refactor: remove unnecessary Element check

[DOMPurify v3.2.2][1] narrowed down the types of these hooks so that these are known to have the `Element` type, which means checking the type of these at runtime is unnecessary. [1]: https://github.com/cure53/DOMPurify/releases/tag/3.2.2 See: fe3cffbb67 See: 4cdfd1ffef Cherry-picked-from: 7a1530d911
fix(deps): update dependency dompurify to ^3.2.4
2025-11-01 19:34:17 +01:00 · 2025-10-29 02:40:54 +09:00 · 2025-10-29 02:40:31 +09:00 · 2025-10-29 02:28:51 +09:00 · 2025-10-28 01:16:26 +09:00
5 changed files with 59 additions and 27 deletions
--- a/docs/config/setup/modules/mermaidAPI.md
+++ b/docs/config/setup/modules/mermaidAPI.md
@@ -96,7 +96,7 @@ mermaid.initialize(config);

 #### Defined in

-[mermaidAPI.ts:607](https://github.com/mermaid-js/mermaid/blob/master/packages/mermaid/src/mermaidAPI.ts#L607)
+[mermaidAPI.ts:608](https://github.com/mermaid-js/mermaid/blob/master/packages/mermaid/src/mermaidAPI.ts#L608)

 ## Functions

--- a/packages/mermaid/package.json
+++ b/packages/mermaid/package.json
@@ -66,9 +66,9 @@
    "cytoscape-cose-bilkent": "^4.1.0",
    "d3": "^7.4.0",
    "d3-sankey": "^0.12.3",
-    "dagre-d3-es": "7.0.10",
+    "dagre-d3-es": "7.0.13",
    "dayjs": "^1.11.7",
-    "dompurify": "^3.0.5 <3.1.7",
+    "dompurify": "^3.2.4",
    "elkjs": "^0.9.0",
    "katex": "^0.16.9",
    "khroma": "^2.0.0",
@@ -88,7 +88,6 @@
    "@types/d3-scale": "^4.0.3",
    "@types/d3-selection": "^3.0.5",
    "@types/d3-shape": "^3.1.1",
-    "@types/dompurify": "^3.0.2",
    "@types/jsdom": "^21.1.1",
    "@types/katex": "^0.16.7",
    "@types/lodash-es": "^4.17.7",
--- a/packages/mermaid/src/diagrams/common/common.ts
+++ b/packages/mermaid/src/diagrams/common/common.ts
@@ -32,15 +32,15 @@ const setupDompurifyHooksIfNotSetup = (() => {
 function setupDompurifyHooks() {
  const TEMPORARY_ATTRIBUTE = 'data-temp-href-target';

-  DOMPurify.addHook('beforeSanitizeAttributes', (node: Element) => {
+  DOMPurify.addHook('beforeSanitizeAttributes', (node) => {
    if (node.tagName === 'A' && node.hasAttribute('target')) {
-      node.setAttribute(TEMPORARY_ATTRIBUTE, node.getAttribute('target') || '');
+      node.setAttribute(TEMPORARY_ATTRIBUTE, node.getAttribute('target') ?? '');
    }
  });

-  DOMPurify.addHook('afterSanitizeAttributes', (node: Element) => {
+  DOMPurify.addHook('afterSanitizeAttributes', (node) => {
    if (node.tagName === 'A' && node.hasAttribute(TEMPORARY_ATTRIBUTE)) {
-      node.setAttribute('target', node.getAttribute(TEMPORARY_ATTRIBUTE) || '');
+      node.setAttribute('target', node.getAttribute(TEMPORARY_ATTRIBUTE) ?? '');
      node.removeAttribute(TEMPORARY_ATTRIBUTE);
      if (node.getAttribute('target') === '_blank') {
        node.setAttribute('rel', 'noopener');
--- a/packages/mermaid/src/mermaidAPI.ts
+++ b/packages/mermaid/src/mermaidAPI.ts
@@ -464,6 +464,7 @@ const render = async function (
    svgCode = DOMPurify.sanitize(svgCode, {
      ADD_TAGS: DOMPURIFY_TAGS,
      ADD_ATTR: DOMPURIFY_ATTR,
+      HTML_INTEGRATION_POINTS: { foreignobject: true },
    });
  }

