fix(deps): update dependency mermaid to v10.9.3 [security]
This PR contains the following updates:
| Package | Change |
|---|---|
| mermaid | 10.9.2 -> 10.9.3 |
GitHub Vulnerability Alerts
GHSA-m4gq-x24j-jpmf
Prototype pollution vulnerability found in Mermaid's bundled version of DOMPurify
Details
The following bundled files within the Mermaid NPM package contain a bundled version of DOMPurify that is vulnerable to https://github.com/cure53/DOMPurify/security/advisories/GHSA-mmhx-hmjr-r674, potentially resulting in an XSS attack.
This affects the built:
- dist/mermaid.min.js
- dist/mermaid.js
- dist/mermaid.esm.mjs
- dist/mermaid.esm.min.mjs
This will also affect users that use the above files via a CDN link, e.g. https://cdn.jsdelivr.net/npm/[email protected]/dist/mermaid.min.js
Users that use the default NPM export of mermaid, e.g. import mermaid from 'mermaid', or the dist/mermaid.core.mjs file, do not use this bundled version of DOMPurify, and can easily update using their package manager with something like npm audit fix.
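As an added example (not part of this PR or the mermaid project), the script below applies the exposure rule just described to a project: a specifier is affected only if it resolves to one of the four bundled dist files at a version below 10.9.3, while the default export and dist/mermaid.core.mjs are not. The specifier list and the pinned CDN version in it are constructed sample input.

```javascript
// Added example (not from the Renovate PR or the mermaid project): flag module
// specifiers resolving to a mermaid bundle that ships its own DOMPurify below
// the fixed version, given the project's installed mermaid version.
const AFFECTED_BUNDLES = [ // dist files the advisory lists as bundling DOMPurify
  "dist/mermaid.min.js",
  "dist/mermaid.js",
  "dist/mermaid.esm.mjs",
  "dist/mermaid.esm.min.mjs",
];
const FIXED_VERSION = [10, 9, 3]; // first fixed v10 release; 11.0.0+ is above it
// Parse "10.9.2" or "v10.9.2" into [major, minor, patch].
function parseVersion(text) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(text).trim());
  if (!m) throw new Error(`unparseable version: ${text}`);
  return m.slice(1, 4).map(Number);
}
// Numeric semver comparison: true when version >= floor.
function atLeast(version, floor) {
  for (let i = 0; i < 3; i++) {
    if (version[i] !== floor[i]) return version[i] > floor[i];
  }
  return true;
}
// Classify one specifier. A CDN URL pins its version via "mermaid@X.Y.Z"; an
// unpinned CDN URL cannot be judged offline (exposed: null); a deep import
// such as "mermaid/dist/mermaid.min.js" resolves to the installed version.
function classifySpecifier(specifier, installedVersion) {
  const bundle = AFFECTED_BUNDLES.find((b) => specifier.endsWith(b));
  if (!bundle) return { specifier, bundle: null, exposed: false };
  const pinned = /mermaid@(v?\d+\.\d+\.\d+)/.exec(specifier);
  if (/^https?:/.test(specifier) && !pinned) {
    return { specifier, bundle, exposed: null, reason: "unpinned CDN URL" };
  }
  const version = parseVersion(pinned ? pinned[1] : installedVersion);
  const exposed = !atLeast(version, FIXED_VERSION);
  return { specifier, bundle, version: version.join("."), exposed };
}
// Project verdict: true if any specifier is exposed, null if the only open
// question is an unpinned CDN URL, false otherwise.
function assessExposure(installedVersion, specifiers) {
  const findings = specifiers.map((s) => classifySpecifier(s, installedVersion));
  const exposed = findings.some((f) => f.exposed === true) || (findings.some((f) => f.exposed === null) ? null : false);
  return { exposed, findings };
}
// Constructed sample: a site on mermaid 10.9.2 (the version this PR bumps).
const SAMPLE = ["mermaid", "mermaid/dist/mermaid.core.mjs", "mermaid/dist/mermaid.esm.min.mjs",
  "https://cdn.jsdelivr.net/npm/mermaid@10.9.3/dist/mermaid.min.js"];
console.log(JSON.stringify(assessExposure("10.9.2", SAMPLE), null, 2));
```

Running it shows only the deep import of dist/mermaid.esm.min.mjs at the installed 10.9.2 as exposed; the bare import, the core build, and the CDN URL pinned at 10.9.3 are clean.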
Patches
- develop branch: 6c785c93166c151d27d328ddf68a13d9d65adc00
- backport to v10: 92a07ffe40aab2769dd1c3431b4eb5beac282b34
Severity
- CVSS Score: 7.0 / 10 (High)
- Vector String: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:H/A:L
References
- https://github.com/cure53/DOMPurify/security/advisories/GHSA-mmhx-hmjr-r674
- https://github.com/mermaid-js/mermaid/security/advisories/GHSA-m4gq-x24j-jpmf
- https://github.com/mermaid-js/mermaid/commit/6c785c93166c151d27d328ddf68a13d9d65adc00
- https://github.com/mermaid-js/mermaid/commit/92a07ffe40aab2769dd1c3431b4eb5beac282b34
- https://github.com/mermaid-js/mermaid
This data is provided by OSV and the GitHub Advisory Database (CC-BY 4.0).
Release Notes
mermaid-js/mermaid (mermaid)
v10.9.3
Updates the bundled version of dependencies in the following files:
- dist/mermaid.min.js
- dist/mermaid.js
- dist/mermaid.esm.mjs
- dist/mermaid.esm.min.mjs
If you are not using these files (e.g. you are using the default NPM export of mermaid, e.g. import mermaid from 'mermaid', or you are using dist/mermaid.core.mjs), this release is identical to v10.9.2.
This is to avoid potential security issues in KaTeX and DOMPurify, see:
- https://github.com/cure53/DOMPurify/security/advisories/GHSA-mmhx-hmjr-r674
- https://github.com/advisories/GHSA-64fm-8hw2-v72w
- https://github.com/advisories/GHSA-cvr6-37gx-v8wc
- https://github.com/advisories/GHSA-f98w-7cxr-ff2h
- https://github.com/advisories/GHSA-3wc5-fcw2-2329
These dependencies have already been updated in v11.0.0.
Changelog
Chore
- Updates the bundled version of KaTeX to 0.16.11 (2bedd0e)
- Updates the bundled version of DOMPurify to 3.1.6 (92a07ff)
Full Changelog: https://github.com/mermaid-js/mermaid/compare/v10.9.2...v10.9.3
Configuration
Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
Automerge: Disabled by config. Please merge this manually once you are satisfied.
Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
Ignore: Close this PR and you won't be reminded about this update again.
- [ ] If you want to rebase/retry this PR, check this box
This PR was generated by Mend Renovate. View the repository job log.
Deploy Preview for celo-docs ready!
| Name | Link |
|---|---|
| Latest commit | 59cd0d94f96467175a5bddd9f87f0d50c1b1df31 |
| Latest deploy log | https://app.netlify.com/sites/celo-docs/deploys/67337737793bbe00085cf7a0 |
| Deploy Preview | https://deploy-preview-1540--celo-docs.netlify.app |
| Lighthouse | 1 path audited. Performance: 55 (down 2 from production), Accessibility: 92 (no change from production), Best Practices: 75 (no change from production), SEO: 81 (no change from production), PWA: - |
New and removed dependencies detected. Learn more about Socket for GitHub.
| Package | New capabilities | Transitives | Size | Publisher |
|---|---|---|---|---|
| npm/[email protected] | None | 0 | 4.64 MB | maxkfranz |
| npm/[email protected] | None | +23 | 25.2 MB | aloisklink |
Removed packages: npm/[email protected], npm/[email protected]
