Update packages to fix vulnerabilities #3712
Conversation
github-actions
bot
added
the
Discussion
CalebUsadi
force-pushed
the
fix/3705_package_updates
branch
2 times, most recently
from
447215f to
309a137
Compare
|
Thanks, this is an important fix, if this can be merged, that would be great |
|
@CalebUsadi can you resolve the conflicts? |
There was a problem hiding this comment.
This won't fix the npm audit security warnings for people that npm install mermaid, e.g. #3705 will NOT be fixed.
To fix that, we'd need to replace dagre-d3 with a version that has updated dependencies (maybe https://www.npmjs.com/package/dagre-d3-es ?). This is because downstream users won't see the pnpm.overrides bit in our package.json, or even if they do, npm/yarn will ignore it.
However, this PR should still fix bundle vulnerabilities.
|
Seems like
Raised tbo47/dagre-es#5 |
* develop: (62 commits) chore(docs): Update live editor links update user story link chore(deps): update all non-major dependencies chore(deps): update all non-major dependencies docs(git): Regenerate docs(git): Add a quoted branch name example feat(gantt): Add option 'tickInterval' for custom tick interval chore: Update bug report template fix(git): Support quoted branch names Convert attr to classed Convert attr to style Ensure example code and rendered output are synced Change fill attribute to style. chore(deps): update all non-major dependencies chore(deps): pin dependencies fix: Add default arg to options Color fix for default nodes in mindmap, line uses inv color add basic render (cypress) test for classDiagram-v2 too add basic render (cypress test for notes add renedering (cypress) tests ...
…fix/3705_package_updates
I've just tested it, and it does export all the functions we need, although the import paths are a bit different. See #3809 for a working version. We have to import each function individually, which is actually better, since then ESM/tree-shaking can occur to reduce our bundle sizes. E.g.: // before
import dagreD3 from 'dagre-d3';
dagreD3.intersect.polygon(node, points, point);
// after
import { intersectPolygon } from 'dagre-d3-es/src/dagre-js/intersect/intersect-polygon';
intersectPolygon(node, points, point); |
I think it will solve your problem https://github.com/tbo47/dagre-es/pull/6/files Do you mind testing by manually copy and paste the modifications in my PR into your local If it solves your problem I will merge and release a new version. This should work: import dagreD3 from 'dagre-d3-es';
dagreD3.intersect.polygon(node, points, point); |
📑 Summary
Update
parse-urlandd3packages to fix security vulnerabilities.Resolves #3705