Update dependency mermaid to v11.15.0 [SECURITY] (v15.0/forgejo) ( #12531 ) ...
This PR contains the following updates:
| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/ ) | [Confidence](https://docs.renovatebot.com/merge-confidence/ ) |
|---|---|---|---|
| [mermaid](https://github.com/mermaid-js/mermaid ) | [`11.13.0` → `11.15.0`](https://renovatebot.com/diffs/npm/mermaid/11.13.0/11.15.0 ) |  |  |
---
### Mermaid Gantt Charts are vulnerable to an Infinite Loop DoS
[CVE-2026-41150](https://nvd.nist.gov/vuln/detail/CVE-2026-41150 ) / [GHSA-6m6c-36f7-fhxh](https://github.com/advisories/GHSA-6m6c-36f7-fhxh )
<details>
<summary>More information</summary>
#### Details
##### Impact
Mermaid v11.14.0 and earlier are vulnerable to a denial-of-service attack when rendering gantt charts, if they use the [`excludes` attribute](https://mermaid.js.org/syntax/gantt.html?#excludes ) to exclude all dates.
Example:
```
gantt
excludes monday,tuesday,wednesday,thursday,friday,saturday,sunday
DoS :2025-01-01, 1d
```
`mermaid.parse` is unaffected, unless you then call the `ganttDb.getTasks()` (which is called when rendering a diagram).
##### Patches
This has been patched in:
- [v11.15.0](https://github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0 ) (see [faafb5d49106dd32c367f3882505f2dd625aa30e](faafb5d491https://github.com/mermaid-js/mermaid/releases/tag/v10.9.6 ) (see [a59ea56174712ee5430dfd5bc877cb5151f501a6](a59ea56174https://github.com/mermaid-js/mermaid/security/advisories/GHSA-6m6c-36f7-fhxh ](https://github.com/mermaid-js/mermaid/security/advisories/GHSA-6m6c-36f7-fhxh )
- [a59ea56174faafb5d491https://github.com/mermaid-js/mermaid ](https://github.com/mermaid-js/mermaid )
- [https://github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0 ](https://github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0 )
- [https://github.com/mermaid-js/mermaid/releases/tag/v10.9.6 ](https://github.com/mermaid-js/mermaid/releases/tag/v10.9.6 )
This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-6m6c-36f7-fhxh ) and the [GitHub Advisory Database](https://github.com/github/advisory-database ) ([CC-BY 4.0](https://github.com/github/advisory-database/blob/main/LICENSE.md )).
</details>
---
### Mermaid: Improper sanitization of configuration leads to CSS injection
[CVE-2026-41159](https://nvd.nist.gov/vuln/detail/CVE-2026-41159 ) / [GHSA-87f9-hvmw-gh4p](https://github.com/advisories/GHSA-87f9-hvmw-gh4p )
<details>
<summary>More information</summary>
#### Details
##### Impact
Mermaid's default configuration allows injecting CSS that applies outside of the Mermaid diagram via the `fontFamily`, `themeCSS`, and `altFontFamily` configuration options.
Live demo: [mermaid.live](https://mermaid.live/edit#pako:eNpNjktLxDAUhf9KvFBR6JS-60QQfODKlUvJ5k6TtsEmKTHFGUP-u-mI6Nmdy3fOPR56wwVQSBIvtXSUeAaD0e4ZlZxPDChhcLxFfwiEauOuLq_9Afv30ZpVczpaITS5kGox1qF2gfSeBwYhJAnThAyz-ewntI68vG5-0z3Z7e7IA9OQwmglB-rsKlJQwircLPgNZeAmocTPAi4GXGfHgOkQYwvqN2PUbzJuGSegA84f0a0LRyeeJI4W_xChubCPcbQD2pwbgHo4Aq2aKmvbqq3zoiu7pizqFE6RybN9VFfFY1HWXRVS-Dr_zLObrt7_V_gGGXZlGg )
Example code:
```
%%{init: {"fontFamily": "x;a{b} :not(&){background:green !important} c{d}"}}%%
flowchart LR
A --> B
```
The injected CSS exploits stylis's `&` (scope reference) handling. `:not(&)` escapes the `#mermaid-xxx` automatic scoping, applying styles to all page elements. Global at-rules (`@font-face`, `@keyframes`, `@counter-style`) are also injectable as stylis hoists them to top level.
