node-mermaid - Debian Package Tracker

general

source: node-mermaid (main)
version: 8.14.0+~cs11.4.14-1
maintainer: Debian Javascript Maintainers (archive) (DMD)
uploaders: Nilesh Patra [DMD]
arch: all
std-ver: 4.6.0
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-bpo: 8.7.0+ds+~cs27.17.17-2~bpo10+1
oldstable: 8.7.0+ds+~cs27.17.17-3+deb11u2
unstable: 8.14.0+~cs11.4.14-1

versioned links

8.7.0+ds+~cs27.17.17-2~bpo10+1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
8.7.0+ds+~cs27.17.17-3+deb11u2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
8.14.0+~cs11.4.14-1: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

node-mermaid (1 bugs: 1, 0, 0, 0)

action needed

Problems while searching for a new upstream version high

uscan had problems while searching for a new upstream version:

In debian/watch no matching files for watch line
  https://github.com/knsv/mermaid/releases .*/archive/.*/v?([\d\.]+).tar.gz group

Created: 2021-12-03 Last update: 2023-09-28 13:43

2 security issues in sid high

There are 2 open security issues in sid.

2 important issues:

CVE-2022-31108: Mermaid is a JavaScript based diagramming and charting tool that uses Markdown-inspired text definitions and a renderer to create and modify complex diagrams. An attacker is able to inject arbitrary `CSS` into the generated graph allowing them to change the styling of elements outside of the generated graph, and potentially exfiltrate sensitive information by using specially crafted `CSS` selectors. The following example shows how an attacker can exfiltrate the contents of an input field by bruteforcing the `value` attribute one character at a time. Whenever there is an actual match, an `http` request will be made by the browser in order to "load" a background image that will let an attacker know what's the value of the character. This issue may lead to `Information Disclosure` via CSS selectors and functions able to generate HTTP requests. This also allows an attacker to change the document in ways which may lead a user to perform unintended actions, such as clicking on a link, etc. This issue has been resolved in version 9.1.3. Users are advised to upgrade. Users unable to upgrade should ensure that user input is adequately escaped before embedding it in CSS blocks.
CVE-2022-48345: sanitize-url (aka @braintree/sanitize-url) before 6.0.2 allows XSS via HTML entities.

Created: 2022-07-04 Last update: 2023-06-10 13:34

lintian reports 7 errors and 16 warnings high

Lintian reports 7 errors and 16 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2022-07-30 Last update: 2022-07-30 12:15

1 security issue in bookworm high

There is 1 open security issue in bookworm.

1 important issue:

CVE-2022-31108: Mermaid is a JavaScript based diagramming and charting tool that uses Markdown-inspired text definitions and a renderer to create and modify complex diagrams. An attacker is able to inject arbitrary `CSS` into the generated graph allowing them to change the styling of elements outside of the generated graph, and potentially exfiltrate sensitive information by using specially crafted `CSS` selectors. The following example shows how an attacker can exfiltrate the contents of an input field by bruteforcing the `value` attribute one character at a time. Whenever there is an actual match, an `http` request will be made by the browser in order to "load" a background image that will let an attacker know what's the value of the character. This issue may lead to `Information Disclosure` via CSS selectors and functions able to generate HTTP requests. This also allows an attacker to change the document in ways which may lead a user to perform unintended actions, such as clicking on a link, etc. This issue has been resolved in version 9.1.3. Users are advised to upgrade. Users unable to upgrade should ensure that user input is adequately escaped before embedding it in CSS blocks.

Created: 2022-07-04 Last update: 2022-07-09 12:05

The package has not entered testing even though the delay is over normal

The package has not entered testing even though the 2-day delay is over. Check why.

Created: 2022-07-14 Last update: 2023-09-28 15:08

version in VCS is newer than in repository, is it time to upload? normal

vcswatch reports that this package seems to have a new changelog entry (version 8.14.0+~cs11.4.14-2, distribution UNRELEASED) and new commits in its VCS. You should consider whether it's time to make an upload.

Here are the relevant commit messages:

commit cc1c65ffb71010277ee96e414d990a7cf5cdeee0
Author: Yadd <yadd@debian.org>
Date:   Wed May 24 18:50:10 2023 +0400

    Update d/ch

commit f6149e09a4830459f94cfbf24d6b7e058c83d2a1
Author: Yadd <yadd@debian.org>
Date:   Wed May 24 18:49:25 2023 +0400

    Drop component stylis
    
    Closes: #1036688

commit fdef45f32f37b7bf7f08e568dad3cb9bd8de5997
Author: Nilesh Patra <nilesh@debian.org>
Date:   Sat Jan 21 13:54:10 2023 +0530

    Add extlinks for modules not found during webpack operation

commit 75d671a0625d8fab10bb8e0fd4b6eaa6abec468a
Author: Nilesh Patra <nilesh@debian.org>
Date:   Sat Jan 21 12:21:42 2023 +0530

