fix(security): bump mermaid 11.14.0 -> 11.15.0 (CSS+HTML injection CVEs) #849
Open
aaronjmars wants to merge 1 commit into
Detected by Aeon + osv-scanner. Mermaid 11.14.0 has four published advisories, all fixed in 11.15.0:

- GHSA-87f9-hvmw-gh4p: improper sanitization of configuration leads to CSS injection
- GHSA-ghcm-xqfw-q4vr: improper sanitization of classDef in state diagrams leads to HTML injection
- GHSA-xcj9-5m2h-648r: improper sanitization of classDefs in diagrams leads to CSS injection
- GHSA-6m6c-36f7-fhxh: Gantt charts vulnerable to infinite-loop DoS

Severity: MEDIUM (XSS surface narrowed by Tolaria's CSP, but mermaid runs on attacker-controllable note content via MermaidDiagram.tsx).

Patch: bump the package.json floor to ^11.15.0 and refresh pnpm-lock.yaml. No source changes; mermaid stays initialised with securityLevel: 'strict' and htmlLabels: false as before.
Summary

Bumps `mermaid` from 11.14.0 to 11.15.0 to close four published advisories, all detected by osv-scanner against the current `pnpm-lock.yaml`.

- `classDef` in state diagrams leads to HTML injection
- `classDefs` in diagrams leads to CSS injection

All four are fixed in mermaid 11.15.0.

Impact

`mermaid` is a runtime dependency rendered through `src/components/MermaidDiagram.tsx`. A note that lands in the user's vault — copied between vaults, synced via git, shared in a starter pack, dropped in by an MCP `create_note` call — can include a Mermaid fence whose source the user does not control. The advisories cover bypasses against mermaid's `classDef`/configuration sanitisation that survive `securityLevel: 'strict'` and `htmlLabels: false` in the affected range, so the existing initialisation in `MermaidDiagram.tsx` is not enough on its own.

Tolaria's production CSP (`src-tauri/tauri.conf.json`) drops `'unsafe-inline'` and `'unsafe-eval'` on `script-src`, which already narrows the script-execution path. The remaining injection surface is HTML- and CSS-based (style exfiltration / UI redress), plus the Gantt DoS — the dependency bump is the cleanest backstop instead of relying on CSP and renderer-side mitigation.

Location

- `package.json:70` — `mermaid` floor.
- `pnpm-lock.yaml` — version + transitives.

Fix

Bump `mermaid` from `^11.14.0` to `^11.15.0` and refresh the pnpm lockfile. No source changes; `MermaidDiagram.tsx` keeps `securityLevel: 'strict'` and `htmlLabels: false`.

Notable lockfile churn (net 91 lines removed): mermaid 11.15.0 swaps its old chevrotain-based parser for a smaller `@mermaid-js/parser@1.1.1` + `es-toolkit` chain, so seven `chevrotain*` and `langium` entries fall out of the dependency graph in addition to the mermaid version bump itself.

Detected by

Aeon + osv-scanner (v2.3.8).

`pnpm-lock.yaml`: `osv-scanner scan source -L pnpm-lock.yaml` after the bump — `mermaid` no longer appears in the results.

Verification

Full project test suite (`pnpm test`, `pnpm test:e2e`, `cargo test`) was not run here — please confirm the bump passes the local check suite before merging.

Filed by Aeon.
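As an added example that is not part of this PR or the Tolaria repository, the following offline check reproduces the one property the bump must establish: both the declared `package.json` floor and every `mermaid` entry resolved in `pnpm-lock.yaml` sit at or above 11.15.0, the first release carrying all four fixes. The manifest and lockfile snippets are constructed for illustration, and the check deliberately fails when the floor is bumped but the lockfile was not refreshed.

```javascript
// Added example, not the project's own code. Verifies that mermaid is outside the
// affected range (< 11.15.0) in both the manifest and the lockfile.
const FIXED_VERSION = [11, 15, 0]; // first mermaid release with all four advisories fixed

// Constructed sample inputs (not the real Tolaria files).
const pkgJsonBefore = '{ "dependencies": { "mermaid": "^11.14.0" } }';
const pkgJsonAfter  = '{ "dependencies": { "mermaid": "^11.15.0" } }';
const lockBefore = `packages:
  mermaid@11.14.0:
    resolution: {integrity: sha512-PLACEHOLDER}
  chevrotain@11.0.3:
    resolution: {integrity: sha512-PLACEHOLDER}
`;
const lockAfter = `packages:
  mermaid@11.15.0:
    resolution: {integrity: sha512-PLACEHOLDER}
  '@mermaid-js/parser@1.1.1':
    resolution: {integrity: sha512-PLACEHOLDER}
`;

// Parse "x.y.z", optionally prefixed with ^ or ~, into a numeric triple.
function parseVersion(spec) {
  const m = /^[\^~]?(\d+)\.(\d+)\.(\d+)/.exec(spec.trim());
  if (!m) throw new Error(`unparseable version: ${spec}`);
  return m.slice(1, 4).map(Number);
}

// Lexicographic comparison of two numeric triples: negative, zero or positive.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Every version of `name` resolved in a pnpm-lock.yaml "packages:" section.
// pnpm writes the keys as `name@version:`, quoted when the name is scoped.
function lockedVersions(lockText, name) {
  const escaped = name.replace(/[-/\\^$*+?.()|[\]{}]/g, '\\$&');
  const re = new RegExp(`^\\s+'?${escaped}@(\\d+\\.\\d+\\.\\d+)[^:]*'?:`, 'gm');
  return [...lockText.matchAll(re)].map((m) => m[1]);
}

// True only when the declared floor and every locked copy are >= FIXED_VERSION.
function mermaidIsPatched(pkgJsonText, lockText) {
  const floor = JSON.parse(pkgJsonText).dependencies.mermaid;
  const locked = lockedVersions(lockText, 'mermaid');
  if (locked.length === 0) throw new Error('mermaid not found in lockfile');
  return [floor, ...locked].every(
    (v) => compareVersions(parseVersion(v), FIXED_VERSION) >= 0,
  );
}
```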