Giteabot
6a27066269
fix(deps): update dependency mermaid to v11.15.0 [security], add e2e test ( #37662 )
...
This PR contains the following updates:
| Package | Change |
[Age](https://docs.renovatebot.com/merge-confidence/ ) |
[Confidence](https://docs.renovatebot.com/merge-confidence/ ) |
|---|---|---|---|
| [mermaid](https://redirect.github.com/mermaid-js/mermaid ) | [`11.14.0`
→ `11.15.0`](https://renovatebot.com/diffs/npm/mermaid/11.14.0/11.15.0 )
|
|
|
---
### Mermaid: Improper sanitization of `classDefs` in diagrams leads to
CSS injection
[CVE-2026-41148](https://nvd.nist.gov/vuln/detail/CVE-2026-41148 ) /
[GHSA-xcj9-5m2h-648r](https://redirect.github.com/advisories/GHSA-xcj9-5m2h-648r )
<details>
<summary>More information</summary>
#### Details
##### Details
The state diagram and any other diagram type that routes user-controlled
style strings through createCssStyles parser for Mermaid v11.14.0 and
earlier captures `classDef` values with an unrestricted regex:
```jison
// packages/mermaid/src/diagrams/state/parser/stateDiagram.jison:83
<CLASSDEFID>[^\n]* { this.popState(); return 'CLASSDEF_STYLEOPTS' }
```
The value passes unsanitized through `addStyleClass()` ->
`createCssStyles()` -> `style.innerHTML` (mermaidAPI.ts:418). A `}` in
the value closes the generated CSS selector, and everything after
becomes a new CSS rule on the page.
##### PoC
```
stateDiagram-v2
classDef x }*{ background-image: url("http://media.giphy.com/media/SggILpMXO7Xt6/giphy.gif ")}
```
Live demo:
<https://mermaid.live/edit#pako:eNpFjzFvgzAQhf-KdVNbEcBgMHhtlkqtOnSJKi8ONsYKBmRMlRTx3-skanvTfbp7996t0IxSAYPZC6_2Rmgn7O4rQ00v5nmvWnRG29OKjqI5aTcug9wZK7RiaHH9A4fO-4kliVXSiFibqbvEzWjvnHxo_fI6vR3e6cGXyX2qTcvhcYMItDMSmHeLisAqZ8UVYeUDQhx8p6ziwEIrhTtx4MNVM4nhcxztrywE0h2wVvRzoGWS_z_8rahBKvcckntgmN5OAFvhDIzUNCZZQXCR5nVaZkUEF2BVFpOcEkoxxhUuyRbB980yjStapKHqoKFlhvPtB7BFZEU >
##### Patches
This has been patched in:
-
[v11.15.0](https://redirect.github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0 )
(see
[e9b0f34d8d82a6260077764ee45e1d7d90957a0f](e9b0f34d8dhttps://redirect.github.com/mermaid-js/mermaid/releases/tag/v10.9.6 )
(see
[8fead23c59166b7bab6a39eac81acebee2859102](8fead23c59https://mermaid.js.org/config/schema-docs/config.html#securitylevel )
will prevent this, by rendering the mermaid diagram in a sandboxed
`<iframe>`.
##### Impact
Enables page defacement, user tracking via `url()` callbacks, and DOM
attribute exfiltration via CSS `:has()` selectors.
#### Severity
- CVSS Score: 5.3 / 10 (Medium)
- Vector String:
`CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L`
#### References
-
[https://github.com/mermaid-js/mermaid/security/advisories/GHSA-xcj9-5m2h-648r ](https://redirect.github.com/mermaid-js/mermaid/security/advisories/GHSA-xcj9-5m2h-648r )
-
[8fead23c59e9b0f34d8dhttps://github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0 ](https://redirect.github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0 )
-
[https://github.com/mermaid-js/mermaid/releases/tag/v10.9.6 ](https://redirect.github.com/mermaid-js/mermaid/releases/tag/v10.9.6 )
-
[https://mermaid.js.org/config/schema-docs/config.html#securitylevel ](https://mermaid.js.org/config/schema-docs/config.html#securitylevel )
-
[https://github.com/advisories/GHSA-xcj9-5m2h-648r ](https://redirect.github.com/advisories/GHSA-xcj9-5m2h-648r )
This data is provided by the [GitHub Advisory
Database](https://redirect.github.com/advisories/GHSA-xcj9-5m2h-648r )
([CC-BY
4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md )).
</details>
---
### Mermaid: Improper sanitization of `classDef` in state diagrams leads
to HTML injection
[CVE-2026-41149](https://nvd.nist.gov/vuln/detail/CVE-2026-41149 ) /
[GHSA-ghcm-xqfw-q4vr](https://redirect.github.com/advisories/GHSA-ghcm-xqfw-q4vr )
<details>
<summary>More information</summary>
#### Details
##### Impact
Under the default configuration, Mermaid state diagram's `classDef`
allow DOM injection that escapes the SVG, although `<script>` tags are
removed, preventing XSS.
##### Proof-of-concept
```
stateDiagram-v2
classDef xss fill:red</style></svg><style>*{x:x;y:y;overflow:visible!important;contain:none!important;transform:none!important;filter:none!important;clip-path:none!important}</style><div style="x:x;y:y;color:red;font:5em/1 monospace;display:grid;place-items:center;z-index:2147483647;width:100vw;height:100vh;position:fixed;top:0;left:0;background:black">HACKED</div><svg><style>a:b
[*] --> A:::xss
```
##### Patches
-
[v11.15.0](https://redirect.github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0 )
(see
[37ff937f1da2e19f882fd1db01235db4d01f4056](37ff937f1dhttps://redirect.github.com/mermaid-js/mermaid/releases/tag/v10.9.6 )
(see
[4e2d512bf5bf6f9de1a8f0a48da78dc4d09ac4f3](4e2d512bf5https://mermaid.js.org/config/schema-docs/config.html#securitylevel )
will prevent this, by rendering the mermaid diagram in a sandboxed
`<iframe>`.
##### Credits
Thanks to @​zsxsoft from @​KeenSecurityLab for reporting
this vulnerability.
#### Severity
- CVSS Score: 5.3 / 10 (Medium)
- Vector String:
`CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L`
#### References
-
[https://github.com/mermaid-js/mermaid/security/advisories/GHSA-ghcm-xqfw-q4vr ](https://redirect.github.com/mermaid-js/mermaid/security/advisories/GHSA-ghcm-xqfw-q4vr )
-
[37ff937f1d4e2d512bf5https://github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0 ](https://redirect.github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0 )
-
[https://github.com/mermaid-js/mermaid/releases/tag/v10.9.6 ](https://redirect.github.com/mermaid-js/mermaid/releases/tag/v10.9.6 )
-
[https://mermaid.js.org/config/schema-docs/config.html#securitylevel ](https://mermaid.js.org/config/schema-docs/config.html#securitylevel )
-
[https://github.com/advisories/GHSA-ghcm-xqfw-q4vr ](https://redirect.github.com/advisories/GHSA-ghcm-xqfw-q4vr )
This data is provided by the [GitHub Advisory
Database](https://redirect.github.com/advisories/GHSA-ghcm-xqfw-q4vr )
([CC-BY
4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md )).
</details>
---
### Mermaid: Improper sanitization of configuration leads to CSS
injection
[CVE-2026-41159](https://nvd.nist.gov/vuln/detail/CVE-2026-41159 ) /
[GHSA-87f9-hvmw-gh4p](https://redirect.github.com/advisories/GHSA-87f9-hvmw-gh4p )
<details>
<summary>More information</summary>
#### Details
##### Impact
Mermaid's default configuration allows injecting CSS that applies
outside of the Mermaid diagram via the `fontFamily`, `themeCSS`, and
`altFontFamily` configuration options.
Live demo:
[mermaid.live](https://mermaid.live/edit#pako:eNpNjktLxDAUhf9KvFBR6JS-60QQfODKlUvJ5k6TtsEmKTHFGUP-u-mI6Nmdy3fOPR56wwVQSBIvtXSUeAaD0e4ZlZxPDChhcLxFfwiEauOuLq_9Afv30ZpVczpaITS5kGox1qF2gfSeBwYhJAnThAyz-ewntI68vG5-0z3Z7e7IA9OQwmglB-rsKlJQwircLPgNZeAmocTPAi4GXGfHgOkQYwvqN2PUbzJuGSegA84f0a0LRyeeJI4W_xChubCPcbQD2pwbgHo4Aq2aKmvbqq3zoiu7pizqFE6RybN9VFfFY1HWXRVS-Dr_zLObrt7_V_gGGXZlGg )
Example code:
```
%%{init: {"fontFamily": "x;a{b} :not(&){background:green !important} c{d}"}}%%
flowchart LR
A --> B
```
The injected CSS exploits stylis's `&` (scope reference) handling.
`:not(&)` escapes the `#mermaid-xxx` automatic scoping, applying styles
to all page elements. Global at-rules (`@font-face`, `@keyframes`,
`@counter-style`) are also injectable as stylis hoists them to top
level.
This allows page defacement and DOM attribute exfiltration via CSS
`:has()` selectors.
##### Patches
-
[v11.15.0](https://redirect.github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0 )
(see
[64769738d5b59211e1decb471ffbaca8afec51aa](64769738d5https://redirect.github.com/mermaid-js/mermaid/releases/tag/v10.9.6 )
(see
[a9d9f0d8eb790349121508688cd338253fd80d76](a9d9f0d8ebhttps://mermaid.js.org/config/schema-docs/config.html#secure )
config value in the mermaid config to avoid allowing diagrams to modify
`fontFamily`, `themeCSS`, `altFontFamily`, and `themeVariables`.
Setting [`"securityLevel":
"sandbox"`](https://mermaid.js.org/config/schema-docs/config.html#securitylevel )
will also prevent this.
