Compare commits


7 Commits

Author SHA1 Message Date
Alois Klink
85ec96a72d chore: bump mermaid version to v10.9.3
Updates the bundled version of dependencies in the following files:

- `dist/mermaid.min.js`
- `dist/mermaid.js`
- `dist/mermaid.esm.mjs`
- `dist/mermaid.esm.min.mjs`

**If you are not using these files
(e.g. you are using the default NPM export of `mermaid`,
 e.g. `import mermaid from 'mermaid'`,
 or you are using `dist/mermaid.core.mjs`),
this release is identical to v10.9.2.**

This is to avoid potential security issues in KaTeX and DOMPurify, see:

- https://github.com/cure53/DOMPurify/security/advisories/GHSA-mmhx-hmjr-r674
- https://github.com/advisories/GHSA-64fm-8hw2-v72w
- https://github.com/advisories/GHSA-cvr6-37gx-v8wc
- https://github.com/advisories/GHSA-f98w-7cxr-ff2h
- https://github.com/advisories/GHSA-3wc5-fcw2-2329

These dependencies have already been updated in
[v11.0.0](https://github.com/mermaid-js/mermaid/releases/tag/v11.0.0).

Changelog
=========

Chore
-----

- Updates the bundled version of KaTeX to 0.16.11
  (2bedd0ef87)
- Updates the bundled version of DOMPurify to 3.1.6
  (92a07ffe40)
2024-10-22 17:32:05 +09:00
Alois Klink
9301a5788a style: prettify src/diagrams/block/blockDB.ts 2024-10-10 17:44:54 +09:00
Alois Klink
2bedd0ef87 chore(deps): update katex to 0.16.11
This affects the built:

- `dist/mermaid.min.js`
- `dist/mermaid.js`
- `dist/mermaid.esm.mjs`
- `dist/mermaid.esm.min.mjs`

See: GHSA-64fm-8hw2-v72w
See: GHSA-cvr6-37gx-v8wc
See: GHSA-f98w-7cxr-ff2h
See: GHSA-3wc5-fcw2-2329
2024-10-10 17:06:09 +09:00
Alois Klink
92a07ffe40 chore(deps): update bundled DOMPurify to 3.1.6
This affects the built:

- `dist/mermaid.min.js`
- `dist/mermaid.js`
- `dist/mermaid.esm.mjs`
- `dist/mermaid.esm.min.mjs`

See: GHSA-mmhx-hmjr-r674
2024-10-10 16:53:45 +09:00
Sidharth Vinod
4dd4997c4d chore: Bump version 2024-10-02 15:01:48 +05:30
Jiahao Guo
fc61512a0a [10] ci: upgrade to pnpm/action-setup@v4 to avoid CI failures
see: https://github.com/pnpm/action-setup/issues/135

(cherry picked from commit fde668a3a6)
2024-10-02 14:52:25 +09:00
Alois Klink
402abdf883 [10] fix: ban version v3.1.7 of DOMPurify
[DOMPurify v3.1.7][1] forbids the use of `<foreignElement>` for HTML
inside of an `<svg>` element, which breaks many mermaid diagrams.

It is likely that v3.1.8 will add a new option that will allow us to
re-enable this behaviour, but v3.1.7 definitely does not work.

(cherry picked from commit de2c05cd54)

[1]: https://github.com/cure53/DOMPurify/releases/tag/3.1.7

See: https://github.com/cure53/DOMPurify/issues/1002
Fix: https://github.com/mermaid-js/mermaid/issues/5904
2024-10-02 14:30:19 +09:00
13 changed files with 22 additions and 22 deletions


@@ -18,7 +18,7 @@ jobs:
- name: Checkout
uses: actions/checkout@v4
- uses: pnpm/action-setup@v2
- uses: pnpm/action-setup@v4
- name: Setup Node.js
uses: actions/setup-node@v4
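Review bot: `pnpm/action-setup@v4` is referenced by a mutable major tag, as are `actions/checkout@v4` and `actions/setup-node@v4` in the surrounding steps, so the job runs whatever commit the tag points to when it starts. Pinning to a full commit SHA with the version kept as a trailing comment, `- uses: pnpm/action-setup@<full-commit-sha> # v4`, would make this bump reviewable and reproducible. The same applies to the other ten workflow hunks that follow, which make the identical change. The steps list starts and continues outside this hunk.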


@@ -18,7 +18,7 @@ jobs:
steps:
- uses: actions/checkout@v4
- uses: pnpm/action-setup@v2
- uses: pnpm/action-setup@v4
# uses version from "packageManager" field in package.json
- name: Setup Node.js


@@ -32,7 +32,7 @@ jobs:
- uses: actions/checkout@v4
- uses: pnpm/action-setup@v2
- uses: pnpm/action-setup@v4
# uses version from "packageManager" field in package.json
- name: Setup Node.js


@@ -28,7 +28,7 @@ jobs:
options: --user 1001
steps:
- uses: actions/checkout@v4
- uses: pnpm/action-setup@v2
- uses: pnpm/action-setup@v4
- name: Setup Node.js
uses: actions/setup-node@v4
with:
@@ -70,7 +70,7 @@ jobs:
steps:
- uses: actions/checkout@v4
- uses: pnpm/action-setup@v2
- uses: pnpm/action-setup@v4
# uses version from "packageManager" field in package.json
- name: Setup Node.js


@@ -19,7 +19,7 @@ jobs:
steps:
- uses: actions/checkout@v4
- uses: pnpm/action-setup@v2
- uses: pnpm/action-setup@v4
# uses version from "packageManager" field in package.json
- name: Setup Node.js


@@ -25,7 +25,7 @@ jobs:
- name: Checkout
uses: actions/checkout@v4
- uses: pnpm/action-setup@v2
- uses: pnpm/action-setup@v4
- name: Setup Node.js
uses: actions/setup-node@v4


@@ -13,7 +13,7 @@ jobs:
with:
fetch-depth: 0
- uses: pnpm/action-setup@v2
- uses: pnpm/action-setup@v4
- name: Setup Node.js
uses: actions/setup-node@v4


@@ -11,7 +11,7 @@ jobs:
- uses: actions/checkout@v4
- uses: fregante/setup-git-user@v2
- uses: pnpm/action-setup@v2
- uses: pnpm/action-setup@v4
# uses version from "packageManager" field in package.json
- name: Setup Node.js


@@ -11,7 +11,7 @@ jobs:
steps:
- uses: actions/checkout@v4
- uses: pnpm/action-setup@v2
- uses: pnpm/action-setup@v4
# uses version from "packageManager" field in package.json
- name: Setup Node.js


@@ -9,7 +9,7 @@ jobs:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v4
- uses: pnpm/action-setup@v2
- uses: pnpm/action-setup@v4
- run: npx update-browserslist-db@latest
- name: Commit changes
uses: EndBug/add-and-commit@v9
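Review bot: `npx update-browserslist-db@latest` downloads and executes whatever version is newest on the registry at run time, and the next step commits the result through `EndBug/add-and-commit@v9`, so this job presumably holds write access to the repository. Resolving the tool to an exact version, `- run: npx update-browserslist-db@<pinned-version>`, or through a lockfile-resolved devDependency would keep unreviewed code out of a job that pushes commits. If the job does not already declare it, a `permissions:` block limited to `contents: write` would bound what that step can reach. The job definition continues outside the hunk, so existing permissions could not be checked.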


@@ -1,6 +1,6 @@
{
"name": "mermaid",
"version": "10.9.1",
"version": "10.9.3",
"description": "Markdown-ish syntax for generating flowcharts, sequence diagrams, class diagrams, gantt charts and git graphs.",
"type": "module",
"module": "./dist/mermaid.core.mjs",
@@ -68,7 +68,7 @@
"d3-sankey": "^0.12.3",
"dagre-d3-es": "7.0.10",
"dayjs": "^1.11.7",
"dompurify": "^3.0.5",
"dompurify": "^3.0.5 <3.1.7",
"elkjs": "^0.9.0",
"katex": "^0.16.9",
"khroma": "^2.0.0",
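Review bot: The new range `"dompurify": "^3.0.5 <3.1.7"` in the second hunk caps DOMPurify below 3.1.7 but leaves the floor at 3.0.5, so an npm consumer with an older lockfile can still resolve a release older than the 3.1.6 that this compare bundles with a reference to GHSA-mmhx-hmjr-r674. If that advisory is the reason for the bundle update, raising the floor, e.g. `"dompurify": "^3.1.6 <3.1.7"`, would carry the same protection to npm installs; the release notes say the npm export is intentionally unchanged from v10.9.2, so this may be a deliberate trade-off worth stating next to the range. The upper bound also keeps every later DOMPurify security release out of the 10.x line, so it needs a tracked follow-up to lift it once upstream restores the behaviour mermaid depends on.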


@@ -20,7 +20,7 @@ const config = getConfig();
let classes = {} as Record<string, ClassDef>;
const sanitizeText = (txt:string) => common.sanitizeText(txt, config);
const sanitizeText = (txt: string) => common.sanitizeText(txt, config);
/**
* Called when the parser comes across a (style) class definition
@@ -93,7 +93,7 @@ const populateBlockDatabase = (_blockList: Block[] | Block[][], parent: Block):
const children = [];
for (const block of blockList) {
if (block.label) {
block.label = sanitizeText(block.label);
block.label = sanitizeText(block.label);
}
if (block.type === 'classDef') {
addStyleClass(block.id, block.css);

14
pnpm-lock.yaml generated

@@ -227,14 +227,14 @@ importers:
specifier: ^1.11.7
version: 1.11.10
dompurify:
specifier: ^3.0.5
version: 3.0.9
specifier: ^3.0.5 <3.1.7
version: 3.1.6
elkjs:
specifier: ^0.9.0
version: 0.9.2
katex:
specifier: ^0.16.9
version: 0.16.9
version: 0.16.11
khroma:
specifier: ^2.0.0
version: 2.1.0
@@ -8833,8 +8833,8 @@ packages:
domelementtype: 2.3.0
dev: true
/dompurify@3.0.9:
resolution: {integrity: sha512-uyb4NDIvQ3hRn6NiC+SIFaP4mJ/MdXlvtunaqK9Bn6dD3RuB/1S/gasEjDHD8eiaqdSael2vBv+hOs7Y+jhYOQ==}
/dompurify@3.1.6:
resolution: {integrity: sha512-cTOAhc36AalkjtBpfG6O8JimdTMWNXjiePT2xQH/ppBGi/4uIpmj8eKyIkMJErXWARyINV/sB38yf8JCLF5pbQ==}
dev: false
/domutils@3.1.0:
@@ -12081,8 +12081,8 @@ packages:
engines: {node: '>=12.20'}
dev: true
/katex@0.16.9:
resolution: {integrity: sha512-fsSYjWS0EEOwvy81j3vRA8TEAhQhKiqO+FQaKWp0m39qwOzHVBgAUBIXWj1pB+O2W3fIpNa6Y9KSKCVbfPhyAQ==}
/katex@0.16.11:
resolution: {integrity: sha512-RQrI8rlHY92OLf3rho/Ts8i/XvjgguEjOkO1BEXcU3N8BqPpSzBNwV/G0Ukr+P/l3ivvJUE/Fa/CwbS6HesGNQ==}
hasBin: true
dependencies:
commander: 8.3.0