fix: update dagre-d3-es patch hash to prevent prototype pollution

fix: add patch for dagre-d3-es to prevent prototype pollution
Merge pull request #7054 from mermaid-js/fix/update-argos-ci-version
2025-10-12 10:39:44 +02:00 · 2025-10-09 12:19:11 +05:30 · 2025-10-09 12:06:37 +05:30 · 2025-10-07 08:34:58 +00:00 · 2025-10-07 13:39:28 +05:30
6 changed files with 66 additions and 48 deletions
--- a/.changeset/curly-apes-prove.md
+++ b/.changeset/curly-apes-prove.md
@@ -1,5 +0,0 @@
---
-'mermaid': patch
---
-
-fix: Improve participant parsing and prevent recursive loops on invalid syntax
--- a/package.json
+++ b/package.json
@@ -64,7 +64,7 @@
  },
  "devDependencies": {
    "@applitools/eyes-cypress": "^3.55.2",
-    "@argos-ci/cypress": "^6.1.1",
+    "@argos-ci/cypress": "^6.1.3",
    "@changesets/changelog-github": "^0.5.1",
    "@changesets/cli": "^2.29.7",
    "@cspell/eslint-plugin": "^8.19.4",
@@ -136,7 +136,8 @@
  },
  "pnpm": {
    "patchedDependencies": {
-      "roughjs": "patches/roughjs.patch"
+      "roughjs": "patches/roughjs.patch",
+      "dagre-d3-es@7.0.11": "patches/dagre-d3-es@7.0.11.patch"
    },
    "onlyBuiltDependencies": [
      "canvas",
--- a/packages/mermaid/src/diagrams/sequence/parser/sequenceDiagram.jison
+++ b/packages/mermaid/src/diagrams/sequence/parser/sequenceDiagram.jison
@@ -32,14 +32,13 @@
 <CONFIG>[^\}]+                                                  { return 'CONFIG_CONTENT'; }
 <CONFIG>\}                                                      { this.popState(); this.popState(); return 'CONFIG_END'; }
 <ID>[^\<->\->:\n,;@\s]+(?=\@\{)                                 { yytext = yytext.trim(); return 'ACTOR'; }
-<ID>[^<>:\n,;@\s]+(?=\s+as\s)                                   { yytext = yytext.trim(); this.begin('ALIAS'); return 'ACTOR'; }
-<ID>[^<>:\n,;@]+(?=\s*[\n;#]|$)                                 { yytext = yytext.trim(); this.popState(); return 'ACTOR'; }
-<ID>[^<>:\n,;@]*\<[^\n]*                                        { this.popState(); return 'INVALID'; }
+<ID>[^\<->\->:\n,;@]+?([\-]*[^\<->\->:\n,;@]+?)*?(?=((?!\n)\s)+"as"(?!\n)\s|[#\n;]|$) { yytext = yytext.trim(); this.begin('ALIAS'); return 'ACTOR'; }
 "box"															{ this.begin('LINE'); return 'box'; }
 "participant"                                                   { this.begin('ID'); return 'participant'; }
 "actor"                                                   		{ this.begin('ID'); return 'participant_actor'; }
 "create"                                                        return 'create';
 "destroy"                                                       { this.begin('ID'); return 'destroy'; }
+<ID>[^<\->\->:\n,;]+?([\-]*[^<\->\->:\n,;]+?)*?(?=((?!\n)\s)+"as"(?!\n)\s|[#\n;]|$)     { yytext = yytext.trim(); this.begin('ALIAS'); return 'ACTOR'; }
 <ALIAS>"as"                                                     { this.popState(); this.popState(); this.begin('LINE'); return 'AS'; }
 <ALIAS>(?:)                                                     { this.popState(); this.popState(); return 'NEWLINE'; }
 "loop"                                                          { this.begin('LINE'); return 'loop'; }
@@ -146,7 +145,6 @@ line
 	: SPACE statement { $$ = $2 }
 	| statement { $$ = $1 }
 	| NEWLINE { $$=[]; }
-	| INVALID { $$=[]; }
 	;

 box_section
@@ -413,4 +411,4 @@ text2
  : TXT {$$ = yy.parseMessage($1.trim().substring(1)) }
  ;