##### Credits
Reported by @​zsxsoft on behalf of @​KeenSecurityLab
#### Severity
- CVSS Score: 5.3 / 10 (Medium)
- Vector String:
`CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L`
#### References
-
[https://github.com/mermaid-js/mermaid/security/advisories/GHSA-87f9-hvmw-gh4p ](https://redirect.github.com/mermaid-js/mermaid/security/advisories/GHSA-87f9-hvmw-gh4p )
-
[64769738d5a9d9f0d8ebhttps://github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0 ](https://redirect.github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0 )
-
[https://github.com/mermaid-js/mermaid/releases/tag/v10.9.6 ](https://redirect.github.com/mermaid-js/mermaid/releases/tag/v10.9.6 )
-
[https://github.com/advisories/GHSA-87f9-hvmw-gh4p ](https://redirect.github.com/advisories/GHSA-87f9-hvmw-gh4p )
This data is provided by the [GitHub Advisory
Database](https://redirect.github.com/advisories/GHSA-87f9-hvmw-gh4p )
([CC-BY
4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md )).
</details>
---
### Mermaid Gantt Charts are vulnerable to an Infinite Loop DoS
[CVE-2026-41150](https://nvd.nist.gov/vuln/detail/CVE-2026-41150 ) /
[GHSA-6m6c-36f7-fhxh](https://redirect.github.com/advisories/GHSA-6m6c-36f7-fhxh )
<details>
<summary>More information</summary>
#### Details
##### Impact
Mermaid v11.14.0 and earlier are vulnerable to a denial-of-service
attack when rendering gantt charts, if they use the [`excludes`
attribute](https://mermaid.js.org/syntax/gantt.html?#excludes ) to
exclude all dates.
Example:
```
gantt
excludes monday,tuesday,wednesday,thursday,friday,saturday,sunday
DoS :2025-01-01, 1d
```
`mermaid.parse` is unaffected, unless you then call the
`ganttDb.getTasks()` (which is called when rendering a diagram).
##### Patches
This has been patched in:
-
[v11.15.0](https://redirect.github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0 )
(see
[faafb5d49106dd32c367f3882505f2dd625aa30e](faafb5d491https://redirect.github.com/mermaid-js/mermaid/releases/tag/v10.9.6 )
(see
[a59ea56174712ee5430dfd5bc877cb5151f501a6](a59ea56174https://github.com/mermaid-js/mermaid/security/advisories/GHSA-6m6c-36f7-fhxh ](https://redirect.github.com/mermaid-js/mermaid/security/advisories/GHSA-6m6c-36f7-fhxh )
-
[a59ea56174faafb5d491https://github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0 ](https://redirect.github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0 )
-
[https://github.com/mermaid-js/mermaid/releases/tag/v10.9.6 ](https://redirect.github.com/mermaid-js/mermaid/releases/tag/v10.9.6 )
-
[https://github.com/advisories/GHSA-6m6c-36f7-fhxh ](https://redirect.github.com/advisories/GHSA-6m6c-36f7-fhxh )
This data is provided by the [GitHub Advisory
Database](https://redirect.github.com/advisories/GHSA-6m6c-36f7-fhxh )
([CC-BY
4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md )).
</details>
---
### Mermaid Gantt Charts are vulnerable to an Infinite Loop DoS
[CVE-2026-41150](https://nvd.nist.gov/vuln/detail/CVE-2026-41150 ) /
[GHSA-6m6c-36f7-fhxh](https://redirect.github.com/advisories/GHSA-6m6c-36f7-fhxh )
<details>
<summary>More information</summary>
#### Details
##### Impact
Mermaid v11.14.0 and earlier are vulnerable to a denial-of-service
attack when rendering gantt charts, if they use the [`excludes`
attribute](https://mermaid.js.org/syntax/gantt.html?#excludes ) to
exclude all dates.
Example:
```
gantt
excludes monday,tuesday,wednesday,thursday,friday,saturday,sunday
DoS :2025-01-01, 1d
```
`mermaid.parse` is unaffected, unless you then call the
`ganttDb.getTasks()` (which is called when rendering a diagram).
##### Patches
This has been patched in:
-
[v11.15.0](https://redirect.github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0 )
(see
[faafb5d49106dd32c367f3882505f2dd625aa30e](faafb5d491https://redirect.github.com/mermaid-js/mermaid/releases/tag/v10.9.6 )
(see
[a59ea56174712ee5430dfd5bc877cb5151f501a6](a59ea56174https://github.com/mermaid-js/mermaid/security/advisories/GHSA-6m6c-36f7-fhxh ](https://redirect.github.com/mermaid-js/mermaid/security/advisories/GHSA-6m6c-36f7-fhxh )
-
[a59ea56174faafb5d491https://github.com/mermaid-js/mermaid ](https://redirect.github.com/mermaid-js/mermaid )
-
[https://github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0 ](https://redirect.github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0 )
-
[https://github.com/mermaid-js/mermaid/releases/tag/v10.9.6 ](https://redirect.github.com/mermaid-js/mermaid/releases/tag/v10.9.6 )
This data is provided by
[OSV](https://osv.dev/vulnerability/GHSA-6m6c-36f7-fhxh ) and the [GitHub
Advisory Database](https://redirect.github.com/github/advisory-database )
([CC-BY
4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md )).
</details>
---
### Mermaid: Improper sanitization of configuration leads to CSS
injection
[CVE-2026-41159](https://nvd.nist.gov/vuln/detail/CVE-2026-41159 ) /
[GHSA-87f9-hvmw-gh4p](https://redirect.github.com/advisories/GHSA-87f9-hvmw-gh4p )
<details>
<summary>More information</summary>
#### Details
##### Impact
Mermaid's default configuration allows injecting CSS that applies
outside of the Mermaid diagram via the `fontFamily`, `themeCSS`, and
`altFontFamily` configuration options.
Live demo:
[mermaid.live](https://mermaid.live/edit#pako:eNpNjktLxDAUhf9KvFBR6JS-60QQfODKlUvJ5k6TtsEmKTHFGUP-u-mI6Nmdy3fOPR56wwVQSBIvtXSUeAaD0e4ZlZxPDChhcLxFfwiEauOuLq_9Afv30ZpVczpaITS5kGox1qF2gfSeBwYhJAnThAyz-ewntI68vG5-0z3Z7e7IA9OQwmglB-rsKlJQwircLPgNZeAmocTPAi4GXGfHgOkQYwvqN2PUbzJuGSegA84f0a0LRyeeJI4W_xChubCPcbQD2pwbgHo4Aq2aKmvbqq3zoiu7pizqFE6RybN9VFfFY1HWXRVS-Dr_zLObrt7_V_gGGXZlGg )
Example code:
```
%%{init: {"fontFamily": "x;a{b} :not(&){background:green !important} c{d}"}}%%
flowchart LR
A --> B
```
The injected CSS exploits stylis's `&` (scope reference) handling.
`:not(&)` escapes the `#mermaid-xxx` automatic scoping, applying styles
to all page elements. Global at-rules (`@font-face`, `@keyframes`,
`@counter-style`) are also injectable as stylis hoists them to top
level.
This allows page defacement and DOM attribute exfiltration via CSS
`:has()` selectors.
##### Patches
-
[v11.15.0](https://redirect.github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0 )
(see
[64769738d5b59211e1decb471ffbaca8afec51aa](64769738d5https://redirect.github.com/mermaid-js/mermaid/releases/tag/v10.9.6 )
(see
[a9d9f0d8eb790349121508688cd338253fd80d76](a9d9f0d8ebhttps://mermaid.js.org/config/schema-docs/config.html#secure )
config value in the mermaid config to avoid allowing diagrams to modify
`fontFamily`, `themeCSS`, `altFontFamily`, and `themeVariables`.
Setting [`"securityLevel":
"sandbox"`](https://mermaid.js.org/config/schema-docs/config.html#securitylevel )
will also prevent this.
##### Credits
Reported by @​zsxsoft on behalf of @​KeenSecurityLab
#### Severity
- CVSS Score: 5.3 / 10 (Medium)
- Vector String:
`CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L`
#### References
-
[https://github.com/mermaid-js/mermaid/security/advisories/GHSA-87f9-hvmw-gh4p ](https://redirect.github.com/mermaid-js/mermaid/security/advisories/GHSA-87f9-hvmw-gh4p )
-
[64769738d5a9d9f0d8ebhttps://github.com/mermaid-js/mermaid ](https://redirect.github.com/mermaid-js/mermaid )
-
[https://github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0 ](https://redirect.github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0 )
-
[https://github.com/mermaid-js/mermaid/releases/tag/v10.9.6 ](https://redirect.github.com/mermaid-js/mermaid/releases/tag/v10.9.6 )
This data is provided by
[OSV](https://osv.dev/vulnerability/GHSA-87f9-hvmw-gh4p ) and the [GitHub
Advisory Database](https://redirect.github.com/github/advisory-database )
([CC-BY
4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md )).
</details>
---
### Mermaid: Improper sanitization of `classDef` in state diagrams leads
to HTML injection
[CVE-2026-41149](https://nvd.nist.gov/vuln/detail/CVE-2026-41149 ) /
[GHSA-ghcm-xqfw-q4vr](https://redirect.github.com/advisories/GHSA-ghcm-xqfw-q4vr )
<details>
<summary>More information</summary>
#### Details
##### Impact
Under the default configuration, Mermaid state diagram's `classDef`
allow DOM injection that escapes the SVG, although `<script>` tags are
removed, preventing XSS.
##### Proof-of-concept
```
stateDiagram-v2
classDef xss fill:red</style></svg><style>*{x:x;y:y;overflow:visible!important;contain:none!important;transform:none!important;filter:none!important;clip-path:none!important}</style><div style="x:x;y:y;color:red;font:5em/1 monospace;display:grid;place-items:center;z-index:2147483647;width:100vw;height:100vh;position:fixed;top:0;left:0;background:black">HACKED</div><svg><style>a:b
[*] --> A:::xss
```
##### Patches
-
[v11.15.0](https://redirect.github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0 )
(see
[37ff937f1da2e19f882fd1db01235db4d01f4056](37ff937f1dhttps://redirect.github.com/mermaid-js/mermaid/releases/tag/v10.9.6 )
(see
[4e2d512bf5bf6f9de1a8f0a48da78dc4d09ac4f3](4e2d512bf5https://mermaid.js.org/config/schema-docs/config.html#securitylevel )
will prevent this, by rendering the mermaid diagram in a sandboxed
`<iframe>`.
