Skip to content

Comments

feat: bundle mermaid and elk directly into DS#732

Merged
michaeljguarino merged 1 commit intomainfrom
jake/bundle-mermaid
Nov 7, 2025
Merged

feat: bundle mermaid and elk directly into DS#732
michaeljguarino merged 1 commit intomainfrom
jake/bundle-mermaid

Conversation

@jsladerman
Copy link
Contributor

@jsladerman jsladerman commented Nov 7, 2025

No description provided.

@jsladerman jsladerman requested a review from a team as a code owner November 7, 2025 00:18
@jsladerman jsladerman added the enhancement New feature or request label Nov 7, 2025
github-advanced-security[bot]
github-advanced-security bot found potential problems Nov 7, 2025
View reviewed changes
yarn.lock
Comment on lines +14467 to +14493
"mermaid@npm:11.4.1":
version: 11.4.1
resolution: "mermaid@npm:11.4.1"
dependencies:
"@braintree/sanitize-url": ^7.0.1
"@iconify/utils": ^2.1.32
"@mermaid-js/parser": ^0.3.0
"@types/d3": ^7.4.3
cytoscape: ^3.29.2
cytoscape-cose-bilkent: ^4.1.0
cytoscape-fcose: ^2.2.0
d3: ^7.9.0
d3-sankey: ^0.12.3
dagre-d3-es: 7.0.11
dayjs: ^1.11.10
dompurify: ^3.2.1
katex: ^0.16.9
khroma: ^2.1.0
lodash-es: ^4.17.21
marked: ^13.0.2
roughjs: ^4.6.6
stylis: ^4.3.1
ts-dedent: ^2.2.0
uuid: ^9.0.1
checksum: ede145a0638264936a70800adead21b6538cccad8ad82ff200fa640ce6c70c666e6154c74fc87b293fb968c591b355ad5666f2be7994758d72877be88c5f1059
languageName: node
linkType: hard

Check warning

Code scanning / Trivy

Mermaid does not properly sanitize architecture diagram iconText leading to XSS Medium

Package: mermaid
Installed Version: 11.4.1
Vulnerability CVE-2025-54880
Severity: MEDIUM
Fixed Version: 11.10.0
Link: CVE-2025-54880
yarn.lock
Comment on lines +14467 to +14493
"mermaid@npm:11.4.1":
version: 11.4.1
resolution: "mermaid@npm:11.4.1"
dependencies:
"@braintree/sanitize-url": ^7.0.1
"@iconify/utils": ^2.1.32
"@mermaid-js/parser": ^0.3.0
"@types/d3": ^7.4.3
cytoscape: ^3.29.2
cytoscape-cose-bilkent: ^4.1.0
cytoscape-fcose: ^2.2.0
d3: ^7.9.0
d3-sankey: ^0.12.3
dagre-d3-es: 7.0.11
dayjs: ^1.11.10
dompurify: ^3.2.1
katex: ^0.16.9
khroma: ^2.1.0
lodash-es: ^4.17.21
marked: ^13.0.2
roughjs: ^4.6.6
stylis: ^4.3.1
ts-dedent: ^2.2.0
uuid: ^9.0.1
checksum: ede145a0638264936a70800adead21b6538cccad8ad82ff200fa640ce6c70c666e6154c74fc87b293fb968c591b355ad5666f2be7994758d72877be88c5f1059
languageName: node
linkType: hard

Check warning

Code scanning / Trivy

Mermaid improperly sanitizes sequence diagram labels leading to XSS Medium

Package: mermaid
Installed Version: 11.4.1
Vulnerability CVE-2025-54881
Severity: MEDIUM
Fixed Version: 11.10.0, 10.9.4
Link: CVE-2025-54881
@github-actions
Copy link

github-actions bot commented Nov 7, 2025

Visit the preview URL for this PR (updated for commit 4f30402):

https://pluralsh-design--pr732-jake-bundle-mermaid-au5pt4ut.web.app

(expires Fri, 14 Nov 2025 00:23:19 GMT)

🔥 via Firebase Hosting GitHub Action 🌎

Sign: 784914c934330f8d0a9fd65c68898b3988262b7d

@socket-security
Copy link

socket-security bot commented Nov 7, 2025

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security		 Vulnerability Quality Maintenance License
Addedvite@​5.4.891508398100
Addedhusky@​9.0.101001005878100
Addedhonorable-recipe-mapper@​0.2.0721006276100
Addedreact-merge-refs@​2.1.1991006480100
Added@​vitest/​coverage-v8@​1.0.4991006699100
Added@​tanstack/​react-virtual@​3.13.121001006687100
Added@​react-stately/​utils@​3.9.01001006897100
Added@​react-types/​shared@​3.22.01001007097100
Added@​typescript-eslint/​parser@​8.24.01001007197100
Added@​babel/​preset-react@​7.23.31001007194100
Added@​storybook/​react-vite@​9.1.109910072100100
Added@​types/​chroma-js@​2.4.31001007279100
Added@​react-spring/​web@​10.0.31001007286100
Added@​tanstack/​match-sorter-utils@​8.8.41001007380100
Added@​tanstack/​react-table@​8.20.51001007382100
Addedtypescript-eslint@​8.24.01001007397100
Added@​radix-ui/​react-focus-scope@​1.1.010010074100100
Added@​radix-ui/​react-accordion@​1.2.09910074100100
Added@​react-aria/​utils@​3.23.01001007497100
Added@​types/​react-dom@​19.1.71001007493100
Added@​radix-ui/​react-dialog@​1.1.1991007598100
Added@​pluralsh/​eslint-config-typescript@​2.5.147791007586100
Added@​floating-ui/​react-dom-interactions@​0.13.3991007580100
Added@​react-hooks-library/​core@​0.6.0911008577100
Added@​loomhq/​loom-embed@​1.5.0961008377100
Addedhonorable-theme-default@​1.0.0-beta.5771007977100
Addedhonorable@​1.0.0-beta.17771009377100
Added@​babel/​preset-env@​7.23.6961007795100
Added@​vitest/​ui@​1.0.4991007799100
Addedvite-bundle-visualizer@​1.2.11001009878100
Addedreact-embed@​3.7.07810010078100
Added@​types/​d3@​7.4.3981008378100
Addedfuse.js@​6.6.21001009079100
See 46 more rows in the dashboard

View full report

@socket-security
Copy link

socket-security bot commented Nov 7, 2025

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action Severity Alert  (click "▶" to expand/collapse)
Warn High
Obfuscated code: npm vite is 91.0% likely obfuscated

Confidence: 0.91

Location: Package overview

From: package.jsonnpm/vite@5.4.8

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/vite@5.4.8. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

@michaeljguarino michaeljguarino merged commit f7164ce into main Nov 7, 2025
13 checks passed
@michaeljguarino michaeljguarino deleted the jake/bundle-mermaid branch November 7, 2025 02:40
@plural-bot
Copy link
Contributor

plural-bot commented Nov 7, 2025

🎉 This PR is included in version 5.31.0 🎉

The release is available on:

Your semantic-release bot 📦🚀

This was referenced Nov 7, 2025
Merged
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@michaeljguarino michaeljguarino michaeljguarino approved these changes

Assignees

No one assigned

Labels

enhancement New feature or request released

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@jsladerman @plural-bot @michaeljguarino