-%%
+%%
--- a/packages/mermaid/src/diagrams/sequence/sequenceDiagram.spec.js
+++ b/packages/mermaid/src/diagrams/sequence/sequenceDiagram.spec.js
@@ -2609,17 +2609,5 @@ Bob->>Alice:Got it!
      expect(actors.get('E').type).toBe('entity');
      expect(actors.get('E').description).toBe('E');
    });
-    it('should handle fail parsing when alias token causes conflicts in participant definition', async () => {
-      let error = false;
-      try {
-        await Diagram.fromText(`
-        sequenceDiagram
-        participant SAS MyServiceWithMoreThan20Chars <br> service decription
-       `);
-      } catch (e) {
-        error = true;
-      }
-      expect(error).toBe(true);
-    });
  });
 });
--- a/patches/dagre-d3-es@7.0.11.patch
+++ b/patches/dagre-d3-es@7.0.11.patch
@@ -0,0 +1,33 @@
+diff --git a/src/dagre/position/bk.js b/src/dagre/position/bk.js
+index d4aabdcef2c788873b799489cf27d48aaa0a2ee6..72beff8b3830f1e3241455400f68843888b60a06 100644
+--- a/src/dagre/position/bk.js
+++ b/src/dagre/position/bk.js
+@@ -129,6 +129,16 @@ function findOtherInnerSegmentNode(g, v) {
+   }
+ }
+ 
+/**
+ * Check if a key is safe to use as an object property to prevent prototype pollution
+ * @param {*} key - The key to check
+ * @returns {boolean} - True if the key is safe, false otherwise
+ */
+function isSafeKey(key) {
+  // Reject prototype pollution vectors
+  return key !== '__proto__' && key !== 'constructor' && key !== 'prototype';
+}
+
+ function addConflict(conflicts, v, w) {
+   if (v > w) {
+     var tmp = v;
+@@ -136,6 +146,11 @@ function addConflict(conflicts, v, w) {
+     w = tmp;
+   }
+ 
+  // Validate keys to prevent prototype pollution
+  if (!isSafeKey(v) || !isSafeKey(w)) {
+    return;
+  }
+
+   var conflictsV = conflicts[v];
+   if (!conflictsV) {
+     conflicts[v] = conflictsV = {};
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -5,6 +5,9 @@ settings:
  excludeLinksFromLockfile: false

 patchedDependencies:
+  dagre-d3-es@7.0.11:
+    hash: 9305508c97f786851c4d8a847b5dbb3e46e759f964305997bd486f8745290188
+    path: patches/dagre-d3-es@7.0.11.patch
  roughjs:
    hash: 3543d47108cb41b68ec6a671c0e1f9d0cfe2ce524fea5b0992511ae84c3c6b64
    path: patches/roughjs.patch
@@ -17,8 +20,8 @@ importers:
        specifier: ^3.55.2
        version: 3.55.2(encoding@0.1.13)(typescript@5.7.3)
      '@argos-ci/cypress':
-        specifier: ^6.1.1
-        version: 6.1.1(cypress@14.5.4)
+        specifier: ^6.1.3
+        version: 6.1.3(cypress@14.5.4)
      '@changesets/changelog-github':
        specifier: ^0.5.1
        version: 0.5.1(encoding@0.1.13)
@@ -252,7 +255,7 @@ importers:
        version: 0.12.3
      dagre-d3-es:
        specifier: 7.0.11
-        version: 7.0.11
+        version: 7.0.11(patch_hash=9305508c97f786851c4d8a847b5dbb3e46e759f964305997bd486f8745290188)
      dayjs:
        specifier: ^1.11.18
        version: 1.11.18
@@ -793,26 +796,26 @@ packages:
    resolution: {integrity: sha512-8mBaNNJ0zUBlb09ycc8aFTKajoqEu+E7M7kdV1IENIwuVOI3ecM6x9vr4ptWQz0LTnel7M+L3NPqAGJqoQ3AKA==}
    engines: {node: '>=12.13.0'}

