Upgrade mermaid to 8.12 or even 9?

[rethab]

Hi, in package.json, you're saying mermaid needs to be lower than 8.12. Is there a reason for that?

The reason I'd like to avoid mermaid 8.11.X is that it brings @percy/migrate as a regular dependency, which in turn depends on colors at version 1.4.2.

With 8.12 that dependency was moved to devDependencies: mermaid-js/mermaid#2260

If you need help with this, I'd be happy to assist.

[marikaner]

@sjwall This would be much appreciated because mermaid has two security vulnerabilities before version 9.1.2.

[BenjaminEHowe]

This issue seems to be related to #51.

[austince]

As @marikaner mentioned, there's a couple security issues:

• cross-site scripting vulnerability: GHSA-p3rp-vmj9-gv6v
  • HIGH severity
  • 8.13.8 is the first version to contain a fix
• CSS injection GHSA-x3vm-38hw-55wf
  • medium severity
  • 9.1.2 is the first version to contain a fix

Perhaps we can target 8.13.8 first? What is necessary for the fix, upgrading the tsc config?

[rethab]

Until this gets upgraded, or even integrated into docusaurus officially, this is how you can force a new version of mermaid in your package.json:

  "overrides": {
    "mermaid": "^8.12.0"
  },

[sjwall]

This will be fixed by #18 and I am looking into getting this out in the next couple of weeks

The reason for the mermaid version selection is documented here https://sjwall.github.io/mdx-mermaid/docs/mermaid-versions/

[sjwall]

This is resolved with release v2.0.0-rc1. I'll promote to v2.0.0 in a week or so if there are no bugs reported

[sjwall]

For use with Docusaurus this is resolved in v1.3.0