NodeJS/mermaid/10.9.2
Markdown-ish syntax for generating flowcharts, mindmaps, sequence diagrams, class diagrams, gantt charts, git graphs and more.
https://www.npmjs.com/package/mermaid
MIT
1 Security Vulnerabilities
Prototype pollution vulnerability found in Mermaid's bundled version of DOMPurify
Published date: 2024-10-22T18:17:02Z
Links:
- https://github.com/cure53/DOMPurify/security/advisories/GHSA-mmhx-hmjr-r674
- https://github.com/mermaid-js/mermaid/security/advisories/GHSA-m4gq-x24j-jpmf
- https://github.com/mermaid-js/mermaid/commit/6c785c93166c151d27d328ddf68a13d9d65adc00
- https://github.com/mermaid-js/mermaid/commit/92a07ffe40aab2769dd1c3431b4eb5beac282b34
- https://github.com/advisories/GHSA-m4gq-x24j-jpmf
The following bundled files within the Mermaid NPM package contain a bundled version of DOMPurify that is vulnerable to https://github.com/cure53/DOMPurify/security/advisories/GHSA-mmhx-hmjr-r674, potentially resulting in an XSS attack.
This affects the built:
dist/mermaid.min.jsdist/mermaid.jsdist/mermaid.esm.mjsdist/mermaid.esm.min.mjs
This will also affect users that use the above files via a CDN link, e.g. https://cdn.jsdelivr.net/npm/mermaid@10.9.2/dist/mermaid.min.js
Users that use the default NPM export of mermaid, e.g. import mermaid from 'mermaid', or the dist/mermaid.core.mjs file, do not use this bundled version of DOMPurify, and can easily update using their package manager with something like npm audit fix.
Patches
developbranch: 6c785c93166c151d27d328ddf68a13d9d65adc00- backport to v10: 92a07ffe40aab2769dd1c3431b4eb5beac282b34
Affected versions:
["0.2.11", "0.2.12", "0.2.13", "0.2.14", "0.2.15", "0.2.16", "0.3.0", "0.3.2", "0.3.3", "0.3.4", "0.3.5", "0.4.0", "0.5.0", "0.5.1", "0.5.2", "0.5.3", "0.5.4", "0.5.5", "0.5.6", "0.5.7", "0.5.8", "6.0.0", "7.0.0", "7.0.1", "7.0.2", "7.0.3", "7.0.4", "7.0.5", "7.0.6", "7.0.7", "7.0.8", "7.0.9", "7.0.10", "7.0.11", "7.0.12", "7.0.13", "7.0.14", "7.0.15", "7.0.16", "7.0.17", "7.0.18", "7.1.0", "7.1.1", "7.1.2", "8.0.0-alpha.1", "8.0.0-alpha.2", "8.0.0-alpha.3", "8.0.0-alpha.4", "8.0.0-alpha.5", "8.0.0-alpha.6", "8.0.0-alpha.8", "8.0.0-alpha.9", "8.0.0-beta.1", "8.0.0-beta.2", "8.0.0-beta.3", "8.0.0-beta.4", "8.0.0-beta.5", "8.0.0-beta.6", "8.0.0-beta.7", "8.0.0-beta.8", "8.0.0-beta.9", "8.0.0-rc.1", "8.0.0-rc.2", "8.0.0-rc.3", "8.0.0-rc.4", "8.0.0-rc.5", "8.0.0-rc.6", "8.0.0-rc.7", "8.0.0-rc.8", "8.0.0", "8.1.0", "8.2.1", "8.2.2", "8.2.3", "8.2.4", "8.2.5", "8.2.6", "8.3.0", "8.3.1", "8.4.0", "8.4.1", "8.4.2", "8.4.3", "8.4.4", "8.4.5", "8.4.6", "8.4.7", "