NodeJS/mermaid/10.9.2


Markdown-ish syntax for generating flowcharts, mindmaps, sequence diagrams, class diagrams, gantt charts, git graphs and more.

https://www.npmjs.com/package/mermaid
MIT

1 Security Vulnerability

Prototype pollution vulnerability found in Mermaid's bundled version of DOMPurify

Published date: 2024-10-22T18:17:02Z

The following bundled files within the Mermaid NPM package contain a copy of DOMPurify that is vulnerable to https://github.com/cure53/DOMPurify/security/advisories/GHSA-mmhx-hmjr-r674 (prototype pollution), which can potentially be leveraged into an XSS attack.

This affects the built bundles:

  • dist/mermaid.min.js
  • dist/mermaid.js
  • dist/mermaid.esm.mjs
  • dist/mermaid.esm.min.mjs

This will also affect users that use the above files via a CDN link, e.g. https://cdn.jsdelivr.net/npm/mermaid@10.9.2/dist/mermaid.min.js

Users that use the default NPM export of mermaid, e.g. import mermaid from 'mermaid', or the dist/mermaid.core.mjs file, do not use this bundled copy of DOMPurify; for them DOMPurify is an ordinary dependency that can be updated through the package manager, e.g. with npm audit fix. Note that npm audit fix does nothing for a pinned CDN URL, which has to be bumped by hand.
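Because the two exposure paths described above (the package resolved through npm, and a pinned dist bundle loaded from a CDN) are fixed differently, a quick audit script helps. The following is an added example, not code from the mermaid project or the advisory: it derives its rule from the secure-version list on this page (every release below 10.9.3 is affected; 10.9.3 and all 11.x releases, alpha builds included, are fixed), scans a package-lock.json (npm lockfileVersion 1 and 2/3 layouts) for mermaid entries, and scans HTML/JS text for CDN loads matching the `mermaid@<version>/dist/<file>` pattern shown above, flagging only the four bundle names the advisory lists. The lockfile and HTML inputs are constructed samples.

```javascript
// Added example: audit a project for exposure to the bundled-DOMPurify advisory.
// Rule derived from the page's secure-version list: affected iff version < 10.9.3.
const FIRST_FIXED_V10 = '10.9.3';

// Only these dist bundles carry the bundled DOMPurify; mermaid.core.mjs does not.
const AFFECTED_BUNDLES = new Set(['mermaid.min.js', 'mermaid.js', 'mermaid.esm.mjs', 'mermaid.esm.min.mjs']);

// Parse "MAJOR.MINOR.PATCH[-prerelease]" into { nums, pre }; throws on tags like "latest".
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(v.trim());
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] ? m[4].split('.') : null };
}

// Semver-style ordering: numeric core first; a prerelease sorts before its release.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] < pb.nums[i] ? -1 : 1;
  }
  if (pa.pre === null && pb.pre === null) return 0;
  if (pa.pre === null) return 1;
  if (pb.pre === null) return -1;
  const n = Math.max(pa.pre.length, pb.pre.length);
  for (let i = 0; i < n; i++) {
    const x = pa.pre[i], y = pb.pre[i];
    if (x === undefined) return -1;
    if (y === undefined) return 1;
    const xn = /^\d+$/.test(x), yn = /^\d+$/.test(y);
    if (xn && yn) { if (Number(x) !== Number(y)) return Number(x) < Number(y) ? -1 : 1; }
    else if (xn) return -1;
    else if (yn) return 1;
    else if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

function isAffectedMermaid(version) {
  return compareVersions(version, FIRST_FIXED_V10) < 0;
}

// package-lock.json: lockfileVersion 2/3 keep a flat "packages" map keyed by path;
// lockfileVersion 1 nests "dependencies" objects.
function findLockfileMermaid(lock) {
  const hits = [];
  const add = (path, version) => hits.push({ source: 'lockfile', path, version, affected: isAffectedMermaid(version) });
  if (lock.packages) {
    for (const [path, entry] of Object.entries(lock.packages)) {
      if (path === 'node_modules/mermaid' || path.endsWith('/node_modules/mermaid')) add(path, entry.version);
    }
    return hits;
  }
  const walk = (deps, prefix) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === 'mermaid') add(path, entry.version);
      walk(entry.dependencies, path + '/');
    }
  };
  walk(lock.dependencies, '');
  return hits;
}

// CDN loads: any URL containing mermaid@<version>/dist/<file> (assumed pattern, as on the page).
function findCdnMermaidPins(text) {
  const re = /mermaid@([0-9A-Za-z.+-]+)\/dist\/([A-Za-z0-9._-]+)/g;
  const hits = [];
  let m;
  while ((m = re.exec(text)) !== null) {
    const [, version, file] = m;
    const bundled = AFFECTED_BUNDLES.has(file);
    let affected = false;
    if (bundled) {
      try { affected = isAffectedMermaid(version); } catch (_e) { affected = null; } // null = unpinned tag, cannot decide
    }
    hits.push({ source: 'cdn', version, file, bundled, affected });
  }
  return hits;
}

// Everything that is affected or undecidable; "false" entries are dropped.
function report(lock, text) {
  return [...findLockfileMermaid(lock), ...findCdnMermaidPins(text)].filter((f) => f.affected !== false);
}

// Constructed sample inputs (not taken from any real project).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'demo' },
    'node_modules/mermaid': { version: '10.9.2' },
    'node_modules/docs-tool/node_modules/mermaid': { version: '10.9.3' },
  },
};
const SAMPLE_HTML = `<script src="https://cdn.jsdelivr.net/npm/mermaid@10.9.2/dist/mermaid.min.js"></script>
<script type="module">import mermaid from 'https://cdn.jsdelivr.net/npm/mermaid@11.4.0/dist/mermaid.esm.min.mjs';</script>
<script type="module">import mermaid from 'https://cdn.jsdelivr.net/npm/mermaid@10.9.2/dist/mermaid.core.mjs';</script>`;

const SAMPLE_FINDINGS = report(SAMPLE_LOCK, SAMPLE_HTML);
console.log(JSON.stringify(SAMPLE_FINDINGS, null, 2));
```

On the sample input the report lists two findings: the top-level lockfile entry at 10.9.2 (fixable with the package manager) and the CDN script tag pinned to mermaid@10.9.2/dist/mermaid.min.js (which must be re-pinned by hand); the nested 10.9.3 copy, the 11.4.0 CDN import and the mermaid.core.mjs import are correctly left out.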

Patches

  • develop branch: 6c785c93166c151d27d328ddf68a13d9d65adc00
  • backport to v10: 92a07ffe40aab2769dd1c3431b4eb5beac282b34

Affected versions: ["0.2.11", "0.2.12", "0.2.13", "0.2.14", "0.2.15", "0.2.16", "0.3.0", "0.3.2", "0.3.3", "0.3.4", "0.3.5", "0.4.0", "0.5.0", "0.5.1", "0.5.2", "0.5.3", "0.5.4", "0.5.5", "0.5.6", "0.5.7", "0.5.8", "6.0.0", "7.0.0", "7.0.1", "7.0.2", "7.0.3", "7.0.4", "7.0.5", "7.0.6", "7.0.7", "7.0.8", "7.0.9", "7.0.10", "7.0.11", "7.0.12", "7.0.13", "7.0.14", "7.0.15", "7.0.16", "7.0.17", "7.0.18", "7.1.0", "7.1.1", "7.1.2", "8.0.0-alpha.1", "8.0.0-alpha.2", "8.0.0-alpha.3", "8.0.0-alpha.4", "8.0.0-alpha.5", "8.0.0-alpha.6", "8.0.0-alpha.8", "8.0.0-alpha.9", "8.0.0-beta.1", "8.0.0-beta.2", "8.0.0-beta.3", "8.0.0-beta.4", "8.0.0-beta.5", "8.0.0-beta.6", "8.0.0-beta.7", "8.0.0-beta.8", "8.0.0-beta.9", "8.0.0-rc.1", "8.0.0-rc.2", "8.0.0-rc.3", "8.0.0-rc.4", "8.0.0-rc.5", "8.0.0-rc.6", "8.0.0-rc.7", "8.0.0-rc.8", "8.0.0", "8.1.0", "8.2.1", "8.2.2", "8.2.3", "8.2.4", "8.2.5", "8.2.6", "8.3.0", "8.3.1", "8.4.0", "8.4.1", "8.4.2", "8.4.3", "8.4.4", "8.4.5", "8.4.6", "8.4.7", "8.4.8", "8.5.0", "8.5.1", "8.5.2", "8.6.0", "8.6.1", "8.6.2", "8.6.3", "8.6.4", "8.7.0", "8.8.0", "8.8.1", "8.8.2", "8.8.3", "8.8.4", "8.9.0", "8.9.1", "8.9.2", "8.9.3", "8.10.1", "8.10.2", "8.11.0", "8.11.1", "8.11.2", "8.11.3", "8.11.4", "8.11.5", "8.12.0", "8.12.1", "8.13.0", "8.13.1", "8.13.2", "8.13.3", "8.13.4", "8.13.5", "8.13.6", "8.13.7", "8.13.8", "8.13.9", "8.13.10", "8.14.0-rc1", "8.14.0", "9.0.0", "9.0.1", "9.1.0", "9.1.1", "9.1.2", "9.1.3", "9.1.4", "9.1.5", "9.1.6", "9.2.0-rc1", "9.1.7", "9.2.0-rc2", "9.2.0-rc3", "9.2.0-rc4", "9.2.0-rc5", "9.2.0-rc6", "9.2.0-rc7", "9.2.0-rc8", "9.2.0-rc9", "9.2.0-rc10", "9.2.0", "9.2.1", "9.2.2-rc.2", "9.2.2", "9.2.3-rc.1", "9.3.0-rc.1", "9.3.0-rc.2", "9.3.0-rc.3", "9.3.0-rc.4", "9.3.0-rc.5", "9.3.0-rc.6", "9.3.0-rc.7", "9.3.0", "9.4.0-rc.1", "9.4.0-rc.2", "9.4.0", "9.4.2-rc.1", "10.0.0-rc.1", "10.0.0-rc.2", "10.0.0-rc.3", "10.0.0-rc.4", "10.0.0", "10.0.1-rc.1", "10.0.1-rc.2", "10.0.1-rc.3", "9.4.2-rc.2", "10.0.1-rc.4", "10.0.1-rc.5", "10.0.1", "10.0.2-rc.1", "10.0.2", "10.0.3-alpha.1", "9.4.2", "9.4.3", "10.1.0-rc.1", "10.1.0", "10.2.0-rc.1", "10.2.0-rc.2", "10.2.0-rc.3", "10.2.0-rc.4", "10.2.0", "10.2.1-rc.1", "10.2.1", "10.2.2", "10.2.3-rc.1", "10.2.3", "10.2.4-rc.1", "10.2.4", "10.3.0-rc.1", "10.3.0", "10.3.1", "10.4.0", "10.5.0-alpha.1", "10.5.0-rc.1", "10.5.0-rc.3", "10.5.0", "10.5.1", "10.6.0", "10.6.1", "10.6.2-rc.1", "10.6.2-rc.2", "10.6.2-rc.3", "10.7.0", "10.8.0", "10.9.0-rc.1", "10.9.0-rc.2", "10.9.0", "10.9.1", "10.9.2"]
Secure versions: [11.0.0-alpha.1, 11.0.0-alpha.2, 11.0.0-alpha.3, 11.0.0-alpha.4, 11.0.0-alpha.5, 11.0.0-alpha.6, 11.0.0-alpha.7, 11.0.0, 11.0.1, 11.0.2, 11.1.0, 11.1.1, 11.2.0, 11.2.1, 11.3.0, 10.9.3, 11.4.0]
Recommendation: Update to version 11.4.0 (or to 10.9.3, which carries the backported fix, for projects that must stay on the v10 line).

235 Other Versions

Version License Security Released Age
7.0.12 MIT 4 2017-09-10 - 14:58 about 7 years
7.0.11 MIT 4 2017-09-09 - 13:49 about 7 years
7.0.10 MIT 4 2017-09-08 - 16:58 about 7 years
7.0.9 MIT 4 2017-09-06 - 03:15 about 7 years
7.0.8 MIT 4 2017-09-03 - 14:18 about 7 years
7.0.7 MIT 4 2017-09-02 - 15:43 about 7 years
7.0.6 MIT 4 2017-09-01 - 13:41 about 7 years
7.0.5 MIT 4 2017-09-01 - 10:39 about 7 years
7.0.4 MIT 4 2017-08-16 - 16:03 about 7 years
7.0.3 MIT 4 2017-06-04 - 04:19 over 7 years
7.0.2 MIT 4 2017-06-01 - 05:42 over 7 years
7.0.1 MIT 4 2017-06-01 - 05:13 over 7 years
7.0.0 MIT 4 2017-01-29 - 11:15 almost 8 years
6.0.0 MIT 4 2016-05-29 - 17:27 over 8 years
0.5.8 MIT 4 2016-01-27 - 14:06 almost 9 years
0.5.7 MIT 4 2016-01-25 - 18:12 almost 9 years
0.5.6 MIT 4 2015-11-22 - 18:09 almost 9 years
0.5.5 MIT 4 2015-10-21 - 19:15 about 9 years
0.5.4 MIT 4 2015-10-19 - 20:09 about 9 years
0.5.3 MIT 4 2015-10-04 - 21:29 about 9 years
0.5.2 MIT 4 2015-10-04 - 21:09 about 9 years
0.5.1 MIT 4 2015-06-21 - 15:27 over 9 years
0.5.0 MIT 4 2015-06-07 - 15:06 over 9 years
0.4.0 MIT 4 2015-03-01 - 15:52 over 9 years
0.3.5 MIT 4 2015-02-15 - 18:38 over 9 years
0.3.4 MIT 4 2015-02-15 - 17:16 over 9 years
0.3.3 MIT 4 2015-01-25 - 15:46 almost 10 years
0.3.2 MIT 4 2015-01-11 - 14:13 almost 10 years
0.3.0 MIT 4 2014-12-22 - 12:55 almost 10 years
0.2.16 MIT 4 2014-12-15 - 18:44 almost 10 years
0.2.15 BSD-2-Clause 4 2014-12-05 - 09:56 almost 10 years
0.2.14 BSD-2-Clause 4 2014-12-03 - 18:36 almost 10 years
0.2.13 BSD-2-Clause 4 2014-12-03 - 18:29 almost 10 years
0.2.12 BSD-2-Clause 4 2014-12-02 - 18:03 almost 10 years
0.2.11 BSD-2-Clause 4 2014-12-02 - 17:39 almost 10 years