fix: update dagre-d3-es patch hash to prevent prototype pollution

fix: add patch for dagre-d3-es to prevent prototype pollution
2025-10-20 06:29:43 +02:00 · 2025-10-09 12:19:11 +05:30 · 2025-10-09 12:06:37 +05:30
21 changed files with 69 additions and 323 deletions
--- a/.changeset/brave-memes-flash.md
+++ b/.changeset/brave-memes-flash.md
@@ -1,5 +0,0 @@
---
-'mermaid': patch
---
-
-fix: Support edge animation in hand drawn look
--- a/.changeset/busy-mirrors-try.md
+++ b/.changeset/busy-mirrors-try.md
@@ -1,5 +0,0 @@
---
-'mermaid': patch
---
-
-fix: Resolved parsing error where direction TD was not recognized within subgraphs
--- a/.changeset/curly-apes-prove.md
+++ b/.changeset/curly-apes-prove.md
@@ -1,5 +0,0 @@
---
-'mermaid': patch
---
-
-fix: Improve participant parsing and prevent recursive loops on invalid syntax
--- a/cypress/helpers/util.ts
+++ b/cypress/helpers/util.ts
@@ -6,7 +6,6 @@ interface CypressConfig {
  listUrl?: boolean;
  listId?: string;
  name?: string;
-  screenshot?: boolean;
 }
 type CypressMermaidConfig = MermaidConfig & CypressConfig;

@@ -91,7 +90,7 @@ export const renderGraph = (

 export const openURLAndVerifyRendering = (
  url: string,
-  { screenshot = true, ...options }: CypressMermaidConfig,
+  options: CypressMermaidConfig,
  validation?: any
 ): void => {
  const name: string = (options.name ?? cy.state('runnable').fullTitle()).replace(/\s+/g, '-');
@@ -104,9 +103,7 @@ export const openURLAndVerifyRendering = (
    cy.get('svg').should(validation);
  }

-  if (screenshot) {
-    verifyScreenshot(name);
-  }
+  verifyScreenshot(name);
 };