8.4.8", "8.5.0", "8.5.1", "8.5.2", "8.6.0", "8.6.1", "8.6.2", "8.6.3", "8.6.4", "8.7.0", "8.8.0", "8.8.1", "8.8.2", "8.8.3", "8.8.4", "8.9.0", "8.9.1", "8.9.2", "8.9.3", "8.10.1", "8.10.2", "8.11.0", "8.11.1", "8.11.2", "8.11.3", "8.11.4", "8.11.5", "8.12.0", "8.12.1", "8.13.0", "8.13.1", "8.13.2", "8.13.3", "8.13.4", "8.13.5", "8.13.6", "8.13.7", "8.13.8", "8.13.9", "8.13.10", "8.14.0-rc1", "8.14.0", "9.0.0", "9.0.1", "9.1.0", "9.1.1", "9.1.2", "9.1.3", "9.1.4", "9.1.5", "9.1.6", "9.2.0-rc1", "9.1.7", "9.2.0-rc2", "9.2.0-rc3", "9.2.0-rc4", "9.2.0-rc5", "9.2.0-rc6", "9.2.0-rc7", "9.2.0-rc8", "9.2.0-rc9", "9.2.0-rc10", "9.2.0", "9.2.1", "9.2.2-rc.2", "9.2.2", "9.2.3-rc.1", "9.3.0-rc.1", "9.3.0-rc.2", "9.3.0-rc.3", "9.3.0-rc.4", "9.3.0-rc.5", "9.3.0-rc.6", "9.3.0-rc.7", "9.3.0", "9.4.0-rc.1", "9.4.0-rc.2", "9.4.0", "9.4.2-rc.1", "10.0.0-rc.1", "10.0.0-rc.2", "10.0.0-rc.3", "10.0.0-rc.4", "10.0.0", "10.0.1-rc.1", "10.0.1-rc.2", "10.0.1-rc.3", "9.4.2-rc.2", "10.0.1-rc.4", "10.0.1-rc.5", "10.0.1", "10.0.2-rc.1", "10.0.2", "10.0.3-alpha.1", "9.4.2", "9.4.3", "10.1.0-rc.1", "10.1.0", "10.2.0-rc.1", "10.2.0-rc.2", "10.2.0-rc.3", "10.2.0-rc.4", "10.2.0", "10.2.1-rc.1", "10.2.1", "10.2.2", "10.2.3-rc.1", "10.2.3", "10.2.4-rc.1", "10.2.4", "10.3.0-rc.1", "10.3.0", "10.3.1", "10.4.0", "10.5.0-alpha.1", "10.5.0-rc.1", "10.5.0-rc.3", "10.5.0", "10.5.1", "10.6.0", "10.6.1", "10.6.2-rc.1", "10.6.2-rc.2", "10.6.2-rc.3", "10.7.0", "10.8.0", "10.9.0-rc.1", "10.9.0-rc.2", "10.9.0", "10.9.1", "10.9.2"]
Secure versions:
[11.0.0-alpha.1, 11.0.0-alpha.2, 11.0.0-alpha.3, 11.0.0-alpha.4, 11.0.0-alpha.5, 11.0.0-alpha.6, 11.0.0-alpha.7, 11.0.0, 11.0.1, 11.0.2, 11.1.0, 11.1.1, 11.2.0, 11.2.1, 11.3.0, 10.9.3, 11.4.0]
Recommendation:
Update to version 11.4.0.
235 Other Versions
| Version | License | Security | Released | |
|---|---|---|---|---|
| 9.1.3 | MIT | 1 | 2022-06-28 - 18:09 | over 2 years |
| 9.1.2 | MIT | 1 | 2022-06-14 - 17:33 | over 2 years |
| 9.1.1 | MIT | 2 | 2022-05-11 - 12:27 | over 2 years |
| 9.1.0 | MIT | 2 | 2022-05-10 - 16:44 | over 2 years |
| 9.0.1 | MIT | 2 | 2022-04-21 - 20:05 | over 2 years |
| 9.0.0 | MIT | 2 | 2022-04-07 - 18:44 | over 2 years |
| 8.14.0 | MIT | 2 | 2022-02-10 - 17:52 | almost 3 years |
| 8.14.0-rc1 | MIT | 2 | 2022-01-22 - 12:33 | almost 3 years |
| 8.13.10 | MIT | 2 | 2022-01-22 - 09:07 | almost 3 years |
| 8.13.9 | MIT | 2 | 2022-01-16 - 15:07 | almost 3 years |
| 8.13.8 | MIT | 2 | 2021-12-29 - 10:23 | almost 3 years |
| 8.13.7 | MIT | 3 | 2021-12-23 - 10:18 | almost 3 years |
