Debian Package Tracker

node-mermaid

general
  • source: node-mermaid (main)
  • version: 8.14.0+ds1+~cs11.4.14-1
  • maintainer: Debian Javascript Maintainers
  • uploaders: Bastien Roucaries
  • arch: all
  • std-ver: 4.6.1
  • VCS: Git
versions
  • o-o-stable: 8.7.0+ds+~cs27.17.17-3+deb11u2
  • exp: 8.14.0+ds1+~cs11.4.14-1
binaries
  • node-mermaid
action needed
2 security issues in sid (severity: high)

There are 2 open security issues in sid.

2 important issues:
  • CVE-2022-31108: Mermaid is a JavaScript based diagramming and charting tool that uses Markdown-inspired text definitions and a renderer to create and modify complex diagrams. An attacker is able to inject arbitrary `CSS` into the generated graph allowing them to change the styling of elements outside of the generated graph, and potentially exfiltrate sensitive information by using specially crafted `CSS` selectors. The following example shows how an attacker can exfiltrate the contents of an input field by bruteforcing the `value` attribute one character at a time. Whenever there is an actual match, an `http` request will be made by the browser in order to "load" a background image that will let an attacker know what's the value of the character. This issue may lead to `Information Disclosure` via CSS selectors and functions able to generate HTTP requests. This also allows an attacker to change the document in ways which may lead a user to perform unintended actions, such as clicking on a link, etc. This issue has been resolved in version 9.1.3. Users are advised to upgrade. Users unable to upgrade should ensure that user input is adequately escaped before embedding it in CSS blocks.
  • CVE-2022-48345: sanitize-url (aka @braintree/sanitize-url) before 6.0.2 allows XSS via HTML entities.
Created: 2022-07-04 Last update: 2024-08-15 08:30
2 security issues in trixie (severity: high)

There are 2 open security issues in trixie.

2 important issues:
  • CVE-2022-31108: Mermaid is a JavaScript based diagramming and charting tool that uses Markdown-inspired text definitions and a renderer to create and modify complex diagrams. An attacker is able to inject arbitrary `CSS` into the generated graph allowing them to change the styling of elements outside of the generated graph, and potentially exfiltrate sensitive information by using specially crafted `CSS` selectors. The following example shows how an attacker can exfiltrate the contents of an input field by bruteforcing the `value` attribute one character at a time. Whenever there is an actual match, an `http` request will be made by the browser in order to "load" a background image that will let an attacker know what's the value of the character. This issue may lead to `Information Disclosure` via CSS selectors and functions able to generate HTTP requests. This also allows an attacker to change the document in ways which may lead a user to perform unintended actions, such as clicking on a link, etc. This issue has been resolved in version 9.1.3. Users are advised to upgrade. Users unable to upgrade should ensure that user input is adequately escaped before embedding it in CSS blocks.
  • CVE-2022-48345: sanitize-url (aka @braintree/sanitize-url) before 6.0.2 allows XSS via HTML entities.
Created: 2023-10-22 Last update: 2023-10-22 12:54
1 security issue in bookworm (severity: high)

There is 1 open security issue in bookworm.

1 important issue:
  • CVE-2022-31108: Mermaid is a JavaScript based diagramming and charting tool that uses Markdown-inspired text definitions and a renderer to create and modify complex diagrams. An attacker is able to inject arbitrary `CSS` into the generated graph allowing them to change the styling of elements outside of the generated graph, and potentially exfiltrate sensitive information by using specially crafted `CSS` selectors. The following example shows how an attacker can exfiltrate the contents of an input field by bruteforcing the `value` attribute one character at a time. Whenever there is an actual match, an `http` request will be made by the browser in order to "load" a background image that will let an attacker know what's the value of the character. This issue may lead to `Information Disclosure` via CSS selectors and functions able to generate HTTP requests. This also allows an attacker to change the document in ways which may lead a user to perform unintended actions, such as clicking on a link, etc. This issue has been resolved in version 9.1.3. Users are advised to upgrade. Users unable to upgrade should ensure that user input is adequately escaped before embedding it in CSS blocks.
Created: 2022-07-04 Last update: 2022-07-09 12:05
version in VCS is newer than in repository, is it time to upload? (severity: normal)
vcswatch reports that this package seems to have a new changelog entry (version 9.1.6+~2.0.0-1, distribution UNRELEASED) and new commits in its VCS. You should consider whether it's time to make an upload.

