Update Mermaid to v8.4.5

This fixes a problem rendering multiple graphs on the same page (https://github.com/mermaid-js/mermaid/pull/1190). Full list of changes: https://github.com/mermaid-js/mermaid/releases Mermaid v8.4.4 also fixes an HTML escaping issue (https://github.com/mermaid-js/mermaid/issues/903). Since HTML labels are disabled, the HTML content can remain as-is, and we just need to ensure the XSS doesn't actually get run. Closes https://gitlab.com/gitlab-org/gitlab/issues/195802

Update Mermaid to v8.4.5
This fixes a problem rendering multiple graphs on the same page (https://github.com/mermaid-js/mermaid/pull/1190). Full list of changes: https://github.com/mermaid-js/mermaid/releases Mermaid v8.4.4 also fixes an HTML escaping issue (https://github.com/mermaid-js/mermaid/issues/903). Since HTML labels are disabled, the HTML content can remain as-is, and we just need to ensure the XSS doesn't actually get run. Closes https://gitlab.com/gitlab-org/gitlab/issues/195802
d2ac3871 · Stan Hu · 035fd458 · d2ac3871 · d2ac3871 · d2ac3871
Commit d2ac3871 authored Jan 11, 2020 by Stan Hu
4 changed files
--- a/changelogs/unreleased/sh-update-mermaid-8-4-5.yml
+++ b/changelogs/unreleased/sh-update-mermaid-8-4-5.yml
+---
+title: Update Mermaid to v8.4.5
+merge_request: 22830
+author:
+type: fixed
--- a/package.json
+++ b/package.json
@@ -94,7 +94,7 @@
    "jszip-utils": "^0.0.2",
    "katex": "^0.10.0",
    "marked": "^0.3.12",
-    "mermaid": "^8.4.2",
+    "mermaid": "^8.4.5",
    "monaco-editor": "^0.18.1",
    "monaco-editor-webpack-plugin": "^1.7.0",
    "mousetrap": "^1.4.6",

--- a/spec/features/issues/user_comments_on_issue_spec.rb
+++ b/spec/features/issues/user_comments_on_issue_spec.rb
@@ -43,17 +43,17 @@ describe "User comments on issue", :js do
      expect(page.find('pre code').text).to eq code_block_content
    end

-    it "renders escaped HTML content in Mermaid" do
+    it "renders HTML content as text in Mermaid" do
      html_content = "<img onerror=location=`javascript\\u003aalert\\u0028document.domain\\u0029` src=x>"
      mermaid_content = "graph LR\n  B-->D(#{html_content});"
-      escaped_content = CGI.escapeHTML(html_content).gsub('=', "&equals;")
      comment = "```mermaid\n#{mermaid_content}\n```"

      add_note(comment)

      wait_for_requests

-      expect(page.find('svg.mermaid')).to have_content escaped_content
+      expect(page.find('svg.mermaid')).to have_content html_content
+      within('svg.mermaid') { expect(page).not_to have_selector('img') }
    end

    it 'opens autocomplete menu for quick actions and have `/label` first choice' do

--- a/yarn.lock
+++ b/yarn.lock
@@ -3512,10 +3512,10 @@ d3@^4.13.0:
    d3-voronoi "1.1.2"
    d3-zoom "1.7.1"

-d3@^5.12, d3@^5.7.0:
-  version "5.12.0"
-  resolved "https://registry.yarnpkg.com/d3/-/d3-5.12.0.tgz#0ddeac879c28c882317cd439b495290acd59ab61"
-  integrity sha512-flYVMoVuhPFHd9zVCe2BxIszUWqBcd5fvQGMNRmSiBrgdnh6Vlruh60RJQTouAK9xPbOB0plxMvBm4MoyODXNg==
+d3@^5.14, d3@^5.7.0:
+  version "5.15.0"
+  resolved "https://registry.yarnpkg.com/d3/-/d3-5.15.0.tgz#ffd44958e6a3cb8a59a84429c45429b8bca5677a"
+  integrity sha512-C+E80SL2nLLtmykZ6klwYj5rPqB5nlfN5LdWEAVdWPppqTD8taoJi2PxLZjPeYT8FFRR2yucXq+kBlOnnvZeLg==
  dependencies:
    d3-array "1"
    d3-axis "1"
@@ -3549,22 +3549,23 @@ d3@^5.12, d3@^5.7.0:
    d3-voronoi "1"
    d3-zoom "1"

-dagre-d3@dagrejs/dagre-d3:
-  version "0.6.4-pre"
-  resolved "https://codeload.github.com/dagrejs/dagre-d3/tar.gz/e1a00e5cb518f5d2304a35647e024f31d178e55b"
+dagre-d3@^0.6.4:
+  version "0.6.4"
+  resolved "https://registry.yarnpkg.com/dagre-d3/-/dagre-d3-0.6.4.tgz#0728d5ce7f177ca2337df141ceb60fbe6eeb7b29"
+  integrity sha512-e/6jXeCP7/ptlAM48clmX4xTZc5Ek6T6kagS7Oz2HrYSdqcLZFLqpAfh7ldbZRFfxCZVyh61NEPR08UQRVxJzQ==
  dependencies:
-    d3 "^5.12"
-    dagre "^0.8.4"
-    graphlib "^2.1.7"
+    d3 "^5.14"
+    dagre "^0.8.5"
+    graphlib "^2.1.8"
    lodash "^4.17.15"