| 8.13.6 | MIT | 3 | 2021-12-16 - 19:16 | almost 3 years |
| 8.13.5 | MIT | 3 | 2021-12-08 - 06:31 | almost 3 years |
| 8.13.4 | MIT | 3 | 2021-11-18 - 16:08 | almost 3 years |
| 8.13.3 | MIT | 3 | 2021-10-14 - 19:18 | about 3 years |
| 8.13.2 | MIT | 3 | 2021-09-29 - 18:25 | about 3 years |
| 8.13.1 | MIT | 3 | 2021-09-29 - 18:02 | about 3 years |
| 8.13.0 | MIT | 3 | 2021-09-23 - 16:26 | about 3 years |
| 8.12.1 | MIT | 3 | 2021-09-05 - 09:34 | about 3 years |
| 8.12.0 | MIT | 3 | 2021-08-26 - 17:34 | about 3 years |
| 8.11.5 | MIT | 3 | 2021-08-16 - 13:39 | about 3 years |
| 8.11.4 | MIT | 3 | 2021-08-05 - 17:57 | over 3 years |
| 8.11.3 | MIT | 3 | 2021-08-04 - 17:22 | over 3 years |
| 8.11.2 | MIT | 3 | 2021-07-30 - 08:34 | over 3 years |
| 8.11.1 | MIT | 3 | 2021-07-28 - 13:57 | over 3 years |
| 8.11.0 | MIT | 3 | 2021-06-27 - 05:53 | over 3 years |
| 8.10.2 | MIT | 4 | 2021-06-06 - 06:19 | over 3 years |
| 8.10.1 | MIT | 4 | 2021-05-10 - 16:59 | over 3 years |
| 8.9.3 | MIT | 4 | 2021-04-25 - 11:27 | over 3 years |
| 8.9.2 | MIT | 4 | 2021-03-11 - 20:20 | over 3 years |
| 8.9.1 | MIT | 4 | 2021-02-18 - 20:39 | over 3 years |
| 8.9.0 | MIT | 4 | 2021-01-21 - 19:53 | almost 4 years |
| 8.8.4 | MIT | 4 | 2020-12-05 - 13:43 | almost 4 years |
| 8.8.3 | MIT | 4 | 2020-11-05 - 18:43 | about 4 years |
| 8.8.2 | MIT | 4 | 2020-10-08 - 17:34 | about 4 years |
| 8.8.1 | MIT | 4 | 2020-09-30 - 17:22 | about 4 years |
| 8.8.0 | MIT | 4 | 2020-09-05 - 07:45 | about 4 years |
| 8.7.0 | MIT | 4 | 2020-08-09 - 12:00 | over 4 years |
| 8.6.4 | MIT | 4 | 2020-07-26 - 20:25 | over 4 years |
| 8.6.3 | MIT | 4 | 2020-07-24 - 11:17 | over 4 years |
| 8.6.2 | MIT | 4 | 2020-07-22 - 17:16 | over 4 years |
| 8.6.1 | MIT | 4 | 2020-07-22 - 16:53 | over 4 years |
| 8.6.0 | MIT | 4 | 2020-07-13 - 14:39 | over 4 years |
| 8.5.2 | MIT | 4 | 2020-06-07 - 08:52 | over 4 years |
| 8.5.1 | MIT | 4 | 2020-05-17 - 08:02 | over 4 years |
| 8.5.0 | MIT | 4 | 2020-04-11 - 15:46 | over 4 years |
| 8.4.8 | MIT | 4 | 2020-02-21 - 09:42 | over 4 years |
| 8.4.7 | MIT | 4 | 2020-02-16 - 13:00 | over 4 years |
| 8.4.6 | MIT | 4 | 2020-01-22 - 18:21 | almost 5 years |
| 8.4.5 | MIT | 4 | 2020-01-11 - 09:03 | almost 5 years |
| 8.4.4 | MIT | 4 | 2019-12-14 - 08:22 | almost 5 years |
| 8.4.3 | MIT | 4 | 2019-12-01 - 06:47 | almost 5 years |
| 8.4.2 | MIT | 4 | 2019-11-07 - 20:39 | about 5 years |
| 8.4.1 | MIT | 4 | 2019-11-06 - 18:42 | about 5 years |
| 8.4.0 | MIT | 4 | 2019-10-19 - 14:48 | about 5 years |
| 8.3.1 | MIT | 4 | 2019-09-19 - 22:10 | about 5 years |