Here are the relevant commit messages:
commit b14e5e991c2c51e31c8f7e4d29474015e9c6185a
Author: Bastien Roucariès <rouca@debian.org>
Date:   Thu Jun 11 23:44:31 2026 +0200

    Fix clean

commit 17c5fbd68f820479a5eeda2021209b681a38a37d
Author: Bastien Roucariès <rouca@debian.org>
Date:   Thu Jun 11 23:44:05 2026 +0200

    Fix khorma

commit c1c5f430f3c66394f061a24b5b1a9d2f42416a14
Author: Bastien Roucariès <rouca@debian.org>
Date:   Thu Jun 11 23:35:50 2026 +0200

    Add CVE fixed

commit 277ade444e7114caaebb3fd6a278a9dede35b902
Author: Bastien Roucariès <rouca@debian.org>
Date:   Thu Jun 11 23:20:48 2026 +0200

    New upstream version

commit d6acf590630c2523cd8b6763e68ee12e60459596
Merge: bcc3b59 8fe2fd6
Author: Bastien Roucariès <rouca@debian.org>
Date:   Thu Jun 11 23:19:59 2026 +0200

    Update upstream source from tag 'upstream/9.1.6+_2.0.0'
    
    Update to upstream version '9.1.6+~2.0.0'
    with Debian dir 91c9f23ffeaafc4f60f722fdb309ec3ae11ae7aa

commit 8fe2fd6c14d619b16697bf0e4929f77810f11c3f
Author: Bastien Roucariès <rouca@debian.org>
Date:   Thu Jun 11 23:19:54 2026 +0200

    New upstream version 9.1.6+~2.0.0

commit bcc3b59e61d05082a445a02eea41a885500cb8ad
Author: Bastien Roucariès <rouca@debian.org>
Date:   Thu Jun 11 22:52:55 2026 +0200

    Refresh patches

commit 8f23f8e3fb02b5f9d79a2387f5c4bdcf56277319
Author: Bastien Roucariès <rouca@debian.org>
Date:   Thu Jun 11 22:39:33 2026 +0200

    New upstream version

commit 71fd6774920b8ce7772e53311d8e351d5ae08a1b
Merge: 5cda598 b8d9972
Author: Bastien Roucariès <rouca@debian.org>
Date:   Thu Jun 11 22:36:47 2026 +0200

    Update upstream source from tag 'upstream/9.1.6+_1.4.1'
    
    Update to upstream version '9.1.6+~1.4.1'
    with Debian dir 1f9ec8312e545b0e2c7930658db72bd19930e34a

commit b8d99728376d254b3023dac52fad443ee3b5c472
Author: Bastien Roucariès <rouca@debian.org>
Date:   Thu Jun 11 22:36:42 2026 +0200

    New upstream version 9.1.6+~1.4.1

commit 5cda598e3087e2e9f3bc54b48d15c4b8017b8774
Author: Bastien Roucariès <rouca@debian.org>
Date:   Wed Jun 10 22:00:15 2026 +0200

    Reintroduce to experimental

commit 00973e11ed392c8972339ca33759c13d28da3504
Author: Bastien Roucariès <rouca@debian.org>
Date:   Wed Jun 10 21:44:45 2026 +0200

    Fix a typo

commit bf03c7b7572ca623cfee280ac8ac1d56556e67d6
Author: Bastien Roucariès <rouca@debian.org>
Date:   Wed Jun 10 21:25:08 2026 +0200

    Improve packaging

commit ec39449230caf6879842d33ce94cce8aacfac352
Author: Bastien Roucariès <rouca@debian.org>
Date:   Wed Jun 10 21:03:21 2026 +0200

    Fix watch

commit 71c5f2885dea69d16928afae63c41f371cc7ec48
Author: Bastien Roucariès <rouca@debian.org>
Date:   Wed Jun 10 20:38:09 2026 +0200

    Reintroduce

commit 28810e2f76bcd7cc2b86e0873351e0cc7bdc8a92
Merge: 62aeec2 d921ffc
Author: Bastien Roucariès <rouca@debian.org>
Date:   Wed Jun 10 20:27:44 2026 +0200