##### Credits
Thanks to @​zsxsoft from @​KeenSecurityLab for reporting
this vulnerability.
#### Severity
- CVSS Score: 5.3 / 10 (Medium)
- Vector String:
`CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L`
#### References
-
[https://github.com/mermaid-js/mermaid/security/advisories/GHSA-ghcm-xqfw-q4vr ](https://redirect.github.com/mermaid-js/mermaid/security/advisories/GHSA-ghcm-xqfw-q4vr )
-
[37ff937f1d4e2d512bf5https://github.com/mermaid-js/mermaid ](https://redirect.github.com/mermaid-js/mermaid )
-
[https://github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0 ](https://redirect.github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0 )
-
[https://github.com/mermaid-js/mermaid/releases/tag/v10.9.6 ](https://redirect.github.com/mermaid-js/mermaid/releases/tag/v10.9.6 )
-
[https://mermaid.js.org/config/schema-docs/config.html#securitylevel ](https://mermaid.js.org/config/schema-docs/config.html#securitylevel )
This data is provided by
[OSV](https://osv.dev/vulnerability/GHSA-ghcm-xqfw-q4vr ) and the [GitHub
Advisory Database](https://redirect.github.com/github/advisory-database )
([CC-BY
4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md )).
</details>
---
### Mermaid: Improper sanitization of `classDefs` in diagrams leads to
CSS injection
[CVE-2026-41148](https://nvd.nist.gov/vuln/detail/CVE-2026-41148 ) /
[GHSA-xcj9-5m2h-648r](https://redirect.github.com/advisories/GHSA-xcj9-5m2h-648r )
<details>
<summary>More information</summary>
#### Details
##### Details
The state diagram and any other diagram type that routes user-controlled
style strings through createCssStyles parser for Mermaid v11.14.0 and
earlier captures `classDef` values with an unrestricted regex:
```jison
// packages/mermaid/src/diagrams/state/parser/stateDiagram.jison:83
<CLASSDEFID>[^\n]* { this.popState(); return 'CLASSDEF_STYLEOPTS' }
```
The value passes unsanitized through `addStyleClass()` ->
`createCssStyles()` -> `style.innerHTML` (mermaidAPI.ts:418). A `}` in
the value closes the generated CSS selector, and everything after
becomes a new CSS rule on the page.
##### PoC
```
stateDiagram-v2
classDef x }*{ background-image: url("http://media.giphy.com/media/SggILpMXO7Xt6/giphy.gif ")}
```
Live demo:
<https://mermaid.live/edit#pako:eNpFjzFvgzAQhf-KdVNbEcBgMHhtlkqtOnSJKi8ONsYKBmRMlRTx3-skanvTfbp7996t0IxSAYPZC6_2Rmgn7O4rQ00v5nmvWnRG29OKjqI5aTcug9wZK7RiaHH9A4fO-4kliVXSiFibqbvEzWjvnHxo_fI6vR3e6cGXyX2qTcvhcYMItDMSmHeLisAqZ8UVYeUDQhx8p6ziwEIrhTtx4MNVM4nhcxztrywE0h2wVvRzoGWS_z_8rahBKvcckntgmN5OAFvhDIzUNCZZQXCR5nVaZkUEF2BVFpOcEkoxxhUuyRbB980yjStapKHqoKFlhvPtB7BFZEU >
##### Patches
This has been patched in:
-
[v11.15.0](https://redirect.github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0 )
(see
[e9b0f34d8d82a6260077764ee45e1d7d90957a0f](e9b0f34d8dhttps://redirect.github.com/mermaid-js/mermaid/releases/tag/v10.9.6 )
(see
[8fead23c59166b7bab6a39eac81acebee2859102](8fead23c59https://mermaid.js.org/config/schema-docs/config.html#securitylevel )
will prevent this, by rendering the mermaid diagram in a sandboxed
`<iframe>`.
##### Impact
Enables page defacement, user tracking via `url()` callbacks, and DOM
attribute exfiltration via CSS `:has()` selectors.
#### Severity
- CVSS Score: 5.3 / 10 (Medium)
- Vector String:
`CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L`
#### References
-
[https://github.com/mermaid-js/mermaid/security/advisories/GHSA-xcj9-5m2h-648r ](https://redirect.github.com/mermaid-js/mermaid/security/advisories/GHSA-xcj9-5m2h-648r )
-
[8fead23c59e9b0f34d8dhttps://github.com/mermaid-js/mermaid ](https://redirect.github.com/mermaid-js/mermaid )
-
[https://github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0 ](https://redirect.github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0 )
-
[https://github.com/mermaid-js/mermaid/releases/tag/v10.9.6 ](https://redirect.github.com/mermaid-js/mermaid/releases/tag/v10.9.6 )
-
[https://mermaid.js.org/config/schema-docs/config.html#securitylevel ](https://mermaid.js.org/config/schema-docs/config.html#securitylevel )
This data is provided by
[OSV](https://osv.dev/vulnerability/GHSA-xcj9-5m2h-648r ) and the [GitHub
Advisory Database](https://redirect.github.com/github/advisory-database )
([CC-BY
4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md )).
</details>
---
### Release Notes
<details>
<summary>mermaid-js/mermaid (mermaid)</summary>
###
[`v11.15.0`](https://redirect.github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0 )
[Compare
Source](https://redirect.github.com/mermaid-js/mermaid/compare/mermaid@11.14.0...mermaid@11.15.0 )
##### Minor Changes
-
[#​7174](https://redirect.github.com/mermaid-js/mermaid/pull/7174 )
[`0aca217`](0aca21739chttps://redirect.github.com/milesspencer35 )! -
feat(sequence): Add support for decimal start and increment values in
the `autonumber` directive
-
[#​7512](https://redirect.github.com/mermaid-js/mermaid/pull/7512 )
[`8e17492`](8e17492f73https://redirect.github.com/aruncveli )! -
feat(flowchart): add datastore shape
In Data flow diagrams, a datastore/warehouse/file/database is used to
represent data persistence. It is denoted by a rectangle with only top
and bottom borders, and can be used in flowcharts with `A@{ shape:
datastore, label: "Datastore" }`.
-
[#​6440](https://redirect.github.com/mermaid-js/mermaid/pull/6440 )
[`9ad8dde`](9ad8dde6d0https://redirect.github.com/yordis ),
[@​lgazo](https://redirect.github.com/lgazo )! - feat: add Event
Modeling diagram
-
[#​7707](https://redirect.github.com/mermaid-js/mermaid/pull/7707 )
[`27db774`](27db774627https://redirect.github.com/txmxthy )! -
feat(architecture): expose four fcose layout knobs for
`architecture-beta` diagrams (`nodeSeparation`,
`idealEdgeLengthMultiplier`, `edgeElasticity`, `numIter`) so authors can
tune layout density and spread overlapping siblings without changing
diagram source
-
[#​7604](https://redirect.github.com/mermaid-js/mermaid/pull/7604 )
[`bf9502f`](bf9502fb60https://redirect.github.com/M-a-c )! -
feat(class): add nested namespace support for class diagrams via dot
notation and syntactic nesting
If you have namespaces in class diagrams that use `.`s already and want
to render them without nesting (≤v11.14.0 behaviour), you can use set
`class.hierarchicalNamespaces=false` in your mermaid config:
```yaml
config:
class:
hierarchicalNamespaces: false
```
-
[#​7272](https://redirect.github.com/mermaid-js/mermaid/pull/7272 )
[`88cdd3d`](88cdd3dc0ahttps://redirect.github.com/xinbenlv )! -
feat(sankey): add outlined label style, configurable
nodeWidth/nodePadding, and custom node colors
##### Patch Changes
-
[#​7737](https://redirect.github.com/mermaid-js/mermaid/pull/7737 )
[`e9b0f34`](e9b0f34d8dhttps://redirect.github.com/ashishjain0512 )! -
fix: prevent unbalanced CSS styles in classDefs
-
[#​7737](https://redirect.github.com/mermaid-js/mermaid/pull/7737 )
[`37ff937`](37ff937f1dhttps://redirect.github.com/ashishjain0512 )! -
fix: create CSS styles using the CSSOM
This removes some invalid CSS and normalizes some CSS formatting.
-
[#​7508](https://redirect.github.com/mermaid-js/mermaid/pull/7508 )
[`bfe60cc`](bfe60cc67bhttps://redirect.github.com/biiab )! -
fix(stateDiagram): `end note` now only closes a note when used on a new
line
-
[#​7737](https://redirect.github.com/mermaid-js/mermaid/pull/7737 )
[`faafb5d`](faafb5d491https://redirect.github.com/ashishjain0512 )! -
fix(gantt): add iteration limit for `excludes` field
-
[#​7737](https://redirect.github.com/mermaid-js/mermaid/pull/7737 )
[`65f8be2`](65f8be2a42https://redirect.github.com/ashishjain0512 )! -
fix: disallow some CSS at-rules in custom CSS
-
[#​7726](https://redirect.github.com/mermaid-js/mermaid/pull/7726 )
[`1502f32`](1502f32f3chttps://redirect.github.com/aloisklink )! -
fix(wardley): fix unnecessary sanitization of text
-
[#​7578](https://redirect.github.com/mermaid-js/mermaid/pull/7578 )
[`1f98db8`](1f98db8e32https://redirect.github.com/Gaston202 )! -
fix(class): self-referential class multiplicity labels no longer
rendered multiple times
Fixes
[#​7560](https://redirect.github.com/mermaid-js/mermaid/issues/7560 ).
Resolves an issue where cardinality labels on self-referential class
relationships were rendered three times due to edge splitting in the
dagre layout. The fix ensures that each sub-edge only carries its
relevant label positions.