-  '@argos-ci/api-client@0.11.0':
-    resolution: {integrity: sha512-mv7LWrJfEDjjs+CmAJaM1GIexpb3A8TwuyTUCTKgDp/SHdbU0uF8uC6lV4P/mfeGIvBYZzIRKq/frd+IETlC2g==}
+  '@argos-ci/api-client@0.12.0':
+    resolution: {integrity: sha512-WfhI+StLJKIKERWQaIm7Kv1/k+YO/CYIp3djDVhZIU6mv/8yalyNXHnkRC6ofq1kPpmRvoag1KW79/C2WsB4Ag==}
    engines: {node: '>=20.0.0'}

  '@argos-ci/browser@5.0.0':
    resolution: {integrity: sha512-SKAD7EXoLX4u50dzTIT/ABnpD284+DnBfoJM0ZrTIav2eiiVJyknNKSznF5w118lYGnYvugTXbKMnukGPzJeOA==}
    engines: {node: '>=20.0.0'}

-  '@argos-ci/core@4.1.5':
-    resolution: {integrity: sha512-tPsbnSuHEClkdGLUU/qHTNsMe3kAPBvz0DK0nkv6Z18N0imEbzVg+ggmcTmc2x2yEm7i1V456Z2MLhFvTqXnlw==}
+  '@argos-ci/core@4.2.0':
+    resolution: {integrity: sha512-3RNyBZ84pYfQ8dn/Ivv5ls2x2rgqFuh8wA8e4ugggA5lx2dE7a6yghJw8cPzud+zbHrpOntl/HBM3akh2SXLkw==}
    engines: {node: '>=20.0.0'}

-  '@argos-ci/cypress@6.1.1':
-    resolution: {integrity: sha512-fs6K2o7vEiAjBtQhrB6cp7YG6beYBRI9WyVbAHRVYyhdEic36agAqQ7/q3tx8d+uf7nXjjtZuW7KGUxjBmC9MA==}
+  '@argos-ci/cypress@6.1.3':
+    resolution: {integrity: sha512-JlBabUsksKXH7QT2M47dhBNHRxNwW+GQ1lvBT/mgGaFJX8P/GqLkEEmKolf1YBn28MFemQmjuK4G+z5Pjs3rLg==}
    engines: {node: '>=20.0.0'}
    peerDependencies:
      cypress: ^12.0.0 || ^13.0.0 || ^14.0.0

-  '@argos-ci/util@3.1.0':
-    resolution: {integrity: sha512-QM0IwJGm9YsRdsvTAskQab9iXpQOTOOLb+h9Yev76L2TzoLZ2tM9QO+pYNNlX9YLK5dYr/H/pBNQ1lWr130Jjw==}
+  '@argos-ci/util@3.1.1':
+    resolution: {integrity: sha512-sGb9PS7yqdVVtxpxRD1Nfter3kaioC4nPPTknVmMSqo2GQKO1gdmjMJtwHY+Nf9FgiMfwpTCnk8Rrf0pjS3Sug==}
    engines: {node: '>=20.0.0'}

  '@asamuzakjp/css-color@3.2.0':
@@ -7603,8 +7606,8 @@ packages:
    resolution: {integrity: sha512-7x81NCL719oNbsq/3mh+hVrAWmFuEYUqrq/Iw3kUzH8ReypT9QQ0BLoJS7/G9k6N81XjW4qHWtjWwe/9eLy1EQ==}
    engines: {node: '>=12'}