This allows page defacement and DOM attribute exfiltration via CSS `:has()` selectors.
##### Patches
- [v11.15.0](https://github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0 ) (see [64769738d5b59211e1decb471ffbaca8afec51aa](64769738d5https://github.com/mermaid-js/mermaid/releases/tag/v10.9.6 ) (see [a9d9f0d8eb790349121508688cd338253fd80d76](a9d9f0d8ebhttps://mermaid.js.org/config/schema-docs/config.html#secure ) config value in the mermaid config to avoid allowing diagrams to modify `fontFamily`, `themeCSS`, `altFontFamily`, and `themeVariables`.
Setting [`"securityLevel": "sandbox"`](https://mermaid.js.org/config/schema-docs/config.html#securitylevel ) will also prevent this.
##### Credits
Reported by @​zsxsoft on behalf of @​KeenSecurityLab
#### Severity
- CVSS Score: 5.3 / 10 (Medium)
- Vector String: `CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L`
#### References
- [https://github.com/mermaid-js/mermaid/security/advisories/GHSA-87f9-hvmw-gh4p ](https://github.com/mermaid-js/mermaid/security/advisories/GHSA-87f9-hvmw-gh4p )
- [64769738d5a9d9f0d8ebhttps://github.com/mermaid-js/mermaid ](https://github.com/mermaid-js/mermaid )
- [https://github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0 ](https://github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0 )
- [https://github.com/mermaid-js/mermaid/releases/tag/v10.9.6 ](https://github.com/mermaid-js/mermaid/releases/tag/v10.9.6 )
This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-87f9-hvmw-gh4p ) and the [GitHub Advisory Database](https://github.com/github/advisory-database ) ([CC-BY 4.0](https://github.com/github/advisory-database/blob/main/LICENSE.md )).
</details>
---
### Mermaid: Improper sanitization of `classDef` in state diagrams leads to HTML injection
[CVE-2026-41149](https://nvd.nist.gov/vuln/detail/CVE-2026-41149 ) / [GHSA-ghcm-xqfw-q4vr](https://github.com/advisories/GHSA-ghcm-xqfw-q4vr )
<details>
<summary>More information</summary>
#### Details
##### Impact
Under the default configuration, Mermaid state diagram's `classDef` allow DOM injection that escapes the SVG, although `<script>` tags are removed, preventing XSS.
##### Proof-of-concept
```
stateDiagram-v2
classDef xss fill:red</style></svg><style>*{x:x;y:y;overflow:visible!important;contain:none!important;transform:none!important;filter:none!important;clip-path:none!important}</style><div style="x:x;y:y;color:red;font:5em/1 monospace;display:grid;place-items:center;z-index:2147483647;width:100vw;height:100vh;position:fixed;top:0;left:0;background:black">HACKED</div><svg><style>a:b
[*] --> A:::xss
```
##### Patches
- [v11.15.0](https://github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0 ) (see [37ff937f1da2e19f882fd1db01235db4d01f4056](37ff937f1dhttps://github.com/mermaid-js/mermaid/releases/tag/v10.9.6 ) (see [4e2d512bf5bf6f9de1a8f0a48da78dc4d09ac4f3](4e2d512bf5https://mermaid.js.org/config/schema-docs/config.html#securitylevel ) will prevent this, by rendering the mermaid diagram in a sandboxed `<iframe>`.
##### Credits
Thanks to @​zsxsoft from @​KeenSecurityLab for reporting this vulnerability.
