Commit 6a27066269 (branch: main)
fix(deps): update dependency mermaid to v11.15.0 [security], add e2e test (#37662)
This PR contains the following updates:

| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [mermaid](https://redirect.github.com/mermaid-js/mermaid) | [`11.14.0` → `11.15.0`](https://renovatebot.com/diffs/npm/mermaid/11.14.0/11.15.0) |  |  |

---

### Mermaid: Improper sanitization of `classDefs` in diagrams leads to CSS injection

[CVE-2026-41148](https://nvd.nist.gov/vuln/detail/CVE-2026-41148) / [GHSA-xcj9-5m2h-648r](https://redirect.github.com/advisories/GHSA-xcj9-5m2h-648r)

<details>
<summary>More information</summary>

#### Details

##### Details

The state diagram and any other diagram type that routes user-controlled style strings through the createCssStyles parser for Mermaid v11.14.0 and earlier captures `classDef` values with an unrestricted regex:

```jison
// packages/mermaid/src/diagrams/state/parser/stateDiagram.jison:83
<CLASSDEFID>[^\n]* { this.popState(); return 'CLASSDEF_STYLEOPTS' }
```

The value passes unsanitized through `addStyleClass()` -> `createCssStyles()` -> `style.innerHTML` (mermaidAPI.ts:418). A `}` in the value closes the generated CSS selector, and everything after becomes a new CSS rule on the page.
##### PoC

```
stateDiagram-v2
classDef x }*{ background-image: url("http://media.giphy.com/media/SggILpMXO7Xt6/giphy.gif")}
```

Live demo: <https://mermaid.live/edit#pako:eNpFjzFvgzAQhf-KdVNbEcBgMHhtlkqtOnSJKi8ONsYKBmRMlRTx3-skanvTfbp7996t0IxSAYPZC6_2Rmgn7O4rQ00v5nmvWnRG29OKjqI5aTcug9wZK7RiaHH9A4fO-4kliVXSiFibqbvEzWjvnHxo_fI6vR3e6cGXyX2qTcvhcYMItDMSmHeLisAqZ8UVYeUDQhx8p6ziwEIrhTtx4MNVM4nhcxztrywE0h2wVvRzoGWS_z_8rahBKvcckntgmN5OAFvhDIzUNCZZQXCR5nVaZkUEF2BVFpOcEkoxxhUuyRbB980yjStapKHqoKFlhvPtB7BFZEU>

##### Patches

This has been patched in:

- [v11.15.0](https://redirect.github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0) (see [e9b0f34d8d82a6260077764ee45e1d7d90957a0f](https://redirect.github.com/mermaid-js/mermaid/commit/e9b0f34d8d82a6260077764ee45e1d7d90957a0f))
- [v10.9.6](https://redirect.github.com/mermaid-js/mermaid/releases/tag/v10.9.6) (see [8fead23c59166b7bab6a39eac81acebee2859102](https://redirect.github.com/mermaid-js/mermaid/commit/8fead23c59166b7bab6a39eac81acebee2859102))

##### Workarounds

Setting [`"securityLevel": "sandbox"`](https://mermaid.js.org/config/schema-docs/config.html#securitylevel) will prevent this, by rendering the mermaid diagram in a sandboxed `<iframe>`.

##### Impact

Enables page defacement, user tracking via `url()` callbacks, and DOM attribute exfiltration via CSS `:has()` selectors.
#### Severity

- CVSS Score: 5.3 / 10 (Medium)
- Vector String: `CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L`

#### References

- [https://github.com/mermaid-js/mermaid/security/advisories/GHSA-xcj9-5m2h-648r](https://redirect.github.com/mermaid-js/mermaid/security/advisories/GHSA-xcj9-5m2h-648r)
- [https://github.com/mermaid-js/mermaid/commit/8fead23c59166b7bab6a39eac81acebee2859102](https://redirect.github.com/mermaid-js/mermaid/commit/8fead23c59166b7bab6a39eac81acebee2859102)
- [https://github.com/mermaid-js/mermaid/commit/e9b0f34d8d82a6260077764ee45e1d7d90957a0f](https://redirect.github.com/mermaid-js/mermaid/commit/e9b0f34d8d82a6260077764ee45e1d7d90957a0f)
- [https://github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0](https://redirect.github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0)
- [https://github.com/mermaid-js/mermaid/releases/tag/v10.9.6](https://redirect.github.com/mermaid-js/mermaid/releases/tag/v10.9.6)
- [https://mermaid.js.org/config/schema-docs/config.html#securitylevel](https://mermaid.js.org/config/schema-docs/config.html#securitylevel)
- [https://github.com/advisories/GHSA-xcj9-5m2h-648r](https://redirect.github.com/advisories/GHSA-xcj9-5m2h-648r)

This data is provided by the [GitHub Advisory Database](https://redirect.github.com/advisories/GHSA-xcj9-5m2h-648r) ([CC-BY 4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)).

</details>

---

### Mermaid: Improper sanitization of `classDef` in state diagrams leads to HTML injection

[CVE-2026-41149](https://nvd.nist.gov/vuln/detail/CVE-2026-41149) / [GHSA-ghcm-xqfw-q4vr](https://redirect.github.com/advisories/GHSA-ghcm-xqfw-q4vr)

<details>
<summary>More information</summary>

#### Details

##### Impact

Under the default configuration, Mermaid state diagram's `classDef` allows DOM injection that escapes the SVG, although `<script>` tags are removed, preventing XSS.
##### Proof-of-concept

```
stateDiagram-v2
classDef xss fill:red</style></svg><style>*{x:x;y:y;overflow:visible!important;contain:none!important;transform:none!important;filter:none!important;clip-path:none!important}</style><div style="x:x;y:y;color:red;font:5em/1 monospace;display:grid;place-items:center;z-index:2147483647;width:100vw;height:100vh;position:fixed;top:0;left:0;background:black">HACKED</div><svg><style>a:b
[*] --> A:::xss
```

##### Patches

- [v11.15.0](https://redirect.github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0) (see [37ff937f1da2e19f882fd1db01235db4d01f4056](https://redirect.github.com/mermaid-js/mermaid/commit/37ff937f1da2e19f882fd1db01235db4d01f4056))
- [v10.9.6](https://redirect.github.com/mermaid-js/mermaid/releases/tag/v10.9.6) (see [4e2d512bf5bf6f9de1a8f0a48da78dc4d09ac4f3](https://redirect.github.com/mermaid-js/mermaid/commit/4e2d512bf5bf6f9de1a8f0a48da78dc4d09ac4f3))

##### Workarounds

If you cannot update to a patched version, setting [`"securityLevel": "sandbox"`](https://mermaid.js.org/config/schema-docs/config.html#securitylevel) will prevent this, by rendering the mermaid diagram in a sandboxed `<iframe>`.

##### Credits

Thanks to @zsxsoft from @KeenSecurityLab for reporting this vulnerability.
#### Severity

- CVSS Score: 5.3 / 10 (Medium)
- Vector String: `CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L`

#### References

- [https://github.com/mermaid-js/mermaid/security/advisories/GHSA-ghcm-xqfw-q4vr](https://redirect.github.com/mermaid-js/mermaid/security/advisories/GHSA-ghcm-xqfw-q4vr)
- [https://github.com/mermaid-js/mermaid/commit/37ff937f1da2e19f882fd1db01235db4d01f4056](https://redirect.github.com/mermaid-js/mermaid/commit/37ff937f1da2e19f882fd1db01235db4d01f4056)
- [https://github.com/mermaid-js/mermaid/commit/4e2d512bf5bf6f9de1a8f0a48da78dc4d09ac4f3](https://redirect.github.com/mermaid-js/mermaid/commit/4e2d512bf5bf6f9de1a8f0a48da78dc4d09ac4f3)
- [https://github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0](https://redirect.github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0)
- [https://github.com/mermaid-js/mermaid/releases/tag/v10.9.6](https://redirect.github.com/mermaid-js/mermaid/releases/tag/v10.9.6)
- [https://mermaid.js.org/config/schema-docs/config.html#securitylevel](https://mermaid.js.org/config/schema-docs/config.html#securitylevel)
- [https://github.com/advisories/GHSA-ghcm-xqfw-q4vr](https://redirect.github.com/advisories/GHSA-ghcm-xqfw-q4vr)

This data is provided by the [GitHub Advisory Database](https://redirect.github.com/advisories/GHSA-ghcm-xqfw-q4vr) ([CC-BY 4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)).

</details>

---

### Mermaid: Improper sanitization of configuration leads to CSS injection

[CVE-2026-41159](https://nvd.nist.gov/vuln/detail/CVE-2026-41159) / [GHSA-87f9-hvmw-gh4p](https://redirect.github.com/advisories/GHSA-87f9-hvmw-gh4p)

<details>
<summary>More information</summary>

#### Details

##### Impact

Mermaid's default configuration allows injecting CSS that applies outside of the Mermaid diagram via the `fontFamily`, `themeCSS`, and `altFontFamily` configuration options.
Live demo: [mermaid.live](https://mermaid.live/edit#pako:eNpNjktLxDAUhf9KvFBR6JS-60QQfODKlUvJ5k6TtsEmKTHFGUP-u-mI6Nmdy3fOPR56wwVQSBIvtXSUeAaD0e4ZlZxPDChhcLxFfwiEauOuLq_9Afv30ZpVczpaITS5kGox1qF2gfSeBwYhJAnThAyz-ewntI68vG5-0z3Z7e7IA9OQwmglB-rsKlJQwircLPgNZeAmocTPAi4GXGfHgOkQYwvqN2PUbzJuGSegA84f0a0LRyeeJI4W_xChubCPcbQD2pwbgHo4Aq2aKmvbqq3zoiu7pizqFE6RybN9VFfFY1HWXRVS-Dr_zLObrt7_V_gGGXZlGg)

Example code:

```
%%{init: {"fontFamily": "x;a{b} :not(&){background:green !important} c{d}"}}%%
flowchart LR
A --> B
```

The injected CSS exploits stylis's `&` (scope reference) handling. `:not(&)` escapes the `#mermaid-xxx` automatic scoping, applying styles to all page elements. Global at-rules (`@font-face`, `@keyframes`, `@counter-style`) are also injectable as stylis hoists them to top level. This allows page defacement and DOM attribute exfiltration via CSS `:has()` selectors.

##### Patches

- [v11.15.0](https://redirect.github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0) (see [64769738d5b59211e1decb471ffbaca8afec51aa](https://redirect.github.com/mermaid-js/mermaid/commit/64769738d5b59211e1decb471ffbaca8afec51aa))
- [v10.9.6](https://redirect.github.com/mermaid-js/mermaid/releases/tag/v10.9.6) (see [a9d9f0d8eb790349121508688cd338253fd80d76](https://redirect.github.com/mermaid-js/mermaid/commit/a9d9f0d8eb790349121508688cd338253fd80d76))

##### Workarounds

If you can't upgrade mermaid, you can set the [`secure`](https://mermaid.js.org/config/schema-docs/config.html#secure) config value in the mermaid config to avoid allowing diagrams to modify `fontFamily`, `themeCSS`, `altFontFamily`, and `themeVariables`. Setting [`"securityLevel": "sandbox"`](https://mermaid.js.org/config/schema-docs/config.html#securitylevel) will also prevent this.
##### Credits

Reported by @zsxsoft on behalf of @KeenSecurityLab

#### Severity

- CVSS Score: 5.3 / 10 (Medium)
- Vector String: `CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L`

#### References

- [https://github.com/mermaid-js/mermaid/security/advisories/GHSA-87f9-hvmw-gh4p](https://redirect.github.com/mermaid-js/mermaid/security/advisories/GHSA-87f9-hvmw-gh4p)
- [https://github.com/mermaid-js/mermaid/commit/64769738d5b59211e1decb471ffbaca8afec51aa](https://redirect.github.com/mermaid-js/mermaid/commit/64769738d5b59211e1decb471ffbaca8afec51aa)
- [https://github.com/mermaid-js/mermaid/commit/a9d9f0d8eb790349121508688cd338253fd80d76](https://redirect.github.com/mermaid-js/mermaid/commit/a9d9f0d8eb790349121508688cd338253fd80d76)
- [https://github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0](https://redirect.github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0)
- [https://github.com/mermaid-js/mermaid/releases/tag/v10.9.6](https://redirect.github.com/mermaid-js/mermaid/releases/tag/v10.9.6)
- [https://github.com/advisories/GHSA-87f9-hvmw-gh4p](https://redirect.github.com/advisories/GHSA-87f9-hvmw-gh4p)

This data is provided by the [GitHub Advisory Database](https://redirect.github.com/advisories/GHSA-87f9-hvmw-gh4p) ([CC-BY 4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)).

</details>

---

### Mermaid Gantt Charts are vulnerable to an Infinite Loop DoS

[CVE-2026-41150](https://nvd.nist.gov/vuln/detail/CVE-2026-41150) / [GHSA-6m6c-36f7-fhxh](https://redirect.github.com/advisories/GHSA-6m6c-36f7-fhxh)

<details>
<summary>More information</summary>

#### Details

##### Impact

Mermaid v11.14.0 and earlier are vulnerable to a denial-of-service attack when rendering gantt charts, if they use the [`excludes` attribute](https://mermaid.js.org/syntax/gantt.html?#excludes) to exclude all dates.
Example:

```
gantt
excludes monday,tuesday,wednesday,thursday,friday,saturday,sunday
DoS :2025-01-01, 1d
```

`mermaid.parse` is unaffected, unless you then call the `ganttDb.getTasks()` (which is called when rendering a diagram).

##### Patches

This has been patched in:

- [v11.15.0](https://redirect.github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0) (see [faafb5d49106dd32c367f3882505f2dd625aa30e](https://redirect.github.com/mermaid-js/mermaid/commit/faafb5d49106dd32c367f3882505f2dd625aa30e))
- [v10.9.6](https://redirect.github.com/mermaid-js/mermaid/releases/tag/v10.9.6) (see [a59ea56174712ee5430dfd5bc877cb5151f501a6](https://redirect.github.com/mermaid-js/mermaid/commit/a59ea56174712ee5430dfd5bc877cb5151f501a6))

##### Workarounds

There are no workarounds available without updating to a newer version of mermaid.

#### Severity

- CVSS Score: 5.3 / 10 (Medium)
- Vector String: `CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L`

#### References

- [https://github.com/mermaid-js/mermaid/security/advisories/GHSA-6m6c-36f7-fhxh](https://redirect.github.com/mermaid-js/mermaid/security/advisories/GHSA-6m6c-36f7-fhxh)
- [https://github.com/mermaid-js/mermaid/commit/a59ea56174712ee5430dfd5bc877cb5151f501a6](https://redirect.github.com/mermaid-js/mermaid/commit/a59ea56174712ee5430dfd5bc877cb5151f501a6)
- [https://github.com/mermaid-js/mermaid/commit/faafb5d49106dd32c367f3882505f2dd625aa30e](https://redirect.github.com/mermaid-js/mermaid/commit/faafb5d49106dd32c367f3882505f2dd625aa30e)
- [https://github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0](https://redirect.github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0)
- [https://github.com/mermaid-js/mermaid/releases/tag/v10.9.6](https://redirect.github.com/mermaid-js/mermaid/releases/tag/v10.9.6)
- [https://github.com/advisories/GHSA-6m6c-36f7-fhxh](https://redirect.github.com/advisories/GHSA-6m6c-36f7-fhxh)

This data is provided by the [GitHub Advisory Database](https://redirect.github.com/advisories/GHSA-6m6c-36f7-fhxh) ([CC-BY 4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)).

</details>

---

### Release Notes

<details>
<summary>mermaid-js/mermaid (mermaid)</summary>

### [`v11.15.0`](https://redirect.github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0)

[Compare Source](https://redirect.github.com/mermaid-js/mermaid/compare/mermaid@11.14.0...mermaid@11.15.0)

##### Minor Changes

- [#7174](https://redirect.github.com/mermaid-js/mermaid/pull/7174) [`0aca217`](https://redirect.github.com/mermaid-js/mermaid/commit/0aca21739c0d1fcaaa206e04a6cd574ebc415483) Thanks [@milesspencer35](https://redirect.github.com/milesspencer35)! - feat(sequence): Add support for decimal start and increment values in the `autonumber` directive
- [#7512](https://redirect.github.com/mermaid-js/mermaid/pull/7512) [`8e17492`](https://redirect.github.com/mermaid-js/mermaid/commit/8e17492f7365ba50896382feb69a23efd9d8a22d) Thanks [@aruncveli](https://redirect.github.com/aruncveli)! - feat(flowchart): add datastore shape

  In Data flow diagrams, a datastore/warehouse/file/database is used to represent data persistence. It is denoted by a rectangle with only top and bottom borders, and can be used in flowcharts with `A@{ shape: datastore, label: "Datastore" }`.

- [#6440](https://redirect.github.com/mermaid-js/mermaid/pull/6440) [`9ad8dde`](https://redirect.github.com/mermaid-js/mermaid/commit/9ad8dde6d049adde85d8ed2d476c09b5820f3f4b) Thanks [@yordis](https://redirect.github.com/yordis), [@lgazo](https://redirect.github.com/lgazo)! - feat: add Event Modeling diagram
- [#7707](https://redirect.github.com/mermaid-js/mermaid/pull/7707) [`27db774`](https://redirect.github.com/mermaid-js/mermaid/commit/27db774627be1cee881961dfd0d2cb21cd01b79d) Thanks [@txmxthy](https://redirect.github.com/txmxthy)! - feat(architecture): expose four fcose layout knobs for `architecture-beta` diagrams (`nodeSeparation`, `idealEdgeLengthMultiplier`, `edgeElasticity`, `numIter`) so authors can tune layout density and spread overlapping siblings without changing diagram source
- [#7604](https://redirect.github.com/mermaid-js/mermaid/pull/7604) [`bf9502f`](https://redirect.github.com/mermaid-js/mermaid/commit/bf9502fb6012a4b724679b401ac928f5ee55161c) Thanks [@M-a-c](https://redirect.github.com/M-a-c)! - feat(class): add nested namespace support for class diagrams via dot notation and syntactic nesting

  If you have namespaces in class diagrams that use `.`s already and want to render them without nesting (≤v11.14.0 behaviour), you can set `class.hierarchicalNamespaces=false` in your mermaid config:

  ```yaml
  config:
    class:
      hierarchicalNamespaces: false
  ```

- [#7272](https://redirect.github.com/mermaid-js/mermaid/pull/7272) [`88cdd3d`](https://redirect.github.com/mermaid-js/mermaid/commit/88cdd3dc0aab9577174561b04e14760c565a232b) Thanks [@xinbenlv](https://redirect.github.com/xinbenlv)! - feat(sankey): add outlined label style, configurable nodeWidth/nodePadding, and custom node colors

##### Patch Changes

- [#7737](https://redirect.github.com/mermaid-js/mermaid/pull/7737) [`e9b0f34`](https://redirect.github.com/mermaid-js/mermaid/commit/e9b0f34d8d82a6260077764ee45e1d7d90957a0f) Thanks [@ashishjain0512](https://redirect.github.com/ashishjain0512)! - fix: prevent unbalanced CSS styles in classDefs
- [#7737](https://redirect.github.com/mermaid-js/mermaid/pull/7737) [`37ff937`](https://redirect.github.com/mermaid-js/mermaid/commit/37ff937f1da2e19f882fd1db01235db4d01f4056) Thanks [@ashishjain0512](https://redirect.github.com/ashishjain0512)! - fix: create CSS styles using the CSSOM

  This removes some invalid CSS and normalizes some CSS formatting.
- [#7508](https://redirect.github.com/mermaid-js/mermaid/pull/7508) [`bfe60cc`](https://redirect.github.com/mermaid-js/mermaid/commit/bfe60cc67b9a6dec64f9161f58e4d24a06c42b65) Thanks [@biiab](https://redirect.github.com/biiab)! - fix(stateDiagram): `end note` now only closes a note when used on a new line
- [#7737](https://redirect.github.com/mermaid-js/mermaid/pull/7737) [`faafb5d`](https://redirect.github.com/mermaid-js/mermaid/commit/faafb5d49106dd32c367f3882505f2dd625aa30e) Thanks [@ashishjain0512](https://redirect.github.com/ashishjain0512)! - fix(gantt): add iteration limit for `excludes` field
- [#7737](https://redirect.github.com/mermaid-js/mermaid/pull/7737) [`65f8be2`](https://redirect.github.com/mermaid-js/mermaid/commit/65f8be2a42faf869b811469571983cba7eeeca99) Thanks [@ashishjain0512](https://redirect.github.com/ashishjain0512)! - fix: disallow some CSS at-rules in custom CSS
- [#7726](https://redirect.github.com/mermaid-js/mermaid/pull/7726) [`1502f32`](https://redirect.github.com/mermaid-js/mermaid/commit/1502f32f3c5fb944925b0c527fbbde3c4f041824) Thanks [@aloisklink](https://redirect.github.com/aloisklink)! - fix(wardley): fix unnecessary sanitization of text
- [#7578](https://redirect.github.com/mermaid-js/mermaid/pull/7578) [`1f98db8`](https://redirect.github.com/mermaid-js/mermaid/commit/1f98db8e326299ac97a2fa60abfd509d8f5f16e2) Thanks [@Gaston202](https://redirect.github.com/Gaston202)! - fix(class): self-referential class multiplicity labels no longer rendered multiple times

  Fixes [#7560](https://redirect.github.com/mermaid-js/mermaid/issues/7560). Resolves an issue where cardinality labels on self-referential class relationships were rendered three times due to edge splitting in the dagre layout. The fix ensures that each sub-edge only carries its relevant label positions.
- [#​7592](https://redirect.github.com/mermaid-js/mermaid/pull/7592) [`2343e38`](https://redirect.github.com/mermaid-js/mermaid/commit/2343e38498a3b31f8ce5e79f1f009e0b56fbe086) Thanks [@​knsv-bot](https://redirect.github.com/knsv-bot)! - fix(sequence): add background box behind alt/else section title labels in sequence diagrams - [#​7589](https://redirect.github.com/mermaid-js/mermaid/pull/7589) [`7fb9509`](https://redirect.github.com/mermaid-js/mermaid/commit/7fb9509b8b5cb1dc48519dc60cf6cdc6afba0462) Thanks [@​NYCU-Chung](https://redirect.github.com/NYCU-Chung)! - fix(block): prevent column widths from shrinking when mixing different column spans - [#​7632](https://redirect.github.com/mermaid-js/mermaid/pull/7632) [`3f9e0f1`](https://redirect.github.com/mermaid-js/mermaid/commit/3f9e0f15bedc1e2c71ddb6b34192d1a21124cfc2) Thanks [@​ekiauhce](https://redirect.github.com/ekiauhce)! - fix(sequence): correct messageAlign label position for right-to-left arrows in sequence diagrams - [#​7642](https://redirect.github.com/mermaid-js/mermaid/pull/7642) [`7a8fb85`](https://redirect.github.com/mermaid-js/mermaid/commit/7a8fb8532c57ecc55b3711454ab0e505a4291445) Thanks [@​tractorjuice](https://redirect.github.com/tractorjuice)! - fix(wardley): allow hyphens in unquoted component names Multi-word names containing hyphens — e.g. `real-time processing`, `end-user`, `on-call engineer` — now parse without quoting, bringing the grammar in line with the OnlineWardleyMaps (OWM) convention. `A->B` (no-space arrow) still tokenises correctly. - [#​7523](https://redirect.github.com/mermaid-js/mermaid/pull/7523) [`5144ed4`](https://redirect.github.com/mermaid-js/mermaid/commit/5144ed4b138ae0f4836bab4c163c575e0a767dd3) Thanks [@​darshanr0107](https://redirect.github.com/darshanr0107)! - fix(block): Arrow blocks in block-beta diagrams not spanning the specified number of columns when using `:n` syntax. 
- [#​7262](https://redirect.github.com/mermaid-js/mermaid/pull/7262) [`13d9bfa`](https://redirect.github.com/mermaid-js/mermaid/commit/13d9bfa4748e845a9eec7d6265ba496d2278f26e) Thanks [@​darshanr0107](https://redirect.github.com/darshanr0107)! - fix(block): Ensure block diagram hexagon blocks respect column spanning syntax - [#​7684](https://redirect.github.com/mermaid-js/mermaid/pull/7684) [`e14bb88`](https://redirect.github.com/mermaid-js/mermaid/commit/e14bb88bdb940124cdb0a107025653bf93745c99) Thanks [@​aloisklink](https://redirect.github.com/aloisklink)! - fix: loosen `uuid` dependency range to allow v14 Mermaid does not use any of the vulnerable code in CVE-2026-41907, but this allows users to silence any `npm audit` alerts on it. - [#​7633](https://redirect.github.com/mermaid-js/mermaid/pull/7633) [`9217c0d`](https://redirect.github.com/mermaid-js/mermaid/commit/9217c0d8b221b423af80e420b7adae901acf6c8c) Thanks [@​Felix-Garci](https://redirect.github.com/Felix-Garci)! - fix(block): add support for all arrow types in block diagrams - [#​7587](https://redirect.github.com/mermaid-js/mermaid/pull/7587) [`5e7eb62`](https://redirect.github.com/mermaid-js/mermaid/commit/5e7eb62e3aba6b5df559f5c839a868e5b7f40e72) Thanks [@​MaddyGuthridge](https://redirect.github.com/MaddyGuthridge)! - chore: drop lodash-es in favour of es-toolkit - [#​7693](https://redirect.github.com/mermaid-js/mermaid/pull/7693) [`afaf306`](https://redirect.github.com/mermaid-js/mermaid/commit/afaf3062381d115d66744413151b642f124dd9ba) Thanks [@​dull-bird](https://redirect.github.com/dull-bird)! - fix(quadrant-chart): allow CJK, emoji, Latin-1 accented characters, and other non-ASCII text in unquoted axis/quadrant/point labels. Previously the lexer only matched ASCII `[A-Za-z]+` for text tokens, even though the grammar referenced `UNICODE_TEXT`. Bare Chinese, Japanese, Korean, emoji, and accented Latin characters in labels caused a parse error. 
Added a `[^\x00-\x7F]+` lexer rule to emit `UNICODE_TEXT` and included it in the `alphaNumToken` grammar rule. Fixes [#​7120](https://redirect.github.com/mermaid-js/mermaid/issues/7120). - [#​7737](https://redirect.github.com/mermaid-js/mermaid/pull/7737) [`4755553`](https://redirect.github.com/mermaid-js/mermaid/commit/4755553d5fb6d1217809e43ffb8fc54d6a73e482) Thanks [@​ashishjain0512](https://redirect.github.com/ashishjain0512)! - fix: improve D3 types for mermaidAPI funcs - [#​7737](https://redirect.github.com/mermaid-js/mermaid/pull/7737) [`6476973`](https://redirect.github.com/mermaid-js/mermaid/commit/64769738d5b59211e1decb471ffbaca8afec51aa) Thanks [@​ashishjain0512](https://redirect.github.com/ashishjain0512)! - fix: handle `&` when namespacing CSS rules - [#​7520](https://redirect.github.com/mermaid-js/mermaid/pull/7520) [`8c1a0c1`](https://redirect.github.com/mermaid-js/mermaid/commit/8c1a0c1fd19587c6772d6966fe9d217e5cd1356c) Thanks [@​RodrigojndSantos](https://redirect.github.com/RodrigojndSantos)! - fix(stateDiagram): comments starting with one `%` are no longer treated as comments Switch to using two `%%` if you want to write a comment. - Updated dependencies \[[`7a8fb85`](https://redirect.github.com/mermaid-js/mermaid/commit/7a8fb8532c57ecc55b3711454ab0e505a4291445), [`675a64c`](https://redirect.github.com/mermaid-js/mermaid/commit/675a64ca0e3cde8728ca715991623c3fc055ce88)]: - [@​mermaid-js/parser](https://redirect.github.com/mermaid-js/parser)@​1.1.1 </details> --- ### Configuration 📅 **Schedule**: (UTC) - Branch creation - "" - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. 
--- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://redirect.github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNDEuNSIsInVwZGF0ZWRJblZlciI6IjQzLjE0MS41IiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiXX0=--> --------- Co-authored-by: silverwind <me@silverwind.io> Co-authored-by: Claude (Opus 4.7) <noreply@anthropic.com> |
8cd8291ed0 |
fix(deps): update npm dependencies (#37647)
This PR contains the following updates:

| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| @​codemirror/autocomplete | [`6.20.1` → `6.20.2`](https://renovatebot.com/diffs/npm/@codemirror%2fautocomplete/6.20.1/6.20.2) | | |
| @​codemirror/lint | [`6.9.5` → `6.9.6`](https://renovatebot.com/diffs/npm/@codemirror%2flint/6.9.5/6.9.6) | | |
| @​codemirror/view | [`6.41.1` → `6.42.0`](https://renovatebot.com/diffs/npm/@codemirror%2fview/6.41.1/6.42.0) | | |
| [vue](https://vuejs.org/) ([source](https://redirect.github.com/vuejs/core)) | [`3.5.33` → `3.5.34`](https://renovatebot.com/diffs/npm/vue/3.5.33/3.5.34) | | |

---

### Release Notes

<details>
<summary>vuejs/core (vue)</summary>

### [`v3.5.34`](https://redirect.github.com/vuejs/core/blob/HEAD/CHANGELOG.md#3534-2026-05-06)

[Compare Source](https://redirect.github.com/vuejs/core/compare/v3.5.33...v3.5.34)

##### Bug Fixes

- **compiler-sfc:** infer Vue ref wrapper types when source is unresolvable ([#​14758](https://redirect.github.com/vuejs/core/issues/14758)) ([7f46fd4](https://redirect.github.com/vuejs/core/commit/7f46fd411b4e3f75ca755ee1318ea8e9aff43f56)), closes [#​14729](https://redirect.github.com/vuejs/core/issues/14729)
- **compiler-sfc:** preserve hash hrefs on `<image>` elements ([#​14756](https://redirect.github.com/vuejs/core/issues/14756)) ([090b2e3](https://redirect.github.com/vuejs/core/commit/090b2e3a5149ec951c5313b270e5400a1fc870ce))
- **compiler-sfc:** resolve type re-exports inside declare global ([#​14766](https://redirect.github.com/vuejs/core/issues/14766)) ([acfffe3](https://redirect.github.com/vuejs/core/commit/acfffe34e7724a84c21bb8e51e8a5bc0da35f350))
- **reactivity:** prevent orphan effect when created in a stopped scope ([#​14778](https://redirect.github.com/vuejs/core/issues/14778)) ([c8e2d4a](https://redirect.github.com/vuejs/core/commit/c8e2d4adc9112d2529de0434acc1188dfc399bf4)), closes [#​14777](https://redirect.github.com/vuejs/core/issues/14777)
- **runtime-core:** avoid symbol coercion during props validation ([#​8539](https://redirect.github.com/vuejs/core/issues/8539)) ([23d4fb5](https://redirect.github.com/vuejs/core/commit/23d4fb5a6a070df3d2d4a043f0f62c141e376095)), closes [#​8487](https://redirect.github.com/vuejs/core/issues/8487)
- **suspense:** avoid DOM leak with out-in transition in v-if fragment ([#​14762](https://redirect.github.com/vuejs/core/issues/14762)) ([9667e0d](https://redirect.github.com/vuejs/core/commit/9667e0d498ab39273614682986a666c3e73024d9)), closes [#​14761](https://redirect.github.com/vuejs/core/issues/14761)

</details>

---

### Configuration

📅 **Schedule**: (UTC)
- Branch creation - Only on Monday (`* * * * 1`)
- Automerge - At any time (no schedule defined)

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

👻 **Immortal**: This PR will be recreated if closed unmerged. Get [config help](https://redirect.github.com/renovatebot/renovate/discussions) if that's undesired.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Mend Renovate](https://redirect.github.com/renovatebot/renovate).

---------

Co-authored-by: silverwind <me@silverwind.io>
Co-authored-by: Claude (Opus 4.7) <noreply@anthropic.com> |
a603f89fce |
fix(deps): update npm dependencies (#37636)
This PR contains the following updates:

| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [@typescript-eslint/parser](https://typescript-eslint.io/packages/parser) ([source](https://redirect.github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/parser)) | [`8.59.1` → `8.59.2`](https://renovatebot.com/diffs/npm/@typescript-eslint%2fparser/8.59.1/8.59.2) | | |
| [eslint-plugin-vue](https://eslint.vuejs.org) ([source](https://redirect.github.com/vuejs/eslint-plugin-vue)) | [`10.9.0` → `10.9.1`](https://renovatebot.com/diffs/npm/eslint-plugin-vue/10.9.0/10.9.1) | | |
| [jiti](https://redirect.github.com/unjs/jiti) | [`2.6.1` → `2.7.0`](https://renovatebot.com/diffs/npm/jiti/2.6.1/2.7.0) | | |
| [postcss](https://postcss.org/) ([source](https://redirect.github.com/postcss/postcss)) | [`8.5.13` → `8.5.14`](https://renovatebot.com/diffs/npm/postcss/8.5.13/8.5.14) | | |
| [stylelint](https://stylelint.io) ([source](https://redirect.github.com/stylelint/stylelint)) | [`17.10.0` → `17.11.0`](https://renovatebot.com/diffs/npm/stylelint/17.10.0/17.11.0) | | |
| [typescript-eslint](https://typescript-eslint.io/packages/typescript-eslint) ([source](https://redirect.github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/typescript-eslint)) | [`8.59.1` → `8.59.2`](https://renovatebot.com/diffs/npm/typescript-eslint/8.59.1/8.59.2) | | |
| [updates](https://redirect.github.com/silverwind/updates) | [`17.16.8` → `17.16.9`](https://renovatebot.com/diffs/npm/updates/17.16.8/17.16.9) | | |
---
### Release Notes
<details>
<summary>typescript-eslint/typescript-eslint
(@​typescript-eslint/parser)</summary>
###
[`v8.59.2`](https://redirect.github.com/typescript-eslint/typescript-eslint/blob/HEAD/packages/parser/CHANGELOG.md#8592-2026-05-04)
[Compare
Source](https://redirect.github.com/typescript-eslint/typescript-eslint/compare/v8.59.1...v8.59.2)
This was a version bump only for parser to align it with other projects,
there were no code changes.
See [GitHub
Releases](https://redirect.github.com/typescript-eslint/typescript-eslint/releases/tag/v8.59.2)
for more information.
You can read about our [versioning
strategy](https://typescript-eslint.io/users/versioning) and
[releases](https://typescript-eslint.io/users/releases) on our website.
</details>
<details>
<summary>vuejs/eslint-plugin-vue (eslint-plugin-vue)</summary>
###
[`v10.9.1`](https://redirect.github.com/vuejs/eslint-plugin-vue/blob/HEAD/CHANGELOG.md#1091)
[Compare
Source](https://redirect.github.com/vuejs/eslint-plugin-vue/compare/v10.9.0...v10.9.1)
##### Patch Changes
- Updated peer dependency version for
[`vue-eslint-parser`](https://redirect.github.com/vuejs/vue-eslint-parser)
to fix parsing errors in Vue SFCs
([#​3075](https://redirect.github.com/vuejs/eslint-plugin-vue/pull/3075))
</details>
<details>
<summary>unjs/jiti (jiti)</summary>
###
[`v2.7.0`](https://redirect.github.com/unjs/jiti/blob/HEAD/CHANGELOG.md#v270)
[Compare
Source](https://redirect.github.com/unjs/jiti/compare/v2.6.1...v2.7.0)
[compare
changes](https://redirect.github.com/unjs/jiti/compare/v2.6.1...v2.7.0)
##### 🚀 Enhancements
- Add explicit resource management (using/await using) support
([#​422](https://redirect.github.com/unjs/jiti/pull/422))
- Support opt-in `tsconfigPaths`
([#​427](https://redirect.github.com/unjs/jiti/pull/427))
- Support virtual modules option
([#​428](https://redirect.github.com/unjs/jiti/pull/428))
- Add `jiti/static` export
([#​430](https://redirect.github.com/unjs/jiti/pull/430))
##### 🔥 Performance
- **interopDefault:** Add caching to reduce proxy overhead by \~2x
([#​421](https://redirect.github.com/unjs/jiti/pull/421))
##### 🩹 Fixes
- **require:** Passthrough resolve options
([#​412](https://redirect.github.com/unjs/jiti/pull/412))
- **ci:** Skip `--coverage` flag for node 18
([fe264b4](https://redirect.github.com/unjs/jiti/commit/fe264b4))
- **require:** Fallback to transpilation when `tryNative` fails
([#​413](https://redirect.github.com/unjs/jiti/pull/413))
- Fallback for `ENAMETOOLONG` when evaluating esm
([#​429](https://redirect.github.com/unjs/jiti/pull/429))
##### 📦 Build
- Upgrade rspack
([55194fb](https://redirect.github.com/unjs/jiti/commit/55194fb))
- Experimental rolldown config
([8c0243f](https://redirect.github.com/unjs/jiti/commit/8c0243f))
##### 🏡 Chore
- Fix lint issues
([4045c7a](https://redirect.github.com/unjs/jiti/commit/4045c7a))
- Update deps
([e88ac44](https://redirect.github.com/unjs/jiti/commit/e88ac44))
- Update deps
([498e8d7](https://redirect.github.com/unjs/jiti/commit/498e8d7))
- Add missing prettier dep
([650bc48](https://redirect.github.com/unjs/jiti/commit/650bc48))
- Lint ([058d91a](https://redirect.github.com/unjs/jiti/commit/058d91a))
- Init agents.md
([c49c54e](https://redirect.github.com/unjs/jiti/commit/c49c54e))
- Update agents.md
([4deba16](https://redirect.github.com/unjs/jiti/commit/4deba16))
- Update deps
([
|
73c0239f94 |
build(deps): bump fast-uri from 3.1.0 to 3.1.2 (#37616)
Bumps [fast-uri](https://github.com/fastify/fast-uri) from 3.1.0 to 3.1.2. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/fastify/fast-uri/releases">fast-uri's releases</a>.</em></p> <blockquote> <h2>v3.1.2</h2> <h2>⚠️ Security Release</h2> <ul> <li>Fix for <a href="https://github.com/fastify/fast-uri/security/advisories/GHSA-v39h-62p7-jpjc">https://github.com/fastify/fast-uri/security/advisories/GHSA-v39h-62p7-jpjc</a></li> </ul> <h2>What's Changed</h2> <ul> <li>Handle malformed fragment decoding as a parse error by <a href="https://github.com/mcollina"><code>@mcollina</code></a> in <a href="https://redirect.github.com/fastify/fast-uri/pull/171">fastify/fast-uri#171</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/fastify/fast-uri/compare/v3.1.1...v3.1.2">https://github.com/fastify/fast-uri/compare/v3.1.1...v3.1.2</a></p> <h2>v3.1.1</h2> <h2>⚠️ Security Release</h2> <ul> <li>Fix for <a href="https://github.com/fastify/fast-uri/security/advisories/GHSA-q3j6-qgpj-74h6">https://github.com/fastify/fast-uri/security/advisories/GHSA-q3j6-qgpj-74h6</a></li> </ul> <h2>What's Changed</h2> <ul> <li>build(deps-dev): bump tsd from 0.32.0 to 0.33.0 by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/fastify/fast-uri/pull/148">fastify/fast-uri#148</a></li> <li>build(deps): bump actions/checkout from 4 to 5 by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/fastify/fast-uri/pull/149">fastify/fast-uri#149</a></li> <li>chore(.npmrc): ignore scripts by <a href="https://github.com/Fdawgs"><code>@Fdawgs</code></a> in <a href="https://redirect.github.com/fastify/fast-uri/pull/150">fastify/fast-uri#150</a></li> <li>build(deps-dev): remove <code>@fastify/pre-commit</code> by <a href="https://github.com/Fdawgs"><code>@Fdawgs</code></a> in <a 
href="https://redirect.github.com/fastify/fast-uri/pull/151">fastify/fast-uri#151</a></li> <li>build(deps): bump actions/setup-node from 4 to 5 by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/fastify/fast-uri/pull/152">fastify/fast-uri#152</a></li> <li>ci(ci): add concurrency config by <a href="https://github.com/Fdawgs"><code>@Fdawgs</code></a> in <a href="https://redirect.github.com/fastify/fast-uri/pull/153">fastify/fast-uri#153</a></li> <li>build(deps): bump actions/setup-node from 5 to 6 by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/fastify/fast-uri/pull/154">fastify/fast-uri#154</a></li> <li>build(deps): bump actions/checkout from 5 to 6 by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/fastify/fast-uri/pull/156">fastify/fast-uri#156</a></li> <li>chore(license): standardise license notice by <a href="https://github.com/Fdawgs"><code>@Fdawgs</code></a> in <a href="https://redirect.github.com/fastify/fast-uri/pull/159">fastify/fast-uri#159</a></li> <li>style: remove trailing whitespace by <a href="https://github.com/Fdawgs"><code>@Fdawgs</code></a> in <a href="https://redirect.github.com/fastify/fast-uri/pull/161">fastify/fast-uri#161</a></li> <li>ci: remove unused github files by <a href="https://github.com/Tony133"><code>@Tony133</code></a> in <a href="https://redirect.github.com/fastify/fast-uri/pull/162">fastify/fast-uri#162</a></li> <li>chore: update readme by <a href="https://github.com/Tony133"><code>@Tony133</code></a> in <a href="https://redirect.github.com/fastify/fast-uri/pull/164">fastify/fast-uri#164</a></li> <li>build(deps): bump fastify/workflows/.github/workflows/plugins-ci-package-manager.yml from 5 to 6 by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a 
href="https://redirect.github.com/fastify/fast-uri/pull/165">fastify/fast-uri#165</a></li> <li>build(deps): bump fastify/workflows/.github/workflows/plugins-ci.yml from 5 to 6 by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/fastify/fast-uri/pull/166">fastify/fast-uri#166</a></li> <li>build(deps-dev): bump neostandard from 0.12.2 to 0.13.0 by <a href="https://github.com/dependabot"><code>@dependabot</code></a>[bot] in <a href="https://redirect.github.com/fastify/fast-uri/pull/167">fastify/fast-uri#167</a></li> <li>ci: add lock-threads workflow by <a href="https://github.com/Fdawgs"><code>@Fdawgs</code></a> in <a href="https://redirect.github.com/fastify/fast-uri/pull/169">fastify/fast-uri#169</a></li> </ul> <h2>New Contributors</h2> <ul> <li><a href="https://github.com/Tony133"><code>@Tony133</code></a> made their first contribution in <a href="https://redirect.github.com/fastify/fast-uri/pull/162">fastify/fast-uri#162</a></li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/fastify/fast-uri/compare/v3.1.0...v3.1.1">https://github.com/fastify/fast-uri/compare/v3.1.0...v3.1.1</a></p> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/fastify/fast-uri/commit/919dd8ea7689fcc220d0d9b71307f5095e723ef9"><code>919dd8e</code></a> Bumped v3.1.2</li> <li><a href="https://github.com/fastify/fast-uri/commit/c65ba573714af6b8e19e481d9444c27bc4355d07"><code>c65ba57</code></a> fixup: linting</li> <li><a href="https://github.com/fastify/fast-uri/commit/6c86c17c3d76fb93aa3700ec6c0fa00faeb97293"><code>6c86c17</code></a> Merge commit from fork</li> <li><a href="https://github.com/fastify/fast-uri/commit/a95158ad308df4d92bbde4eba699ce5165e9f796"><code>a95158a</code></a> Handle malformed fragment decoding without throwing (<a href="https://redirect.github.com/fastify/fast-uri/issues/171">#171</a>)</li> <li><a 
href="https://github.com/fastify/fast-uri/commit/cea547c91c6aae610041b17b75792ca4aa035a6d"><code>cea547c</code></a> Bumped v3.1.1</li> <li><a href="https://github.com/fastify/fast-uri/commit/876ce79b662c3e5015e4e7dffe6f37752ad34f35"><code>876ce79</code></a> Merge commit from fork</li> <li><a href="https://github.com/fastify/fast-uri/commit/dcdf690b71a7bb3a19887ada65a9ab160d83bcc0"><code>dcdf690</code></a> ci: add lock-threads workflow (<a href="https://redirect.github.com/fastify/fast-uri/issues/169">#169</a>)</li> <li><a href="https://github.com/fastify/fast-uri/commit/c860e6589b1ac346f66e114b4eadb9613768108c"><code>c860e65</code></a> build(deps-dev): bump neostandard from 0.12.2 to 0.13.0 (<a href="https://redirect.github.com/fastify/fast-uri/issues/167">#167</a>)</li> <li><a href="https://github.com/fastify/fast-uri/commit/9b4c6dc82fde0ca44e674403ece9185d85bb6d5f"><code>9b4c6dc</code></a> build(deps): bump fastify/workflows/.github/workflows/plugins-ci.yml (<a href="https://redirect.github.com/fastify/fast-uri/issues/166">#166</a>)</li> <li><a href="https://github.com/fastify/fast-uri/commit/85d09a9f7aa76b32c2bb005a90a71e144c361d24"><code>85d09a9</code></a> build(deps): bump fastify/workflows/.github/workflows/plugins-ci-package-mana...</li> <li>Additional commits viewable in <a href="https://github.com/fastify/fast-uri/compare/v3.1.0...v3.1.2">compare view</a></li> </ul> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. 
[//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/go-gitea/gitea/network/alerts). </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> |
89a49de0fd |
Update go js py dependencies (#37525)
| go | from | to |
| --- | --- | --- |
| connectrpc.com/connect | `1.19.1` | `1.19.2` |
| github.com/Azure/go-ntlmssp | `0.1.0` | `0.1.1` |
| github.com/alecthomas/chroma/v2 | `2.23.1` | `2.24.1` |
| github.com/aws/aws-sdk-go-v2/credentials | `1.19.15` | `1.19.16` |
| github.com/aws/aws-sdk-go-v2/service/codecommit | `1.33.13` | `1.33.14` |
| github.com/blevesearch/bleve/v2 | `2.5.7` | `2.6.0` |
| github.com/caddyserver/certmagic | `0.25.2` | `0.25.3` |
| github.com/fsnotify/fsnotify | `1.9.0` | `1.10.1` |
| github.com/getkin/kin-openapi | `0.134.0` | `0.137.0` |
| github.com/go-co-op/gocron/v2 | `2.21.0` | `2.21.1` |
| github.com/go-sql-driver/mysql | `1.9.3` | `1.10.0` |
| github.com/go-webauthn/webauthn | `0.16.5` | `0.17.2` |
| github.com/klauspost/compress | `1.18.5` | `1.18.6` |
| github.com/mattn/go-isatty | `0.0.21` | `0.0.22` |
| github.com/mattn/go-sqlite3 | `1.14.42` | `1.14.44` |
| github.com/minio/minio-go/v7 | `7.0.100` | `7.1.0` |
| github.com/redis/go-redis/v9 | `9.18.0` | `9.19.0` |
| google.golang.org/grpc | `1.80.0` | `1.81.0` |
| gopkg.in/ini.v1 | `1.67.1` | `1.67.2` |

| js | from | to |
| --- | --- | --- |
| @codemirror/search | `6.6.0` | `6.7.0` |
| @primer/octicons | `19.24.1` | `19.25.0` |
| clippie | `4.1.14` | `4.1.15` |
| easymde | `2.20.0` | `2.21.0` |
| postcss | `8.5.10` | `8.5.13` |
| rolldown-license-plugin | `3.0.1` | `3.0.4` |
| swagger-ui-dist | `5.32.4` | `5.32.5` |
| vite | `8.0.9` | `8.0.10` |
| vite-string-plugin | `2.0.2` | `2.0.4` |
| vue | `3.5.32` | `3.5.33` |
| @typescript-eslint/parser | `8.59.0` | `8.59.1` |
| eslint | `10.2.1` | `10.3.0` |
| eslint-plugin-vue | `10.8.0` | `10.9.0` |
| globals | `17.5.0` | `17.6.0` |
| material-icon-theme | `5.33.1` | `5.34.0` |
| spectral-cli-bundle | `1.0.7` | `1.0.8` |
| stylelint | `17.8.0` | `17.10.0` |
| typescript-eslint | `8.59.0` | `8.59.1` |
| updates | `17.16.3` | `17.16.8` |
| vitest | `4.1.4` | `4.1.5` |
| vue-tsc | `3.2.7` | `3.2.8` |
| pnpm | `10.33.0` | `10.33.2` |

| py | from | to |
| --- | --- | --- |
| click | `8.3.2` | `8.3.3` |
| pathspec | `1.0.4` | `1.1.1` |

---------

Co-authored-by: silverwind <me@silverwind.io>
Co-authored-by: Claude (Opus 4.7) <noreply@anthropic.com> |
3d838ef96a |
Fix mCaptcha broken after Vite migration (#37492)
After the Webpack-to-Vite migration (#37002), mCaptcha stopped working entirely on the registration page, throwing an error:

`TypeError: setting getter-only property "INPUT_NAME"`

This fix stops trying to mutate the read-only INPUT_NAME export. Instead it probes for the Widget constructor at module.default (direct) or module.default.default (CJS-wrapped), constructs the widget, and then renames the hidden input element it creates to m-captcha-response which is the field name Gitea's backend reads from the submitted form.

Generative AI was used to help with making this PR.

---------

Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
Co-authored-by: Giteabot <teabot@gitea.io> |
99cd4f6b22 |
Integrate renovate bot for all dependency updates (#37050)
Replaces Dependabot with Renovate. The new setup:

- One PR per ecosystem (GitHub Actions, Go modules + Makefile go-tool pins, npm, Python via uv, Nix flake), opened weekly on Mondays with a 5-day release-age cooldown. Vulnerability PRs ship next-day via daily cron + Renovate's `vulnerabilityAlerts` schedule bypass.
- All `uses:` action refs SHA-pinned with patch-level version comments (same format as #36971, which this supersedes); `helpers:pinGitHubActionDigests` keeps future bumps in that format.
- `renovatebot/github-action` runtime image pinned via the upstream-recommended `RENOVATE_VERSION` env + magic comment + `customManagers:githubActionsVersions` preset, so Renovate keeps the pin updated.
- Custom regex manager tracks the `*_PACKAGE ?= <import-path>@<version>` lines in `Makefile` (golangci-lint, swagger, actionlint, etc.) and groups them into the same Go PR via `matchDatasources: ["go"]`.
- Post-upgrade tasks regenerate `assets/go-licenses.json` (`make tidy`) and the SVG sprite (`make svg`), gated by an env-level command allowlist.
- Replaces the standalone `cron-flake-updater` workflow — Renovate's nix manager tracks `flake.nix` inputs and produces the same `flake.lock` bump PRs on the regular weekly schedule.
- npm and gomod-replace pins live in `renovate.json5` only; `updates@17.16.3` reads them from there too, so the standalone `updates.config.ts` is gone and one source of truth covers both tools.

Fixes: https://github.com/go-gitea/gitea/issues/33386

Signed-off-by: silverwind <me@silverwind.io>
Signed-off-by: TheFox0x7 <thefox0x7@gmail.com>
Co-authored-by: Claude (Opus 4.6) <noreply@anthropic.com>
Co-authored-by: TheFox0x7 <thefox0x7@gmail.com>
Co-authored-by: Nicolas <bircni@icloud.com>
Co-authored-by: Giteabot <teabot@gitea.io> |
3f3bebda0d |
Update go js dependencies (#37312)
| go | from | to |
| --- | --- | --- |
| github.com/aws/aws-sdk-go-v2/credentials | `1.19.14` | `1.19.15` |
| github.com/aws/aws-sdk-go-v2/service/codecommit | `1.33.12` | `1.33.13` |
| github.com/dlclark/regexp2 | `1.11.5` | `1.12.0` |
| github.com/go-co-op/gocron/v2 | `2.20.0` | `2.21.0` |
| github.com/go-webauthn/webauthn | `0.16.4` | `0.16.5` |

| js | from | to |
| --- | --- | --- |
| @codemirror/view | `6.41.0` | `6.41.1` |
| @primer/octicons | `19.24.0` | `19.24.1` |
| clippie | `4.1.10` | `4.1.14` |
| postcss | `8.5.9` | `8.5.10` |
| rolldown-license-plugin | `2.2.5` | `3.0.1` |
| swagger-ui-dist | `5.32.2` | `5.32.4` |
| vite | `8.0.8` | `8.0.9` |
| @typescript-eslint/parser | `8.58.2` | `8.59.0` |
| @vitest/eslint-plugin | `1.6.15` | `1.6.16` |
| eslint | `10.2.0` | `10.2.1` |
| eslint-plugin-playwright | `2.10.1` | `2.10.2` |
| eslint-plugin-sonarjs | `4.0.2` | `4.0.3` |
| happy-dom | `20.8.9` | `20.9.0` |
| stylelint | `17.7.0` | `17.8.0` |
| typescript | `6.0.2` | `6.0.3` |
| typescript-eslint | `8.58.2` | `8.59.0` |
| updates | `17.15.3` | `17.15.5` |
| vue-tsc | `3.2.6` | `3.2.7` |

Co-authored-by: Nicolas <bircni@icloud.com>
Co-authored-by: silverwind <me@silverwind.io>
Co-authored-by: silverwind <silv3rwind@gmail.com>
Co-authored-by: Claude (Opus 4.7) <noreply@anthropic.com> |
1d25bb22f4 |
Move heatmap to first-party code (#37262)
Replaces `@silverwind/vue3-calendar-heatmap` with an inlined SVG implementation. Renders pixel-identically to `main`, drops the `onMounted` legend viewBox workaround, and uses tippy's `createSingleton` for the hover tooltip. Adds an e2e test for tooltip display.

This is a prereq for migrating tippy.js to [floating-ui](https://github.com/floating-ui/floating-ui) to avoid having two tooltip libs active.

<img width="861" height="168" alt="image" src="https://github.com/user-attachments/assets/99343cf6-6e09-42c7-a80d-63dbf33cf56a" />

---

This PR was written with the help of Claude Opus 4.7

---------

Co-authored-by: Claude (Opus 4.7) <noreply@anthropic.com>
Co-authored-by: Nicolas <bircni@icloud.com> |
2bfaa33347 |
Replace dropzone with @deltablot/dropzone (#37237)
Fix #37228. Using NicolasCARPi/dropzone as short-term solution |
2644bb8490 |
Remove htmx (#37224)
Close #35059

Slightly improved the "fetch action" framework and started adding tests for it.

---------

Signed-off-by: silverwind <me@silverwind.io>
Co-authored-by: silverwind <me@silverwind.io> |
b55528b1a2 |
Update go js py dependencies (#37204)
| go | from | to |
| --- | --- | --- |
| github.com/go-webauthn/webauthn | `0.16.3` | `0.16.4` |
| github.com/meilisearch/meilisearch-go | `0.36.1` | `0.36.2` |
| golang.org/x/crypto | `0.49.0` | `0.50.0` |
| golang.org/x/image | `0.38.0` | `0.39.0` |
| golang.org/x/net | `0.52.0` | `0.53.0` |
| golang.org/x/text | `0.35.0` | `0.36.0` |

| js | from | to |
| --- | --- | --- |
| @primer/octicons | `19.23.1` | `19.24.0` |
| @vitejs/plugin-vue | `6.0.5` | `6.0.6` |
| rolldown-license-plugin | `2.2.0` | `2.2.5` |
| vite | `8.0.7` | `8.0.8` |
| @types/node | `25.5.2` | `25.6.0` |
| @typescript-eslint/parser | `8.58.1` | `8.58.2` |
| @vitest/eslint-plugin | `1.6.14` | `1.6.15` |
| globals | `17.4.0` | `17.5.0` |
| stylelint | `17.6.0` | `17.7.0` |
| typescript-eslint | `8.58.1` | `8.58.2` |
| updates | `17.13.5` | `17.15.3` |
| vitest | `4.1.3` | `4.1.4` |

| py | from | to |
| --- | --- | --- |
| click | `8.3.1` | `8.3.2` |
| json5 | `0.13.0` | `0.14.0` |
| regex | `2026.2.19` | `2026.4.4` |
| tomli | `2.4.0` | `2.4.1` |
 |
04fb6f1c0b |
Replace rollup-plugin-license with rolldown-license-plugin (#37130)
Replace `rollup-plugin-license` and `wrap-ansi` with [`rolldown-license-plugin`](https://github.com/silverwind/rolldown-license-plugin), a zero-dependency plugin with async parallel I/O and built-in word wrapping. - Removes `rollup-plugin-license` (pulls in `lodash`, `moment`) and `wrap-ansi` from the dependency tree - License build time reduced by ~40% (370ms vs 640ms) - Added e2e test for `licenses.txt` Signed-off-by: silverwind <me@silverwind.io> Co-authored-by: Claude (Opus 4.6) <noreply@anthropic.com> |
714f4207d9 |
Update javascript dependencies (#37142)
| | from | to |
| --- | ---- | --- |
| esbuild | `0.27.4` | `0.28.0` |
| katex | `0.16.44` | `0.16.45` |
| postcss | `8.5.8` | `8.5.9` |
| swagger-ui-dist | `5.32.1` | `5.32.2` |
| vite | `8.0.5` | `8.0.7` |
| vue | `3.5.31` | `3.5.32` |
290edc1614 | upgrade vite (#37126) |
3a9cab034b |
Update JS dependencies and misc tweaks (#37064)
- Update all JS deps - Regenerate SVGs - Add new eslint rules from unicorn - Update typescript config for 6.0, remove deprecated options in favor of `strict` with disablements, remove implicit dom libs. - Set vite log level during `watch-frontend` to `warn` to avoid confusing URLs or HMR spam from the dev server to keep the log concise. Overridable via `FRONTEND_DEV_LOG_LEVEL`. Co-authored-by: Claude (Opus 4.6) <noreply@anthropic.com> |
e2e8509239 |
Replace Monaco with CodeMirror (#36764)
- Replace monaco-editor with CodeMirror 6
- Add `--color-syntax-*` CSS variables for all syntax token types, shared by CodeMirror, Chroma and EasyMDE
- Consolidate chroma CSS into a single theme-independent file (`modules/chroma.css`)
- Syntax colors in the code editor now match the code view and light/dark themes
- Code editor is now 12px instead of 14px font size to match code view and GitHub
- Use a global style for kbd elements
- When editing existing files, focus will be on codemirror instead of filename input.
- Keyboard shortcuts are roughly the same as VSCode
- Add a "Find" button, useful for mobile
- Add context menu similar to Monaco
- Add a command palette (Ctrl/Cmd+Shift+P or F1) or via button
- Add clickable URLs via Ctrl/Cmd+click
- Add e2e test for the code editor
- Remove `window.codeEditors` global
- The main missing Monaco features are hover types and semantic rename but these were not fully working because monaco operated only on single files and only for JS/TS/HTML/CSS/JSON.

| | Monaco (main) | CodeMirror (cm) | Delta |
|---|---|---|---|
| **Build time** | 7.8s | 5.3s | **-32%** |
| **JS output** | 25 MB | 14 MB | **-44%** |
| **CSS output** | 1.2 MB | 1012 KB | **-17%** |
| **Total (no maps)** | 23.3 MB | 12.1 MB | **-48%** |

Fixes: #36311
Fixes: #14776
Fixes: #12171

<img width="1333" height="555" alt="image" src="https://github.com/user-attachments/assets/f0fe3a28-1ed9-4f22-bf25-2b161501d7ce" />

---------
Signed-off-by: silverwind <me@silverwind.io>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
Co-authored-by: Giteabot <teabot@gitea.io>
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com>
0ec66b5380 |
Migrate from webpack to vite (#37002)
Replace webpack with Vite 8 as the frontend bundler. Frontend build is around 3-4 times faster than before. Will work on all platforms including riscv64 (via wasm). `iife.js` is a classic render-blocking script in `<head>` (handles web components/early DOM setup). `index.js` is loaded as a `type="module"` script in the footer. All other JS chunks are also module scripts (supported in all browsers since 2018). Entry filenames are content-hashed (e.g. `index.C6Z2MRVQ.js`) and resolved at runtime via the Vite manifest, eliminating the `?v=` cache busting (which was unreliable in some scenarios like vscode dev build). Replaces: https://github.com/go-gitea/gitea/pull/36896 Fixes: https://github.com/go-gitea/gitea/issues/17793 Signed-off-by: silverwind <me@silverwind.io> Signed-off-by: wxiaoguang <wxiaoguang@gmail.com> Co-authored-by: Claude (Opus 4.6) <noreply@anthropic.com> Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com> Co-authored-by: wxiaoguang <wxiaoguang@gmail.com> |
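The commit above says entry filenames are content-hashed and resolved at runtime via the Vite manifest, which replaces `?v=` query-string cache busting. The following Go block is an added example of that lookup, not Gitea's own template helper: it parses a constructed manifest in the shape Vite writes to `.vite/manifest.json`, validates every file path so a corrupted or tampered build artifact cannot point a `<script src>` outside the asset directory, and walks the entry's static imports so shared chunks are emitted once, before the modules that depend on them. The manifest keys (`web_src/js/index.ts`, `_vendor.Dq3x1Abc.js`), the hashes and the `urlPrefix` mount point are all assumptions made for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"path"
	"strings"
)

// ViteManifestEntry holds the fields of a Vite manifest entry needed to
// resolve content-hashed filenames. Field names follow the documented Vite
// manifest format; everything in SampleManifest below is constructed.
type ViteManifestEntry struct {
	File    string   `json:"file"`
	Src     string   `json:"src,omitempty"`
	IsEntry bool     `json:"isEntry,omitempty"`
	CSS     []string `json:"css,omitempty"`
	Imports []string `json:"imports,omitempty"`
}

// ViteManifest maps a source path (or internal chunk name) to its entry.
type ViteManifest map[string]ViteManifestEntry

// ResolvedAssets lists the URLs a template has to emit for one entry point.
type ResolvedAssets struct {
	Scripts []string // module scripts, dependencies before the entry itself
	Styles  []string // stylesheets produced by the entry and its chunks
}

// SampleManifest is a constructed manifest; the hashes and names are made up.
const SampleManifest = `{
  "web_src/js/index.ts": {
    "file": "assets/index.C6Z2MRVQ.js",
    "src": "web_src/js/index.ts",
    "isEntry": true,
    "css": ["assets/index.B1zQ7dXk.css"],
    "imports": ["_vendor.Dq3x1Abc.js"]
  },
  "_vendor.Dq3x1Abc.js": {
    "file": "assets/vendor.Dq3x1Abc.js"
  },
  "web_src/js/iife.ts": {
    "file": "assets/iife.Xy12AbCd.js",
    "src": "web_src/js/iife.ts",
    "isEntry": true
  }
}`

// safeAssetPath rejects manifest paths that are absolute, use backslashes, or
// escape the asset directory. The manifest is a build artifact rather than
// user input, so this is a cheap defensive check against a corrupted build.
func safeAssetPath(p string) bool {
	if p == "" || strings.HasPrefix(p, "/") || strings.Contains(p, "\\") {
		return false
	}
	clean := path.Clean(p)
	return clean == p && clean != ".." && !strings.HasPrefix(clean, "../")
}

// ParseViteManifest decodes the manifest and validates every file path once,
// so that callers can trust whatever ResolveEntry hands back.
func ParseViteManifest(data []byte) (ViteManifest, error) {
	var m ViteManifest
	if err := json.Unmarshal(data, &m); err != nil {
		return nil, fmt.Errorf("vite manifest: %w", err)
	}
	for key, e := range m {
		if !safeAssetPath(e.File) {
			return nil, fmt.Errorf("vite manifest: entry %q has unsafe file path %q", key, e.File)
		}
		for _, c := range e.CSS {
			if !safeAssetPath(c) {
				return nil, fmt.Errorf("vite manifest: entry %q has unsafe css path %q", key, c)
			}
		}
	}
	return m, nil
}

// ResolveEntry returns the hashed URLs for one entry point. Static imports are
// walked depth-first and deduplicated, so a shared chunk appears exactly once
// and before the modules that import it. urlPrefix is the assumed mount point
// of the build output (e.g. "/").
func ResolveEntry(m ViteManifest, entry, urlPrefix string) (ResolvedAssets, error) {
	e, ok := m[entry]
	if !ok {
		return ResolvedAssets{}, fmt.Errorf("vite manifest: unknown entry %q", entry)
	}
	if !e.IsEntry {
		return ResolvedAssets{}, fmt.Errorf("vite manifest: %q is a chunk, not an entry point", entry)
	}
	base := strings.TrimSuffix(urlPrefix, "/") + "/"
	var out ResolvedAssets
	seen := map[string]bool{} // also guards against import cycles
	var walk func(key string) error
	walk = func(key string) error {
		if seen[key] {
			return nil
		}
		seen[key] = true
		ent, found := m[key]
		if !found {
			return fmt.Errorf("vite manifest: %q imports missing chunk %q", entry, key)
		}
		for _, imp := range ent.Imports {
			if err := walk(imp); err != nil {
				return err
			}
		}
		out.Scripts = append(out.Scripts, base+ent.File)
		for _, c := range ent.CSS {
			out.Styles = append(out.Styles, base+c)
		}
		return nil
	}
	if err := walk(entry); err != nil {
		return ResolvedAssets{}, err
	}
	return out, nil
}

func main() {
	m, err := ParseViteManifest([]byte(SampleManifest))
	if err != nil {
		panic(err)
	}
	assets, err := ResolveEntry(m, "web_src/js/index.ts", "/")
	if err != nil {
		panic(err)
	}
	for _, s := range assets.Scripts {
		fmt.Printf("<script type=\"module\" src=\"%s\"></script>\n", s)
	}
	for _, c := range assets.Styles {
		fmt.Printf("<link rel=\"stylesheet\" href=\"%s\">\n", c)
	}
}
```

Because the hash is part of the filename, the resolved URL changes whenever the content does, so long `Cache-Control: max-age` headers are safe on these paths without a query string; the remaining thing to cache-bust is the manifest lookup itself, which should be read fresh on each server start rather than embedded in templates.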
b3c6917463 |
Update JS dependencies (#37001)
- Update all JS dependencies via `make update-js` - `webpack-cli` 6 to 7: remove `--disable-interpret` from Makefile - Fix lint: remove unnecessary type args, `toThrowError` to `toThrow` - Fix duplicate CSS selector detected by `stylelint` 17.6.0 - Change `updates.config.ts` to use `pin`, needed for `tailwindcss` - Pin `typescript` pending typescript-eslint/typescript-eslint#12123 --------- Co-authored-by: Claude (claude-opus-4-6) <noreply@anthropic.com> Co-authored-by: Giteabot <teabot@gitea.io> |
ae0bc0222a |
Update to eslint 10 (#36925)
- Enable a few more rules, fix issues. The 2 `value` issues are false-positives. - Add exact types for `window.pageData` and `window.notificationSettings`. - peerDependencyRules for eslint-plugin-github unrestricted, the plugin works in v10, but does not declare compatibility, pending https://github.com/github/eslint-plugin-github/issues/680. - Added [eslint-plugin-de-morgan](https://github.com/azat-io/eslint-plugin-de-morgan), no violations. --------- Signed-off-by: silverwind <me@silverwind.io> Signed-off-by: wxiaoguang <wxiaoguang@gmail.com> Co-authored-by: Claude (Opus 4.6) <noreply@anthropic.com> Co-authored-by: wxiaoguang <wxiaoguang@gmail.com> Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com> |
28e09ffc67 |
Vendor relative-time-element as local web component (#36853)
Replace the `@github/relative-time-element` npm dependency with a vendored, simplified implementation. - Support 24h format rendering [PR 329](https://github.com/github/relative-time-element/pull/329) - Enable `::selection` styling in Firefox [PR 341](https://github.com/github/relative-time-element/pull/341) - Remove timezone from tooltips (It's always local timezone) - Clean up previous `title` workaround in tippy - Remove unused features - Use native `Intl.DurationFormat` with fallback for older browsers, remove dead polyfill - Add MIT license header to vendored file - Add unit tests - Add dedicated devtest page for all component variants --------- Signed-off-by: silverwind <me@silverwind.io> Co-authored-by: Claude claude-opus-4-6 20250630 <noreply@anthropic.com> |
6e7bc1e635 |
Update JS deps (#36850)
Gets rid of all open vulns except https://github.com/microsoft/monaco-editor/issues/5248. Cursorily tested, works. --------- Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com> Co-authored-by: Giteabot <teabot@gitea.io> |
9c2c9c5a00 | upgrade to github.com/cloudflare/circl 1.6.3, svgo 4.0.1, markdownlint-cli 0.48.0 (#36837) |
9fe5b70e3e |
build(deps): update material-icon-theme v5.32.0 (#36832)
Updated https://github.com/material-extensions/vscode-material-icon-theme to v5.32.0 and ran `make svg && git add --all` |
553277b0be | upgrade minimatch (#36760) |
fed2d81e88 |
Update JS and PY deps (#36708)
`colord` reordered in package.json, otherwise just maintenance updates. |
91dc737a35 |
Replace tinycolor2 with colord (#36673)
[`colord`](https://github.com/omgovich/colord) is significantly smaller than [`tinycolor2`](https://github.com/bgrins/TinyColor) (~4KB vs ~29KB minified) and ships its own TypeScript types, removing the need for `@types/tinycolor2`. Behaviour is exactly the same for our use cases. By using `.alpha(1)` we force the function to always output 6-digit hex format (it would output 8-digit for non-opaque colors). --------- Signed-off-by: silverwind <me@silverwind.io> Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com> |
5e9b9b33d1 |
Clean up Makefile, tests and legacy code (#36638)
This simplifies the Makefile by removing the whole-file wrapping that creates a tempdir introduced by https://github.com/go-gitea/gitea/pull/11126. REPO_TEST_DIR is removed as well. Also clean up a lot of legacy code: unnecessary XSS test, incorrect test env init, unused "_old_uid" hack, etc Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com> Co-authored-by: wxiaoguang <wxiaoguang@gmail.com> |
ddacefa5d6 |
Update JS deps (#36656)
Fixes a [security issue in mermaid](https://github.com/mermaid-js/mermaid/issues/7345), tested mermaid and asciinema. |
2d70d37bff |
Update JS and PY deps (#36576)
eslint v10 is excluded from updates because the plugins are not compatible yet. |
49e6d5f6d6 |
Add elk layout support to mermaid (#36486)
Fixes: https://github.com/go-gitea/gitea/issues/34769 This allows the user to opt-in to using `elk` layouts using either YAML frontmatter or `%%{ init` directives inside the markup code block. The default layout is not changed. --------- Signed-off-by: silverwind <me@silverwind.io> Co-authored-by: wxiaoguang <wxiaoguang@gmail.com> |
7292ae1ed5 |
Update JS deps, remove knip, misc tweaks (#36499)
- Update all JS deps - Enable a few more stylelint stylistic rules and fix issues - Remove knip, it raised another false-positive, this tool is not worth it when you have to babysit it like that - Exclude @eslint/json from updating as it requires unreleased eslint 10 ([ref](https://github.com/eslint/json/issues/207)) - Update labeler config for new eslint filenames - Adjust `make help` output - Add type checking in `stylelint.config.ts` |
4c8f6dfa4e |
Support rendering OpenAPI spec (#36449)
Fix #20852 |
12a81d38c1 |
Add knip linter (#36442)
This adds [knip](https://github.com/webpro-nl/knip), a tool to find unused files, dependencies and exports in JS. Fixed all discovered issues. 1. knip apparently has some issue resolving imports from `d.ts` to `.ts` so I worked around it by moving the two affected types to where they are used. 2. I don't know why `modules/fomantic/dropdown.ts` had a new typescript error, but I fixed it. 3. Use named export for `EsbuildPlugin`, I think this was added recently. |
5925433fe6 |
Update JS dependencies, adjust webpack config, misc fixes (#36431)
1. Upgrade to [jQuery 4.0](https://blog.jquery.com/2026/01/17/jquery-4-0-0/). Two of the removed APIs are in use by fomantic, but there are [polyfills present](https://github.com/go-gitea/gitea/blob/a3a3e581aa387969ce6410ab54c4775e9023ec40/web_src/fomantic/build/components/dropdown.js#L15-L17) so it continues to work.
2. Remove manual naming of webpack chunks. I was running into below webpack error and I see no reason for this manual chunk naming which is prone to naming collisions. Also, the webpack build now shows all output assets. This change will result in longer asset filenames, but webpack should now be able to guarantee that the names are without collisions.
   ```
   ERROR in SplitChunksPlugin
   Cache group "defaultVendors" conflicts with existing chunk.
   Both have the same name "--------" and existing chunk is not a parent of the selected modules.
   Use a different name for the cache group or make sure that the existing chunk is a parent (e. g. via dependOn).
   HINT: You can omit "name" to automatically create a name.
   BREAKING CHANGE: webpack < 5 used to allow to use an entrypoint as splitChunk. This is no longer allowed when the entrypoint is not a parent of the selected modules.
   Remove this entrypoint and add modules to cache group's 'test' instead. If you need modules to be evaluated on startup, add them to the existing entrypoints (make them arrays). See migration guide of more info.
   ```
3. Fix test issue related to `p > div` which is invalid as per HTML spec because `div` is not [phrasing content](https://html.spec.whatwg.org/multipage/dom.html#phrasing-content-2) and therefore can not be a descendant of `p`. This is related to https://github.com/capricorn86/happy-dom/pull/2007.
4. Add webpack globals
5. Remove obsolete docs glob
6. fix security issue for `seroval` package
7. disable [vitest isolate](https://vitest.dev/config/isolate.html) for 30% faster JS tests, which are all pure.
2f377e8552 | Update material-icon-theme to v5.31.0 (#36427) |
49edbbbc2e |
Update JS and PY deps (#36383)
- Update JS and PY dependencies - Workaround https://github.com/stylelint/stylelint/issues/8893 by moving the stylelint config file to JS - Regenerate SVGs - Bump to python 3.14 in devcontainer and actions - Verified `@github/text-expander-element` - Removed obsolete type stub |
2859b0602a |
Update JS deps (#36354)
- Update all JS deps - Regenerate SVGs - Enable new lint rules and fix issues - Tested affected dependencies |
16aa0fcc98 |
Add date to "No Contributions" tooltip (#36190)
Fixes https://github.com/go-gitea/gitea/issues/36188 via https://github.com/silverwind/vue3-calendar-heatmap/commit/52bbfd7a15bb3ebbedcaae4d1f792dc3e4acc221. Before: <img width="183" height="92" alt="Screenshot 2025-12-18 at 16 50 18" src="https://github.com/user-attachments/assets/f06ca7d6-a141-499f-b6da-e46064a44846" /> After: <img width="292" height="78" alt="Screenshot 2025-12-18 at 17 08 36" src="https://github.com/user-attachments/assets/b80f7391-7960-44ad-8184-ffab4c9a4ea7" /> If there will be more changes in the future, we should vendor this module. Co-authored-by: Giteabot <teabot@gitea.io> |
b915e6908c |
Add JSON linting (#36192)
Uses https://github.com/eslint/json to lint all JSON and JSONC files in the repo. |
ad49b7bf31 |
Update JS deps and eslint enhancements (#36147)
- Update all JS deps - Tested affected `dependencies` - Replace eslint `unstable_native_nodejs_ts_config` with optional `jiti` dependency. This will be more compatible with editor integrations that may not pass this flag. - Enable additional eslint rules, no new issues - Move `typescript` to `devDependencies` because `make frontend` works without it |
0e916c67cc |
Automatic generation of release notes (#35977)
Similar to GitHub, release notes can now be generated automatically. The generator is server-side and gathers the merged PRs and contributors and returns the corresponding Markdown text. --------- Co-authored-by: wxiaoguang <wxiaoguang@gmail.com> |
ca8c4ebecd |
Update JS deps (#36091)
Result of `make update-js svg && git add --all`. Tested Mermaid. Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com> |
9668913d76 |
Update JS deps, fix deprecations (#36040)
- Update JS deps - Regenerate SVGs - Fix air `bin` deprecation - Fix `monaco.languages.typescript` deprecation - Remove `eslint-plugin-no-use-extend-native`, it's unnecessary with typescript - Enable new `@typescript-eslint` rules - Disable `@typescript-eslint/no-redundant-type-constituents`, this rule has bugs when not running under `strictNullChecks` (pending in https://github.com/go-gitea/gitea/pull/35843). |
1baca49870 |
Update JS deps (#35978)
Update JS deps, regenerate SVGs, fixed lint issues and did cursory testing of UI. |
d69eede59b |
Update JS dependencies (#35759)
- Update all JS dependencies - Added new unicorn rules - `updates` now also supports updating `packageManager` and `engines`, and I see no reason not to do that, so I think we can try keeping these updated as well. If something in the build breaks because of this, I will revert and exclude `pnpm` from updating further, but as far as I understand, only corepack respects this field and pnpm itself does not care about it. - Regenerate SVGs. |
cab35ff17a |
Update dependencies (#35733)
- Update all JS, Python and Makefile dependencies - Fixed two new go lint issues - Tested the affected JS dependencies. |
990201dc93 |
Bump happy-dom from 20.0.0 to 20.0.2 (#35677)
Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com> |
49a0a11f55 |
Update JS deps, misc tweaks (#35643)
- Update all JS dependencies - Enable eslint `no-useless-assignment` and fix 2 discovered issues - Replace `gitea-vscode` svg with new `octicon-vscode` - Remove now-unused `@ts-expect-error` comments - Change Monaco wrapping behaviour to match the wrapping in code view: no wrapping indent and break on any character. |
24a595c3fc | Bump happy-dom from 19.0.2 to 20.0.0 (#35625) |