr-r674, potentially resulting in an XSS attack.

This affects the built:

This will also affect users that use the above files via a CDN link, e.g. https://cdn.jsdelivr.net/npm/mermaid@10.9.2/dist/mermaid.min.js

Users that use the default NPM export of mermaid, e.g. import mermaid from 'mermaid', or the dist/mermaid.core.mjs file, do not use this bundled version of DOMPurify, and can easily update using their package manager with something like npm audit fix.

Patches


Release Notes

mermaid-js/mermaid (mermaid)

### [`v10.9.3`](https://redirect.github.com/mermaid-js/mermaid/releases/tag/v10.9.3)

[Compare Source](https://redirect.github.com/mermaid-js/mermaid/compare/v10.9.2...v10.9.3)

Updates the bundled version of dependencies in the following files:

- `dist/mermaid.min.js`
- `dist/mermaid.js`
- `dist/mermaid.esm.mjs`
- `dist/mermaid.esm.min.mjs`

**If you are not using these files (e.g. you are using the default NPM export of `mermaid`, e.g. `import mermaid from 'mermaid'`, or you are using `dist/mermaid.core.mjs`), this release is identical to v10.9.2.**

This is to avoid potential security issues in KaTeX and DOMPurify, see:

- https://github.com/cure53/DOMPurify/security/advisories/GHSA-mmhx-hmjr-r674
- https://github.com/advisories/GHSA-64fm-8hw2-v72w
- https://github.com/advisories/GHSA-cvr6-37gx-v8wc
- https://github.com/advisories/GHSA-f98w-7cxr-ff2h
- https://github.com/advisories/GHSA-3wc5-fcw2-2329

These dependencies have already been updated in [v11.0.0](https://redirect.github.com/mermaid-js/mermaid/releases/tag/v11.0.0).

#### Changelog

##### Chore

- Updates the bundled version of KaTeX to 0.16.11 ([`2bedd0e`](https://redirect.github.com/mermaid-js/mermaid/commit/2bedd0ef87df92a9971ba3490a43d9c1f535e13e))
- Updates the bundled version of DOMPurify to 3.1.6 ([`92a07ff`](https://redirect.github.com/mermaid-js/mermaid/commit/92a07ffe40aab2769dd1c3431b4eb5beac282b34))

**Full Changelog**: https://github.com/mermaid-js/mermaid/compare/v10.9.2...v10.9.3

### [`v10.9.2`](https://redirect.github.com/mermaid-js/mermaid/releases/tag/v10.9.2)

[Compare Source](https://redirect.github.com/mermaid-js/mermaid/compare/v10.9.1...v10.9.2)

This release back-ports [https://github.com/mermaid-js/mermaid/pull/5914](https://redirect.github.com/mermaid-js/mermaid/pull/5914) to the v10 release line to fix [#5904](https://redirect.github.com/mermaid-js/mermaid/issues/5904) (an incompatibility between mermaid and DOMPurify v3.1.7)

##### Patch Changes

- [https://github.com/mermaid-js/mermaid/pull/5914](https://redirect.github.com/mermaid-js/mermaid/pull/5914) [`402abdf`](https://redirect.github.com/mermaid-js/mermaid/commit/402abdf8838d4239bbbd08a0b5ce1e9116751c9f) \[10] fix: ban version v3.1.7 of DOMPurify

**Full Changelog**: https://github.com/mermaid-js/mermaid/compare/v10.9.1...v10.9.2

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR was generated by Mend Renovate. View the repository job log.
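An added example, not code from this PR or from the mermaid project, of the check a consumer of the advisory above would run: it compares an installed mermaid version against the fixed 10.9.3 and flags exposure only for the bundled dist builds and CDN links the advisory names, treating the default export and `dist/mermaid.core.mjs` as unaffected. The function names, the version-comparison helper and the CDN-scanning helper are assumptions.

```javascript
// Added example, not part of this PR or of mermaid itself: audit mermaid usage
// against GHSA-m4gq-x24j-jpmf as described above. Fixed version 10.9.3; the
// vulnerable DOMPurify is only in the bundled dist builds (and CDN links to them).
const FIXED_VERSION = "10.9.3";

// Bundled files listed in the v10.9.3 release notes.
const BUNDLED_DIST_FILES = [
  "dist/mermaid.min.js",
  "dist/mermaid.js",
  "dist/mermaid.esm.mjs",
  "dist/mermaid.esm.min.mjs",
];

// Compare dotted numeric versions ("10.9.1" vs "10.9.3"): returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] ?? 0;
    const y = pb[i] ?? 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// True for an import specifier or path that resolves to a bundled dist build,
// e.g. "mermaid/dist/mermaid.min.js"; false for "mermaid" (default export) and
// "mermaid/dist/mermaid.core.mjs", which use the package-managed DOMPurify.
function usesBundledBuild(specifier) {
  return BUNDLED_DIST_FILES.some((f) => specifier === f || specifier.endsWith("/" + f));
}

// Audit one installed version plus the specifiers the app loads it through.
function auditMermaid(installedVersion, specifiers) {
  const outdated = compareVersions(installedVersion, FIXED_VERSION) < 0;
  const bundledUsed = specifiers.filter(usesBundledBuild);
  // Exposed only when the version is below the fix AND a bundled build is loaded.
  return { outdated, bundledUsed, vulnerable: outdated && bundledUsed.length > 0 };
}

// Find CDN references like https://cdn.jsdelivr.net/npm/mermaid@10.9.2/dist/mermaid.min.js
// in HTML (hypothetical helper; the URL shape is the one quoted in the advisory).
function auditCdnLinks(html) {
  const re = /https?:\/\/[^\s"']*\/npm\/mermaid@(\d+(?:\.\d+)*)\/(dist\/[\w.]+)/g;
  return Array.from(html.matchAll(re), ([url, version, file]) => ({
    url, version, ...auditMermaid(version, [file]),
  }));
}
```

Note that an outdated version loaded only through the default export is reported as `outdated` but not `vulnerable`, which matches the advisory's statement that such users are not exposed through the bundled copy and can simply update via their package manager.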