--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -221,14 +221,14 @@ importers:
        specifier: ^0.12.3
        version: 0.12.3
      dagre-d3-es:
-        specifier: 7.0.10
-        version: 7.0.10
+        specifier: 7.0.13
+        version: 7.0.13
      dayjs:
        specifier: ^1.11.7
        version: 1.11.10
      dompurify:
-        specifier: ^3.0.5 <3.1.7
-        version: 3.1.6
+        specifier: ^3.2.4
+        version: 3.2.4
      elkjs:
        specifier: ^0.9.0
        version: 0.9.2
@@ -278,9 +278,6 @@ importers:
      '@types/d3-shape':
        specifier: ^3.1.1
        version: 3.1.6
-      '@types/dompurify':
-        specifier: ^3.0.2
-        version: 3.0.5
      '@types/jsdom':
        specifier: ^21.1.1
        version: 21.1.6
@@ -5012,12 +5009,6 @@ packages:
    dependencies:
      '@types/ms': 0.7.34

-  /@types/dompurify@3.0.5:
-    resolution: {integrity: sha512-1Wg0g3BtQF7sSb27fJQAKck1HECM6zV1EB66j8JH9i3LCjYabJa0FSdiSgsD5K/RbrsR0SiraKacLB+T8ZVYAg==}
-    dependencies:
-      '@types/trusted-types': 2.0.7
-    dev: true
-
  /@types/eslint-scope@3.7.4:
    resolution: {integrity: sha512-9K4zoImiZc3HlIp6AVUDE4CWYx22a+lhSZMYNpbjW04+YF0KWj4pJXnEMjdnFTiQibFFmElcsasJXDbdI/EPhA==}
    dependencies:
@@ -5406,7 +5397,9 @@ packages:

  /@types/trusted-types@2.0.7:
    resolution: {integrity: sha512-ScaPdn1dQczgbl0QFTeTOmVHFULt394XJgOQNoyVhZ6r2vLnMLJfBPd53SB52T/3G36VI1/g2MZaX0cwDuXsfw==}
-    dev: true
+    requiresBuild: true
+    dev: false
+    optional: true

  /@types/unist@2.0.10:
    resolution: {integrity: sha512-IfYcSBWE3hLpBg8+X2SEa8LVkJdJEkT2Ese2aaLs3ptGdVtABxndrMaxuFlQ1qdFf9Q5rDvDpxI3WwgvKFAsQA==}
@@ -8510,6 +8503,42 @@ packages:
      d3-zoom: 3.0.0
    dev: false

+  /d3@7.9.0:
+    resolution: {integrity: sha512-e1U46jVP+w7Iut8Jt8ri1YsPOvFpg46k+K8TpCb0P+zjCkjkPnV7WzfDJzMHy1LnA+wj5pLT1wjO901gLXeEhA==}
+    engines: {node: '>=12'}
+    dependencies:
+      d3-array: 3.2.4
+      d3-axis: 3.0.0
+      d3-brush: 3.0.0
+      d3-chord: 3.0.1
+      d3-color: 3.1.0
+      d3-contour: 4.0.2
+      d3-delaunay: 6.0.4
+      d3-dispatch: 3.0.1
+      d3-drag: 3.0.0
+      d3-dsv: 3.0.1
+      d3-ease: 3.0.1
+      d3-fetch: 3.0.1
+      d3-force: 3.0.0
+      d3-format: 3.1.0
+      d3-geo: 3.1.0
+      d3-hierarchy: 3.1.2
+      d3-interpolate: 3.0.1
+      d3-path: 3.1.0
+      d3-polygon: 3.0.1
+      d3-quadtree: 3.0.1
+      d3-random: 3.0.1
+      d3-scale: 4.0.2
+      d3-scale-chromatic: 3.0.0
+      d3-selection: 3.0.0
+      d3-shape: 3.2.0
+      d3-time: 3.1.0
+      d3-time-format: 4.1.0
+      d3-timer: 3.0.1
+      d3-transition: 3.0.1(d3-selection@3.0.0)
+      d3-zoom: 3.0.0
+    dev: false
+
  /d@1.0.2:
    resolution: {integrity: sha512-MOqHvMWF9/9MX6nza0KgvFH4HpMU0EF5uUDXqX/BtxtU8NfB0QzRtJ8Oe/6SuS4kbhyzVJwjd97EA4PKrzJ8bw==}
    engines: {node: '>=0.12'}
@@ -8518,10 +8547,10 @@ packages:
      type: 2.7.2
    dev: true