 export const verifyScreenshot = (name: string): void => {
--- a/cypress/integration/rendering/flowchart-handDrawn.spec.js
+++ b/cypress/integration/rendering/flowchart-handDrawn.spec.js
@@ -1029,19 +1029,4 @@ graph TD
      }
    );
  });
-
-  it('FDH49: should add edge animation', () => {
-    renderGraph(
-      `
-      flowchart TD
-          A(["Start"]) L_A_B_0@--> B{"Decision"}
-          B --> C["Option A"] & D["Option B"]
-          style C stroke-width:4px,stroke-dasharray: 5
-          L_A_B_0@{ animation: slow } 
-          L_B_D_0@{ animation: fast }`,
-      { look: 'handDrawn', screenshot: false }
-    );
-    cy.get('path#L_A_B_0').should('have.class', 'edge-animation-slow');
-    cy.get('path#L_B_D_0').should('have.class', 'edge-animation-fast');
-  });
 });
--- a/cypress/integration/rendering/flowchart.spec.js
+++ b/cypress/integration/rendering/flowchart.spec.js
@@ -774,21 +774,6 @@ describe('Graph', () => {
      expect(svg).to.not.have.attr('style');
    });
  });
-  it('40: should add edge animation', () => {
-    renderGraph(
-      `
-      flowchart TD
-          A(["Start"]) L_A_B_0@--> B{"Decision"}
-          B --> C["Option A"] & D["Option B"]
-          style C stroke-width:4px,stroke-dasharray: 5
-          L_A_B_0@{ animation: slow } 
-          L_B_D_0@{ animation: fast }`,
-      { screenshot: false }
-    );
-    // Verify animation classes are applied to both edges
-    cy.get('path#L_A_B_0').should('have.class', 'edge-animation-slow');
-    cy.get('path#L_B_D_0').should('have.class', 'edge-animation-fast');
-  });
  it('58: handle styling with style expressions', () => {
    imgSnapshotTest(
      `
@@ -988,19 +973,4 @@ graph TD
      }
    );
  });
-
-  it('70: should render a subgraph with direction TD', () => {
-    imgSnapshotTest(
-      `
-      flowchart LR
-        subgraph A
-          direction TD
-          a --> b
-        end
-      `,
-      {
-        fontFamily: 'courier',
-      }
-    );
-  });
 });
--- a/cypress/platform/yari.html
+++ b/cypress/platform/yari.html
@@ -603,10 +603,6 @@
      </div>
      <div class="test">
        <pre class="mermaid">
-          ---
-            config:
-              theme: dark
-          ---
          classDiagram
            test ()--() test2
        </pre>
--- a/docs/syntax/classDiagram.md
+++ b/docs/syntax/classDiagram.md
@@ -21,7 +21,7 @@ title: Animal example
 classDiagram
    note "From Duck till Zebra"
    Animal <|-- Duck
-    note for Duck "can fly<br>can swim<br>can dive<br>can help in debugging"
+    note for Duck "can fly\ncan swim\ncan dive\ncan help in debugging"
    Animal <|-- Fish
    Animal <|-- Zebra
    Animal : +int age
@@ -50,7 +50,7 @@ title: Animal example
 classDiagram
    note "From Duck till Zebra"
    Animal <|-- Duck
-    note for Duck "can fly<br>can swim<br>can dive<br>can help in debugging"
+    note for Duck "can fly\ncan swim\ncan dive\ncan help in debugging"
    Animal <|-- Fish
    Animal <|-- Zebra
    Animal : +int age
--- a/package.json
+++ b/package.json
@@ -136,7 +136,8 @@
  },
  "pnpm": {
    "patchedDependencies": {
-      "roughjs": "patches/roughjs.patch"
+      "roughjs": "patches/roughjs.patch",
+      "dagre-d3-es@7.0.11": "patches/dagre-d3-es@7.0.11.patch"
    },
    "onlyBuiltDependencies": [
      "canvas",
--- a/packages/mermaid/src/diagrams/class/classDb.ts
+++ b/packages/mermaid/src/diagrams/class/classDb.ts
@@ -627,7 +627,7 @@ export class ClassDB implements DiagramDB {
          padding: config.class!.padding ?? 16,
          // parent node must be one of [rect, roundedWithTitle, noteGroup, divider]
          shape: 'rect',
-          cssStyles: [],
+          cssStyles: ['fill: none', 'stroke: black'],
          look: config.look,
        };
        nodes.push(node);
--- a/packages/mermaid/src/diagrams/class/styles.js
+++ b/packages/mermaid/src/diagrams/class/styles.js
@@ -13,30 +13,6 @@ const getStyles = (options) =>

