fix: update dagre-d3-es patch hash to prevent prototype pollution

fix: add patch for dagre-d3-es to prevent prototype pollution
2025-10-16 12:39:58 +02:00 · 2025-10-09 12:19:11 +05:30 · 2025-10-09 12:06:37 +05:30
11 changed files with 49 additions and 43 deletions
--- a/.changeset/chilly-words-march.md
+++ b/.changeset/chilly-words-march.md
@@ -1,5 +0,0 @@
---
-'mermaid': patch
---
-
-fix: Correct viewBox casing and make SVGs responsive
--- a/cypress/helpers/util.ts
+++ b/cypress/helpers/util.ts
@@ -98,7 +98,6 @@ export const openURLAndVerifyRendering = (
  cy.visit(url);
  cy.window().should('have.property', 'rendered', true);
  cy.get('svg').should('be.visible');
-  cy.get('svg').should('not.have.attr', 'viewbox');

  if (validation) {
    cy.get('svg').should(validation);
--- a/cypress/platform/yari.html
+++ b/cypress/platform/yari.html
@@ -603,10 +603,6 @@
      </div>
      <div class="test">
        <pre class="mermaid">
-          ---
-            config:
-              theme: dark
-          ---
          classDiagram
            test ()--() test2
        </pre>
--- a/package.json
+++ b/package.json
@@ -136,7 +136,8 @@
  },
  "pnpm": {
    "patchedDependencies": {
-      "roughjs": "patches/roughjs.patch"
+      "roughjs": "patches/roughjs.patch",
+      "dagre-d3-es@7.0.11": "patches/dagre-d3-es@7.0.11.patch"
    },
    "onlyBuiltDependencies": [
      "canvas",
--- a/packages/mermaid/src/diagrams/class/classDb.ts
+++ b/packages/mermaid/src/diagrams/class/classDb.ts
@@ -627,7 +627,7 @@ export class ClassDB implements DiagramDB {
          padding: config.class!.padding ?? 16,
          // parent node must be one of [rect, roundedWithTitle, noteGroup, divider]
          shape: 'rect',
-          cssStyles: [],
+          cssStyles: ['fill: none', 'stroke: black'],
          look: config.look,
        };
        nodes.push(node);
--- a/packages/mermaid/src/diagrams/class/styles.js
+++ b/packages/mermaid/src/diagrams/class/styles.js
@@ -13,30 +13,6 @@ const getStyles = (options) =>

 }

-  .cluster-label text {
-    fill: ${options.titleColor};
-  }
-  .cluster-label span {
-    color: ${options.titleColor};
-  }
-  .cluster-label span p {
-    background-color: transparent;
-  }
-
-  .cluster rect {
-    fill: ${options.clusterBkg};
-    stroke: ${options.clusterBorder};
-    stroke-width: 1px;
-  }
-
-  .cluster text {
-    fill: ${options.titleColor};
-  }
-
-  .cluster span {
-    color: ${options.titleColor};
-  }
-
 .nodeLabel, .edgeLabel {
  color: ${options.classText};
 }
--- a/packages/mermaid/src/diagrams/packet/renderer.ts
+++ b/packages/mermaid/src/diagrams/packet/renderer.ts
@@ -16,7 +16,7 @@ const draw: DrawDefinition = (_text, id, _version, diagram: Diagram) => {
  const svgWidth = bitWidth * bitsPerRow + 2;
  const svg: SVG = selectSvgElement(id);

-  svg.attr('viewBox', `0 0 ${svgWidth} ${svgHeight}`);
+  svg.attr('viewbox', `0 0 ${svgWidth} ${svgHeight}`);
  configureSvgSize(svg, svgHeight, svgWidth, config.useMaxWidth);

  for (const [word, packet] of words.entries()) {
--- a/packages/mermaid/src/diagrams/radar/renderer.ts
+++ b/packages/mermaid/src/diagrams/radar/renderer.ts
@@ -2,7 +2,6 @@ import type { Diagram } from '../../Diagram.js';
 import type { RadarDiagramConfig } from '../../config.type.js';
 import type { DiagramRenderer, DrawDefinition, SVG, SVGGroup } from '../../diagram-api/types.js';
 import { selectSvgElement } from '../../rendering-util/selectSvgElement.js';
-import { configureSvgSize } from '../../setupGraphViewbox.js';
 import type { RadarDB, RadarAxis, RadarCurve } from './types.js';