-
[#​7592](https://redirect.github.com/mermaid-js/mermaid/pull/7592 )
[`2343e38`](2343e38498https://redirect.github.com/knsv-bot )! -
fix(sequence): add background box behind alt/else section title labels
in sequence diagrams
-
[#​7589](https://redirect.github.com/mermaid-js/mermaid/pull/7589 )
[`7fb9509`](7fb9509b8bhttps://redirect.github.com/NYCU-Chung )! -
fix(block): prevent column widths from shrinking when mixing different
column spans
-
[#​7632](https://redirect.github.com/mermaid-js/mermaid/pull/7632 )
[`3f9e0f1`](3f9e0f15behttps://redirect.github.com/ekiauhce )! -
fix(sequence): correct messageAlign label position for right-to-left
arrows in sequence diagrams
-
[#​7642](https://redirect.github.com/mermaid-js/mermaid/pull/7642 )
[`7a8fb85`](7a8fb8532chttps://redirect.github.com/tractorjuice )!
- fix(wardley): allow hyphens in unquoted component names
Multi-word names containing hyphens — e.g. `real-time processing`,
`end-user`, `on-call engineer` — now parse without quoting, bringing the
grammar in line with the OnlineWardleyMaps (OWM) convention. `A->B`
(no-space arrow) still tokenises correctly.
-
[#​7523](https://redirect.github.com/mermaid-js/mermaid/pull/7523 )
[`5144ed4`](5144ed4b13https://redirect.github.com/darshanr0107 )!
- fix(block): Arrow blocks in block-beta diagrams not spanning the
specified number of columns when using `:n` syntax.
-
[#​7262](https://redirect.github.com/mermaid-js/mermaid/pull/7262 )
[`13d9bfa`](13d9bfa474https://redirect.github.com/darshanr0107 )!
- fix(block): Ensure block diagram hexagon blocks respect column
spanning syntax
-
[#​7684](https://redirect.github.com/mermaid-js/mermaid/pull/7684 )
[`e14bb88`](e14bb88bdbhttps://redirect.github.com/aloisklink )! -
fix: loosen `uuid` dependency range to allow v14
Mermaid does not use any of the vulnerable code in CVE-2026-41907,
but this allows users to silence any `npm audit` alerts on it.
-
[#​7633](https://redirect.github.com/mermaid-js/mermaid/pull/7633 )
[`9217c0d`](9217c0d8b2https://redirect.github.com/Felix-Garci )! -
fix(block): add support for all arrow types in block diagrams
-
[#​7587](https://redirect.github.com/mermaid-js/mermaid/pull/7587 )
[`5e7eb62`](5e7eb62e3ahttps://redirect.github.com/MaddyGuthridge )! -
chore: drop lodash-es in favour of es-toolkit
-
[#​7693](https://redirect.github.com/mermaid-js/mermaid/pull/7693 )
[`afaf306`](afaf306238https://redirect.github.com/dull-bird )! -
fix(quadrant-chart): allow CJK, emoji, Latin-1 accented characters, and
other non-ASCII text in unquoted axis/quadrant/point labels.
Previously the lexer only matched ASCII `[A-Za-z]+` for text tokens,
even though the grammar referenced `UNICODE_TEXT`. Bare Chinese,
Japanese, Korean, emoji, and accented Latin characters in labels caused
a parse error. Added a `[^\x00-\x7F]+` lexer rule to emit `UNICODE_TEXT`
and included it in the `alphaNumToken` grammar rule.
Fixes
[#​7120](https://redirect.github.com/mermaid-js/mermaid/issues/7120 ).
-
[#​7737](https://redirect.github.com/mermaid-js/mermaid/pull/7737 )
[`4755553`](4755553d5fhttps://redirect.github.com/ashishjain0512 )! -
fix: improve D3 types for mermaidAPI funcs
-
[#​7737](https://redirect.github.com/mermaid-js/mermaid/pull/7737 )
[`6476973`](64769738d5https://redirect.github.com/ashishjain0512 )! -
fix: handle `&` when namespacing CSS rules
-
[#​7520](https://redirect.github.com/mermaid-js/mermaid/pull/7520 )
[`8c1a0c1`](8c1a0c1fd1https://redirect.github.com/RodrigojndSantos )!
- fix(stateDiagram): comments starting with one `%` are no longer
treated as comments
Switch to using two `%%` if you want to write a comment.
- Updated dependencies
\[[`7a8fb85`](7a8fb8532c675a64ca0ehttps://redirect.github.com/mermaid-js/parser )@​1.1.1
</details>
---
### Configuration
📅 **Schedule**: (UTC)
- Branch creation
- ""
- Automerge
- At any time (no schedule defined)
🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.
♻ **Rebasing**: Whenever PR is behind base branch, or you tick the
rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.
---
- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box
---
This PR has been generated by [Mend
Renovate](https://redirect.github.com/renovatebot/renovate ).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNDEuNSIsInVwZGF0ZWRJblZlciI6IjQzLjE0MS41IiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiXX0=-->
---------
Co-authored-by: silverwind <me@silverwind.io >
Co-authored-by: Claude (Opus 4.7) <noreply@anthropic.com >
2026-05-12 01:34:49 +02:00
Giteabot
8cd8291ed0
fix(deps): update npm dependencies ( #37647 )
...
This PR contains the following updates:
| Package | Change |
[Age](https://docs.renovatebot.com/merge-confidence/ ) |
[Confidence](https://docs.renovatebot.com/merge-confidence/ ) |
|---|---|---|---|
| @​codemirror/autocomplete | [`6.20.1` →
`6.20.2`](https://renovatebot.com/diffs/npm/@codemirror%2fautocomplete/6.20.1/6.20.2 )
|
|
|
| @​codemirror/lint | [`6.9.5` →
`6.9.6`](https://renovatebot.com/diffs/npm/@codemirror%2flint/6.9.5/6.9.6 )
|
|
|
| @​codemirror/view | [`6.41.1` →
`6.42.0`](https://renovatebot.com/diffs/npm/@codemirror%2fview/6.41.1/6.42.0 )
|
|
|
| [vue](https://vuejs.org/ )
([source](https://redirect.github.com/vuejs/core )) | [`3.5.33` →
`3.5.34`](https://renovatebot.com/diffs/npm/vue/3.5.33/3.5.34 ) |
|
|
---
### Release Notes
<details>
<summary>vuejs/core (vue)</summary>
###
[`v3.5.34`](https://redirect.github.com/vuejs/core/blob/HEAD/CHANGELOG.md#3534-2026-05-06 )
[Compare
Source](https://redirect.github.com/vuejs/core/compare/v3.5.33...v3.5.34 )
##### Bug Fixes
- **compiler-sfc:** infer Vue ref wrapper types when source is
unresolvable
([#​14758](https://redirect.github.com/vuejs/core/issues/14758 ))
([7f46fd4](7f46fd411bhttps://redirect.github.com/vuejs/core/issues/14729 )
- **compiler-sfc:** preserve hash hrefs on `<image>` elements
([#​14756](https://redirect.github.com/vuejs/core/issues/14756 ))
([090b2e3](090b2e3a51https://redirect.github.com/vuejs/core/issues/14766 ))
([acfffe3](acfffe34e7https://redirect.github.com/vuejs/core/issues/14778 ))
([c8e2d4a](c8e2d4adc9https://redirect.github.com/vuejs/core/issues/14777 )
- **runtime-core:** avoid symbol coercion during props validation
([#​8539](https://redirect.github.com/vuejs/core/issues/8539 ))
([23d4fb5](23d4fb5a6ahttps://redirect.github.com/vuejs/core/issues/8487 )
- **suspense:** avoid DOM leak with out-in transition in v-if fragment
([#​14762](https://redirect.github.com/vuejs/core/issues/14762 ))
([9667e0d](9667e0d498https://redirect.github.com/vuejs/core/issues/14761 )
</details>
---
### Configuration
📅 **Schedule**: (UTC)
- Branch creation
- Only on Monday (`* * * * 1`)
- Automerge
- At any time (no schedule defined)
🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.
♻ **Rebasing**: Whenever PR is behind base branch, or you tick the
rebase/retry checkbox.
👻 **Immortal**: This PR will be recreated if closed unmerged. Get
[config
help](https://redirect.github.com/renovatebot/renovate/discussions ) if
that's undesired.
---
- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box
---
This PR has been generated by [Mend
Renovate](https://redirect.github.com/renovatebot/renovate ).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNDEuNSIsInVwZGF0ZWRJblZlciI6IjQzLjE0MS41IiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiXX0=-->
---------
Co-authored-by: silverwind <me@silverwind.io >
Co-authored-by: Claude (Opus 4.7) <noreply@anthropic.com >
2026-05-11 16:03:11 +00:00
Giteabot
a603f89fce
fix(deps): update npm dependencies ( #37636 )
...
This PR contains the following updates:
| Package | Change |
[Age](https://docs.renovatebot.com/merge-confidence/ ) |
[Confidence](https://docs.renovatebot.com/merge-confidence/ ) |
|---|---|---|---|
|
[@typescript-eslint/parser](https://typescript-eslint.io/packages/parser )
([source](https://redirect.github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/parser ))
| [`8.59.1` →
`8.59.2`](https://renovatebot.com/diffs/npm/@typescript-eslint%2fparser/8.59.1/8.59.2 )
|
|
|
| [eslint-plugin-vue](https://eslint.vuejs.org )
([source](https://redirect.github.com/vuejs/eslint-plugin-vue )) |
[`10.9.0` →
`10.9.1`](https://renovatebot.com/diffs/npm/eslint-plugin-vue/10.9.0/10.9.1 )
|
|
|
| [jiti](https://redirect.github.com/unjs/jiti ) | [`2.6.1` →
`2.7.0`](https://renovatebot.com/diffs/npm/jiti/2.6.1/2.7.0 ) |
|
|
| [postcss](https://postcss.org/ )
([source](https://redirect.github.com/postcss/postcss )) | [`8.5.13` →
`8.5.14`](https://renovatebot.com/diffs/npm/postcss/8.5.13/8.5.14 ) |
|
|
| [stylelint](https://stylelint.io )
([source](https://redirect.github.com/stylelint/stylelint )) | [`17.10.0`
→
`17.11.0`](https://renovatebot.com/diffs/npm/stylelint/17.10.0/17.11.0 )
|
|
|
|
[typescript-eslint](https://typescript-eslint.io/packages/typescript-eslint )
([source](https://redirect.github.com/typescript-eslint/typescript-eslint/tree/HEAD/packages/typescript-eslint ))
| [`8.59.1` →
`8.59.2`](https://renovatebot.com/diffs/npm/typescript-eslint/8.59.1/8.59.2 )
|
|
|
| [updates](https://redirect.github.com/silverwind/updates ) | [`17.16.8`
→ `17.16.9`](https://renovatebot.com/diffs/npm/updates/17.16.8/17.16.9 )
|
|
|
---
### Release Notes
<details>
<summary>typescript-eslint/typescript-eslint
(@​typescript-eslint/parser)</summary>
###
[`v8.59.2`](https://redirect.github.com/typescript-eslint/typescript-eslint/blob/HEAD/packages/parser/CHANGELOG.md#8592-2026-05-04 )
[Compare
Source](https://redirect.github.com/typescript-eslint/typescript-eslint/compare/v8.59.1...v8.59.2 )
This was a version bump only for parser to align it with other projects,
there were no code changes.