 }

-  .cluster-label text {
-    fill: ${options.titleColor};
-  }
-  .cluster-label span {
-    color: ${options.titleColor};
-  }
-  .cluster-label span p {
-    background-color: transparent;
-  }
-
-  .cluster rect {
-    fill: ${options.clusterBkg};
-    stroke: ${options.clusterBorder};
-    stroke-width: 1px;
-  }
-
-  .cluster text {
-    fill: ${options.titleColor};
-  }
-
-  .cluster span {
-    color: ${options.titleColor};
-  }
-
 .nodeLabel, .edgeLabel {
  color: ${options.classText};
 }
--- a/packages/mermaid/src/diagrams/flowchart/parser/flow-arrows.spec.js
+++ b/packages/mermaid/src/diagrams/flowchart/parser/flow-arrows.spec.js
@@ -266,156 +266,4 @@ describe('[Arrows] when parsing', () => {
      });
    });
  });
-
-  describe('Issue #2492: Node names starting with o/x should not be consumed by arrow markers', () => {
-    it('should handle node names starting with "o" after plain arrows', function () {
-      const res = flow.parser.parse('graph TD;\ndev---ops;');
-
-      const vert = flow.parser.yy.getVertices();
-      const edges = flow.parser.yy.getEdges();
-
-      expect(vert.get('dev').id).toBe('dev');
-      expect(vert.get('ops').id).toBe('ops');
-      expect(edges.length).toBe(1);
-      expect(edges[0].start).toBe('dev');
-      expect(edges[0].end).toBe('ops');
-      expect(edges[0].type).toBe('arrow_open');
-      expect(edges[0].stroke).toBe('normal');
-    });
-
-    it('should handle node names starting with "x" after plain arrows', function () {
-      const res = flow.parser.parse('graph TD;\ndev---xerxes;');
-
-      const vert = flow.parser.yy.getVertices();
-      const edges = flow.parser.yy.getEdges();
-
-      expect(vert.get('dev').id).toBe('dev');
-      expect(vert.get('xerxes').id).toBe('xerxes');
-      expect(edges.length).toBe(1);
-      expect(edges[0].start).toBe('dev');
-      expect(edges[0].end).toBe('xerxes');
-      expect(edges[0].type).toBe('arrow_open');
-      expect(edges[0].stroke).toBe('normal');
-    });
-
-    it('should still support circle arrows with spaces', function () {
-      const res = flow.parser.parse('graph TD;\nA --o B;');
-
-      const vert = flow.parser.yy.getVertices();
-      const edges = flow.parser.yy.getEdges();
-
-      expect(vert.get('A').id).toBe('A');
-      expect(vert.get('B').id).toBe('B');
-      expect(edges.length).toBe(1);
-      expect(edges[0].start).toBe('A');
-      expect(edges[0].end).toBe('B');
-      expect(edges[0].type).toBe('arrow_circle');
-      expect(edges[0].stroke).toBe('normal');
-    });
-
-    it('should still support cross arrows with spaces', function () {
-      const res = flow.parser.parse('graph TD;\nC --x D;');
-
-      const vert = flow.parser.yy.getVertices();
-      const edges = flow.parser.yy.getEdges();
-
-      expect(vert.get('C').id).toBe('C');
-      expect(vert.get('D').id).toBe('D');
-      expect(edges.length).toBe(1);
-      expect(edges[0].start).toBe('C');
-      expect(edges[0].end).toBe('D');
-      expect(edges[0].type).toBe('arrow_cross');
-      expect(edges[0].stroke).toBe('normal');
-    });
-
-    it('should support circle arrows to uppercase nodes without spaces', function () {
-      const res = flow.parser.parse('graph TD;\nA--oB;');
-
-      const vert = flow.parser.yy.getVertices();
-      const edges = flow.parser.yy.getEdges();
-
-      expect(vert.get('A').id).toBe('A');
-      expect(vert.get('B').id).toBe('B');
-      expect(edges.length).toBe(1);
-      expect(edges[0].start).toBe('A');
-      expect(edges[0].end).toBe('B');
-      expect(edges[0].type).toBe('arrow_circle');
-      expect(edges[0].stroke).toBe('normal');
-    });
-
-    it('should support cross arrows to uppercase nodes without spaces', function () {
-      const res = flow.parser.parse('graph TD;\nA--xBar;');
-
-      const vert = flow.parser.yy.getVertices();
-      const edges = flow.parser.yy.getEdges();
-
-      expect(vert.get('A').id).toBe('A');
-      expect(vert.get('Bar').id).toBe('Bar');
-      expect(edges.length).toBe(1);
-      expect(edges[0].start).toBe('A');
-      expect(edges[0].end).toBe('Bar');
-      expect(edges[0].type).toBe('arrow_cross');
-      expect(edges[0].stroke).toBe('normal');
-    });
-
-    it('should handle thick arrows with lowercase node names starting with "o"', function () {
-      const res = flow.parser.parse('graph TD;\nalpha===omega;');
-
-      const vert = flow.parser.yy.getVertices();
-      const edges = flow.parser.yy.getEdges();
-
-      expect(vert.get('alpha').id).toBe('alpha');
-      expect(vert.get('omega').id).toBe('omega');
-      expect(edges.length).toBe(1);
-      expect(edges[0].start).toBe('alpha');
-      expect(edges[0].end).toBe('omega');
-      expect(edges[0].type).toBe('arrow_open');
-      expect(edges[0].stroke).toBe('thick');
-    });
-
-    it('should handle dotted arrows with lowercase node names starting with "o"', function () {
-      const res = flow.parser.parse('graph TD;\nfoo-.-opus;');
-
-      const vert = flow.parser.yy.getVertices();
-      const edges = flow.parser.yy.getEdges();
-
-      expect(vert.get('foo').id).toBe('foo');
-      expect(vert.get('opus').id).toBe('opus');
-      expect(edges.length).toBe(1);
-      expect(edges[0].start).toBe('foo');
-      expect(edges[0].end).toBe('opus');
-      expect(edges[0].type).toBe('arrow_open');
-      expect(edges[0].stroke).toBe('dotted');
-    });
-
-    it('should still support dotted circle arrows with spaces', function () {
-      const res = flow.parser.parse('graph TD;\nB -.-o C;');
-
-      const vert = flow.parser.yy.getVertices();
-      const edges = flow.parser.yy.getEdges();
-
-      expect(vert.get('B').id).toBe('B');
-      expect(vert.get('C').id).toBe('C');
-      expect(edges.length).toBe(1);
-      expect(edges[0].start).toBe('B');
-      expect(edges[0].end).toBe('C');
-      expect(edges[0].type).toBe('arrow_circle');
-      expect(edges[0].stroke).toBe('dotted');
-    });
-
-    it('should still support thick cross arrows with spaces', function () {
-      const res = flow.parser.parse('graph TD;\nC ==x D;');
-
-      const vert = flow.parser.yy.getVertices();
-      const edges = flow.parser.yy.getEdges();
-
-      expect(vert.get('C').id).toBe('C');
-      expect(vert.get('D').id).toBe('D');
-      expect(edges.length).toBe(1);
-      expect(edges[0].start).toBe('C');
-      expect(edges[0].end).toBe('D');
-      expect(edges[0].type).toBe('arrow_cross');
-      expect(edges[0].stroke).toBe('thick');
-    });
-  });
 });
--- a/packages/mermaid/src/diagrams/flowchart/parser/flow.jison
+++ b/packages/mermaid/src/diagrams/flowchart/parser/flow.jison
@@ -140,7 +140,6 @@ that id.
 .*direction\s+BT[^\n]*       return 'direction_bt';
 .*direction\s+RL[^\n]*       return 'direction_rl';
 .*direction\s+LR[^\n]*       return 'direction_lr';
-.*direction\s+TD[^\n]*       return 'direction_td';