-  openapi-fetch@0.14.0:
-    resolution: {integrity: sha512-PshIdm1NgdLvb05zp8LqRQMNSKzIlPkyMxYFxwyHR+UlKD4t2nUjkDhNxeRbhRSEd3x5EUNh2w5sJYwkhOH4fg==}
+  openapi-fetch@0.14.1:
+    resolution: {integrity: sha512-l7RarRHxlEZYjMLd/PR0slfMVse2/vvIAGm75/F7J6MlQ8/b9uUQmUF2kCPrQhJqMXSxmYWObVgeYXbFYzZR+A==}

  openapi-typescript-helpers@0.0.15:
    resolution: {integrity: sha512-opyTPaunsklCBpTK8JGef6mfPhLSnyy5a0IN9vKtx3+4aExf+KxEqYwIy3hqkedXIB97u357uLMJsOnm3GVjsw==}
@@ -10298,19 +10301,19 @@ snapshots:

  '@applitools/utils@1.12.0': {}

-  '@argos-ci/api-client@0.11.0':
+  '@argos-ci/api-client@0.12.0':
    dependencies:
      debug: 4.4.3(supports-color@8.1.1)
-      openapi-fetch: 0.14.0
+      openapi-fetch: 0.14.1
    transitivePeerDependencies:
      - supports-color

  '@argos-ci/browser@5.0.0': {}

-  '@argos-ci/core@4.1.5':
+  '@argos-ci/core@4.2.0':
    dependencies:
-      '@argos-ci/api-client': 0.11.0
-      '@argos-ci/util': 3.1.0
+      '@argos-ci/api-client': 0.12.0
+      '@argos-ci/util': 3.1.1
      convict: 6.2.4
      debug: 4.4.3(supports-color@8.1.1)
      fast-glob: 3.3.3
@@ -10319,17 +10322,17 @@ snapshots:
    transitivePeerDependencies:
      - supports-color

-  '@argos-ci/cypress@6.1.1(cypress@14.5.4)':
+  '@argos-ci/cypress@6.1.3(cypress@14.5.4)':
    dependencies:
      '@argos-ci/browser': 5.0.0
-      '@argos-ci/core': 4.1.5
-      '@argos-ci/util': 3.1.0
+      '@argos-ci/core': 4.2.0
+      '@argos-ci/util': 3.1.1
      cypress: 14.5.4
      cypress-wait-until: 3.0.2
    transitivePeerDependencies:
      - supports-color

-  '@argos-ci/util@3.1.0': {}
+  '@argos-ci/util@3.1.1': {}

  '@asamuzakjp/css-color@3.2.0':
    dependencies:
@@ -15161,7 +15164,7 @@ snapshots:
      d3-transition: 3.0.1(d3-selection@3.0.0)
      d3-zoom: 3.0.0

-  dagre-d3-es@7.0.11:
+  dagre-d3-es@7.0.11(patch_hash=9305508c97f786851c4d8a847b5dbb3e46e759f964305997bd486f8745290188):
    dependencies:
      d3: 7.9.0
      lodash-es: 4.17.21
@@ -18528,7 +18531,7 @@ snapshots:
      is-docker: 2.2.1
      is-wsl: 2.2.0

-  openapi-fetch@0.14.0:
+  openapi-fetch@0.14.1:
    dependencies:
      openapi-typescript-helpers: 0.0.15
Author	SHA1	Message	Date
shubhamparikh2704	3feb4e5551	fix: update dagre-d3-es patch hash to prevent prototype pollution	2025-10-09 12:19:11 +05:30
shubhamparikh2704	b945696721	fix: add patch for dagre-d3-es to prevent prototype pollution	2025-10-09 12:06:37 +05:30
Shubham P	c728d864c8	Merge pull request #7054 from mermaid-js/fix/update-argos-ci-version fix: update @argos-ci/cypress to version 6.1.3	2025-10-07 08:34:58 +00:00
shubhamparikh2704	99f17bea3a	fix: update @argos-ci/cypress to version 6.1.3	2025-10-07 13:39:28 +05:30