[10] fix: ban version v3.1.7 of DOMPurify

[DOMPurify v3.1.7][1] forbids the use of `<foreignElement>` for HTML inside of an `<svg>` element, which breaks many mermaid diagrams. It is likely that v3.1.8 will add a new option that will allow us to re-enable this behaviour, but v3.1.7 definitely does not work. (cherry picked from commit de2c05cd5463af68d19dd7b6b3f1303d69ddb2dd) [1]: https://github.com/cure53/DOMPurify/releases/tag/3.1.7 See: https://github.com/cure53/DOMPurify/issues/1002 Fix: https://github.com/mermaid-js/mermaid/issues/5904
2025-02-04 07:13:25 +08:00 · 2024-10-01 23:55:36 +09:00 · 2024-10-01 23:55:36 +09:00 · 402abdf883
commit 402abdf883
parent 8d815f878c
2 changed files with 2 additions and 2 deletions
--- a/packages/mermaid/package.json
+++ b/packages/mermaid/package.json
@ -68,7 +68,7 @@
    "d3-sankey": "^0.12.3",
    "dagre-d3-es": "7.0.10",
    "dayjs": "^1.11.7",
-    "dompurify": "^3.0.5",
+    "dompurify": "^3.0.5 <3.1.7",
    "elkjs": "^0.9.0",
    "katex": "^0.16.9",
    "khroma": "^2.0.0",
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@ -227,7 +227,7 @@ importers:
        specifier: ^1.11.7
        version: 1.11.10
      dompurify:
-        specifier: ^3.0.5
+        specifier: ^3.0.5 <3.1.7
        version: 3.0.9
      elkjs:
        specifier: ^0.9.0