    Add patch to fix bundling failure with rollup3 (Closes: #1022630)

commit 2f8665d21c7f71f0b609066d349433ab750616b5
Merge: dad4279 a9bc4b1
Author: Nilesh Patra <nilesh@nileshpatra.info>
Date:   Sun Nov 20 04:55:24 2022 +0000

    Merge branch 'nilesh-master-patch-50826' into 'master'
    
    Remove myself from uploaders
    
    See merge request js-team/node-mermaid!2

commit a9bc4b15a1b37148baab3d618e080c2a1c45dc28
Author: Nilesh Patra <nilesh@nileshpatra.info>
Date:   Sun Nov 20 04:54:27 2022 +0000

    Remove myself from uploaders

commit dad4279c1474c11b28f2327e135bd3d00a753153
Author: Yadd <yadd@debian.org>
Date:   Sat Jul 2 06:49:58 2022 +0200

    Add missing build dependency on dh-nodejs for command dh_nodejs_autodocs.
    
    Changes-By: lintian-brush
    Fixes: lintian: missing-build-dependency-for-dh_-command
    See-also: https://lintian.debian.org/tags/missing-build-dependency-for-dh_-command.html

commit 9e20d5e121b4a00eb80e73dae0813e234fabd9ce
Author: Yadd <yadd@debian.org>
Date:   Mon May 23 18:57:41 2022 +0200

    Add build dependency to node-path-browserify

commit a254e4a045fb8581e7689ab5bdf9b54cc63de2a4
Author: Yadd <yadd@debian.org>
Date:   Mon May 23 18:51:47 2022 +0200

    Add build dependency to node-webpack-merge

commit 058c568196739aaac08e09c437928633e076a880
Author: Yadd <yadd@debian.org>
Date:   Mon May 23 18:51:23 2022 +0200

    Drop use-webpack-config-from-8.13.3.patch

commit de9eeed3ff52893e39b72330e1d336e51237e45a
Author: Yadd <yadd@debian.org>
Date:   Mon May 23 18:05:36 2022 +0200

    Update d/ch

commit 27025177061878c7db312b3eb5991e35c626b7eb
Author: Yadd <yadd@debian.org>
Date:   Mon May 23 18:04:38 2022 +0200

    Declare compliance with policy 4.6.1

commit 68d48992dd963e126d3e4b16049c04c87c98043b
Author: Pirate Praveen <praveen@debian.org>
Date:   Mon May 23 13:26:29 2022 +0530

    webpack.config.babel.js now need @babel/register in node_modules

commit 8ded85ef50ea5445c93ec3fa39bcb54c9145c802
Author: Pirate Praveen <praveen@debian.org>
Date:   Mon May 23 13:25:47 2022 +0530

    webpack 5 don't have --colors option

Created: 2022-05-23 Last update: 2023-09-22 04:38

O: This package has been orphaned and needs a maintainer. normal

This package has been orphaned. This means that it does not have a real maintainer at the moment. Please consider adopting this package if you are interested in it. Please see bug number #1012551 for more information.

Created: 2022-06-09 Last update: 2022-06-09 04:09

Multiarch hinter reports 1 issue(s) low

There are issues with the multiarch metadata for this package.

node-mermaid could be marked Multi-Arch: foreign

Created: 2020-10-19 Last update: 2023-09-28 13:49

2 low-priority security issues in bullseye low

There are 2 open security issues in bullseye.

2 issues left for the package maintainer to handle:

CVE-2022-31108: (needs triaging) Mermaid is a JavaScript based diagramming and charting tool that uses Markdown-inspired text definitions and a renderer to create and modify complex diagrams. An attacker is able to inject arbitrary `CSS` into the generated graph allowing them to change the styling of elements outside of the generated graph, and potentially exfiltrate sensitive information by using specially crafted `CSS` selectors. The following example shows how an attacker can exfiltrate the contents of an input field by bruteforcing the `value` attribute one character at a time. Whenever there is an actual match, an `http` request will be made by the browser in order to "load" a background image that will let an attacker know what's the value of the character. This issue may lead to `Information Disclosure` via CSS selectors and functions able to generate HTTP requests. This also allows an attacker to change the document in ways which may lead a user to perform unintended actions, such as clicking on a link, etc. This issue has been resolved in version 9.1.3. Users are advised to upgrade. Users unable to upgrade should ensure that user input is adequately escaped before embedding it in CSS blocks.
CVE-2022-48345: (needs triaging) sanitize-url (aka @braintree/sanitize-url) before 6.0.2 allows XSS via HTML entities.

You can find information about how to handle these issues in the security team's documentation.

Created: 2022-07-04 Last update: 2023-06-10 13:34

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.6.2 instead of 4.6.0).