-  /dagre-d3-es@7.0.10:
-    resolution: {integrity: sha512-qTCQmEhcynucuaZgY5/+ti3X/rnszKZhEQH/ZdWdtP1tA/y3VoHJzcVrO9pjjJCNpigfscAtoUB5ONcd2wNn0A==}
+  /dagre-d3-es@7.0.13:
+    resolution: {integrity: sha512-efEhnxpSuwpYOKRm/L5KbqoZmNNukHa/Flty4Wp62JRvgH2ojwVgPgdYyr4twpieZnyRDdIH7PY2mopX26+j2Q==}
    dependencies:
-      d3: 7.8.5
+      d3: 7.9.0
      lodash-es: 4.17.21
    dev: false

@@ -8833,8 +8862,10 @@ packages:
      domelementtype: 2.3.0
    dev: true

-  /dompurify@3.1.6:
-    resolution: {integrity: sha512-cTOAhc36AalkjtBpfG6O8JimdTMWNXjiePT2xQH/ppBGi/4uIpmj8eKyIkMJErXWARyINV/sB38yf8JCLF5pbQ==}
+  /dompurify@3.2.4:
+    resolution: {integrity: sha512-ysFSFEDVduQpyhzAob/kkuJjf5zWkZD8/A9ywSp1byueyuCfHamrCBa14/Oc2iiB0e51B+NpxSl5gmzn+Ms/mg==}
+    optionalDependencies:
+      '@types/trusted-types': 2.0.7
    dev: false

  /domutils@3.1.0:
@@ -15045,6 +15076,7 @@ packages:
  /source-map@0.8.0-beta.0:
    resolution: {integrity: sha512-2ymg6oRBpebeZi9UUNsgQ89bhx01TcTkmNTGnNO88imTmbSgy4nfujrgVEFKWpMTEGA11EDkTt7mqObTPdigIA==}
    engines: {node: '>= 8'}
+    deprecated: The work that was done in this beta branch won't be included in future versions
    dependencies:
      whatwg-url: 7.1.0
    dev: true
Author	SHA1	Message	Date
Alois Klink	5b3912f9ec	refactor: remove unnecessary `Element` check [DOMPurify v3.2.2][1] narrowed down the types of these hooks so that these are known to have the `Element` type, which means checking the type of these at runtime is unnecessary. [1]: https://github.com/cure53/DOMPurify/releases/tag/3.2.2 See: `fe3cffbb67` See: `4cdfd1ffef` Cherry-picked-from: `7a1530d911`	2025-10-29 02:40:54 +09:00
renovate[bot]	01ff8c52b2	fix(deps): update dependency dompurify to ^3.2.4 Cherry-picked-from: `33f9d8bdc9`	2025-10-29 02:40:31 +09:00
Alois Klink	d9618daab6	chore: update dompurify to `^3.2.1` As [DOMPurify 3.2.0 added TypeScript types][1], this means that we can remove our dependency on the `@types/dompurify` package. [DOMPurify 3.2.0 also adds the `HTML_INTEGRATION_POINTS` option][2], which adds back support for `<foreignObject>`, [which broke in DOMPurify 3.1.7.][3] [1]: https://github.com/cure53/DOMPurify/releases/tag/3.2.0 [2]: `e4caa67971` [3]: `de2c05cd54` Cherry-picked-from: `fe3cffbb67` Fixes: https://github.com/mermaid-js/mermaid/issues/6328	2025-10-29 02:28:51 +09:00
shubhamparikh2704	a65bcc55af	fix: update dagre-d3-es to version 7.0.13 This backports the hotfix release from v11.12.1 into v10. Cherry-picked-from: `cbf89462ac` Fixes: CVE-2025-57347	2025-10-28 01:16:26 +09:00