 [^\s\"]+\@(?=[^\{\"])               { return 'LINK_ID'; }
 [0-9]+                       return 'NUM';
@@ -152,23 +151,17 @@ that id.
 ","                          return 'COMMA';
 "*"                          return 'MULT';

-<INITIAL,edgeText>\s*[xo<]?\-\-+[xo>]\s+                 { this.popState(); return 'LINK'; }
-<INITIAL,edgeText>\s*[xo<]?\-\-+[xo>](?=[A-Z])           { this.popState(); return 'LINK'; }
-<INITIAL,edgeText>\s*[xo<]?\-\-+[-]\s*                   { this.popState(); return 'LINK'; }
-<INITIAL>\s*[xo<]?\-\-\s*                             { this.pushState("edgeText"); return 'START_LINK'; }
-<edgeText>[^-]|\-(?!\-)+                              return 'EDGE_TEXT';
+<INITIAL,edgeText>\s*[xo<]?\-\-+[-xo>]\s*          { this.popState(); return 'LINK'; }
+<INITIAL>\s*[xo<]?\-\-\s*                          { this.pushState("edgeText"); return 'START_LINK'; }
+<edgeText>[^-]|\-(?!\-)+                           return 'EDGE_TEXT';

-<INITIAL,thickEdgeText>\s*[xo<]?\=\=+[xo>]\s+            { this.popState(); return 'LINK'; }
-<INITIAL,thickEdgeText>\s*[xo<]?\=\=+[xo>](?=[A-Z])       { this.popState(); return 'LINK'; }
-<INITIAL,thickEdgeText>\s*[xo<]?\=\=+[=]\s*               { this.popState(); return 'LINK'; }
-<INITIAL>\s*[xo<]?\=\=\s*                              { this.pushState("thickEdgeText"); return 'START_LINK'; }
-<thickEdgeText>[^=]|\=(?!=)                            return 'EDGE_TEXT';
+<INITIAL,thickEdgeText>\s*[xo<]?\=\=+[=xo>]\s*      { this.popState(); return 'LINK'; }
+<INITIAL>\s*[xo<]?\=\=\s*                           { this.pushState("thickEdgeText"); return 'START_LINK'; }
+<thickEdgeText>[^=]|\=(?!=)                         return 'EDGE_TEXT';