-dagre@^0.8.4:
-  version "0.8.4"
-  resolved "https://registry.yarnpkg.com/dagre/-/dagre-0.8.4.tgz#26b9fb8f7bdc60c6110a0458c375261836786061"
-  integrity sha512-Dj0csFDrWYKdavwROb9FccHfTC4fJbyF/oJdL9LNZJ8WUvl968P6PAKEriGqfbdArVJEmmfA+UyumgWEwcHU6A==
+dagre@^0.8.4, dagre@^0.8.5:
+  version "0.8.5"
+  resolved "https://registry.yarnpkg.com/dagre/-/dagre-0.8.5.tgz#ba30b0055dac12b6c1fcc247817442777d06afee"
+  integrity sha512-/aTqmnRta7x7MCCpExk7HQL2O4owCT2h8NT//9I1OQ9vt29Pa0BzSAkR5lwFUcQ7491yVi/3CXU9jQ5o0Mn2Sw==
  dependencies:
-    graphlib "^2.1.7"
-    lodash "^4.17.4"
+    graphlib "^2.1.8"
+    lodash "^4.17.15"

 dashdash@^1.12.0:
  version "1.14.1"
@@ -5321,12 +5322,12 @@ graceful-fs@^4.1.11, graceful-fs@^4.1.15, graceful-fs@^4.1.2, graceful-fs@^4.1.6
  resolved "https://registry.yarnpkg.com/graceful-readlink/-/graceful-readlink-1.0.1.tgz#4cafad76bc62f02fa039b2f94e9a3dd3a391a725"
  integrity sha1-TK+tdrxi8C+gObL5Tpo906ORpyU=

-graphlib@^2.1.7:
-  version "2.1.7"
-  resolved "https://registry.yarnpkg.com/graphlib/-/graphlib-2.1.7.tgz#b6a69f9f44bd9de3963ce6804a2fc9e73d86aecc"
-  integrity sha512-TyI9jIy2J4j0qgPmOOrHTCtpPqJGN/aurBwc6ZT+bRii+di1I+Wv3obRhVrmBEXet+qkMaEX67dXrwsd3QQM6w==
+graphlib@^2.1.7, graphlib@^2.1.8:
+  version "2.1.8"
+  resolved "https://registry.yarnpkg.com/graphlib/-/graphlib-2.1.8.tgz#5761d414737870084c92ec7b5dbcb0592c9d35da"
+  integrity sha512-jcLLfkpoVGmH7/InMC/1hIvOPSUh38oJtGhvrOFGzioE1DZ+0YW16RgmOJhHiuWTvGiJQ9Z1Ik43JvkRPRvE+A==
  dependencies:
-    lodash "^4.17.5"
+    lodash "^4.17.15"

 graphql-tag@^2.10.0:
  version "2.10.0"
@@ -7628,22 +7629,21 @@ merge2@^1.2.3:
  resolved "https://registry.yarnpkg.com/merge2/-/merge2-1.2.3.tgz#7ee99dbd69bb6481689253f018488a1b902b0ed5"
  integrity sha512-gdUU1Fwj5ep4kplwcmftruWofEFt6lfpkkr3h860CXbAB9c3hGb55EOL2ali0Td5oebvW0E1+3Sr+Ur7XfKpRA==

-mermaid@^8.4.2:
-  version "8.4.2"
-  resolved "https://registry.yarnpkg.com/mermaid/-/mermaid-8.4.2.tgz#91d3d8e9541e72eed7a78d0e882db11564fab3bb"
-  integrity sha512-vYSCP2u4XkOnjliWz/QIYwvzF/znQAq22vWJJ3YV40SnwV2JQyHblnwwNYXCprkXw7XfwBKDpSNaJ3HP4WfnZw==
+mermaid@^8.4.5:
+  version "8.4.5"
+  resolved "https://registry.yarnpkg.com/mermaid/-/mermaid-8.4.5.tgz#48d5722cbc72be2ad01002795835d7ca1b48e000"
+  integrity sha512-oJWgZBtT2rvAdmqHvKjDwb3tOut1+ksfgDdZrVhhNcdzNibzGPjCsmMPpVXjkFYzKZCVunIbAkfxltSuaGIhaw==
  dependencies:
    "@braintree/sanitize-url" "^3.1.0"
    crypto-random-string "^3.0.1"
    d3 "^5.7.0"
    dagre "^0.8.4"
-    dagre-d3 dagrejs/dagre-d3
+    dagre-d3 "^0.6.4"
    graphlib "^2.1.7"
    he "^1.2.0"
    lodash "^4.17.11"
    minify "^4.1.1"
    moment-mini "^2.22.1"
-    prettier "^1.18.2"
    scope-css "^1.2.1"

 methods@~1.1.2:
@@ -8984,7 +8984,7 @@ prettier@1.16.3:
  resolved "https://registry.yarnpkg.com/prettier/-/prettier-1.16.3.tgz#8c62168453badef702f34b45b6ee899574a6a65d"
  integrity sha512-kn/GU6SMRYPxUakNXhpP0EedT/KmaPzr0H5lIsDogrykbaxOpOfAFfk5XA7DZrJyMAv1wlMV3CPcZruGXVVUZw==

-prettier@1.18.2, prettier@^1.18.2:
+prettier@1.18.2:
  version "1.18.2"
  resolved "https://registry.yarnpkg.com/prettier/-/prettier-1.18.2.tgz#6823e7c5900017b4bd3acf46fe9ac4b4d7bda9ea"
  integrity sha512-OeHeMc0JhFE9idD4ZdtNibzY0+TPHSpSSb9h8FqtP+YnoZZ1sl8Vc9b1sasjfymH3SonAF4QcA2+mzHPhMvIiw==