
fix: bump mermaid to ^11.15.0 to address 4 security advisories #33

Open

polvallverdu wants to merge 1 commit into beynar:master from polvallverdu:fix/mermaid-security-vulnerabilities

Conversation

polvallverdu commented Jun 17, 2026

Closes #32

What

Bumps the mermaid dependency lower bound from ^11.11.0 to ^11.15.0, which resolves four moderate-severity security advisories:

| Advisory | Description |
|---|---|
| GHSA-ghcm-xqfw-q4vr | classDef in state diagrams → HTML injection |
| GHSA-xcj9-5m2h-648r | classDefs → CSS injection |
| GHSA-87f9-hvmw-gh4p | Configuration sanitization → CSS injection |
| GHSA-6m6c-36f7-fhxh | Gantt Charts infinite loop DoS |

All four are patched in mermaid ≥ 11.15.0. The lockfile has been updated accordingly.

Why this matters

Because mermaid is shipped as a direct (non-peer) dependency, downstream consumers inherit the vulnerability and cannot easily override it. Running pnpm audit in any project that depends on svelte-streamdown currently surfaces all four advisories.

Summary by CodeRabbit

  • Chores
    • Updated mermaid dependency to the latest compatible version for enhanced stability and performance.
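An added illustration of the "Why this matters" point above (example code written for this page, not part of the PR or of svelte-streamdown): a package manager keeps a lockfile's pinned mermaid version as long as that pin still satisfies the declared range, so a consumer that locked 11.11.0 keeps it under ^11.11.0 and is only forced onto the patched line once the lower bound is raised to ^11.15.0. Only `^x.y.z` ranges with a non-zero major are modelled, and the scenario versions are constructed.

```javascript
// Added illustration, not code from the PR or from svelte-streamdown.
// Only `^x.y.z` ranges with a non-zero major are modelled; no semver library is used.

const PATCHED_FLOOR = "11.15.0"; // lowest mermaid release covering the four advisories

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return m.slice(1).map(Number);
}

// Returns -1, 0 or 1 comparing two x.y.z versions numerically.
function compareVersions(a, b) {
  const [x, y] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  }
  return 0;
}

// Caret semantics for major >= 1: version >= floor and same major.
function satisfiesCaret(range, version) {
  if (!range.startsWith("^")) throw new Error(`only caret ranges supported: ${range}`);
  const floor = range.slice(1);
  if (parseVersion(floor)[0] === 0) throw new Error("0.x caret ranges not modelled");
  return compareVersions(version, floor) >= 0 &&
    parseVersion(version)[0] === parseVersion(floor)[0];
}

// A package manager keeps the lockfile's pinned version while it still satisfies
// the declared range. The consumer stays exposed when that pin is kept AND it is
// below the patched floor; raising the range's lower bound breaks the first condition.
function lockedVersionStaysVulnerable(range, lockedVersion, patched = PATCHED_FLOOR) {
  return satisfiesCaret(range, lockedVersion) && compareVersions(lockedVersion, patched) < 0;
}

// Constructed scenario: a consumer whose lockfile pinned mermaid 11.11.0.
function demo() {
  return {
    withOldRange: lockedVersionStaysVulnerable("^11.11.0", "11.11.0"),   // true: pin kept, still vulnerable
    withBumpedRange: lockedVersionStaysVulnerable("^11.15.0", "11.11.0"), // false: pin rejected, re-resolved
  };
}
```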

coderabbitai Bot commented Jun 17, 2026

No actionable comments were generated in the recent review. 🎉

Recent review info

📥 Commits

Reviewing files that changed from the base of the PR and between 91519f7 and af6f16c.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (1)
  • package.json

Walkthrough

The mermaid dependency in package.json is bumped from ^11.11.0 to ^11.15.0. This is a single-line change with no other modifications to package metadata, scripts, or other dependency entries.

Changes

Mermaid Dependency Bump

| Layer / File(s) | Summary |
|---|---|
| Bump mermaid ^11.11.0 → ^11.15.0 (package.json) | The mermaid semver range is updated to exclude versions below 11.15.0, which carry four moderate CVEs (HTML injection, CSS injection, and Gantt chart DoS). |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Poem

🐇 A bunny hopped through the dependency tree,
Spotted some CVEs — oh, how scary!
"Bump mermaid up high!" the rabbit did say,
From .11.0 to .15.0 today.
No more injections, no infinite loops —
Secure little diagrams, hip-hip-hoops! 🎉

Pre-merge checks (5 passed)

| Check name | Status | Explanation |
|---|---|---|
| Description Check | Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | Passed | The title directly matches the main change: bumping mermaid to ^11.15.0 to fix security vulnerabilities. |
| Linked Issues check | Passed | The PR fulfills issue #32 by updating package.json mermaid dependency from ^11.11.0 to ^11.15.0, addressing all four documented CVEs. |
| Out of Scope Changes check | Passed | The PR contains only the scoped change of updating the mermaid version constraint; no unrelated modifications are present. |
| Docstring Coverage | Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |


Development

Successfully merging this pull request may close these issues.

Security: mermaid dependency has 4 moderate CVEs (upgrade to >=11.15.0)