See [GitHub
Releases](https://redirect.github.com/typescript-eslint/typescript-eslint/releases/tag/v8.59.2 )
for more information.
You can read about our [versioning
strategy](https://typescript-eslint.io/users/versioning ) and
[releases](https://typescript-eslint.io/users/releases ) on our website.
</details>
<details>
<summary>vuejs/eslint-plugin-vue (eslint-plugin-vue)</summary>
###
[`v10.9.1`](https://redirect.github.com/vuejs/eslint-plugin-vue/blob/HEAD/CHANGELOG.md#1091 )
[Compare
Source](https://redirect.github.com/vuejs/eslint-plugin-vue/compare/v10.9.0...v10.9.1 )
##### Patch Changes
- Updated peer dependency version for
[`vue-eslint-parser`](https://redirect.github.com/vuejs/vue-eslint-parser )
to fix parsing errors in Vue SFCs
([#​3075](https://redirect.github.com/vuejs/eslint-plugin-vue/pull/3075 ))
</details>
<details>
<summary>unjs/jiti (jiti)</summary>
###
[`v2.7.0`](https://redirect.github.com/unjs/jiti/blob/HEAD/CHANGELOG.md#v270 )
[Compare
Source](https://redirect.github.com/unjs/jiti/compare/v2.6.1...v2.7.0 )
[compare
changes](https://redirect.github.com/unjs/jiti/compare/v2.6.1...v2.7.0 )
##### 🚀 Enhancements
- Add explicit resource management (using/await using) support
([#​422](https://redirect.github.com/unjs/jiti/pull/422 ))
- Support opt-in `tsconfigPaths`
([#​427](https://redirect.github.com/unjs/jiti/pull/427 ))
- Support virtual modules option
([#​428](https://redirect.github.com/unjs/jiti/pull/428 ))
- Add `jiti/static` export
([#​430](https://redirect.github.com/unjs/jiti/pull/430 ))
##### 🔥 Performance
- **interopDefault:** Add caching to reduce proxy overhead by \~2x
([#​421](https://redirect.github.com/unjs/jiti/pull/421 ))
##### 🩹 Fixes
- **require:** Passthrough resolve options
([#​412](https://redirect.github.com/unjs/jiti/pull/412 ))
- **ci:** Skip `--coverage` flag for node 18
([fe264b4](https://redirect.github.com/unjs/jiti/commit/fe264b4 ))
- **require:** Fallback to transpilation when `tryNative` fails
([#​413](https://redirect.github.com/unjs/jiti/pull/413 ))
- Fallback for `ENAMETOOLONG` when evaluating esm
([#​429](https://redirect.github.com/unjs/jiti/pull/429 ))
##### 📦 Build
- Upgrade rspack
([55194fb](https://redirect.github.com/unjs/jiti/commit/55194fb ))
- Experimental rolldown config
([8c0243f](https://redirect.github.com/unjs/jiti/commit/8c0243f ))
##### 🏡 Chore
- Fix lint issues
([4045c7a](https://redirect.github.com/unjs/jiti/commit/4045c7a ))
- Update deps
([e88ac44](https://redirect.github.com/unjs/jiti/commit/e88ac44 ))
- Update deps
([498e8d7](https://redirect.github.com/unjs/jiti/commit/498e8d7 ))
- Add missing prettier dep
([650bc48](https://redirect.github.com/unjs/jiti/commit/650bc48 ))
- Lint ([058d91a](https://redirect.github.com/unjs/jiti/commit/058d91a ))
- Init agents.md
([c49c54e](https://redirect.github.com/unjs/jiti/commit/c49c54e ))
- Update agents.md
([4deba16](https://redirect.github.com/unjs/jiti/commit/4deba16 ))
- Update deps
([08fc868https://redirect.github.com/unjs/jiti/commit/08fc868 ))
- Update tsconfig
([8c7822e](https://redirect.github.com/unjs/jiti/commit/8c7822e ))
- Update release script
([27fe3f2](https://redirect.github.com/unjs/jiti/commit/27fe3f2 ))
##### ✅ Tests
- Ignore jsx test for bun/cjs
([3a744ca](https://redirect.github.com/unjs/jiti/commit/3a744ca ))
- Update
([9ee314f](https://redirect.github.com/unjs/jiti/commit/9ee314f ))
##### 🤖 CI
- Update node test matrix
([0abda72](https://redirect.github.com/unjs/jiti/commit/0abda72 ))
##### ❤️ Contributors
- Pooya Parsa ([@​pi0](https://redirect.github.com/pi0 ))
- Kricsleo ([@​kricsleo](https://redirect.github.com/kricsleo ))
- Espen Hovlandsdal
([@​rexxars](https://redirect.github.com/rexxars ))
- Rintaro Itokawa
([@​re-taro](https://redirect.github.com/re-taro ))
- Matteo Collina
([@​mcollina](https://redirect.github.com/mcollina ))
</details>
<details>
<summary>postcss/postcss (postcss)</summary>
###
[`v8.5.14`](https://redirect.github.com/postcss/postcss/blob/HEAD/CHANGELOG.md#8514 )
[Compare
Source](https://redirect.github.com/postcss/postcss/compare/8.5.13...8.5.14 )
- Fixed custom syntax regression (by
[@​43081j](https://redirect.github.com/43081j )).
</details>
<details>
<summary>stylelint/stylelint (stylelint)</summary>
###
[`v17.11.0`](https://redirect.github.com/stylelint/stylelint/blob/HEAD/CHANGELOG.md#17110---2026-05-05 )
[Compare
Source](https://redirect.github.com/stylelint/stylelint/compare/17.10.0...17.11.0 )
It adds 2 features, including a `loader` property to `referenceFiles:
{}` for when the order of appearance in the reference styles matters.
- Added: `loader` to experimental `referenceFiles: {}`
([#​9251](https://redirect.github.com/stylelint/stylelint/pull/9251 ))
([@​romainmenke](https://redirect.github.com/romainmenke )).
- Added: `autofixed` to the result object
([#​8771](https://redirect.github.com/stylelint/stylelint/pull/8771 ))
([@​Rob--W](https://redirect.github.com/Rob--W )).
</details>
<details>
<summary>typescript-eslint/typescript-eslint
(typescript-eslint)</summary>
###
[`v8.59.2`](https://redirect.github.com/typescript-eslint/typescript-eslint/blob/HEAD/packages/typescript-eslint/CHANGELOG.md#8592-2026-05-04 )
[Compare
Source](https://redirect.github.com/typescript-eslint/typescript-eslint/compare/v8.59.1...v8.59.2 )
This was a version bump only for typescript-eslint to align it with
other projects, there were no code changes.
See [GitHub
Releases](https://redirect.github.com/typescript-eslint/typescript-eslint/releases/tag/v8.59.2 )
for more information.
You can read about our [versioning
strategy](https://typescript-eslint.io/users/versioning ) and
[releases](https://typescript-eslint.io/users/releases ) on our website.
</details>
<details>
<summary>silverwind/updates (updates)</summary>
###
[`v17.16.9`](https://redirect.github.com/silverwind/updates/releases/tag/17.16.9 )
[Compare
Source](https://redirect.github.com/silverwind/updates/compare/17.16.8...17.16.9 )
- update deps (silverwind)
- Resolve config per-file when `-f` is used
([#​136](https://redirect.github.com/silverwind/updates/issues/136 ))
(silverwind)
- Honor config pin in docker mode (silverwind)
</details>
---
### Configuration
📅 **Schedule**: (UTC)
- Branch creation
- Only on Monday (`* * * * 1`)
- Automerge
- At any time (no schedule defined)
🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.
♻ **Rebasing**: Whenever PR is behind base branch, or you tick the
rebase/retry checkbox.
👻 **Immortal**: This PR will be recreated if closed unmerged. Get
[config
help](https://redirect.github.com/renovatebot/renovate/discussions ) if
that's undesired.
---
- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box
---
This PR has been generated by [Mend
Renovate](https://redirect.github.com/renovatebot/renovate ).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNDEuNSIsInVwZGF0ZWRJblZlciI6IjQzLjE0MS41IiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiXX0=-->
---------
Co-authored-by: silverwind <me@silverwind.io >
Co-authored-by: Claude (Opus 4.7) <noreply@anthropic.com >
2026-05-11 05:01:34 +00:00
silverwind
b4085c7e3c
build: update pnpm to v11 ( #37591 )
...
Update to https://github.com/pnpm/pnpm/releases/tag/v11.0.0
- move all pnpm settings to `pnpm-workspace.yaml`, pnpm v11 only reads
that file
- drop redundant or no-op settings
- disable `strictDepBuilds` to avoid having to manually specify deps
with build scripts, this is equivalent to v10 where it will not execute
and warn.