Created: 2022-05-11 Last update: 2022-12-17 19:17

testing migrations

excuses:
- Migration status for node-mermaid (- to 8.14.0+~cs11.4.14-1): BLOCKED: Rejected/violates migration policy/introduces a regression
- Issues preventing migration:
- ∙ ∙ Updating node-mermaid would introduce bugs in testing: #1001549, #1022630, #1036688
- Additional info:
- ∙ ∙ Piuparts tested OK - https://piuparts.debian.org/sid/source/n/node-mermaid.html
- ∙ ∙ autopkgtest for node-mermaid/8.14.0+~cs11.4.14-1: amd64: Pass, arm64: Pass, armel: Pass, armhf: Pass, i386: Pass, ppc64el: Pass, s390x: Pass
- ∙ ∙ Required age reduced by 3 days because of autopkgtest
- ∙ ∙ 556 days old (needed 2 days)
- Not considered

news

[rss feed]

[2022-07-15] node-mermaid REMOVED from testing (Debian testing watch)
[2022-07-15] node-mermaid REMOVED from testing (Debian testing watch)
[2022-07-02] Accepted node-mermaid 8.7.0+ds+~cs27.17.17-3+deb11u2 (source) into proposed-updates->stable-new, proposed-updates (Debian FTP Masters) (signed by: Xavier Guimard)
[2022-05-29] Accepted node-mermaid 8.7.0+ds+~cs27.17.17-3+deb11u1 (source) into proposed-updates->stable-new, proposed-updates (Debian FTP Masters) (signed by: Xavier Guimard)
[2022-03-23] node-mermaid 8.14.0+~cs11.4.14-1 MIGRATED to testing (Debian testing watch)
[2022-03-21] Accepted node-mermaid 8.14.0+~cs11.4.14-1 (source) into unstable (Yadd) (signed by: Xavier Guimard)
[2022-01-11] node-mermaid 8.13.8+~cs10.4.16-1 MIGRATED to testing (Debian testing watch)
[2022-01-09] Accepted node-mermaid 8.13.8+~cs10.4.16-1 (source) into unstable (Yadd) (signed by: Xavier Guimard)
[2021-12-05] node-mermaid 8.13.3+ds+~cs26.13.21-2 MIGRATED to testing (Debian testing watch)
[2021-12-02] Accepted node-mermaid 8.13.3+ds+~cs26.13.21-2 (source) into unstable (Jonas Smedegaard)
[2021-10-18] node-mermaid 8.13.3+ds+~cs26.13.21-1 MIGRATED to testing (Debian testing watch)
[2021-10-15] Accepted node-mermaid 8.13.3+ds+~cs26.13.21-1 (source) into unstable (Nilesh Patra)
[2021-10-15] Accepted node-mermaid 8.13.2+ds+~cs30.13.21-1.1 (source) into unstable (Andrej Shadura) (signed by: Andrew Shadura)
[2021-10-13] node-mermaid 8.13.2+ds+~cs30.13.21-1 MIGRATED to testing (Debian testing watch)
[2021-10-11] Accepted node-mermaid 8.13.2+ds+~cs30.13.21-1 (source) into unstable (Yadd) (signed by: Xavier Guimard)
[2021-07-05] node-mermaid 8.7.0+ds+~cs27.17.17-3 MIGRATED to testing (Debian testing watch)
[2021-06-29] Accepted node-mermaid 8.11.0+ds+~cs29.13.22-1 (source) into experimental (Yadd) (signed by: Xavier Guimard)
[2021-06-29] Accepted node-mermaid 8.7.0+ds+~cs27.17.17-3 (source) into unstable (Yadd) (signed by: Xavier Guimard)
[2021-04-28] Accepted node-mermaid 8.9.3+ds+~cs29.13.19-1 (source) into experimental (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
[2021-03-11] Accepted node-mermaid 8.9.1+ds+~cs26.20.25-1 (source) into experimental (Pirate Praveen) (signed by: Praveen Arimbrathodiyil)
[2020-12-14] Accepted node-mermaid 8.7.0+ds+~cs27.17.17-2~bpo10+1 (source all) into buster-backports, buster-backports (Debian FTP Masters) (signed by: Praveen Arimbrathodiyil)
[2020-10-21] node-mermaid 8.7.0+ds+~cs27.17.17-2 MIGRATED to testing (Debian testing watch)
[2020-10-19] Accepted node-mermaid 8.7.0+ds+~cs27.17.17-2 (source) into unstable (Nilesh Patra)
[2020-10-18] Accepted node-mermaid 8.7.0+ds+~cs27.17.17-1 (source all) into unstable, unstable (Debian FTP Masters) (signed by: Xavier Guimard)

bugs [bug history graph]

all: 5
RC: 1
I&N: 2
M&W: 0
F&P: 2
patch: 0

links

homepage
lintian (7, 16)
buildd: logs
popcon
browse source code
edit tags
other distros
security tracker
screenshots
debian patches
debci