#### Severity
- CVSS Score: 5.3 / 10 (Medium)
- Vector String: `CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L`
#### References
- [https://github.com/mermaid-js/mermaid/security/advisories/GHSA-ghcm-xqfw-q4vr ](https://github.com/mermaid-js/mermaid/security/advisories/GHSA-ghcm-xqfw-q4vr )
- [37ff937f1d4e2d512bf5https://github.com/mermaid-js/mermaid ](https://github.com/mermaid-js/mermaid )
- [https://github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0 ](https://github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0 )
- [https://github.com/mermaid-js/mermaid/releases/tag/v10.9.6 ](https://github.com/mermaid-js/mermaid/releases/tag/v10.9.6 )
- [https://mermaid.js.org/config/schema-docs/config.html#securitylevel ](https://mermaid.js.org/config/schema-docs/config.html#securitylevel )
This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-ghcm-xqfw-q4vr ) and the [GitHub Advisory Database](https://github.com/github/advisory-database ) ([CC-BY 4.0](https://github.com/github/advisory-database/blob/main/LICENSE.md )).
</details>
---
### Mermaid: Improper sanitization of `classDefs` in diagrams leads to CSS injection
[CVE-2026-41148](https://nvd.nist.gov/vuln/detail/CVE-2026-41148 ) / [GHSA-xcj9-5m2h-648r](https://github.com/advisories/GHSA-xcj9-5m2h-648r )
<details>
<summary>More information</summary>
#### Details
##### Details
The state diagram and any other diagram type that routes user-controlled style strings through createCssStyles parser for Mermaid v11.14.0 and earlier captures `classDef` values with an unrestricted regex:
```jison
// packages/mermaid/src/diagrams/state/parser/stateDiagram.jison:83
<CLASSDEFID>[^\n]* { this.popState(); return 'CLASSDEF_STYLEOPTS' }
```
The value passes unsanitized through `addStyleClass()` -> `createCssStyles()` -> `style.innerHTML` (mermaidAPI.ts:418). A `}` in the value closes the generated CSS selector, and everything after becomes a new CSS rule on the page.
##### PoC
```
stateDiagram-v2
classDef x }*{ background-image: url("http://media.giphy.com/media/SggILpMXO7Xt6/giphy.gif ")}
```
Live demo:
<https://mermaid.live/edit#pako:eNpFjzFvgzAQhf-KdVNbEcBgMHhtlkqtOnSJKi8ONsYKBmRMlRTx3-skanvTfbp7996t0IxSAYPZC6_2Rmgn7O4rQ00v5nmvWnRG29OKjqI5aTcug9wZK7RiaHH9A4fO-4kliVXSiFibqbvEzWjvnHxo_fI6vR3e6cGXyX2qTcvhcYMItDMSmHeLisAqZ8UVYeUDQhx8p6ziwEIrhTtx4MNVM4nhcxztrywE0h2wVvRzoGWS_z_8rahBKvcckntgmN5OAFvhDIzUNCZZQXCR5nVaZkUEF2BVFpOcEkoxxhUuyRbB980yjStapKHqoKFlhvPtB7BFZEU >
##### Patches
This has been patched in:
- [v11.15.0](https://github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0 ) (see [e9b0f34d8d82a6260077764ee45e1d7d90957a0f](e9b0f34d8dhttps://github.com/mermaid-js/mermaid/releases/tag/v10.9.6 ) (see [8fead23c59166b7bab6a39eac81acebee2859102](8fead23c59https://mermaid.js.org/config/schema-docs/config.html#securitylevel ) will prevent this, by rendering the mermaid diagram in a sandboxed `<iframe>`.
##### Impact
Enables page defacement, user tracking via `url()` callbacks, and DOM attribute exfiltration via CSS `:has()` selectors.