- add workarounds for https://github.com/SukkaW/nolyfill/issues/119
- remove dead eslintrc entry
---
This PR was written with the help of Claude Opus 4.7
---------
Signed-off-by: silverwind <me@silverwind.io >
Co-authored-by: Claude (Opus 4.7) <noreply@anthropic.com >
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com >
2026-05-08 04:17:20 +00:00
Sebastian Ertz
89a49de0fd
Update go js py dependencies ( #37525 )
...
| go | from | to |
| --- | --- | --- |
| connectrpc.com/connect | `1.19.1 ` | `1.19.2` |
| github.com/Azure/go-ntlmssp | `0.1.0` | `0.1.1` |
| github.com/alecthomas/chroma/v2 | `2.23.1` | `2.24.1` |
| github.com/aws/aws-sdk-go-v2/credentials | `1.19.15` | `1.19.16` |
| github.com/aws/aws-sdk-go-v2/service/codecommit | `1.33.13` |
`1.33.14` |
| github.com/blevesearch/bleve/v2 | `2.5.7` | `2.6.0` |
| github.com/caddyserver/certmagic | `0.25.2` | `0.25.3` |
| github.com/fsnotify/fsnotify | `1.9.0` | `1.10.1` |
| github.com/getkin/kin-openapi | `0.134.0` | `0.137.0` |
| github.com/go-co-op/gocron/v2 | `2.21.0` | `2.21.1` |
| github.com/go-sql-driver/mysql | `1.9.3` | `1.10.0` |
| github.com/go-webauthn/webauthn | `0.16.5` | `0.17.2` |
| github.com/klauspost/compress | `1.18.5` | `1.18.6` |
| github.com/mattn/go-isatty | `0.0.21` | `0.0.22` |
| github.com/mattn/go-sqlite3 | `1.14.42` | `1.14.44` |
| github.com/minio/minio-go/v7 | `7.0.100` | `7.1.0` |
| github.com/redis/go-redis/v9 | `9.18.0` | `9.19.0` |
| google.golang.org/grpc | `1.80.0` | `1.81.0` |
| gopkg.in/ini.v1 | `1.67.1` | `1.67.2` |
| js | from | to |
| --- | --- | --- |
| @codemirror/search | `6.6.0` | `6.7.0` |
| @primer/octicons | `19.24.1` | `19.25.0` |
| clippie | `4.1.14` | `4.1.15` |
| easymde | `2.20.0` | `2.21.0` |
| postcss | `8.5.10` | `8.5.13` |
| rolldown-license-plugin | `3.0.1` | `3.0.4` |
| swagger-ui-dist | `5.32.4` | `5.32.5` |
| vite | `8.0.9` | `8.0.10` |
| vite-string-plugin | `2.0.2` | `2.0.4` |
| vue | `3.5.32` | `3.5.33` |
| @typescript-eslint/parser | `8.59.0` | `8.59.1` |
| eslint | `10.2.1` | `10.3.0` |
| eslint-plugin-vue | `10.8.0` | `10.9.0` |
| globals | `17.5.0` | `17.6.0` |
| material-icon-theme | `5.33.1` | `5.34.0` |
| spectral-cli-bundle | `1.0.7` | `1.0.8` |
| stylelint | `17.8.0` | `17.10.0` |
| typescript-eslint | `8.59.0` | `8.59.1` |
| updates | `17.16.3` | `17.16.8` |
| vitest | `4.1.4` | `4.1.5` |
| vue-tsc | `3.2.7` | `3.2.8` |
| pnpm | `10.33.0` | `10.33.2` |
| py | from | to |
| --- | --- | --- |
| click | `8.3.2` | `8.3.3` |
| pathspec | `1.0.4` | `1.1.1` |
---------
Co-authored-by: silverwind <me@silverwind.io >
Co-authored-by: Claude (Opus 4.7) <noreply@anthropic.com >
2026-05-04 19:27:47 +00:00
rootful
3d838ef96a
Fix mCaptcha broken after Vite migration ( #37492 )
...
After the Webpack-to-Vite migration (#37002 ), mCaptcha stopped working
entirely on the registration page, throwing an error:
`TypeError: setting getter-only property "INPUT_NAME"`
This fix stops trying to mutate the read-only INPUT_NAME export. Instead
it probes for the Widget constructor at module.default (direct) or
module.default.default (CJS-wrapped), constructs the widget, and then
renames the hidden input element it creates to m-captcha-response which
is the field name Gitea's backend reads from the submitted form.
Generative AI was used to help with making this PR.
---------
Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com >
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com >
Co-authored-by: Giteabot <teabot@gitea.io >
2026-05-02 17:21:56 +02:00
silverwind
99cd4f6b22
Integrate renovate bot for all dependency updates ( #37050 )
...
Replaces Dependabot with Renovate. The new setup:
- One PR per ecosystem (GitHub Actions, Go modules + Makefile go-tool
pins, npm, Python via uv, Nix flake), opened weekly on Mondays with a
5-day release-age cooldown. Vulnerability PRs ship next-day via daily
cron + Renovate's `vulnerabilityAlerts` schedule bypass.
- All `uses:` action refs SHA-pinned with patch-level version comments
(same format as #36971 , which this supersedes);
`helpers:pinGitHubActionDigests` keeps future bumps in that format.
- `renovatebot/github-action` runtime image pinned via the
upstream-recommended `RENOVATE_VERSION` env + magic comment +
`customManagers:githubActionsVersions` preset, so Renovate keeps the pin
updated.
- Custom regex manager tracks the `*_PACKAGE ?= <import-path>@<version>`
lines in `Makefile` (golangci-lint, swagger, actionlint, etc.) and
groups them into the same Go PR via `matchDatasources: ["go"]`.
- Post-upgrade tasks regenerate `assets/go-licenses.json` (`make tidy`)
and the SVG sprite (`make svg`), gated by an env-level command
allowlist.
- Replaces the standalone `cron-flake-updater` workflow — Renovate's nix
manager tracks `flake.nix` inputs and produces the same `flake.lock`
bump PRs on the regular weekly schedule.
- npm and gomod-replace pins live in `renovate.json5` only;
`updates@17.16 .3` reads them from there too, so the standalone
`updates.config.ts` is gone and one source of truth covers both tools.
Fixes: https://github.com/go-gitea/gitea/issues/33386
Signed-off-by: silverwind <me@silverwind.io >
Signed-off-by: TheFox0x7 <thefox0x7@gmail.com >
Co-authored-by: Claude (Opus 4.6) <noreply@anthropic.com >
Co-authored-by: TheFox0x7 <thefox0x7@gmail.com >
Co-authored-by: Nicolas <bircni@icloud.com >
Co-authored-by: Giteabot <teabot@gitea.io >
2026-04-26 14:25:22 +00:00
Sebastian Ertz
3f3bebda0d
Update go js dependencies ( #37312 )
...
| go | from | to |
| --- | --- | --- |
| github.com/aws/aws-sdk-go-v2/credentials | `1.19.14` | `1.19.15` |
| github.com/aws/aws-sdk-go-v2/service/codecommit | `1.33.12` |
`1.33.13` |
| github.com/dlclark/regexp2 | `1.11.5` | `1.12.0` |
| github.com/go-co-op/gocron/v2 | `2.20.0` | `2.21.0` |
| github.com/go-webauthn/webauthn | `0.16.4` | `0.16.5` |
| js | from | to |
| --- | --- | --- |
| @codemirror/view | `6.41.0` | `6.41.1` |
| @primer/octicons | `19.24.0` | `19.24.1` |
| clippie | `4.1.10` | `4.1.14` |
| postcss | `8.5.9` | `8.5.10` |
| rolldown-license-plugin | `2.2.5` | `3.0.1` |
| swagger-ui-dist | `5.32.2` | `5.32.4` |
| vite | `8.0.8` | `8.0.9` |
| @typescript-eslint/parser | `8.58.2` | `8.59.0` |
| @vitest/eslint-plugin | `1.6.15` | `1.6.16` |
| eslint | `10.2.0` | `10.2.1` |
| eslint-plugin-playwright | `2.10.1` | `2.10.2` |
| eslint-plugin-sonarjs | `4.0.2` | `4.0.3` |
| happy-dom | `20.8.9` | `20.9.0` |
| stylelint | `17.7.0` | `17.8.0` |
| typescript | `6.0.2` | `6.0.3` |
| typescript-eslint | `8.58.2` | `8.59.0` |
| updates | `17.15.3` | `17.15.5` |
| vue-tsc | `3.2.6` | `3.2.7` |
Co-authored-by: Nicolas <bircni@icloud.com >
Co-authored-by: silverwind <me@silverwind.io >
Co-authored-by: silverwind <silv3rwind@gmail.com >
Co-authored-by: Claude (Opus 4.7) <noreply@anthropic.com >
2026-04-20 22:32:45 +00:00
silverwind
1d25bb22f4
Move heatmap to first-party code ( #37262 )
...
Replaces `@silverwind/vue3-calendar-heatmap` with an inlined SVG
implementation. Renders pixel-identically to `main`, drops the
`onMounted` legend viewBox workaround, and uses tippy's
`createSingleton` for the hover tooltip. Adds an e2e test for tooltip
display.
This is a prereq for migrating tippy.js to
[floating-ui](https://github.com/floating-ui/floating-ui ) to avoid
having two tooltip libs active.
<img width="861" height="168" alt="image"
src="https://github.com/user-attachments/assets/99343cf6-6e09-42c7-a80d-63dbf33cf56a "
/>
---
This PR was written with the help of Claude Opus 4.7
---------
Co-authored-by: Claude (Opus 4.7) <noreply@anthropic.com >
Co-authored-by: Nicolas <bircni@icloud.com >
2026-04-20 20:15:45 +02:00
PineBale
2bfaa33347
Replace dropzone with @deltablot/dropzone ( #37237 )
...
Fix #37228 .
Using NicolasCARPi/dropzone as short-term solution
2026-04-17 08:16:42 +00:00
wxiaoguang
2644bb8490
Remove htmx ( #37224 )
...