    Update upstream source from tag 'upstream/8.14.0+ds1+_cs11.4.14'
    
    Update to upstream version '8.14.0+ds1+~cs11.4.14'
    with Debian dir ee6973eddc7764711c2f5fb433f79b43a985764f

commit d921ffcad63e91f5376489a90ee50c47617665e1
Author: Bastien Roucariès <rouca@debian.org>
Date:   Wed Jun 10 20:27:42 2026 +0200

    New upstream version 8.14.0+ds1+~cs11.4.14

commit 62aeec25564ae4c09084a5381495fc0a13f9a513
Author: Bastien Roucariès <rouca@debian.org>
Date:   Wed Jun 10 20:27:12 2026 +0200

    Prepare experimental version

commit cc1c65ffb71010277ee96e414d990a7cf5cdeee0
Author: Yadd <yadd@debian.org>
Date:   Wed May 24 18:50:10 2023 +0400

    Update d/ch

commit f6149e09a4830459f94cfbf24d6b7e058c83d2a1
Author: Yadd <yadd@debian.org>
Date:   Wed May 24 18:49:25 2023 +0400

    Drop component stylis
    
    Closes: #1036688

commit fdef45f32f37b7bf7f08e568dad3cb9bd8de5997
Author: Nilesh Patra <nilesh@debian.org>
Date:   Sat Jan 21 13:54:10 2023 +0530

    Add extlinks for modules not found during webpack operation

commit 75d671a0625d8fab10bb8e0fd4b6eaa6abec468a
Author: Nilesh Patra <nilesh@debian.org>
Date:   Sat Jan 21 12:21:42 2023 +0530

    Add patch to fix bundling failure with rollup3 (Closes: #1022630)

commit 2f8665d21c7f71f0b609066d349433ab750616b5
Merge: dad4279 a9bc4b1
Author: Nilesh Patra <nilesh@nileshpatra.info>
Date:   Sun Nov 20 04:55:24 2022 +0000

    Merge branch 'nilesh-master-patch-50826' into 'master'
    
    Remove myself from uploaders
    
    See merge request js-team/node-mermaid!2

commit a9bc4b15a1b37148baab3d618e080c2a1c45dc28
Author: Nilesh Patra <nilesh@nileshpatra.info>
Date:   Sun Nov 20 04:54:27 2022 +0000

    Remove myself from uploaders

commit dad4279c1474c11b28f2327e135bd3d00a753153
Author: Yadd <yadd@debian.org>
Date:   Sat Jul 2 06:49:58 2022 +0200

    Add missing build dependency on dh-nodejs for command dh_nodejs_autodocs.
    
    Changes-By: lintian-brush
    Fixes: lintian: missing-build-dependency-for-dh_-command
    See-also: https://lintian.debian.org/tags/missing-build-dependency-for-dh_-command.html

commit 9e20d5e121b4a00eb80e73dae0813e234fabd9ce
Author: Yadd <yadd@debian.org>
Date:   Mon May 23 18:57:41 2022 +0200

    Add build dependency to node-path-browserify

commit a254e4a045fb8581e7689ab5bdf9b54cc63de2a4
Author: Yadd <yadd@debian.org>
Date:   Mon May 23 18:51:47 2022 +0200

    Add build dependency to node-webpack-merge

commit 058c568196739aaac08e09c437928633e076a880
Author: Yadd <yadd@debian.org>
Date:   Mon May 23 18:51:23 2022 +0200

    Drop use-webpack-config-from-8.13.3.patch

commit de9eeed3ff52893e39b72330e1d336e51237e45a
Author: Yadd <yadd@debian.org>
Date:   Mon May 23 18:05:36 2022 +0200

    Update d/ch

commit 27025177061878c7db312b3eb5991e35c626b7eb
Author: Yadd <yadd@debian.org>
Date:   Mon May 23 18:04:38 2022 +0200