#### Severity
- CVSS Score: 5.3 / 10 (Medium)
- Vector String: `CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L`
#### References
- [https://github.com/mermaid-js/mermaid/security/advisories/GHSA-xcj9-5m2h-648r ](https://github.com/mermaid-js/mermaid/security/advisories/GHSA-xcj9-5m2h-648r )
- [8fead23c59e9b0f34d8dhttps://github.com/mermaid-js/mermaid ](https://github.com/mermaid-js/mermaid )
- [https://github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0 ](https://github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0 )
- [https://github.com/mermaid-js/mermaid/releases/tag/v10.9.6 ](https://github.com/mermaid-js/mermaid/releases/tag/v10.9.6 )
- [https://mermaid.js.org/config/schema-docs/config.html#securitylevel ](https://mermaid.js.org/config/schema-docs/config.html#securitylevel )
This data is provided by [OSV](https://osv.dev/vulnerability/GHSA-xcj9-5m2h-648r ) and the [GitHub Advisory Database](https://github.com/github/advisory-database ) ([CC-BY 4.0](https://github.com/github/advisory-database/blob/main/LICENSE.md )).
</details>
---
### Release Notes
<details>
<summary>mermaid-js/mermaid (mermaid)</summary>
### [`v11.15.0`](https://github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0 )
[Compare Source](https://github.com/mermaid-js/mermaid/compare/mermaid@11.14.0...mermaid@11.15.0 )
##### Minor Changes
- [#​7174](https://github.com/mermaid-js/mermaid/pull/7174 ) [`0aca217`](0aca21739chttps://github.com/milesspencer35 )! - feat(sequence): Add support for decimal start and increment values in the `autonumber` directive
- [#​7512](https://github.com/mermaid-js/mermaid/pull/7512 ) [`8e17492`](8e17492f73https://github.com/aruncveli )! - feat(flowchart): add datastore shape
In Data flow diagrams, a datastore/warehouse/file/database is used to represent data persistence. It is denoted by a rectangle with only top and bottom borders, and can be used in flowcharts with `A@{ shape: datastore, label: "Datastore" }`.
- [#​6440](https://github.com/mermaid-js/mermaid/pull/6440 ) [`9ad8dde`](9ad8dde6d0https://github.com/yordis ), [@​lgazo](https://github.com/lgazo )! - feat: add Event Modeling diagram
- [#​7707](https://github.com/mermaid-js/mermaid/pull/7707 ) [`27db774`](27db774627https://github.com/txmxthy )! - feat(architecture): expose four fcose layout knobs for `architecture-beta` diagrams (`nodeSeparation`, `idealEdgeLengthMultiplier`, `edgeElasticity`, `numIter`) so authors can tune layout density and spread overlapping siblings without changing diagram source
- [#​7604](https://github.com/mermaid-js/mermaid/pull/7604 ) [`bf9502f`](bf9502fb60https://github.com/M-a-c )! - feat(class): add nested namespace support for class diagrams via dot notation and syntactic nesting
If you have namespaces in class diagrams that use `.`s already and want to render them without nesting (≤v11.14.0 behaviour), you can use set `class.hierarchicalNamespaces=false` in your mermaid config:
```yaml
config:
class:
hierarchicalNamespaces: false
```
- [#​7272](https://github.com/mermaid-js/mermaid/pull/7272 ) [`88cdd3d`](88cdd3dc0ahttps://github.com/xinbenlv )! - feat(sankey): add outlined label style, configurable nodeWidth/nodePadding, and custom node colors
##### Patch Changes
- [#​7737](https://github.com/mermaid-js/mermaid/pull/7737 ) [`e9b0f34`](e9b0f34d8dhttps://github.com/ashishjain0512 )! - fix: prevent unbalanced CSS styles in classDefs
- [#​7737](https://github.com/mermaid-js/mermaid/pull/7737 ) [`37ff937`](37ff937f1dhttps://github.com/ashishjain0512 )! - fix: create CSS styles using the CSSOM
This removes some invalid CSS and normalizes some CSS formatting.
