fix: ban version v3.1.7 of DOMPurify

[DOMPurify v3.1.7][1] forbids the use of `<foreignElement>` for HTML inside of an `<svg>` element, which breaks many mermaid diagrams. It is likely that v3.1.8 will add a new option that will allow us to re-enable this behaviour, but v3.1.7 definitely does not work. [1]: https://github.com/cure53/DOMPurify/releases/tag/3.1.7 See: https://github.com/cure53/DOMPurify/issues/1002 Fix: https://github.com/mermaid-js/mermaid/issues/5904
2025-01-14 06:43:25 +08:00 · 2024-10-01 23:55:36 +09:00 · 2024-10-01 23:55:36 +09:00 · de2c05cd54
commit de2c05cd54
parent b3dee343d1
3 changed files with 7 additions and 2 deletions
--- a/.changeset/witty-rabbits-hunt.md
+++ b/.changeset/witty-rabbits-hunt.md
@ -0,0 +1,5 @@
+---
+'mermaid': patch
+---
+
+Ban DOMPurify v3.1.7 as a dependency
--- a/packages/mermaid/package.json
+++ b/packages/mermaid/package.json
@ -77,7 +77,7 @@
    "d3-sankey": "^0.12.3",
    "dagre-d3-es": "7.0.10",
    "dayjs": "^1.11.10",
-    "dompurify": "^3.0.11",
+    "dompurify": "^3.0.11 <3.1.7",
    "katex": "^0.16.9",
    "khroma": "^2.1.0",
    "lodash-es": "^4.17.21",
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@ -237,7 +237,7 @@ importers:
        specifier: ^1.11.10
        version: 1.11.13
      dompurify:
-        specifier: ^3.0.11
+        specifier: ^3.0.11 <3.1.7
        version: 3.1.6
      katex:
        specifier: ^0.16.9