Close #35059
Slightly improved the "fetch action" framework and started adding tests for it.
---------
Signed-off-by: silverwind <me@silverwind.io >
Co-authored-by: silverwind <me@silverwind.io >
2026-04-15 17:26:26 +00:00
Sebastian Ertz
b55528b1a2
Update go js py dependencies ( #37204 )
...
| go | from | to |
| --- | --- | --- |
| github.com/go-webauthn/webauthn | `0.16.3` | `0.16.4` |
| github.com/meilisearch/meilisearch-go | `0.36.1` | `0.36.2` |
| golang.org/x/crypto | `0.49.0` | `0.50.0` |
| golang.org/x/image | `0.38.0` | `0.39.0` |
| golang.org/x/net | `0.52.0` | `0.53.0` |
| golang.org/x/text | `0.35.0` | `0.36.0` |
| js | from | to |
| --- | --- | --- |
| @primer/octicons | `19.23.1` | `19.24.0` |
| @vitejs/plugin-vue | `6.0.5` | `6.0.6` |
| rolldown-license-plugin | `2.2.0` | `2.2.5` |
| vite | `8.0.7` | `8.0.8` |
| @types/node | `25.5.2` | `25.6.0` |
| @typescript-eslint/parser | `8.58.1` | `8.58.2` |
| @vitest/eslint-plugin | `1.6.14` | `1.6.15` |
| globals | `17.4.0` | `17.5.0` |
| stylelint | `17.6.0` | `17.7.0` |
| typescript-eslint | `8.58.1` | `8.58.2` |
| updates | `17.13.5` | `17.15.3` |
| vitest | `4.1.3` | `4.1.4` |
| py | from | to |
| --- | --- | --- |
| click | `8.3.1` | `8.3.2` |
| json5 | `0.13.0` | `0.14.0` |
| regex | `2026.2.19` | `2026.4.4` |
| tomli | `2.4.0` | `2.4.1` |
2026-04-14 12:45:54 +02:00
silverwind
04fb6f1c0b
Replace rollup-plugin-license with rolldown-license-plugin ( #37130 )
...
Replace `rollup-plugin-license` and `wrap-ansi` with
[`rolldown-license-plugin`](https://github.com/silverwind/rolldown-license-plugin ),
a zero-dependency plugin with async parallel I/O and built-in word
wrapping.
- Removes `rollup-plugin-license` (pulls in `lodash`, `moment`) and
`wrap-ansi` from the dependency tree
- License build time reduced by ~40% (370ms vs 640ms)
- Added e2e test for `licenses.txt`
Signed-off-by: silverwind <me@silverwind.io >
Co-authored-by: Claude (Opus 4.6) <noreply@anthropic.com >
2026-04-09 09:31:05 +00:00
Sebastian Ertz
714f4207d9
Update javascript dependencies ( #37142 )
...
---
| | from | to |
| --- | ---- | --- |
| esbuild | `0.27.4` | `0.28.0` |
| katex | `0.16.44` | `0.16.45` |
| postcss | `8.5.8` | `8.5.9` |
| swagger-ui-dist | `5.32.1` | `5.32.2` |
| vite | `8.0.5` | `8.0.7` |
| vue | `3.5.31` | `3.5.32` |
2026-04-08 16:45:02 +00:00
Lunny Xiao
290edc1614
upgrade vite ( #37126 )
2026-04-07 09:16:22 +00:00
silverwind
3a9cab034b
Update JS dependencies and misc tweaks ( #37064 )
...
- Update all JS deps
- Regenerate SVGs
- Add new eslint rules from unicorn
- Update typescript config for 6.0, remove deprecated options in favor
of `strict` with disablements, remove implicit dom libs.
- Set vite log level during `watch-frontend` to `warn` to avoid
confusing URLs or HMR spam from the dev server to keep the log concise.
Overridable via `FRONTEND_DEV_LOG_LEVEL`.
Co-authored-by: Claude (Opus 4.6) <noreply@anthropic.com >
2026-04-01 20:15:02 +02:00
silverwind
e2e8509239
Replace Monaco with CodeMirror ( #36764 )
...
- Replace monaco-editor with CodeMirror 6
- Add `--color-syntax-*` CSS variables for all syntax token types,
shared by CodeMirror, Chroma and EasyMDE
- Consolidate chroma CSS into a single theme-independent file
(`modules/chroma.css`)
- Syntax colors in the code editor now match the code view and
light/dark themes
- Code editor is now 12px instead of 14px font size to match code view
and GitHub
- Use a global style for kbd elements
- When editing existing files, focus will be on codemirror instead of
filename input.
- Keyboard shortcuts are roughtly the same as VSCode
- Add a "Find" button, useful for mobile
- Add context menu similar to Monaco
- Add a command palette (Ctrl/Cmd+Shift+P or F1) or via button
- Add clickable URLs via Ctrl/Cmd+click
- Add e2e test for the code editor
- Remove `window.codeEditors` global
- The main missing Monaco features are hover types and semantic rename
but these were not fully working because monaco operated only on single
files and only for JS/TS/HTML/CSS/JSON.
| | Monaco (main) | CodeMirror (cm) | Delta |
|---|---|---|---|
| **Build time** | 7.8s | 5.3s | **-32%** |
| **JS output** | 25 MB | 14 MB | **-44%** |
| **CSS output** | 1.2 MB | 1012 KB | **-17%** |
| **Total (no maps)** | 23.3 MB | 12.1 MB | **-48%** |
Fixes : #36311
Fixes : #14776
Fixes : #12171
<img width="1333" height="555" alt="image"
src="https://github.com/user-attachments/assets/f0fe3a28-1ed9-4f22-bf25-2b161501d7ce "
/>
---------
Signed-off-by: silverwind <me@silverwind.io >
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com >
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com >
Co-authored-by: Giteabot <teabot@gitea.io >
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com >
2026-03-31 21:50:45 +00:00
silverwind
e15219d810
Raise minimum Node.js version to 22.18.0 ( #37058 )
...
Remove the experimental strip types check and `NODE_VARS` mechanism from
the Makefile, as Node.js 22.18.0+ has native TypeScript type stripping
support.
https://nodejs.org/en/blog/release/v22.18.0 was released 8 months ago
and has now trickled into all major Linux distros like Alpine 3.23+.
---
This PR was written with the help of Claude Opus 4.6
Co-authored-by: Claude (Opus 4.6) <noreply@anthropic.com >
2026-03-31 16:50:51 +00:00
silverwind
0ec66b5380
Migrate from webpack to vite ( #37002 )
...
Replace webpack with Vite 8 as the frontend bundler. Frontend build is
around 3-4 times faster than before. Will work on all platforms
including riscv64 (via wasm).
`iife.js` is a classic render-blocking script in `<head>` (handles web
components/early DOM setup). `index.js` is loaded as a `type="module"`
script in the footer. All other JS chunks are also module scripts
(supported in all browsers since 2018).
Entry filenames are content-hashed (e.g. `index.C6Z2MRVQ.js`) and
resolved at runtime via the Vite manifest, eliminating the `?v=` cache
busting (which was unreliable in some scenarios like vscode dev build).
Replaces: https://github.com/go-gitea/gitea/pull/36896
Fixes: https://github.com/go-gitea/gitea/issues/17793
Signed-off-by: silverwind <me@silverwind.io >
Signed-off-by: wxiaoguang <wxiaoguang@gmail.com >
Co-authored-by: Claude (Opus 4.6) <noreply@anthropic.com >
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com >
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com >
2026-03-29 10:24:30 +00:00
silverwind
b3c6917463
Update JS dependencies ( #37001 )
...
- Update all JS dependencies via `make update-js`
- `webpack-cli` 6 to 7: remove `--disable-interpret` from Makefile
- Fix lint: remove unnecessary type args, `toThrowError` to `toThrow`
- Fix duplicate CSS selector detected by `stylelint` 17.6.0
- Change `updates.config.ts` to use `pin`, needed for `tailwindcss`
- Pin `typescript` pending typescript-eslint/typescript-eslint#12123
---------
Co-authored-by: Claude (claude-opus-4-6) <noreply@anthropic.com >
Co-authored-by: Giteabot <teabot@gitea.io >
2026-03-27 04:39:24 +01:00
silverwind
ae0bc0222a
Update to eslint 10 ( #36925 )
...
- Enable a few more rules, fix issues. The 2 `value` issues are
false-positives.
- Add exact types for `window.pageData` and
`window.notificationSettings`.
- peerDependencyRules for eslint-plugin-github unrestricted, the plugin
works in v10, but does not declare compatibility, pending
https://github.com/github/eslint-plugin-github/issues/680 .
- Added
[eslint-plugin-de-morgan](https://github.com/azat-io/eslint-plugin-de-morgan ),
no violations.
---------
Signed-off-by: silverwind <me@silverwind.io >
Signed-off-by: wxiaoguang <wxiaoguang@gmail.com >
Co-authored-by: Claude (Opus 4.6) <noreply@anthropic.com >
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com >
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com >
2026-03-23 07:49:25 +00:00
silverwind
28e09ffc67
Vendor relative-time-element as local web component ( #36853 )
...
Replace the `@github/relative-time-element` npm dependency with a
vendored, simplified implementation.
- Support 24h format rendering [PR
329](https://github.com/github/relative-time-element/pull/329 )
- Enable `::selection` styling in Firefox [PR
341](https://github.com/github/relative-time-element/pull/341 )
- Remove timezone from tooltips (It's always local timezone)
- Clean up previous `title` workaround in tippy
- Remove unused features
- Use native `Intl.DurationFormat` with fallback for older browsers,
remove dead polyfill
- Add MIT license header to vendored file
- Add unit tests
- Add dedicated devtest page for all component variants
---------
Signed-off-by: silverwind <me@silverwind.io >
Co-authored-by: Claude claude-opus-4-6 20250630 <noreply@anthropic.com >
2026-03-13 10:43:17 +00:00
silverwind
6e7bc1e635
Update JS deps ( #36850 )
...