- [#​7508](https://github.com/mermaid-js/mermaid/pull/7508 ) [`bfe60cc`](bfe60cc67bhttps://github.com/biiab )! - fix(stateDiagram): `end note` now only closes a note when used on a new line
- [#​7737](https://github.com/mermaid-js/mermaid/pull/7737 ) [`faafb5d`](faafb5d491https://github.com/ashishjain0512 )! - fix(gantt): add iteration limit for `excludes` field
- [#​7737](https://github.com/mermaid-js/mermaid/pull/7737 ) [`65f8be2`](65f8be2a42https://github.com/ashishjain0512 )! - fix: disallow some CSS at-rules in custom CSS
- [#​7726](https://github.com/mermaid-js/mermaid/pull/7726 ) [`1502f32`](1502f32f3chttps://github.com/aloisklink )! - fix(wardley): fix unnecessary sanitization of text
- [#​7578](https://github.com/mermaid-js/mermaid/pull/7578 ) [`1f98db8`](1f98db8e32https://github.com/Gaston202 )! - fix(class): self-referential class multiplicity labels no longer rendered multiple times
Fixes [#​7560](https://github.com/mermaid-js/mermaid/issues/7560 ). Resolves an issue where cardinality labels on self-referential class relationships were rendered three times due to edge splitting in the dagre layout. The fix ensures that each sub-edge only carries its relevant label positions.
- [#​7592](https://github.com/mermaid-js/mermaid/pull/7592 ) [`2343e38`](2343e38498https://github.com/knsv-bot )! - fix(sequence): add background box behind alt/else section title labels in sequence diagrams
- [#​7589](https://github.com/mermaid-js/mermaid/pull/7589 ) [`7fb9509`](7fb9509b8bhttps://github.com/NYCU-Chung )! - fix(block): prevent column widths from shrinking when mixing different column spans
- [#​7632](https://github.com/mermaid-js/mermaid/pull/7632 ) [`3f9e0f1`](3f9e0f15behttps://github.com/ekiauhce )! - fix(sequence): correct messageAlign label position for right-to-left arrows in sequence diagrams
- [#​7642](https://github.com/mermaid-js/mermaid/pull/7642 ) [`7a8fb85`](7a8fb8532chttps://github.com/tractorjuice )! - fix(wardley): allow hyphens in unquoted component names
Multi-word names containing hyphens — e.g. `real-time processing`, `end-user`, `on-call engineer` — now parse without quoting, bringing the grammar in line with the OnlineWardleyMaps (OWM) convention. `A->B` (no-space arrow) still tokenises correctly.
- [#​7523](https://github.com/mermaid-js/mermaid/pull/7523 ) [`5144ed4`](5144ed4b13https://github.com/darshanr0107 )! - fix(block): Arrow blocks in block-beta diagrams not spanning the specified number of columns when using `:n` syntax.
- [#​7262](https://github.com/mermaid-js/mermaid/pull/7262 ) [`13d9bfa`](13d9bfa474https://github.com/darshanr0107 )! - fix(block): Ensure block diagram hexagon blocks respect column spanning syntax
- [#​7684](https://github.com/mermaid-js/mermaid/pull/7684 ) [`e14bb88`](e14bb88bdbhttps://github.com/aloisklink )! - fix: loosen `uuid` dependency range to allow v14
Mermaid does not use any of the vulnerable code in CVE-2026-41907,
but this allows users to silence any `npm audit` alerts on it.
- [#​7633](https://github.com/mermaid-js/mermaid/pull/7633 ) [`9217c0d`](9217c0d8b2https://github.com/Felix-Garci )! - fix(block): add support for all arrow types in block diagrams
- [#​7587](https://github.com/mermaid-js/mermaid/pull/7587 ) [`5e7eb62`](5e7eb62e3ahttps://github.com/MaddyGuthridge )! - chore: drop lodash-es in favour of es-toolkit
- [#​7693](https://github.com/mermaid-js/mermaid/pull/7693 ) [`afaf306`](afaf306238https://github.com/dull-bird )! - fix(quadrant-chart): allow CJK, emoji, Latin-1 accented characters, and other non-ASCII text in unquoted axis/quadrant/point labels.
Previously the lexer only matched ASCII `[A-Za-z]+` for text tokens, even though the grammar referenced `UNICODE_TEXT`. Bare Chinese, Japanese, Korean, emoji, and accented Latin characters in labels caused a parse error. Added a `[^\x00-\x7F]+` lexer rule to emit `UNICODE_TEXT` and included it in the `alphaNumToken` grammar rule.
