fix(deps): update dependency mermaid to v10.9.3 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
mermaid	10.9.1 -> 10.9.3

GitHub Vulnerability Alerts

GHSA-m4gq-x24j-jpmf

The following bundled files within the Mermaid NPM package contain a bundled version of DOMPurify that is vulnerable to GHSA-mmhx-hmjr-r674, potentially resulting in an XSS attack.

This affects the built:

• dist/mermaid.min.js
• dist/mermaid.js
• dist/mermaid.esm.mjs
• dist/mermaid.esm.min.mjs

This will also affect users that use the above files via a CDN link, e.g. https://cdn.jsdelivr.net/npm/[email protected]/dist/mermaid.min.js

Users that use the default NPM export of mermaid, e.g. import mermaid from 'mermaid', or the dist/mermaid.core.mjs file, do not use this bundled version of DOMPurify, and can easily update using their package manager with something like npm audit fix.

Patches

• develop branch: 6c785c93166c151d27d328ddf68a13d9d65adc00
• backport to v10: 92a07ffe40aab2769dd1c3431b4eb5beac282b34

---

Release Notes

mermaid-js/mermaid (mermaid)

v10.9.3

Compare Source

Updates the bundled version of dependencies in the following files:

• dist/mermaid.min.js
• dist/mermaid.js
• dist/mermaid.esm.mjs
• dist/mermaid.esm.min.mjs

If you are not using these files (e.g. you are using the default NPM export of mermaid, e.g. import mermaid from 'mermaid', or you are using dist/mermaid.core.mjs), this release is identical to v10.9.2.

This is to avoid potential security issues in KaTeX and DOMPurify, see:

• GHSA-mmhx-hmjr-r674
• GHSA-64fm-8hw2-v72w
• GHSA-cvr6-37gx-v8wc
• GHSA-f98w-7cxr-ff2h
• GHSA-3wc5-fcw2-2329

These dependencies have already been updated in v11.0.0.

Changelog

Chore

• Updates the bundled version of KaTeX to 0.16.11 (2bedd0e)
• Updates the bundled version of DOMPurify to 3.1.6 (92a07ff)

Full Changelog: mermaid-js/mermaid@v10.9.2...v10.9.3

v10.9.2

Compare Source

This release back-ports https://github.com/mermaid-js/mermaid/pull/5914 to the v10 release line to fix #​5904 (an incompatibility between mermaid and DOMPurify v3.1.7)

Patch Changes

• https://github.com/mermaid-js/mermaid/pull/5914 402abdf [10] fix: ban version v3.1.7 of DOMPurify

Full Changelog: mermaid-js/mermaid@v10.9.1...v10.9.2

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[vercel]

The latest updates on your projects. Learn more about Vercel for Git ↗︎

Name	Status	Preview	Comments	Updated (UTC)
codefair-docs	✅ Ready (Inspect)	Visit Preview	💬 Add feedback	May 19, 2025 4:46pm

[sourcery-ai]

🧙 Sourcery has finished reviewing your pull request!

---

Tips and commands

Interacting with Sourcery

• Trigger a new review: Comment @sourcery-ai review on the pull request.
• Continue discussions: Reply directly to Sourcery's review comments.
• Generate a GitHub issue from a review comment: Ask Sourcery to create an
  issue from a review comment by replying to it.
• Generate a pull request title: Write @sourcery-ai anywhere in the pull
  request title to generate a title at any time.
• Generate a pull request summary: Write @sourcery-ai summary anywhere in
  the pull request body to generate a PR summary at any time. You can also use
  this command to specify where the summary should be inserted.

Customizing Your Experience

Access your dashboard to:

• Enable or disable review features such as the Sourcery-generated pull request
  summary, the reviewer's guide, and others.
• Change the review language.
• Add, remove or edit custom review instructions.
• Adjust other review settings.

Getting Help

• Contact our support team for questions or feedback.
• Visit our documentation for detailed guides and information.
• Keep in touch with the Sourcery team by following us on X/Twitter, LinkedIn or GitHub.

[sourcery-ai]

We have skipped reviewing this pull request. It seems to have been created by a bot (hey, renovate[bot]!). We assume it knows what it's doing!