
fix(docs-site): bump mermaid 11.14.0 → 11.15.0 (CVE-2026-41148/49/59) #521

Merged: userFRM merged 1 commit into `main` from `fix/mermaid-cve-bump` on May 12, 2026

Conversation

@userFRM (Owner) commented May 12, 2026

Summary

Closes three GitHub Dependabot security alerts on `docs-site/package-lock.json`:

| Alert | CVE | GHSA | Type |
|-------|-----|------|------|
| #4 | CVE-2026-41148 | GHSA-xcj9-5m2h-648r | CSS injection via `classDefs` in diagrams |
| #5 | CVE-2026-41159 | GHSA-87f9-hvmw-gh4p | CSS injection via diagram configuration |
| #6 | CVE-2026-41149 | GHSA-ghcm-xqfw-q4vr | HTML injection via `classDef` in state diagrams |

All fixed upstream in mermaid 11.15.0. Vulnerable range: `>= 11.0.0-alpha.1, <= 11.14.0`. We pinned `^11.14.0`; bump to `^11.15.0`.

Change

  • `docs-site/package.json` mermaid pin: `^11.14.0` → `^11.15.0`.
  • `docs-site/package-lock.json` regenerated.

Test plan

  • `npm install` reports `found 0 vulnerabilities`.
  • `npx vitepress build docs` succeeds (16.93s).
  • Mermaid-diagram-bearing pages (architecture / streaming / quickstart) render after the bump.

Three GitHub Dependabot alerts on `docs-site/package-lock.json`:

- CVE-2026-41148 / GHSA-xcj9-5m2h-648r — CSS injection via
  `classDefs` in diagram definitions.
- CVE-2026-41149 / GHSA-ghcm-xqfw-q4vr — HTML injection via
  `classDef` in state diagrams.
- CVE-2026-41159 / GHSA-87f9-hvmw-gh4p — CSS injection via
  diagram configuration.

All fixed upstream in mermaid 11.15.0. `docs-site/package.json` was
pinned to `^11.14.0`; bump to `^11.15.0`. `npm audit` after the bump
reports `found 0 vulnerabilities`. `npx vitepress build docs` still
renders every page (16.93s) so no regression in the diagram surface
the docs use.
@userFRM userFRM merged commit c57bea2 into main May 12, 2026
33 checks passed
@userFRM userFRM deleted the fix/mermaid-cve-bump branch May 12, 2026 10:33
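A bump of the `^11.14.0` pin in `package.json` only takes effect once the lockfile is regenerated, and a nested copy (`node_modules/<plugin>/node_modules/mermaid`) pulled in by another dependency is not covered by the top-level pin at all. The following is an added example, not code from this PR or the project: it walks the `packages` map of an npm lockfile (lockfileVersion 2/3) and reports every resolved copy of a package whose version falls inside the advisory's inclusive vulnerable range `>= 11.0.0-alpha.1, <= 11.14.0`, using semver 2.0.0 precedence so that prerelease versions compare correctly. The lockfile fragment embedded below is constructed for the example.

```javascript
// Added example, not part of the PR or the project. Inclusive vulnerable range
// taken from the advisories quoted in the PR description.
const VULNERABLE_RANGE = { min: '11.0.0-alpha.1', max: '11.14.0' };

// Parse "MAJOR.MINOR.PATCH[-prerelease][+build]"; build metadata is ignored.
function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(v);
  if (!m) throw new Error(`not a semver version: ${v}`);
  return {
    core: [Number(m[1]), Number(m[2]), Number(m[3])],
    pre: m[4] ? m[4].split('.') : null,
  };
}

// Semver 2.0.0 precedence: numeric core first; a release outranks any
// prerelease of the same core; prerelease identifiers compare pairwise
// (numeric < alphanumeric, numerics by value, shorter list < longer list).
function compareSemver(a, b) {
  const pa = parseSemver(a), pb = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (pa.core[i] !== pb.core[i]) return pa.core[i] < pb.core[i] ? -1 : 1;
  }
  if (!pa.pre && !pb.pre) return 0;
  if (!pa.pre) return 1;
  if (!pb.pre) return -1;
  const n = Math.max(pa.pre.length, pb.pre.length);
  for (let i = 0; i < n; i++) {
    const x = pa.pre[i], y = pb.pre[i];
    if (x === undefined) return -1;
    if (y === undefined) return 1;
    const xn = /^\d+$/.test(x), yn = /^\d+$/.test(y);
    if (xn && yn) {
      if (Number(x) !== Number(y)) return Number(x) < Number(y) ? -1 : 1;
    } else if (xn) {
      return -1;
    } else if (yn) {
      return 1;
    } else if (x !== y) {
      return x < y ? -1 : 1;
    }
  }
  return 0;
}

// True when `version` lies inside the inclusive [min, max] advisory range.
function isVulnerable(version, range = VULNERABLE_RANGE) {
  return compareSemver(version, range.min) >= 0 && compareSemver(version, range.max) <= 0;
}

// Every resolved copy of `name` in the lockfile, top-level or nested under
// another package's node_modules, whose version is in the vulnerable range.
function findVulnerableCopies(lockfile, name, range = VULNERABLE_RANGE) {
  const packages = lockfile.packages || {};
  const hits = [];
  for (const [path, entry] of Object.entries(packages)) {
    const isCopy = path === `node_modules/${name}` || path.endsWith(`/node_modules/${name}`);
    if (isCopy && entry.version && isVulnerable(entry.version, range)) {
      hits.push({ path, version: entry.version });
    }
  }
  return hits;
}

// Constructed lockfile fragment (hypothetical plugin name): the top-level
// mermaid is bumped, but a nested copy is still on 11.14.0.
const SAMPLE_LOCKFILE = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'docs-site', dependencies: { mermaid: '^11.15.0' } },
    'node_modules/mermaid': { version: '11.15.0' },
    'node_modules/some-plugin': { version: '1.0.0', dependencies: { mermaid: '^11.0.0' } },
    'node_modules/some-plugin/node_modules/mermaid': { version: '11.14.0' },
  },
};

// Usage: returns the list of vulnerable copies; empty means the bump landed everywhere.
function checkSampleLockfile() {
  return findVulnerableCopies(SAMPLE_LOCKFILE, 'mermaid');
}
```

Run against a real `docs-site/package-lock.json` by replacing `SAMPLE_LOCKFILE` with `JSON.parse(fs.readFileSync(path))`; a non-empty result means `npm audit`'s clean report should be double-checked, since the nested copy is exactly the case a top-level pin does not fix.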