Fixes [#​7120](https://github.com/mermaid-js/mermaid/issues/7120 ).
- [#​7737](https://github.com/mermaid-js/mermaid/pull/7737 ) [`4755553`](4755553d5fhttps://github.com/ashishjain0512 )! - fix: improve D3 types for mermaidAPI funcs
- [#​7737](https://github.com/mermaid-js/mermaid/pull/7737 ) [`6476973`](64769738d5https://github.com/ashishjain0512 )! - fix: handle `&` when namespacing CSS rules
- [#​7520](https://github.com/mermaid-js/mermaid/pull/7520 ) [`8c1a0c1`](8c1a0c1fd1https://github.com/RodrigojndSantos )! - fix(stateDiagram): comments starting with one `%` are no longer treated as comments
Switch to using two `%%` if you want to write a comment.
- Updated dependencies \[[`7a8fb85`](7a8fb8532c675a64ca0ehttps://github.com/mermaid-js/parser )@​1.1.1
### [`v11.14.0`](https://github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.14.0 )
[Compare Source](https://github.com/mermaid-js/mermaid/compare/mermaid@11.13.0...mermaid@11.14.0 )
Thanks to our awesome mermaid community that contributed to this release: [@​ashishjain0512](https://github.com/ashishjain0512 ), [@​tractorjuice](https://github.com/tractorjuice ), [@​autofix-ci\[bot\]](https://github.com/autofix-ci%5Bbot%5D ), [@​aloisklink](https://github.com/aloisklink ), [@​knsv](https://github.com/knsv ), [@​kibanana](https://github.com/kibanana ), [@​chandershekhar22](https://github.com/chandershekhar22 ), [@​khalil](https://github.com/khalil ), [@​ytatsuno](https://github.com/ytatsuno ), [@​sidharthv96](https://github.com/sidharthv96 ), [@​github-actions\[bot\]](https://github.com/github-actions%5Bbot%5D ), [@​dripcoding](https://github.com/dripcoding ), [@​knsv-bot](https://github.com/knsv-bot ), [@​jeroensmink98](https://github.com/jeroensmink98 ), [@​Alex9583](https://github.com/Alex9583 ), [@​GhassenS](https://github.com/GhassenS ), [@​omkarht](https://github.com/omkarht ), [@​darshanr0107](https://github.com/darshanr0107 ), [@​leentaylor](https://github.com/leentaylor ), [@​lee-treehouse](https://github.com/lee-treehouse ), [@​veeceey](https://github.com/veeceey ), [@​turntrout](https://github.com/turntrout ), [@​Mermaid-Chart](https://github.com/Mermaid-Chart ), [@​BambioGaming](https://github.com/BambioGaming ), Claude
### Releases
#### [@​mermaid-js/examples](https://github.com/mermaid-js/examples )@​1.2.0
##### Minor Changes
- [#​7526](https://github.com/mermaid-js/mermaid/pull/7526 ) [`efe218a`](efe218a47fhttps://github.com/mermaid-js/mermaid/pull/7526 ) [`efe218a`](efe218a47fhttps://github.com/boundary ) notation
- Pipeline components with visibility inheritance
- Annotations, notes, and visual elements
- Source strategy markers: build, buy, outsource, market
- Inertia indicators
- Theme integration
Implementation includes parser, D3.js renderer, unit tests, E2E tests, and comprehensive documentation.