 const draw: DrawDefinition = (_text, id, _version, diagram: Diagram) => {
@@ -54,9 +53,11 @@ const drawFrame = (svg: SVG, config: Required<RadarDiagramConfig>): SVGGroup =>
    x: config.marginLeft + config.width / 2,
    y: config.marginTop + config.height / 2,
  };
-  configureSvgSize(svg, totalHeight, totalWidth, config.useMaxWidth ?? true);
-
-  svg.attr('viewBox', `0 0 ${totalWidth} ${totalHeight}`);
+  // Initialize the SVG
+  svg
+    .attr('viewbox', `0 0 ${totalWidth} ${totalHeight}`)
+    .attr('width', totalWidth)
+    .attr('height', totalHeight);
  // g element to center the radar chart
  return svg.append('g').attr('transform', `translate(${center.x}, ${center.y})`);
 };
--- a/packages/mermaid/src/rendering-util/rendering-elements/markers.js
+++ b/packages/mermaid/src/rendering-util/rendering-elements/markers.js
@@ -130,6 +130,7 @@ const lollipop = (elem, type, id) => {
    .attr('markerHeight', 240)
    .attr('orient', 'auto')
    .append('circle')
+    .attr('stroke', 'black')
    .attr('fill', 'transparent')
    .attr('cx', 7)
    .attr('cy', 7)
@@ -146,6 +147,7 @@ const lollipop = (elem, type, id) => {
    .attr('markerHeight', 240)
    .attr('orient', 'auto')
    .append('circle')
+    .attr('stroke', 'black')
    .attr('fill', 'transparent')
    .attr('cx', 7)
    .attr('cy', 7)
--- a/patches/dagre-d3-es@7.0.11.patch
+++ b/patches/dagre-d3-es@7.0.11.patch
@@ -0,0 +1,33 @@
+diff --git a/src/dagre/position/bk.js b/src/dagre/position/bk.js
+index d4aabdcef2c788873b799489cf27d48aaa0a2ee6..72beff8b3830f1e3241455400f68843888b60a06 100644
+--- a/src/dagre/position/bk.js
+++ b/src/dagre/position/bk.js
+@@ -129,6 +129,16 @@ function findOtherInnerSegmentNode(g, v) {
+   }
+ }
+ 
+/**
+ * Check if a key is safe to use as an object property to prevent prototype pollution
+ * @param {*} key - The key to check
+ * @returns {boolean} - True if the key is safe, false otherwise
+ */
+function isSafeKey(key) {
+  // Reject prototype pollution vectors
+  return key !== '__proto__' && key !== 'constructor' && key !== 'prototype';
+}
+
+ function addConflict(conflicts, v, w) {
+   if (v > w) {
+     var tmp = v;
+@@ -136,6 +146,11 @@ function addConflict(conflicts, v, w) {
+     w = tmp;
+   }
+ 
+  // Validate keys to prevent prototype pollution
+  if (!isSafeKey(v) || !isSafeKey(w)) {
+    return;
+  }
+
+   var conflictsV = conflicts[v];
+   if (!conflictsV) {
+     conflicts[v] = conflictsV = {};
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -5,6 +5,9 @@ settings:
  excludeLinksFromLockfile: false

 patchedDependencies:
+  dagre-d3-es@7.0.11:
+    hash: 9305508c97f786851c4d8a847b5dbb3e46e759f964305997bd486f8745290188
+    path: patches/dagre-d3-es@7.0.11.patch
  roughjs:
    hash: 3543d47108cb41b68ec6a671c0e1f9d0cfe2ce524fea5b0992511ae84c3c6b64
    path: patches/roughjs.patch
@@ -252,7 +255,7 @@ importers:
        version: 0.12.3
      dagre-d3-es:
        specifier: 7.0.11
-        version: 7.0.11
+        version: 7.0.11(patch_hash=9305508c97f786851c4d8a847b5dbb3e46e759f964305997bd486f8745290188)
      dayjs:
        specifier: ^1.11.18
        version: 1.11.18
@@ -15161,7 +15164,7 @@ snapshots:
      d3-transition: 3.0.1(d3-selection@3.0.0)
      d3-zoom: 3.0.0

-  dagre-d3-es@7.0.11:
+  dagre-d3-es@7.0.11(patch_hash=9305508c97f786851c4d8a847b5dbb3e46e759f964305997bd486f8745290188):
    dependencies:
      d3: 7.9.0
      lodash-es: 4.17.21
Author	SHA1	Message	Date
shubhamparikh2704	3feb4e5551	fix: update dagre-d3-es patch hash to prevent prototype pollution	2025-10-09 12:19:11 +05:30
shubhamparikh2704	b945696721	fix: add patch for dagre-d3-es to prevent prototype pollution	2025-10-09 12:06:37 +05:30