-<INITIAL,dottedEdgeText>\s*[xo<]?\-?\.+\-[xo>]\s+         { this.popState(); return 'LINK'; }
-<INITIAL,dottedEdgeText>\s*[xo<]?\-?\.+\-[xo>](?=[A-Z])    { this.popState(); return 'LINK'; }
-<INITIAL,dottedEdgeText>\s*[xo<]?\-?\.+\-\s*               { this.popState(); return 'LINK'; }
-<INITIAL>\s*[xo<]?\-\.\s*                               { this.pushState("dottedEdgeText"); return 'START_LINK'; }
-<dottedEdgeText>[^\.]|\.(?!-)                           return 'EDGE_TEXT';
+<INITIAL,dottedEdgeText>\s*[xo<]?\-?\.+\-[xo>]?\s*   { this.popState(); return 'LINK'; }
+<INITIAL>\s*[xo<]?\-\.\s*                            { this.pushState("dottedEdgeText"); return 'START_LINK'; }
+<dottedEdgeText>[^\.]|\.(?!-)                        return 'EDGE_TEXT';


 <*>\s*\~\~[\~]+\s*              return 'LINK';
@@ -633,8 +626,6 @@ direction
    { $$={stmt:'dir', value:'RL'};}
    | direction_lr
    { $$={stmt:'dir', value:'LR'};}
-    | direction_td
-    { $$={stmt:'dir', value:'TD'};}
    ;

 %%
--- a/packages/mermaid/src/diagrams/flowchart/parser/subgraph.spec.js
+++ b/packages/mermaid/src/diagrams/flowchart/parser/subgraph.spec.js
@@ -309,21 +309,4 @@ describe('when parsing subgraphs', function () {
    expect(subgraphA.nodes).toContain('a');
    expect(subgraphA.nodes).not.toContain('c');
  });
-  it('should correctly parse direction TD inside a subgraph', function () {
-    const res = flow.parser.parse(`
-      graph LR
-        subgraph WithTD
-          direction TD
-          A1 --> A2
-        end
-    `);
-
-    const subgraphs = flow.parser.yy.getSubGraphs();
-    expect(subgraphs.length).toBe(1);
-    const subgraph = subgraphs[0];
-
-    expect(subgraph.dir).toBe('TD');
-    expect(subgraph.nodes).toContain('A1');
-    expect(subgraph.nodes).toContain('A2');
-  });
 });
--- a/packages/mermaid/src/diagrams/sequence/parser/sequenceDiagram.jison
+++ b/packages/mermaid/src/diagrams/sequence/parser/sequenceDiagram.jison
@@ -32,14 +32,13 @@
 <CONFIG>[^\}]+                                                  { return 'CONFIG_CONTENT'; }
 <CONFIG>\}                                                      { this.popState(); this.popState(); return 'CONFIG_END'; }
 <ID>[^\<->\->:\n,;@\s]+(?=\@\{)                                 { yytext = yytext.trim(); return 'ACTOR'; }
-<ID>[^<>:\n,;@\s]+(?=\s+as\s)                                   { yytext = yytext.trim(); this.begin('ALIAS'); return 'ACTOR'; }
-<ID>[^<>:\n,;@]+(?=\s*[\n;#]|$)                                 { yytext = yytext.trim(); this.popState(); return 'ACTOR'; }
-<ID>[^<>:\n,;@]*\<[^\n]*                                        { this.popState(); return 'INVALID'; }
+<ID>[^\<->\->:\n,;@]+?([\-]*[^\<->\->:\n,;@]+?)*?(?=((?!\n)\s)+"as"(?!\n)\s|[#\n;]|$) { yytext = yytext.trim(); this.begin('ALIAS'); return 'ACTOR'; }
 "box"															{ this.begin('LINE'); return 'box'; }
 "participant"                                                   { this.begin('ID'); return 'participant'; }
 "actor"                                                   		{ this.begin('ID'); return 'participant_actor'; }
 "create"                                                        return 'create';
 "destroy"                                                       { this.begin('ID'); return 'destroy'; }
+<ID>[^<\->\->:\n,;]+?([\-]*[^<\->\->:\n,;]+?)*?(?=((?!\n)\s)+"as"(?!\n)\s|[#\n;]|$)     { yytext = yytext.trim(); this.begin('ALIAS'); return 'ACTOR'; }
 <ALIAS>"as"                                                     { this.popState(); this.popState(); this.begin('LINE'); return 'AS'; }
 <ALIAS>(?:)                                                     { this.popState(); this.popState(); return 'NEWLINE'; }
 "loop"                                                          { this.begin('LINE'); return 'loop'; }
@@ -146,7 +145,6 @@ line
 	: SPACE statement { $$ = $2 }
 	| statement { $$ = $1 }
 	| NEWLINE { $$=[]; }
-	| INVALID { $$=[]; }
 	;