| 8.3.0 | MIT | 4 | 2019-09-19 - 05:33 | about 5 years |
| 8.2.6 | MIT | 4 | 2019-09-01 - 11:18 | about 5 years |
| 8.2.5 | MIT | 4 | 2019-08-26 - 18:25 | about 5 years |
| 8.2.4 | MIT | 4 | 2019-08-25 - 13:32 | about 5 years |
| 8.2.3 | MIT | 4 | 2019-07-22 - 12:25 | over 5 years |
| 8.2.2 | MIT | 5 | 2019-07-21 - 14:41 | over 5 years |
| 8.2.1 | MIT | 5 | 2019-07-21 - 09:34 | over 5 years |
| 8.1.0 | MIT | 5 | 2019-06-25 - 08:39 | over 5 years |
| 8.0.0 | MIT | 5 | 2018-12-18 - 06:56 | almost 6 years |
| 8.0.0-rc.8 | MIT | 4 | 2018-04-12 - 15:06 | over 6 years |
| 8.0.0-rc.7 | MIT | 4 | 2018-04-12 - 01:07 | over 6 years |
| 8.0.0-rc.6 | MIT | 4 | 2018-03-21 - 13:30 | over 6 years |
| 8.0.0-rc.5 | MIT | 4 | 2018-03-20 - 15:05 | over 6 years |
| 8.0.0-rc.4 | MIT | 4 | 2018-03-20 - 13:51 | over 6 years |
| 8.0.0-rc.3 | MIT | 4 | 2018-03-20 - 12:42 | over 6 years |
| 8.0.0-rc.2 | MIT | 4 | 2018-03-20 - 12:10 | over 6 years |
| 8.0.0-rc.1 | MIT | 4 | 2018-03-19 - 01:32 | over 6 years |
| 8.0.0-beta.9 | MIT | 4 | 2018-03-18 - 01:36 | over 6 years |
| 8.0.0-beta.8 | MIT | 4 | 2018-03-18 - 01:09 | over 6 years |
| 8.0.0-beta.7 | MIT | 4 | 2018-03-17 - 15:20 | over 6 years |
| 8.0.0-beta.6 | MIT | 4 | 2018-03-17 - 10:13 | over 6 years |
| 8.0.0-beta.5 | MIT | 4 | 2018-03-17 - 01:11 | over 6 years |
| 8.0.0-beta.4 | MIT | 4 | 2018-03-16 - 12:28 | over 6 years |
| 8.0.0-beta.3 | MIT | 4 | 2018-03-16 - 12:17 | over 6 years |
| 8.0.0-beta.2 | MIT | 4 | 2018-03-15 - 14:45 | over 6 years |
| 8.0.0-beta.1 | MIT | 4 | 2018-03-15 - 13:49 | over 6 years |
| 8.0.0-alpha.9 | MIT | 4 | 2018-03-14 - 13:41 | over 6 years |
| 8.0.0-alpha.8 | MIT | 4 | 2018-03-13 - 14:57 | over 6 years |
| 8.0.0-alpha.6 | MIT | 4 | 2018-03-13 - 11:32 | over 6 years |
| 8.0.0-alpha.5 | MIT | 4 | 2018-03-13 - 05:25 | over 6 years |
| 8.0.0-alpha.4 | MIT | 4 | 2018-03-12 - 13:35 | over 6 years |
| 8.0.0-alpha.3 | MIT | 4 | 2018-03-11 - 15:49 | over 6 years |
| 8.0.0-alpha.2 | MIT | 4 | 2018-03-11 - 15:28 | over 6 years |
| 8.0.0-alpha.1 | MIT | 4 | 2018-03-09 - 01:36 | over 6 years |
| 7.1.2 | MIT | 4 | 2017-12-26 - 13:00 | almost 7 years |
| 7.1.1 | MIT | 4 | 2017-12-20 - 14:20 | almost 7 years |
| 7.1.0 | MIT | 4 | 2017-09-14 - 03:26 | about 7 years |
| 7.0.18 | MIT | 4 | 2017-09-13 - 02:14 | about 7 years |
| 7.0.17 | MIT | 4 | 2017-09-12 - 15:14 | about 7 years |
| 7.0.16 | MIT | 4 | 2017-09-12 - 14:51 | about 7 years |
| 7.0.15 | MIT | 4 | 2017-09-12 - 14:16 | about 7 years |
| 7.0.14 | MIT | 4 | 2017-09-11 - 15:03 | about 7 years |
| 7.0.13 | MIT | 4 | 2017-09-10 - 15:15 | about 7 years |