This repository was archived by the owner on Jan 16, 2025. It is now read-only.
patch: Update dependency mermaid to v9 [SECURITY]#1617
Open
renovate[bot] wants to merge 1 commit into
Open
Conversation
4442cc1 to
da468c9
Compare
da468c9 to
2c550d5
Compare
2c550d5 to
4bfefc1
Compare
4bfefc1 to
69127a5
Compare
dba73df to
8045d93
Compare
8045d93 to
674f205
Compare
674f205 to
cf42f9e
Compare
cf42f9e to
1a8febe
Compare
1a8febe to
724e331
Compare
724e331 to
76e4fcc
Compare
76e4fcc to
34a143d
Compare
34a143d to
19670c8
Compare
19670c8 to
35929d8
Compare
35929d8 to
929d703
Compare
780ef38 to
e78bdcb
Compare
e78bdcb to
9f9ee13
Compare
9f9ee13 to
331eb25
Compare
331eb25 to
ddc14cf
Compare
ddc14cf to
85adbc9
Compare
85adbc9 to
d21b4ed
Compare
d21b4ed to
c60aa14
Compare
7c7e95d to
25f02a7
Compare
25f02a7 to
581abd2
Compare
581abd2 to
13253ff
Compare
13253ff to
93dc890
Compare
93dc890 to
93fc585
Compare
93fc585 to
b671f12
Compare
Update mermaid from 8.14.0 to 9.1.2 Change-type: patch
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
^8.13.9->^9.0.0GitHub Vulnerability Alerts
CVE-2022-31108
An attacker is able to inject arbitrary
CSSinto the generated graph allowing them to change the styling of elements outside of the generated graph, and potentially exfiltrate sensitive information by using specially craftedCSSselectors.The following example shows how an attacker can exfiltrate the contents of an input field by bruteforcing the
valueattribute one character at a time. Whenever there is an actual match, anhttprequest will be made by the browser in order to "load" a background image that will let an attacker know what's the value of the character.Patches
Has the problem been patched? What versions should users upgrade to?
Workarounds
Is there a way for users to fix or remediate the vulnerability without upgrading?
References
Are there any links users can visit to find out more?
For more information
If you have any questions or comments about this advisory:
Product
mermaid.js
Tested Version
v9.1.1
Details
Issue 1: Multiple CSS Injection (
GHSL-2022-036)By supplying a carefully crafted
textColortheme variable, an attacker can inject arbitraryCSSrules into the document. In the following snippet we can see thatgetStylesdoes not sanitize any of the theme variables leaving the door open forCSSinjection.Snippet from src/styles.js:
For example, if we set
textColorto"green;} #target { background-color: crimson }"the resultingCSSwill contain a new selector#targetthat will apply acrimsonbackground color to an arbitrary element.In the proof of concept above we used the
textColorvariable to injectCSS, but there are multiple functions that can potentially be abused to change the style of the document. Some of them are in the following list but we encourage mantainers to look for additional injection points:Impact
This issue may lead to
Information Disclosurevia CSS selectors and functions able to generate HTTP requests. This also allows an attacker to change the document in ways which may lead a user to perform unintended actions, such as clicking on a link, etc.Remediation
Ensure that user input is adequately escaped before embedding it in CSS blocks.
Release Notes
knsv/mermaid
v9.1.2Compare Source
Release Notes
🚀 Features
Add support for cyclic themeVariable rotation when more than 8 branches (#3049) @ashishjain0512
#3060 support cherry commit in gitgraph (#3115) @ashishjain0512
#3080 Adding rotated commit label functionality (#3113) @ashishjain0512
feat: adding "Critical Region"/"Option" and "Break" blocks to sequence diagram (#3063) @financelurker
[Experimental] Add C4 Diagram. Compatible with C4-PlantUML syntax. (#3038) @pinghe
Bug Fixes & Cleanup
Documentation
Dependecy updates
🎉 Thanks to all contributors helping with this release! 🎉
v9.1.1Compare Source
Release Notes
🎉 Thanks to all contributors helping with this release! 🎉
v9.1.0Compare Source
Release Notes
🚀 Features
Accessibility added to the charts (#3008) (#2732) @knsv @gwincr11 @therzka @khiga8 @el-mapache @lindseywild
feat: add hideUnusedParticipants and some cleanup (#2943) @Yash-Singh1
Added default new line in the diagram text before parsing for special… (#2983) @ashishjain0512
Added support to change the position of the main branch (#3010) @ashishjain0512
Sequence autonumbering and Git fix options parsing (#2981) @Zumbala
GitGraph: add support for branch ordering (#3002) @husa
fix mermaidAPI.parse() behavior to match documentation, add tests to ensure behavior matches docs (#3004) @timmaffett
protect config.js from attempting to use invalid theme name (which corrupted mermaid use until reset()) (#2987) @timmaffett
Handling flowchart link style for html labels using legacy renderer #2951
Documentation
Dependecy updates
🎉 Thanks to all contributors helping with this release! 🎉
v9.0.1Compare Source
Release Notes
🐛 Bug Fixes
🎉 Thanks to all contributors helping with this release! 🎉
v9.0.0Compare Source
Release Notes
Main feature
Moving the gitGraph from experimental alpha status to a fully supported diagram type which handles theming and directives. The grammar has changed slightly from the alpha version, and no longer supports reset operations and some internal fast-forwarding has been removed for simplicity. Some few GitGraphs based on the alpha version might break with the update. This is the reason for the major version number update.
We now support:
Other changes:
Documentation updates
mkdocs-materialto the integrations (#2780) @chrimahoREADME.mdanddocs/README.mdare in sync (#2755) @kuanyi-nglivebookandexdocsintegrations (#2728) @RudolfManDependency updates
🎉 Thanks to all contributors helping with this release! 🎉
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.