 box_section
@@ -413,4 +411,4 @@ text2
  : TXT {$$ = yy.parseMessage($1.trim().substring(1)) }
  ;

-%%
+%%
--- a/packages/mermaid/src/diagrams/sequence/sequenceDiagram.spec.js
+++ b/packages/mermaid/src/diagrams/sequence/sequenceDiagram.spec.js
@@ -2609,17 +2609,5 @@ Bob->>Alice:Got it!
      expect(actors.get('E').type).toBe('entity');
      expect(actors.get('E').description).toBe('E');
    });
-    it('should handle fail parsing when alias token causes conflicts in participant definition', async () => {
-      let error = false;
-      try {
-        await Diagram.fromText(`
-        sequenceDiagram
-        participant SAS MyServiceWithMoreThan20Chars <br> service decription
-       `);
-      } catch (e) {
-        error = true;
-      }
-      expect(error).toBe(true);
-    });
  });
 });
--- a/packages/mermaid/src/docs/syntax/classDiagram.md
+++ b/packages/mermaid/src/docs/syntax/classDiagram.md
@@ -15,7 +15,7 @@ title: Animal example
 classDiagram
    note "From Duck till Zebra"
    Animal <|-- Duck
-    note for Duck "can fly<br>can swim<br>can dive<br>can help in debugging"
+    note for Duck "can fly\ncan swim\ncan dive\ncan help in debugging"
    Animal <|-- Fish
    Animal <|-- Zebra
    Animal : +int age
--- a/packages/mermaid/src/rendering-util/rendering-elements/edges.js
+++ b/packages/mermaid/src/rendering-util/rendering-elements/edges.js
@@ -605,14 +605,6 @@ export const insertEdge = function (
  const edgeStyles = Array.isArray(edge.style) ? edge.style : [edge.style];
  let strokeColor = edgeStyles.find((style) => style?.startsWith('stroke:'));

-  let animationClass = '';
-  if (edge.animate) {
-    animationClass = 'edge-animation-fast';
-  }
-  if (edge.animation) {
-    animationClass = 'edge-animation-' + edge.animation;
-  }
-
  let animatedEdge = false;
  if (edge.look === 'handDrawn') {
    const rc = rough.svg(elem);
@@ -628,13 +620,7 @@ export const insertEdge = function (
    svgPath = select(svgPathNode)
      .select('path')
      .attr('id', edge.id)
-      .attr(
-        'class',
-        ' ' +
-          strokeClasses +
-          (edge.classes ? ' ' + edge.classes : '') +
-          (animationClass ? ' ' + animationClass : '')
-      )
+      .attr('class', ' ' + strokeClasses + (edge.classes ? ' ' + edge.classes : ''))
      .attr('style', edgeStyles ? edgeStyles.reduce((acc, style) => acc + ';' + style, '') : '');
    let d = svgPath.attr('d');
    svgPath.attr('d', d);
@@ -642,6 +628,13 @@ export const insertEdge = function (
  } else {
    const stylesFromClasses = edgeClassStyles.join(';');
    const styles = edgeStyles ? edgeStyles.reduce((acc, style) => acc + style + ';', '') : '';
+    let animationClass = '';
+    if (edge.animate) {
+      animationClass = ' edge-animation-fast';
+    }
+    if (edge.animation) {
+      animationClass = ' edge-animation-' + edge.animation;
+    }

    const pathStyle =
      (stylesFromClasses ? stylesFromClasses + ';' + styles + ';' : styles) +
@@ -653,10 +646,7 @@ export const insertEdge = function (
      .attr('id', edge.id)
      .attr(
        'class',
-        ' ' +
-          strokeClasses +
-          (edge.classes ? ' ' + edge.classes : '') +
-          (animationClass ? ' ' + animationClass : '')
+        ' ' + strokeClasses + (edge.classes ? ' ' + edge.classes : '') + (animationClass ?? '')
      )
      .attr('style', pathStyle);

