mermaid-js / mermaid

Generation of diagrams like flowcharts or sequence diagrams from text in a similar manner as markdown
https://mermaid.js.org
MIT License

Deploying an update to address security vulnerability #3877

Closed MgenGlder closed 1 year ago

MgenGlder commented 1 year ago

Description

Hello 👋🏾

Is it possible to release a patch that includes only the security vulnerability updates? In particular, I was interested in the recent dagre-d3 updates by @aloisklink that get rid of a critical vulnerability. This would help out those of us that use these in public enterprise-grade applications where security is a big concern.

Thanks!

Steps to reproduce

  1. Install mermaid-js
  2. Run npm audit

Screenshots

No response

Code Sample

No response

Setup

No response

Additional Context

No response
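The reproduction above is just "run npm audit" and read the report. As an added example (not mermaid project code, and not part of this issue), here is a small CI gate over the JSON form of that report: it fails the build when any finding is at or above a chosen severity, walks each finding's `via` chain back to the advisory that introduced it (so a transitive dependency such as dagre-d3 is reported as the root cause of a direct dependency's finding), and says which upgrade npm believes fixes it. The embedded report is a constructed sample that only mirrors the shape of `npm audit --json` on npm 7+; the advisory title, URL and version numbers in it are placeholders, not a real advisory.

```javascript
// Added example, not mermaid's own code: gate a CI job on `npm audit --json`.
// npm 7+ emits auditReportVersion 2 with a top-level `vulnerabilities` map keyed
// by package name; each entry carries `severity`, `isDirect`, `via` (advisory
// objects, or names of vulnerable dependencies this package depends on),
// `effects` and `fixAvailable`.
const SEVERITY_RANK = { info: 0, low: 1, moderate: 2, high: 3, critical: 4 };

// Constructed sample report (placeholder advisory, placeholder versions).
const SAMPLE_AUDIT = {
  auditReportVersion: 2,
  vulnerabilities: {
    'dagre-d3': {
      name: 'dagre-d3',
      severity: 'critical',
      isDirect: false,
      via: [{ source: 0, name: 'dagre-d3', title: 'PLACEHOLDER advisory title',
              url: 'https://example.invalid/advisory', severity: 'critical', range: '*' }],
      effects: ['mermaid'],
      range: '*',
      nodes: ['node_modules/dagre-d3'],
      fixAvailable: { name: 'mermaid', version: '9.3.0', isSemVerMajor: false },
    },
    mermaid: {
      name: 'mermaid',
      severity: 'critical',
      isDirect: true,
      via: ['dagre-d3'],          // vulnerable only through its dependency
      effects: [],
      range: '<=9.2.2',
      nodes: ['node_modules/mermaid'],
      fixAvailable: { name: 'mermaid', version: '9.3.0', isSemVerMajor: false },
    },
  },
  metadata: { vulnerabilities: { info: 0, low: 0, moderate: 0, high: 0, critical: 2, total: 2 } },
};

// Follow `via` strings through the report until we reach advisory objects,
// which are the findings that actually introduce the vulnerability.
function rootAdvisories(report, pkgName, seen = new Set()) {
  const entry = report.vulnerabilities[pkgName];
  if (!entry || seen.has(pkgName)) return [];
  seen.add(pkgName);
  const out = [];
  for (const v of entry.via) {
    if (typeof v === 'string') out.push(...rootAdvisories(report, v, seen));
    else out.push(v);
  }
  return out;
}

// Describe the fix npm proposes: `true` means "npm audit fix" handles it,
// an object names the package/version to move to, false/undefined means none.
function describeFix(fixAvailable) {
  if (fixAvailable === true) return 'available';
  if (fixAvailable && fixAvailable.name) return `${fixAvailable.name}@${fixAvailable.version}`;
  return 'none';
}

// All findings whose severity is at or above `threshold`, with root causes.
function findingsAtOrAbove(report, threshold) {
  const min = SEVERITY_RANK[threshold];
  if (min === undefined) throw new Error(`unknown severity: ${threshold}`);
  return Object.values(report.vulnerabilities || {})
    .filter((v) => (SEVERITY_RANK[v.severity] ?? -1) >= min)
    .map((v) => ({
      name: v.name,
      severity: v.severity,
      direct: Boolean(v.isDirect),
      rootCauses: [...new Set(rootAdvisories(report, v.name).map((a) => a.name))],
      fix: describeFix(v.fixAvailable),
    }));
}

// Exit status a CI step would use: 0 when clean at this threshold, 1 otherwise.
function auditGate(report, threshold) {
  const findings = findingsAtOrAbove(report, threshold);
  return { status: findings.length === 0 ? 0 : 1, findings };
}

// Demonstration on the constructed sample (a real run would JSON.parse the
// output of `npm audit --json` instead).
const demo = auditGate(SAMPLE_AUDIT, 'high');
for (const f of demo.findings) {
  console.log(`${f.severity.toUpperCase()} ${f.name}` +
              `${f.direct ? '' : ' (transitive)'} via ${f.rootCauses.join(', ')}; fix: ${f.fix}`);
}
console.log(`gate status: ${demo.status}`);
```

To use it on a real project, run `npm audit --json > audit.json`, feed `JSON.parse` of that file to `auditGate`, and have the CI step exit with the returned status. Reporting the root advisory rather than the top-level package is what tells you that upgrading mermaid (which pulled in the fixed dependency) is the remediation, not patching your own code.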

huineng commented 1 year ago

https://github.com/mermaid-js/mermaid/issues/3666#issuecomment-1340702927

benjmac commented 1 year ago

Hello, I'm checking to see if there is an update on when this fix will be released? Thanks!

MgenGlder commented 1 year ago

@weedySeaDragon Hey! 👋🏾 Is there any possibility this could get looked at? I would also love to take this on myself but I would need permissions to release to npm.

weedySeaDragon commented 1 year ago

@MgenGlder I'm just a contributor & don't have any input or control about releases. But @knsv certainly does :-) (and maybe @aloisklink and @sidharthv96 can help)

aloisklink commented 1 year ago

But @knsv certainly does :-) (and maybe @aloisklink and @sidharthv96 can help)

I also can't control releases, unfortunately.

@sidharthv96 did mention a couple days ago that a new release should be coming soon, but maybe there were some bugs encountered during testing. See https://mermaid-talk.slack.com/archives/CL1LQC1QU/p1669962476721549?thread_ts=1669930601.500959&cid=CL1LQC1QU

If bugs are blocking a new release, though, somebody with release permissions could just cherry-pick commit https://github.com/mermaid-js/mermaid/pull/3809/commits/fd76e0e27095997c2ac21902c0629cd6600e30d9 onto the v9.2.2 tag to make a v9.2.3 release. In that case, v9.2.3 would be missing a bunch of other features/bug-fixes, but at least it would have this security issue fixed.

Edit: You could try using the 9.3.0-rc.6 pre-release on NPM, but as it's a release candidate, there's a good chance that there are still some bugs there that haven't been squashed.

sidharthv96 commented 1 year ago

Yes, a bug with dagre-d3-es was holding up the release. https://github.com/mermaid-js/mermaid-live-editor/pull/1119

sidharthv96 commented 1 year ago

That issue has been resolved. New release coming in a few hours after a final round of testing (if we don't find some other bugs).

Meanwhile, can you try 9.3.0-rc.7 and check whether it resolves your problem and also works as expected?

rinchik commented 1 year ago

This is awesome! Thank you everyone (and @MgenGlder for driving!)

MgenGlder commented 1 year ago

Agreed, definitely a community effort here! And many thanks to @sidharthv96 for taking this home.