
chore(deps): update dependency mermaid to v11.15.0 [security]#1745

Merged
renovate[bot] merged 1 commit into
mainfrom
renovate/npm-mermaid-vulnerability
Jun 2, 2026

Conversation


@renovate renovate Bot commented Jun 2, 2026


This PR contains the following updates:

| Package | Change |
| --- | --- |
| mermaid | 11.13.0 -> 11.15.0 |

Mermaid: Improper sanitization of classDef in state diagrams leads to HTML injection

CVE-2026-41149 / GHSA-ghcm-xqfw-q4vr

Details

Impact

Under the default configuration, Mermaid state diagram's classDef allows DOM injection that escapes the SVG, although <script> tags are removed, preventing XSS.

Proof-of-concept

```mermaid
stateDiagram-v2
  classDef xss fill:red</style></svg><style>*{x:x;y:y;overflow:visible!important;contain:none!important;transform:none!important;filter:none!important;clip-path:none!important}</style><div style="x:x;y:y;color:red;font:5em/1 monospace;display:grid;place-items:center;z-index:2147483647;width:100vw;height:100vh;position:fixed;top:0;left:0;background:black">HACKED</div><svg><style>a:b
  [*] --> A:::xss
```
Patches
Workarounds

If you cannot update to a patched version, setting "securityLevel": "sandbox" will prevent this by rendering the mermaid diagram in a sandboxed <iframe>.

Credits

Thanks to @​zsxsoft from @​KeenSecurityLab for reporting this vulnerability.

Severity

  • CVSS Score: 5.3 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Mermaid: Improper sanitization of classDefs in diagrams leads to CSS injection

CVE-2026-41148 / GHSA-xcj9-5m2h-648r

Details

The state diagram and any other diagram type that routes user-controlled style strings through createCssStyles parser for Mermaid v11.14.0 and earlier captures classDef values with an unrestricted regex:

```
// packages/mermaid/src/diagrams/state/parser/stateDiagram.jison:83
<CLASSDEFID>[^\n]*   { this.popState(); return 'CLASSDEF_STYLEOPTS' }
```

The value passes unsanitized through addStyleClass() -> createCssStyles() -> style.innerHTML (mermaidAPI.ts:418). A } in the value closes the generated CSS selector, and everything after becomes a new CSS rule on the page.

PoC

```mermaid
stateDiagram-v2
      classDef x }*{ background-image: url("http://media.giphy.com/media/SggILpMXO7Xt6/giphy.gif")}
```

Live demo:
https://mermaid.live/edit#pako:eNpFjzFvgzAQhf-KdVNbEcBgMHhtlkqtOnSJKi8ONsYKBmRMlRTx3-skanvTfbp7996t0IxSAYPZC6_2Rmgn7O4rQ00v5nmvWnRG29OKjqI5aTcug9wZK7RiaHH9A4fO-4kliVXSiFibqbvEzWjvnHxo_fI6vR3e6cGXyX2qTcvhcYMItDMSmHeLisAqZ8UVYeUDQhx8p6ziwEIrhTtx4MNVM4nhcxztrywE0h2wVvRzoGWS_z_8rahBKvcckntgmN5OAFvhDIzUNCZZQXCR5nVaZkUEF2BVFpOcEkoxxhUuyRbB980yjStapKHqoKFlhvPtB7BFZEU

Patches

This has been patched in:

Workarounds

Setting "securityLevel": "sandbox" will prevent this, by rendering the mermaid diagram in a sandboxed <iframe>.

Impact

Enables page defacement, user tracking via url() callbacks, and DOM attribute exfiltration via CSS :has() selectors.

Severity

  • CVSS Score: 5.3 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Mermaid: Improper sanitization of configuration leads to CSS injection

CVE-2026-41159 / GHSA-87f9-hvmw-gh4p

Details

Impact

Mermaid's default configuration allows injecting CSS that applies outside of the Mermaid diagram via the fontFamily, themeCSS, and altFontFamily configuration options.

Live demo: mermaid.live

Example code:

```mermaid
%%{init: {"fontFamily": "x;a{b} :not(&){background:green !important} c{d}"}}%%
flowchart LR
    A --> B
```

The injected CSS exploits stylis's & (scope reference) handling. :not(&) escapes the #mermaid-xxx automatic scoping, applying styles to all page elements. Global at-rules (@font-face, @keyframes, @counter-style) are also injectable as stylis hoists them to top level.

This allows page defacement and DOM attribute exfiltration via CSS :has() selectors.

Patches
Workarounds

If you can't upgrade mermaid, you can set the secure config value in the mermaid config to avoid allowing diagrams to modify fontFamily, themeCSS, altFontFamily, and themeVariables.

Setting "securityLevel": "sandbox" will also prevent this.

Credits

Reported by @​zsxsoft on behalf of @​KeenSecurityLab

Severity

  • CVSS Score: 5.3 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Mermaid Gantt Charts are vulnerable to an Infinite Loop DoS

CVE-2026-41150 / GHSA-6m6c-36f7-fhxh

Details

Impact

Mermaid v11.14.0 and earlier are vulnerable to a denial-of-service attack when rendering gantt charts, if they use the excludes attribute to exclude all dates.

Example:

```mermaid
gantt
  excludes monday,tuesday,wednesday,thursday,friday,saturday,sunday
  DoS :2025-01-01, 1d
```

mermaid.parse is unaffected, unless you then call the ganttDb.getTasks() (which is called when rendering a diagram).

Patches

This has been patched in:

Workarounds

There are no workarounds available without updating to a newer version of mermaid.

Severity

  • CVSS Score: 5.3 / 10 (Medium)
  • Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Release Notes

mermaid-js/mermaid (mermaid)

v11.15.0

Compare Source

Minor Changes
  • #​7174 0aca217 Thanks @​milesspencer35! - feat(sequence): Add support for decimal start and increment values in the autonumber directive

  • #​7512 8e17492 Thanks @​aruncveli! - feat(flowchart): add datastore shape

    In Data flow diagrams, a datastore/warehouse/file/database is used to represent data persistence. It is denoted by a rectangle with only top and bottom borders, and can be used in flowcharts with A@{ shape: datastore, label: "Datastore" }.

  • #​6440 9ad8dde Thanks @​yordis, @​lgazo! - feat: add Event Modeling diagram

  • #​7707 27db774 Thanks @​txmxthy! - feat(architecture): expose four fcose layout knobs for architecture-beta diagrams (nodeSeparation, idealEdgeLengthMultiplier, edgeElasticity, numIter) so authors can tune layout density and spread overlapping siblings without changing diagram source

  • #​7604 bf9502f Thanks @​M-a-c! - feat(class): add nested namespace support for class diagrams via dot notation and syntactic nesting

    If you have namespaces in class diagrams that use .s already and want to render them without nesting (≤v11.14.0 behaviour), you can set class.hierarchicalNamespaces=false in your mermaid config:

    ```yaml
    config:
      class:
        hierarchicalNamespaces: false
    ```
  • #​7272 88cdd3d Thanks @​xinbenlv! - feat(sankey): add outlined label style, configurable nodeWidth/nodePadding, and custom node colors

Patch Changes
  • #​7737 e9b0f34 Thanks @​ashishjain0512! - fix: prevent unbalanced CSS styles in classDefs

  • #​7737 37ff937 Thanks @​ashishjain0512! - fix: create CSS styles using the CSSOM

    This removes some invalid CSS and normalizes some CSS formatting.

  • #​7508 bfe60cc Thanks @​biiab! - fix(stateDiagram): end note now only closes a note when used on a new line

  • #​7737 faafb5d Thanks @​ashishjain0512! - fix(gantt): add iteration limit for excludes field

  • #​7737 65f8be2 Thanks @​ashishjain0512! - fix: disallow some CSS at-rules in custom CSS

  • #​7726 1502f32 Thanks @​aloisklink! - fix(wardley): fix unnecessary sanitization of text

  • #​7578 1f98db8 Thanks @​Gaston202! - fix(class): self-referential class multiplicity labels no longer rendered multiple times

    Fixes #​7560. Resolves an issue where cardinality labels on self-referential class relationships were rendered three times due to edge splitting in the dagre layout. The fix ensures that each sub-edge only carries its relevant label positions.

  • #​7592 2343e38 Thanks @​knsv-bot! - fix(sequence): add background box behind alt/else section title labels in sequence diagrams

  • #​7589 7fb9509 Thanks @​NYCU-Chung! - fix(block): prevent column widths from shrinking when mixing different column spans

  • #​7632 3f9e0f1 Thanks @​ekiauhce! - fix(sequence): correct messageAlign label position for right-to-left arrows in sequence diagrams

  • #​7642 7a8fb85 Thanks @​tractorjuice! - fix(wardley): allow hyphens in unquoted component names

    Multi-word names containing hyphens — e.g. real-time processing, end-user, on-call engineer — now parse without quoting, bringing the grammar in line with the OnlineWardleyMaps (OWM) convention. A->B (no-space arrow) still tokenises correctly.

  • #​7523 5144ed4 Thanks @​darshanr0107! - fix(block): Arrow blocks in block-beta diagrams not spanning the specified number of columns when using :n syntax.

  • #​7262 13d9bfa Thanks @​darshanr0107! - fix(block): Ensure block diagram hexagon blocks respect column spanning syntax

  • #​7684 e14bb88 Thanks @​aloisklink! - fix: loosen uuid dependency range to allow v14

    Mermaid does not use any of the vulnerable code in CVE-2026-41907,
    but this allows users to silence any npm audit alerts on it.

  • #​7633 9217c0d Thanks @​Felix-Garci! - fix(block): add support for all arrow types in block diagrams

  • #​7587 5e7eb62 Thanks @​MaddyGuthridge! - chore: drop lodash-es in favour of es-toolkit

  • #​7693 afaf306 Thanks @​dull-bird! - fix(quadrant-chart): allow CJK, emoji, Latin-1 accented characters, and other non-ASCII text in unquoted axis/quadrant/point labels.

    Previously the lexer only matched ASCII [A-Za-z]+ for text tokens, even though the grammar referenced UNICODE_TEXT. Bare Chinese, Japanese, Korean, emoji, and accented Latin characters in labels caused a parse error. Added a [^\x00-\x7F]+ lexer rule to emit UNICODE_TEXT and included it in the alphaNumToken grammar rule.

    Fixes #​7120.

  • #​7737 4755553 Thanks @​ashishjain0512! - fix: improve D3 types for mermaidAPI funcs

  • #​7737 6476973 Thanks @​ashishjain0512! - fix: handle & when namespacing CSS rules

  • #​7520 8c1a0c1 Thanks @​RodrigojndSantos! - fix(stateDiagram): comments starting with one % are no longer treated as comments

    Switch to using two %% if you want to write a comment.

  • Updated dependencies [7a8fb85, 675a64c]:

v11.14.0

Compare Source

Thanks to our awesome mermaid community that contributed to this release: @​ashishjain0512, @​tractorjuice, @​autofix-ci[bot], @​aloisklink, @​knsv, @​kibanana, @​chandershekhar22, @​khalil, @​ytatsuno, @​sidharthv96, @​github-actions[bot], @​dripcoding, @​knsv-bot, @​jeroensmink98, @​Alex9583, @​GhassenS, @​omkarht, @​darshanr0107, @​leentaylor, @​lee-treehouse, @​veeceey, @​turntrout, @​Mermaid-Chart, @​BambioGaming, Claude

Releases

@​mermaid-js/examples@​1.2.0

Minor Changes

mermaid@​11.14.0

Minor Changes
  • #​7526 efe218a - Add Wardley Maps diagram type (beta)

    Adds Wardley Maps as a new diagram type to Mermaid (available as wardley-beta). Wardley Maps are visual representations of business strategy that help map value chains and component evolution.

    Features:

    • Component positioning with [visibility, evolution] coordinates (OWM format)
    • Anchors for users/customers
    • Multiple link types: dependencies, flows, labeled links
    • Evolution arrows and trend indicators
    • Custom evolution stages with optional dual labels
    • Custom stage widths using @​boundary notation
    • Pipeline components with visibility inheritance
    • Annotations, notes, and visual elements
    • Source strategy markers: build, buy, outsource, market
    • Inertia indicators
    • Theme integration

    Implementation includes parser, D3.js renderer, unit tests, E2E tests, and comprehensive documentation.

  • #​7526 efe218a - feat: implement neo look styling for state diagrams

  • #​7526 efe218a - feat: implement neo look support for sequence diagrams with drop shadows, and enhanced styling

  • #​7526 efe218a - feat: add randomize config option for architecture diagrams, defaulting to false for deterministic layout

  • #​7526 efe218a - feat: Add option to change timeline direction

  • #​7526 efe218a - Fix duplicate SVG element IDs when rendering multiple diagrams on the same page. Internal element IDs (nodes, edges, markers, clusters) are now prefixed with the diagram's SVG element ID across all diagram types. Custom CSS or JS using exact ID selectors like #arrowhead should use attribute-ending selectors like [id$="-arrowhead"] instead.

  • #​7526 efe218a - feat: implement neo look styling for ER diagrams

  • #​7526 efe218a - feat: implement neo look styling for requirement diagrams

  • #​7526 efe218a - feat: add theme support for data label colour in xy chart

  • #​7526 efe218a - feat: implement neo look styling for mindmap diagrams

  • #​7526 efe218a - feat: implement neo look for mermaid flowchart diagrams

  • #​7526 efe218a - feat: implement neo look and themes for class diagram

  • #​7526 efe218a - feat: add showDataLabelOutsideBar option for xy chart

  • #​7526 efe218a - feat: implement neo look support for timeline diagram with drop shadows, additional redux themes and enhanced styling

  • #​7526 efe218a - feat: implement neo look and themes for gitGraph diagram

  • #​7526 efe218a - add new TreeView diagram

Patch Changes
  • #​7526 efe218a - add link to ishikawa diagram on mermaid.js.org

  • #​7526 efe218a - docs: document valid duration token formats in gantt.md

  • #​7526 efe218a - fix: ER diagram parsing when using "1" as entity identifier on right side

    The parser was incorrectly tokenizing the second "1" in patterns like a many to 1 1: because the lookahead rule only checked for alphabetic characters after whitespace, not digits. Added a new lookahead pattern "1"(?=\s+[0-9]) to correctly identify the cardinality alias before a numeric entity name.

    Fixes #​7472

  • #​7526 efe218a - fix: scope cytoscape label style mapping to edges with labels to prevent console warnings

  • #​7526 efe218a - fix: support inline annotation syntax in class diagrams (class Shape <>)

  • #​7526 efe218a - fix: Align branch label background with text for multi-line labels in LR GitGraph layout

  • #​7526 efe218a - fix: preserve cause hierarchy when ishikawa effect is indented more than causes

  • #​7526 efe218a - refactor: remove unused createGraphWithElements function and add regression test for open edge arrowheads

  • #​7526 efe218a - fix: Prevent long pie chart titles from being clipped by expanding the viewBox

  • #​7526 efe218a - fix: prevent sequence diagram hang when "as" is used without a trailing space in participant declarations

  • #​7526 efe218a - fix: warn when style statement targets a non-existent node in flowcharts

  • #​7526 efe218a - fix: group state diagram SVG children under single root element

  • #​7526 efe218a - fix: Allow :::className syntax inside composite state blocks

  • #​7526 efe218a Thanks @​aloisklink, @​BambioGaming! - fix: prevent escaping < and & when htmlLabels: false

  • #​7526 efe218a - fix: treemap title and labels use theme-aware colors for dark backgrounds

  • Updated dependencies [efe218a]:

@​mermaid-js/parser@​1.1.0

Minor Changes

@​mermaid-js/tiny@​11.14.0

Same Minor and Patch Changes as mermaid@11.14.0 above.


Configuration

📅 Schedule: (in timezone Asia/Shanghai)

  • Branch creation
    • ""
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


This PR was generated by Mend Renovate. View the repository job log.
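
A worked example added for this page, not Mermaid's code: it models the classDef-to-stylesheet path described in the CVE-2026-41148 and CVE-2026-41149 advisories above (a `}` or `</style>` inside the style value escapes the generated rule) and a declaration allow-list that also refuses the `&` scope reference used in the CVE-2026-41159 example. The rule shape `#<svgId> .<class> { ... }`, the `analyzeCss` brace counter and the `DECL_RE` allow-list are this example's own assumptions; the sample values are the advisories' PoC strings with the giphy URL replaced by a placeholder host.

```javascript
// Added example for this page, not Mermaid's code. It models the path the
// advisories describe (diagram text -> CSS rule string -> <style>) and a
// defensive check. The rule shape `#<svgId> .<class> { ... }` and the
// allow-list below are assumptions of this example.

// Naive interpolation: the style string is dropped into the rule verbatim,
// so `}` ends the rule early and the remainder becomes a new top-level rule;
// `</style>` ends the <style> element when the CSS lives in an inline SVG.
function naiveRule(svgId, className, styles) {
  return `#${svgId} .${className} { ${styles} }`;
}

// Brace accounting over a stylesheet string: how many top-level blocks it
// contains and whether braces balance. Two blocks from one classDef means
// the value escaped its rule.
function analyzeCss(css) {
  let depth = 0;
  let rules = 0;
  let balanced = true;
  for (const ch of css) {
    if (ch === '{') {
      depth++;
    } else if (ch === '}') {
      depth--;
      if (depth === 0) rules++;
      else if (depth < 0) balanced = false;
    }
  }
  if (depth !== 0) balanced = false;
  return { rules, balanced };
}

// One declaration: `property: value`. The value may not contain `;`, braces,
// angle brackets (the </style> breakout), `&` (stylis scope reference, the
// :not(&) trick), `@` (at-rules) or backslash escapes.
const DECL_RE = /^\s*(-?[a-zA-Z][a-zA-Z0-9-]*)\s*:\s*([^;{}<>&@\\]+?)\s*$/;

// Returns a normalized declaration list or throws on the first suspicious part.
function sanitizeStyles(styles) {
  const out = [];
  for (const part of styles.split(';')) {
    if (part.trim() === '') continue;
    const m = DECL_RE.exec(part);
    if (!m) throw new Error(`rejected declaration: ${JSON.stringify(part.trim())}`);
    const [, prop, value] = m;
    // url() is rejected outright because the advisories cite url() callbacks
    // as the tracking primitive; this also blocks legitimate fill:url(#grad).
    if (/url\s*\(|expression\s*\(/i.test(value)) {
      throw new Error(`rejected function call in value: ${value}`);
    }
    out.push(`${prop}:${value}`);
  }
  return out.join(';');
}

function safeRule(svgId, className, styles) {
  return `#${svgId} .${className} { ${sanitizeStyles(styles)} }`;
}

function isSafeStyles(styles) {
  try {
    sanitizeStyles(styles);
    return true;
  } catch (e) {
    return false;
  }
}

// Constructed inputs: the classDef values from the advisories above, with
// the giphy URL replaced by a placeholder host.
const SAMPLES = {
  benign: 'fill:red; stroke-width:2px',
  htmlBreakout: 'fill:red</style></svg><style>a:b',
  cssBreakout: '}*{ background-image: url("http://example.invalid/t.gif")}',
  scopeEscape: 'x;a{b} :not(&){background:green !important} c{d}',
};

for (const [name, styles] of Object.entries(SAMPLES)) {
  const naive = analyzeCss(naiveRule('mermaid-1', 'x', styles));
  console.log(name, 'naive:', naive, 'accepted by sanitizer:', isSafeStyles(styles));
}
```

Running it prints one line per sample: the `cssBreakout` value yields two top-level rules and an unbalanced brace from the naive template, while the sanitizer refuses all three malicious values. The allow-list is deliberately stricter than Mermaid needs (it rejects `fill:url(#gradient)`), so treat it as a gate for untrusted diagram sources rather than a drop-in replacement; upgrading, or rendering with `securityLevel: "sandbox"` as the advisories recommend, remains the fix.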

@netlify

netlify Bot commented Jun 2, 2026


Deploy Preview for viteplus-preview ready!

| Name | Link |
| --- | --- |
| 🔨 Latest commit | 026b147 |
| 🔍 Latest deploy log | https://app.netlify.com/projects/viteplus-preview/deploys/6a1e9286b4c3a10008acec77 |
| 😎 Deploy Preview | https://deploy-preview-1745--viteplus-preview.netlify.app |

@github-actions

github-actions Bot commented Jun 2, 2026


✅ Staging deployment successful!

Preview: https://viteplus-staging.void.app/
Commit: 026b147
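
An added example, not Mermaid's code, of the failure mode in the CVE-2026-41150 advisory above: the loop that pushes a task date past excluded weekdays never terminates when `excludes` names all seven days. `nextIncludedDay`, its seven-iteration cap and `excludesLeaveSomeDay` are this example's own hardening; the `weekends` keyword is modelled because Mermaid's gantt syntax accepts it, and all dates are constructed.

```javascript
// Added example for this page, not Mermaid's code. Models the date-advance
// loop behind the gantt `excludes` DoS and a bounded replacement. The cap,
// the pre-check and the `weekends` handling are assumptions of this example.

const DAY_NAMES = ['sunday', 'monday', 'tuesday', 'wednesday', 'thursday', 'friday', 'saturday'];

// `excludes monday,tuesday,...` -> Set of lower-cased tokens.
function parseExcludes(text) {
  return new Set(text.split(',').map((s) => s.trim().toLowerCase()).filter(Boolean));
}

function isExcluded(date, excludes) {
  const day = date.getUTCDay();
  if (excludes.has('weekends') && (day === 0 || day === 6)) return true;
  return excludes.has(DAY_NAMES[day]);
}

function addDays(date, n) {
  const d = new Date(date.getTime());
  d.setUTCDate(d.getUTCDate() + n);
  return d;
}

// Unbounded version, the shape of the bug: with every weekday excluded the
// predicate is always true and the loop never exits. Never call it with
// untrusted excludes; it is here only for comparison.
function nextIncludedDayUnbounded(start, excludes) {
  let d = start;
  while (isExcluded(d, excludes)) d = addDays(d, 1);
  return d;
}

// Bounded version: seven consecutive days cover every weekday, so if none
// of them is included the excludes set is total and we fail instead of
// spinning.
function nextIncludedDay(start, excludes, maxIter = 7) {
  let d = start;
  for (let i = 0; i < maxIter; i++) {
    if (!isExcluded(d, excludes)) return d;
    d = addDays(d, 1);
  }
  throw new Error(`no included day within ${maxIter} days: excludes cover every weekday`);
}

// Cheap pre-render check on the diagram text: does the excludes line leave
// at least one weekday? 2025-01-05 is a Sunday, so the window covers Sun..Sat.
function excludesLeaveSomeDay(excludesText) {
  const ex = parseExcludes(excludesText);
  return DAY_NAMES.some((_, i) => !isExcluded(new Date(Date.UTC(2025, 0, 5 + i)), ex));
}

// Constructed inputs: the advisory's total exclusion and a normal one.
const TOTAL = 'monday,tuesday,wednesday,thursday,friday,saturday,sunday';
const NORMAL = 'weekends';

console.log('total excludes leaves a day:', excludesLeaveSomeDay(TOTAL));
console.log('weekends leaves a day:', excludesLeaveSomeDay(NORMAL));
try {
  nextIncludedDay(new Date(Date.UTC(2025, 0, 1)), parseExcludes(TOTAL));
} catch (e) {
  console.log('bounded loop refused:', e.message);
}
```

The advisory notes that `mermaid.parse` alone is unaffected, so a parse-only validation step does not catch this; a check like `excludesLeaveSomeDay` run on the `excludes` line before rendering, or the iteration limit that 11.15.0 adds, is what stops the spin.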

@socket-security


Review the following changes in direct dependencies. Learn more about Socket for GitHub.

| Diff | Package | Supply Chain Security | Vulnerability | Quality | Maintenance | License |
| --- | --- | --- | --- | --- | --- | --- |
| Added | npm/mermaid@11.15.0 | 94 | 100 | 100 | 95 | 100 |

View full report

@renovate renovate Bot merged commit 5c2382f into main Jun 2, 2026
41 checks passed
@renovate renovate Bot deleted the renovate/npm-mermaid-vulnerability branch June 2, 2026 08:30
@fengmk2 fengmk2 mentioned this pull request Jun 17, 2026
fengmk2 added a commit that referenced this pull request Jun 17, 2026
Release vite-plus v0.2.0.

Vite+ now consumes upstream Vitest directly (no wrapper), raises the
minimum supported Node.js version to 22.18.0, and ships corepack and
devEngines support.

### Highlights

- **`vp test` now runs upstream Vitest directly (breaking)**: Vite+ used
to ship `@voidzero-dev/vite-plus-test`, a rebundled copy of Vitest that
lagged upstream releases. That package is removed; `vp test` now runs
the real upstream `vitest`, which is installed automatically as a
dependency of `vite-plus` (you no longer add `vitest` or `@vitest/*`
yourself, and `vite` still resolves to `@voidzero-dev/vite-plus-core`
via package-manager overrides). Your `import ... from 'vite-plus/test'`
code keeps working unchanged and `vp migrate` updates existing projects
([#1588](#1588)), by
@Brooooooklyn
- **Minimum supported Node.js version raised to `^22.18.0 || >=24.11.0`
(breaking)**: Node 20 reached end-of-life and the bundled tsdown already
required `^22.18.0`, so the published engines range now matches what `vp
pack` can actually deliver; `vp exec` / `vp run` / `vp dlx` reject
projects resolving an older Node with the existing incompatibility error
([#1813](#1813)), by
@fengmk2
- **Corepack now works under Vite+**: `corepack` is a default `vp env
setup` shim, resolved managed-global, then Node-bundled (Node <= 24),
then auto-installed (Node 25+, which dropped corepack); `corepack
enable` / `disable` land their pnpm/yarn launchers on PATH and
Vite+-owned shims are restored if corepack replaces them
([#1808](#1808)), by
@fengmk2
- **devEngines support for runtime and package-manager selection**:
Vite+ reads `devEngines.runtime` (ranked above `engines.node`) and
`devEngines.packageManager`; auto-pin and `vp migrate` write
`devEngines.packageManager`, `vp env pin` / `unpin` target
`devEngines.runtime`, and `vp env doctor` reports conflicts instead of
silently resolving them
([#1760](#1760)), by
@fengmk2

### Features

- `vp pm approve-builds`: forward to npm's new `approve-scripts` /
`deny-scripts` (npm >= 11.16.0) instead of the previous no-op, matching
`pnpm approve-builds` / `bun pm trust`; mixed approve+deny is rejected
with actionable guidance and npm's advisory-only caveat is surfaced
([#1733](#1733)), by
@fengmk2
- `vp create`: support local monorepo templates declared in
`create.templates` in `vite.config.ts`; `vp create vite:generator`
scaffolds a Bingo generator and auto-registers it in the picker,
replacing the old package.json-keyword inference
([#1777](#1777)), by
@fengmk2
- `vp create`: detect direct dependencies whose build scripts the
package manager gated (e.g. native builds like `better-sqlite3`) and act
on them; prompt to approve each (default off) interactively, point at
`vp pm approve-builds` non-interactively, or build them with
`--approve-builds`
([#1828](#1828)), by
@fengmk2
- `vp config`: add `--no-hooks` and `--no-agent` opt-outs to skip
git-hook installation and coding-agent instruction updates
([#1842](#1842)), by
@leno23
- `vp list -g`: sort the global package list output so entries appear in
a stable order
([#1748](#1748)), by
@liangmiQwQ
- Upgrade upstream dependencies: rolldown `1.0.3 -> 1.1.1`, tsdown
`0.22.1 -> 0.22.3`, oxlint `1.67.0 -> 1.70.0`, oxfmt `0.52.0 -> 0.55.0`,
vitest `4.1.8 -> 4.1.9`, and the oxc toolchain `0.133.0 -> 0.136.0`
([#1749](#1749),
[#1767](#1767),
[#1812](#1812),
[#1834](#1834),
[#1855](#1855)), by
@voidzero-guard[bot]

### Fixes & Enhancements

- Security: resolve open Rust Dependabot advisories by bumping
transitive `openssl` `0.10.76 -> 0.10.80` (`openssl-sys` `0.9.112 ->
0.9.116`), fixing five high-severity rust-openssl issues (buffer
overflows in key derivation, AES key wrap, and digest finalization; an
unchecked PSK/cookie trampoline length leaking adjacent memory; and
OCSP-responder undefined behavior:
[GHSA-pqf5-4pqq-29f5](GHSA-pqf5-4pqq-29f5),
[GHSA-8c75-8mhr-p7r9](GHSA-8c75-8mhr-p7r9),
[GHSA-ghm9-cr32-g9qj](GHSA-ghm9-cr32-g9qj),
[GHSA-hppc-g8h3-xhp3](GHSA-hppc-g8h3-xhp3),
[GHSA-xp3w-r5p5-63rr](GHSA-xp3w-r5p5-63rr)),
and drop the unmaintained, unsound `libyml`
([GHSA-gfxp-f68g-8x78](GHSA-gfxp-f68g-8x78),
high) by removing dead `serde_yml` code
([#1742](#1742)), by
@fengmk2
- Security (docs site): update `mermaid` `11.13.0 -> 11.15.0` to fix
improper `classDef` sanitization in state diagrams that allowed HTML
injection
([CVE-2026-41149](https://nvd.nist.gov/vuln/detail/CVE-2026-41149) /
[GHSA-ghcm-xqfw-q4vr](GHSA-ghcm-xqfw-q4vr),
medium severity; `<script>` tags are stripped so it does not reach XSS)
([#1745](#1745)), by
@renovate[bot]
- `vp check --fix` / `vp staged`: create/migrate now wrap inline Vite
`plugins: [...]` arrays with `lazyPlugins(...)` so plugin factories
aren't eagerly executed (and don't hang on open handles) during
lint/format/check config loading
([#1752](#1752)), by
@jong-kyung
- `vp migrate`: complete pending migration work for projects that
already have `vite-plus` installed (scripts, imports, tsconfig types,
ESLint/Prettier, legacy hooks, package-manager settings) instead of
treating `vite-plus` as migration-complete; fully migrated projects stay
idempotent
([#1821](#1821)), by
@jong-kyung
- `vp create` / `vp migrate`: detect shorthand `fmt,` / `lint,` config
keys so a duplicate inline block is no longer injected
([#1843](#1843)), by
@fengmk2
- IDE oxlint/oxfmt wrappers: set `VP_COMMAND` so `lazyPlugins()` skips
framework plugins during LSP config reads, preventing a stray
`.svelte-kit` (and similar) directory at the monorepo root
([#1764](#1764)), by
@jong-kyung
- `vp lint` / `vp run -r lint` on Windows: keep the absolute `tsgolint`
path for workspace lint runs instead of downgrading it to a wrong
cwd-relative path
([#1758](#1758)), by
@semimikoh
- oxlint wrapper: set the `tsgolint` path so type-aware lint resolves it
([#1811](#1811)), by
@jong-kyung
- `vp install -g`: use a unique backup directory and treat stale-backup
cleanup as best-effort so a locked Windows binary no longer fails an
otherwise successful reinstall
([#1753](#1753)), by
@fengmk2
- `vp install -g`: remove stale managed binary shims when a reinstalled
package drops a bin from its `package.json#bin`
([#1765](#1765)), by
@liangmiQwQ
- `vp create --git`: surface git's actual stdout/stderr when the initial
commit fails instead of always blaming `user.name` / `user.email`
([#1819](#1819)), by
@fengmk2
- `vp create vite:generator`: reject `--git` / `--no-git`, since adding
a generator to an existing monorepo does not initialize git
([#1788](#1788)), by
@jong-kyung
- Global CLI: harden `find_system_tool` against a self-exec loop (skip
the running executable's own bin directory) and fix two
`vite_global_cli` tests that could hang
([#1820](#1820)), by
@fengmk2
- CLI help: unify alias display
([#1832](#1832)), show
supported `run` options
([#1797](#1797)), show
`--fail-if-no-match` in `exec` help
([#1798](#1798)), add the
`implode` documentation link
([#1796](#1796)), and
handle nested-command typo help
([#1803](#1803)), by
@jong-kyung

### Docs

- Document `vp create` opt-out options
([#1790](#1790)), by
@jong-kyung
- Document `vp upgrade` options
([#1847](#1847)), by
@jong-kyung
- Align the config overview with the sidebar
([#1846](#1846)), by
@jong-kyung
- Sync the documented command lists with the help output
([#1850](#1850)), by
@jong-kyung
- Clarify lazy plugin side effects
([#1841](#1841)), by
@leno23
- Add JongKyung's X profile
([#1844](#1844)) and
update Christoph's X profile
([#1845](#1845)) on the
team page, by @jong-kyung

### Refactor

- Remove the CLI tips system; the shortcuts it printed on `vp install`
are already covered by the help system and added unnecessary complexity
([#1799](#1799)), by
@cpojer

### Chore

- Re-enable Renovate dependency updates with a targeted ignore-list
([#1744](#1744)), by
@fengmk2
- Keep generated NAPI bindings during upgrade-deps
([#1759](#1759)), by
@fengmk2
- Remove the `vite_glob` dependency from vite-plus
([#1763](#1763)), by
@wan9chi
- Keep `sync-remote` from churning `pnpm-workspace.yaml` (dedupe
`minimumReleaseAgeExclude`, preserve comments)
([#1787](#1787)), by
@fengmk2
- Make unix `just test` runnable
([#1755](#1755)), by
@situ2001
- CI: reuse `just lint` and `just test` as the single source of truth
([#1809](#1809)), pin
`cargo-zigbuild` to a git rev to fix the aarch64-musl link failure
([#1815](#1815)), and keep
upgrade-deps green when rolldown bumps oxc
([#1833](#1833)), by
@fengmk2
- Update Rust to nightly-2026-06-10
([#1725](#1725)), typos to
v1.47.1 / v1.47.2
([#1772](#1772),
[#1775](#1775)), GitHub
Actions ([#1778](#1778),
[#1829](#1829)), and npm
packages ([#1779](#1779)),
by @renovate[bot]
- Bump `oxc-project/setup-node` to v1.3.1
([#1792](#1792)), by
@Boshen
- Refresh trusted stack stats on the docs homepage
([#1786](#1786),
[#1837](#1837)), by
@voidzero-guard[bot]

### Bundled Versions

| Tool | Version | Source |
| --- | --- | --- |
| vite | `8.0.16` |
[`f94df87`](vitejs/vite@f94df87)
|
| rolldown | `1.1.1` |
[`d7f919c`](rolldown/rolldown@d7f919c)
|
| tsdown | `0.22.3` | [npm](https://npmx.dev/package/tsdown/v/0.22.3) |
| vitest | `4.1.9` | [npm](https://npmx.dev/package/vitest/v/4.1.9) |
| oxlint | `1.70.0` | [npm](https://npmx.dev/package/oxlint/v/1.70.0) |
| oxlint-tsgolint | `0.23.0` |
[npm](https://npmx.dev/package/oxlint-tsgolint/v/0.23.0) |
| oxfmt | `0.55.0` | [npm](https://npmx.dev/package/oxfmt/v/0.55.0) |

### Upgrading from 0.1.24 to 0.2.0

This release has two breaking changes. For most projects the upgrade is
`vp upgrade`, bump the project's `vite-plus`, then `vp migrate`.

#### 1. Update the CLI

```bash
vp upgrade
```

#### 2. Node.js 20 is no longer supported

The minimum supported Node.js version is now `^22.18.0 || >=24.11.0`
(Node 20 reached end-of-life). If you are still on Node 20:

- Check your version: `node --version` (or `vp env doctor`)
- Move to a supported release: `vp env pin 22.18.0` (or a newer LTS), or
update your `.node-version` / `devEngines.runtime`

`vp exec` / `vp run` / `vp dlx` now refuse to run against a project that
resolves Node < 22.18.0.

#### 3. Vitest is now upstream (the wrapper is gone)

`@voidzero-dev/vite-plus-test` has been removed; Vite+ consumes upstream
`vitest` directly. Bump `vite-plus` first, then migrate:

```bash
vp update vite-plus --latest    # project's vite-plus -> 0.2.0 (ignores the old range, updates the lockfile); monorepo: add -r
vp migrate                      # local vite-plus is now 0.2.0, so the new migration runs
```

`vp update --latest` re-resolves `vite-plus` to the newest release
regardless of the old semver range, so the lockfile cannot pin you back
to 0.1.24. The project's local `vite-plus` is then 0.2.0, and since the
global `vp` delegates `migrate` to the project's local install, `vp
migrate` runs the new migration.

- Your `import { vi, ... } from 'vite-plus/test'` code is unchanged. `vp
migrate` rewrites any leftover `vitest` / `@vitest/*` imports and
normalizes stale `vitest: npm:@voidzero-dev/vite-plus-test@*` aliases.
- You no longer add `vitest` or `@vitest/*` yourself; they arrive
transitively through `vite-plus`.

### New Contributors

Welcome to our new contributor @situ2001! 🎉

**Full Changelog**:
v0.1.24...v0.2.0

---

Merging this PR will trigger the release workflow.

---------

Co-authored-by: voidzero-guard[bot] <278573678+voidzero-guard[bot]@users.noreply.github.com>
Co-authored-by: MK <fengmk2@gmail.com>