--- a/packages/mermaid/src/rendering-util/rendering-elements/markers.js
+++ b/packages/mermaid/src/rendering-util/rendering-elements/markers.js
@@ -130,6 +130,7 @@ const lollipop = (elem, type, id) => {
    .attr('markerHeight', 240)
    .attr('orient', 'auto')
    .append('circle')
+    .attr('stroke', 'black')
    .attr('fill', 'transparent')
    .attr('cx', 7)
    .attr('cy', 7)
@@ -146,6 +147,7 @@ const lollipop = (elem, type, id) => {
    .attr('markerHeight', 240)
    .attr('orient', 'auto')
    .append('circle')
+    .attr('stroke', 'black')
    .attr('fill', 'transparent')
    .attr('cx', 7)
    .attr('cy', 7)
--- a/patches/dagre-d3-es@7.0.11.patch
+++ b/patches/dagre-d3-es@7.0.11.patch
@@ -0,0 +1,33 @@
+diff --git a/src/dagre/position/bk.js b/src/dagre/position/bk.js
+index d4aabdcef2c788873b799489cf27d48aaa0a2ee6..72beff8b3830f1e3241455400f68843888b60a06 100644
+--- a/src/dagre/position/bk.js
+++ b/src/dagre/position/bk.js
+@@ -129,6 +129,16 @@ function findOtherInnerSegmentNode(g, v) {
+   }
+ }
+ 
+/**
+ * Check if a key is safe to use as an object property to prevent prototype pollution
+ * @param {*} key - The key to check
+ * @returns {boolean} - True if the key is safe, false otherwise
+ */
+function isSafeKey(key) {
+  // Reject prototype pollution vectors
+  return key !== '__proto__' && key !== 'constructor' && key !== 'prototype';
+}
+
+ function addConflict(conflicts, v, w) {
+   if (v > w) {
+     var tmp = v;
+@@ -136,6 +146,11 @@ function addConflict(conflicts, v, w) {
+     w = tmp;
+   }
+ 
+  // Validate keys to prevent prototype pollution
+  if (!isSafeKey(v) || !isSafeKey(w)) {
+    return;
+  }
+
+   var conflictsV = conflicts[v];
+   if (!conflictsV) {
+     conflicts[v] = conflictsV = {};
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -5,6 +5,9 @@ settings:
  excludeLinksFromLockfile: false

 patchedDependencies:
+  dagre-d3-es@7.0.11:
+    hash: 9305508c97f786851c4d8a847b5dbb3e46e759f964305997bd486f8745290188
+    path: patches/dagre-d3-es@7.0.11.patch
  roughjs:
    hash: 3543d47108cb41b68ec6a671c0e1f9d0cfe2ce524fea5b0992511ae84c3c6b64
    path: patches/roughjs.patch
@@ -252,7 +255,7 @@ importers:
        version: 0.12.3
      dagre-d3-es:
        specifier: 7.0.11
-        version: 7.0.11
+        version: 7.0.11(patch_hash=9305508c97f786851c4d8a847b5dbb3e46e759f964305997bd486f8745290188)
      dayjs:
        specifier: ^1.11.18
        version: 1.11.18
@@ -15161,7 +15164,7 @@ snapshots:
      d3-transition: 3.0.1(d3-selection@3.0.0)
      d3-zoom: 3.0.0

-  dagre-d3-es@7.0.11:
+  dagre-d3-es@7.0.11(patch_hash=9305508c97f786851c4d8a847b5dbb3e46e759f964305997bd486f8745290188):
    dependencies:
      d3: 7.9.0
      lodash-es: 4.17.21
Author	SHA1	Message	Date
shubhamparikh2704	3feb4e5551	fix: update dagre-d3-es patch hash to prevent prototype pollution	2025-10-09 12:19:11 +05:30
shubhamparikh2704	b945696721	fix: add patch for dagre-d3-es to prevent prototype pollution	2025-10-09 12:06:37 +05:30