    Declare compliance with policy 4.6.1

commit 68d48992dd963e126d3e4b16049c04c87c98043b
Author: Pirate Praveen <praveen@debian.org>
Date:   Mon May 23 13:26:29 2022 +0530

    webpack.config.babel.js now needs @babel/register in node_modules

commit 8ded85ef50ea5445c93ec3fa39bcb54c9145c802
Author: Pirate Praveen <praveen@debian.org>
Date:   Mon May 23 13:25:47 2022 +0530

    webpack 5 doesn't have --colors option
Created: 2026-06-11 Last update: 2026-06-12 00:01
news
  • [2026-06-11] Accepted node-mermaid 8.14.0+ds1+~cs11.4.14-1 (source all) into experimental (Debian FTP Masters) (signed by: Bastien ROUCARIÈS)
  • [2024-11-04] Removed 8.14.0+~cs11.4.14-1 from unstable (Debian FTP Masters)
  • [2022-07-15] node-mermaid REMOVED from testing (Debian testing watch)
  • [2022-07-02] Accepted node-mermaid 8.7.0+ds+~cs27.17.17-3+deb11u2 (source) into proposed-updates->stable-new, proposed-updates (Debian FTP Masters) (signed by: Xavier Guimard)
  • [2022-05-29] Accepted node-mermaid 8.7.0+ds+~cs27.17.17-3+deb11u1 (source) into proposed-updates->stable-new, proposed-updates (Debian FTP Masters) (signed by: Xavier Guimard)
  • [2022-03-23] node-mermaid 8.14.0+~cs11.4.14-1 MIGRATED to testing (Debian testing watch)
  • [2022-03-21] Accepted node-mermaid 8.14.0+~cs11.4.14-1 (source) into unstable (Yadd) (signed by: Xavier Guimard)
  • [2022-01-11] node-mermaid 8.13.8+~cs10.4.16-1 MIGRATED to testing (Debian testing watch)
  • [2022-01-09] Accepted node-mermaid 8.13.8+~cs10.4.16-1 (source) into unstable (Yadd) (signed by: Xavier Guimard)
  • [2021-12-05] node-mermaid 8.13.3+ds+~cs26.13.21-2 MIGRATED to testing (Debian testing watch)
  • [2021-12-02] Accepted node-mermaid 8.13.3+ds+~cs26.13.21-2 (source) into unstable (Jonas Smedegaard)
  • [2021-10-18] node-mermaid 8.13.3+ds+~cs26.13.21-1 MIGRATED to testing (Debian testing watch)
  • [2021-10-15] Accepted node-mermaid 8.13.3+ds+~cs26.13.21-1 (source) into unstable (Nilesh Patra)
  • [2021-10-15] Accepted node-mermaid 8.13.2+ds+~cs30.13.21-1.1 (source) into unstable (Andrej Shadura) (signed by: Andrew Shadura)
  • [2021-10-13] node-mermaid 8.13.2+ds+~cs30.13.21-1 MIGRATED to testing (Debian testing watch)
  • [2021-10-11] Accepted node-mermaid 8.13.2+ds+~cs30.13.21-1 (source) into unstable (Yadd) (signed by: Xavier Guimard)
  • [2021-07-05] node-mermaid 8.7.0+ds+~cs27.17.17-3 MIGRATED to testing (Debian testing watch)
  • [2021-06-29] Accepted node-mermaid 8.11.0+ds+~cs29.13.22-1 (source) into experimental (Yadd) (signed by: Xavier Guimard)
  • [2021-06-29] Accepted node-mermaid 8.7.0+ds+~cs27.17.17-3 (source) into unstable (Yadd) (signed by: Xavier Guimard)
  • [2021-04-28] Accepted node-mermaid 8.9.3+ds+~cs29.13.19-1 (source) into experimental (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
  • [2021-03-11] Accepted node-mermaid 8.9.1+ds+~cs26.20.25-1 (source) into experimental (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
  • [2020-12-14] Accepted node-mermaid 8.7.0+ds+~cs27.17.17-2~bpo10+1 (source all) into buster-backports, buster-backports (Debian FTP Masters) (signed by: Praveen Arimbrathodiyil)
  • [2020-10-21] node-mermaid 8.7.0+ds+~cs27.17.17-2 MIGRATED to testing (Debian testing watch)
  • [2020-10-19] Accepted node-mermaid 8.7.0+ds+~cs27.17.17-2 (source) into unstable (Nilesh Patra)
  • [2020-10-18] Accepted node-mermaid 8.7.0+ds+~cs27.17.17-1 (source all) into unstable, unstable (Debian FTP Masters) (signed by: Xavier Guimard)
bugs
  • all: 0