- [#​7526](https://github.com/mermaid-js/mermaid/pull/7526 ) [`efe218a`](efe218a47fhttps://github.com/mermaid-js/mermaid/pull/7526 ) [`efe218a`](efe218a47fhttps://github.com/mermaid-js/mermaid/pull/7526 ) [`efe218a`](efe218a47fhttps://github.com/mermaid-js/mermaid/pull/7526 ) [`efe218a`](efe218a47fhttps://github.com/mermaid-js/mermaid/pull/7526 ) [`efe218a`](efe218a47fhttps://github.com/mermaid-js/mermaid/pull/7526 ) [`efe218a`](efe218a47fhttps://github.com/mermaid-js/mermaid/pull/7526 ) [`efe218a`](efe218a47fhttps://github.com/mermaid-js/mermaid/pull/7526 ) [`efe218a`](efe218a47fhttps://github.com/mermaid-js/mermaid/pull/7526 ) [`efe218a`](efe218a47fhttps://github.com/mermaid-js/mermaid/pull/7526 ) [`efe218a`](efe218a47fhttps://github.com/mermaid-js/mermaid/pull/7526 ) [`efe218a`](efe218a47fhttps://github.com/mermaid-js/mermaid/pull/7526 ) [`efe218a`](efe218a47fhttps://github.com/mermaid-js/mermaid/pull/7526 ) [`efe218a`](efe218a47fhttps://github.com/mermaid-js/mermaid/pull/7526 ) [`efe218a`](efe218a47fhttps://github.com/mermaid-js/mermaid/pull/7526 ) [`efe218a`](efe218a47fhttps://github.com/mermaid-js/mermaid/pull/7526 ) [`efe218a`](efe218a47fhttps://github.com/mermaid-js/mermaid/pull/7526 ) [`efe218a`](efe218a47fhttps://github.com/mermaid-js/mermaid/pull/7526 ) [`efe218a`](efe218a47fhttps://github.com/mermaid-js/mermaid/issues/7472 )
- [#​7526](https://github.com/mermaid-js/mermaid/pull/7526 ) [`efe218a`](efe218a47fhttps://github.com/mermaid-js/mermaid/pull/7526 ) [`efe218a`](efe218a47fhttps://github.com/mermaid-js/mermaid/pull/7526 ) [`efe218a`](efe218a47fhttps://github.com/mermaid-js/mermaid/pull/7526 ) [`efe218a`](efe218a47fhttps://github.com/mermaid-js/mermaid/pull/7526 ) [`efe218a`](efe218a47fhttps://github.com/mermaid-js/mermaid/pull/7526 ) [`efe218a`](efe218a47fhttps://github.com/mermaid-js/mermaid/pull/7526 ) [`efe218a`](efe218a47fhttps://github.com/mermaid-js/mermaid/pull/7526 ) [`efe218a`](efe218a47fhttps://github.com/mermaid-js/mermaid/pull/7526 ) [`efe218a`](efe218a47fhttps://github.com/mermaid-js/mermaid/pull/7526 ) [`efe218a`](efe218a47fhttps://github.com/mermaid-js/mermaid/pull/7526 ) [`efe218a`](efe218a47fhttps://github.com/aloisklink ), [@​BambioGaming](https://github.com/BambioGaming )! - fix: prevent escaping `<` and `&` when `htmlLabels: false`
- [#​7526](https://github.com/mermaid-js/mermaid/pull/7526 ) [`efe218a`](efe218a47fefe218a47fhttps://github.com/mermaid-js/parser )@​1.1.0
#### [@​mermaid-js/parser](https://github.com/mermaid-js/parser )@​1.1.0
##### Minor Changes
- [#​7526](https://github.com/mermaid-js/mermaid/pull/7526 ) [`efe218a`](efe218a47fhttps://github.com/mermaid-js/tiny )@​11.14.0
##### Minor Changes
- [#​7526](https://github.com/mermaid-js/mermaid/pull/7526 ) [`efe218a`](efe218a47fhttps://github.com/boundary ) notation
- Pipeline components with visibility inheritance
- Annotations, notes, and visual elements
- Source strategy markers: build, buy, outsource, market
- Inertia indicators
- Theme integration
Implementation includes parser, D3.js renderer, unit tests, E2E tests, and comprehensive documentation.