Gets rid of all open vulns except
https://github.com/microsoft/monaco-editor/issues/5248 . Cursorly tested,
works.
---------
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com >
Co-authored-by: Giteabot <teabot@gitea.io >
2026-03-08 07:29:27 +01:00
Lunny Xiao
9c2c9c5a00
upgrade to github.com/cloudflare/circl 1.6.3, svgo 4.0.1, markdownlint-cli 0.48.0 ( #36837 )
2026-03-05 13:42:47 -08:00
Théo LUDWIG
9fe5b70e3e
build(deps): update material-icon-theme v5.32.0 ( #36832 )
...
Updated https://github.com/material-extensions/vscode-material-icon-theme to
v5.32.0 and ran `make svg && git add --all`
2026-03-05 11:51:26 -08:00
silverwind
fed2d81e88
Update JS and PY deps ( #36708 )
...
`colord` reordered in package.json, otherwise just maintenance updates.
2026-02-22 19:56:45 +00:00
silverwind
91dc737a35
Replace tinycolor2 with colord ( #36673 )
...
[`colord`](https://github.com/omgovich/colord ) is significantly smaller
than [`tinycolor2`](https://github.com/bgrins/TinyColor ) (~4KB vs ~29KB
minified) and ships its own TypeScript types, removing the need for
`@types/tinycolor2`.
Behaviour is exactly the same for our use cases. By using `.alpha(1)` we
force the function to always output 6-digit hex format (it would output
8-digit for non-opaque colors).
---------
Signed-off-by: silverwind <me@silverwind.io >
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com >
2026-02-20 15:43:01 +00:00
silverwind
5e9b9b33d1
Clean up Makefile, tests and legacy code ( #36638 )
...
This simplifies the Makefile by removing the whole-file wrapping that
creates a tempdir introduced by
https://github.com/go-gitea/gitea/pull/11126 . REPO_TEST_DIR is removed
as well.
Also clean up a lot of legacy code: unnecessary XSS test, incorrect test
env init, unused "_old_uid" hack, etc
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com >
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com >
2026-02-19 01:23:32 +00:00
silverwind
ddacefa5d6
Update JS deps ( #36656 )
...
Fixes a [security issue in
mermaid](https://github.com/mermaid-js/mermaid/issues/7345 ), tested
mermaid and asciinema.
2026-02-17 19:35:37 +01:00
silverwind
2d70d37bff
Update JS and PY deps ( #36576 )
...
eslint v10 is excluded from updates because the plugins are not compatible yet.
2026-02-10 15:39:17 +00:00
silverwind
49e6d5f6d6
Add elk layout support to mermaid ( #36486 )
...
Fixes: https://github.com/go-gitea/gitea/issues/34769
This allows the user to opt-in to using `elk` layouts using either YAML
frontmatter or `%%{ init` directives inside the markup code block. The
default layout is not changed.
---------
Signed-off-by: silverwind <me@silverwind.io >
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com >
2026-02-07 02:22:57 +00:00
silverwind
7292ae1ed5
Update JS deps, remove knip, misc tweaks ( #36499 )
...
- Update all JS deps
- Enable a few more stylelint stylistic rules and fix issues
- Remove knip, it raised another false-positive, this tool is not worth
it when you have to babysit it like that
- Exclude @eslint/json from updating as it requires unreleased eslint 10
([ref](https://github.com/eslint/json/issues/207 ))
- Update labeler config for new eslint filenames
- Adjust `make help` output
- Add type checking in `stylelint.config.ts`
2026-01-31 20:58:23 +08:00
wxiaoguang
4c8f6dfa4e
Support rendering OpenAPI spec ( #36449 )
...
Fix #20852
2026-01-26 10:34:38 +08:00
silverwind
12a81d38c1
Add knip linter ( #36442 )
...
This adds [knip](https://github.com/webpro-nl/knip ), a tool to find
unused files, dependencies and exports in JS. Fixed all discovered
issues.
1. knip apparently has some issue resolving imports from `d.ts` to `.ts`
so I worked around it by moving the two affected types to where they are
used.
2. I don't know why `modules/fomantic/dropdown.ts` had a new typescript
error, but I fixed it.
3. Use named export for `EsbuildPlugin`, I think this was added
recently.
2026-01-24 12:52:13 +00:00
silverwind
5925433fe6
Update JS dependencies, adjust webpack config, misc fixes ( #36431 )
...
1. Upgrade to [jQuery
4.0](https://blog.jquery.com/2026/01/17/jquery-4-0-0/ ). Two of the
removed APIs are in use by fomantic, but there are [polyfills
present](a3a3e581aa/web_src/fomantic/build/components/dropdown.js (L15-L17)https://html.spec.whatwg.org/multipage/dom.html#phrasing-content-2 )
and therefor can not be a descendant of `p`. This is related to
https://github.com/capricorn86/happy-dom/pull/2007 .
4. Add webpack globals
5. Remove obsolete docs glob
6. fix security issue for `seroval` package
7. disable [vitest isolate](https://vitest.dev/config/isolate.html ) for
30% faster JS tests, which are all pure.
2026-01-24 07:35:46 +00:00
Bart van der Braak
2f377e8552
Update material-icon-theme to v5.31.0 ( #36427 )
2026-01-22 00:25:14 +01:00
silverwind
49edbbbc2e
Update JS and PY deps ( #36383 )
...
- Update JS and PY dependencies
- Workaround https://github.com/stylelint/stylelint/issues/8893 by
moving the stylint config file to JS
- Regenerate SVGs
- Bump to python 3.14 in devcontainer and actions
- Verified `@github/text-expander-element`
- Removed obsolete type stub
2026-01-16 11:00:16 +00:00
silverwind
2859b0602a
Update JS deps ( #36354 )
...
- Update all JS deps
- Regenerate SVGs
- Enable new lint rules and fix issues
- Tested affected dependencies
2026-01-13 04:06:58 +00:00
silverwind
16aa0fcc98
Add date to "No Contributions" tooltip ( #36190 )
...
Fixes https://github.com/go-gitea/gitea/issues/36188 via
52bbfd7a15https://github.com/user-attachments/assets/f06ca7d6-a141-499f-b6da-e46064a44846 "
/>
After:
<img width="292" height="78" alt="Screenshot 2025-12-18 at 17 08 36"
src="https://github.com/user-attachments/assets/b80f7391-7960-44ad-8184-ffab4c9a4ea7 "
/>
If there will be more changes in the future, we should vendor this
module.
Co-authored-by: Giteabot <teabot@gitea.io >
2025-12-19 09:48:53 +01:00
silverwind
b915e6908c
Add JSON linting ( #36192 )
...
Uses https://github.com/eslint/json to lint all JSON and JSONC files in the repo.
2025-12-19 06:27:21 +00:00
silverwind
ad49b7bf31
Update JS deps and eslint enhancements ( #36147 )
...
- Update all JS deps
- Tested affected `dependencies`
- Replace eslint `unstable_native_nodejs_ts_config` with optional `jiti`
dependency. This will be more compatible with editor integrations that
may not pass this flag.
- Enable additional eslint rules, no new issues
- Move `typescript` to `devDependencies` because `make frontend` works
without it
2025-12-17 17:35:33 +00:00
Dawid Góra
0e916c67cc
Automatic generation of release notes ( #35977 )
...
Similar to GitHub, release notes can now be generated automatically.
The generator is server-side and gathers the merged PRs and contributors
and returns the corresponding Markdown text.
---------
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com >
2025-12-17 02:01:19 +00:00
silverwind
ca8c4ebecd
Update JS deps ( #36091 )
...
Result of `make update-js svg && git add --all`. Tested Mermaid.
Co-authored-by: Lunny Xiao <xiaolunwen@gmail.com >
2025-12-05 06:30:59 +01:00
silverwind
9668913d76
Update JS deps, fix deprecations ( #36040 )
...
- Update JS deps
- Regenerate SVGs
- Fix air `bin` deprecation
- Fix `monaco.languages.typescript` deprecation
- Remove `eslint-plugin-no-use-extend-native`, it's unnecessary with
typescript
- Enable new `@typescript-eslint` rules
- Disable `@typescript-eslint/no-redundant-type-constituents`, this rule
has bugs when not running under `strictNullChecks` (pending in
https://github.com/go-gitea/gitea/pull/35843 ).
2025-11-27 23:58:10 +00:00
silverwind
1baca49870
Update JS deps ( #35978 )
...
Update JS deps, regenerate SVGs, fixed lint issues and did cursory
testing of UI.
2025-11-20 21:53:44 +00:00
silverwind
d69eede59b
Update JS dependencies ( #35759 )
...
- Update all JS dependencies
- Added new unicorn rules
- `updates` now also supports updating `packageManager` and `engines`,
and I see no reason not to do that, so I think we can try keeping these
updated as well. If something in the build breaks because of this, I
will revert and exclude `pnpm` from updating further, but as far as I
understand, only corepack respects this field and pnpm itself does not
care about it.
- Regenerate SVGs.
2025-10-28 17:32:11 +00:00
silverwind
cab35ff17a
Update dependencies ( #35733 )
...
- Update all JS, Python and Makefile dependencies
- Fixed two new go lint issues
- Tested the affected JS dependencies.
2025-10-23 08:35:48 +00:00
dependabot[bot]
990201dc93
Bump happy-dom from 20.0.0 to 20.0.2 ( #35677 )
...
Signed-off-by: dependabot[bot] <support@github.com >
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2025-10-15 19:07:40 -04:00
silverwind
49a0a11f55
Update JS deps, misc tweaks ( #35643 )
...
- Update all JS dependencies
- Enable eslint `no-useless-assignment` and fix 2 discovered issues
- Replace `gitea-vscode` svg with new `octicon-vscode`
- Remove now-unused `@ts-expect-error` comments
- Change Monaco wrapping behaviour to match the wrapping in code view:
no wrapping indent and break on any character.
2025-10-12 21:07:15 +00:00
dependabot[bot]
24a595c3fc
Bump happy-dom from 19.0.2 to 20.0.0 ( #35625 )
2025-10-12 01:52:03 +00:00