- [#​7526](https://github.com/mermaid-js/mermaid/pull/7526 ) [`efe218a`](efe218a47fhttps://github.com/mermaid-js/mermaid/pull/7526 ) [`efe218a`](efe218a47fhttps://github.com/mermaid-js/mermaid/pull/7526 ) [`efe218a`](efe218a47fhttps://github.com/mermaid-js/mermaid/pull/7526 ) [`efe218a`](efe218a47fhttps://github.com/mermaid-js/mermaid/pull/7526 ) [`efe218a`](efe218a47fhttps://github.com/mermaid-js/mermaid/pull/7526 ) [`efe218a`](efe218a47fhttps://github.com/mermaid-js/mermaid/pull/7526 ) [`efe218a`](efe218a47fhttps://github.com/mermaid-js/mermaid/pull/7526 ) [`efe218a`](efe218a47fhttps://github.com/mermaid-js/mermaid/pull/7526 ) [`efe218a`](efe218a47fhttps://github.com/mermaid-js/mermaid/pull/7526 ) [`efe218a`](efe218a47fhttps://github.com/mermaid-js/mermaid/pull/7526 ) [`efe218a`](efe218a47fhttps://github.com/mermaid-js/mermaid/pull/7526 ) [`efe218a`](efe218a47fhttps://github.com/mermaid-js/mermaid/pull/7526 ) [`efe218a`](efe218a47fhttps://github.com/mermaid-js/mermaid/pull/7526 ) [`efe218a`](efe218a47fhttps://github.com/mermaid-js/mermaid/pull/7526 ) [`efe218a`](efe218a47fhttps://github.com/mermaid-js/mermaid/pull/7526 ) [`efe218a`](efe218a47fhttps://github.com/mermaid-js/mermaid/pull/7526 ) [`efe218a`](efe218a47fhttps://github.com/mermaid-js/mermaid/pull/7526 ) [`efe218a`](efe218a47fhttps://github.com/mermaid-js/mermaid/issues/7472 )
- [#​7526](https://github.com/mermaid-js/mermaid/pull/7526 ) [`efe218a`](efe218a47fhttps://github.com/mermaid-js/mermaid/pull/7526 ) [`efe218a`](efe218a47fhttps://github.com/mermaid-js/mermaid/pull/7526 ) [`efe218a`](efe218a47fhttps://github.com/mermaid-js/mermaid/pull/7526 ) [`efe218a`](efe218a47fhttps://github.com/mermaid-js/mermaid/pull/7526 ) [`efe218a`](efe218a47fhttps://github.com/mermaid-js/mermaid/pull/7526 ) [`efe218a`](efe218a47fhttps://github.com/mermaid-js/mermaid/pull/7526 ) [`efe218a`](efe218a47fhttps://github.com/mermaid-js/mermaid/pull/7526 ) [`efe218a`](efe218a47fhttps://github.com/mermaid-js/mermaid/pull/7526 ) [`efe218a`](efe218a47fhttps://github.com/mermaid-js/mermaid/pull/7526 ) [`efe218a`](efe218a47fhttps://github.com/mermaid-js/mermaid/pull/7526 ) [`efe218a`](efe218a47fhttps://github.com/aloisklink ), [@​BambioGaming](https://github.com/BambioGaming )! - fix: prevent escaping `<` and `&` when `htmlLabels: false`
- [#​7526](https://github.com/mermaid-js/mermaid/pull/7526 ) [`efe218a`](efe218a47fefe218a47fhttps://github.com/mermaid-js/parser )@​1.1.0
</details>
---
### Configuration
📅 **Schedule**: (UTC)
- Branch creation
- ""
- Automerge
- Between 12:00 AM and 03:59 AM (`* 0-3 * * *`)
🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.
♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update again.
---
- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box
---
This PR has been generated by [Mend Renovate](https://github.com/renovatebot/renovate ).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNzAuMjAiLCJ1cGRhdGVkSW5WZXIiOiI0My4xNzAuMjAiLCJ0YXJnZXRCcmFuY2giOiJ2MTUuMC9mb3JnZWpvIiwibGFiZWxzIjpbImRlcGVuZGVuY3ktdXBncmFkZSIsInRlc3Qvbm90LW5lZWRlZCJdfQ==-->
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/12531
Reviewed-by: Mathieu Fenniak <mfenniak@noreply.codeberg.org>
3330f75a2e
