Update dependency mermaid to v11.15.0 [SECURITY]

[renovate]

ℹ️ Note

This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence
mermaid	11.9.0 → 11.15.0

---

Mermaid does not properly sanitize architecture diagram iconText leading to XSS

CVE-2025-54880 / GHSA-8gwm-58g9-j8pw

More information

Details

Summary

In the default configuration of mermaid 11.9.0, user supplied input for architecture diagram icons is passed to the d3 html() method, creating a sink for cross site scripting.

Details

Architecture diagram service iconText values are passed to the d3 html() method, allowing malicious users to inject arbitrary HTML and cause XSS when mermaid-js is used in it's default configuration.

The vulnerability lies here:

export const drawServices = async function (
  db: ArchitectureDB,
  elem: D3Element,
  services: ArchitectureService[]
): Promise<number> {
  for (const service of services) {
    /** ... **/
    } else if (service.iconText) {
      bkgElem.html(
        `<g>${await getIconSVG('blank', { height: iconSize, width: iconSize, fallbackPrefix: architectureIcons.prefix })}</g>`
      );
      const textElemContainer = bkgElem.append('g');
      const fo = textElemContainer
        .append('foreignObject')
        .attr('width', iconSize)
        .attr('height', iconSize);
      const divElem = fo
        .append('div')
        .attr('class', 'node-icon-text')
        .attr('style', `height: ${iconSize}px;`)
        .append('div')
        .html(service.iconText); // <- iconText passed into innerHTML
       /** ... **/
};
};

This issue was introduced with 734bde38777c9190a5a72e96421c83424442d4e4, around 15 months ago, which was released in v11.1.0.

PoC

Render the following diagram and observe the modified DOM.

architecture-beta
    group api(cloud)[API]
    service db "<img src=x onerror=\"document.write(`xss on ${document.domain}`)\">" [Database] in api

Here is a PoC on mermaid.live: https://mermaid.live/edit#pako:eNo9T8FOwzAM_ZXI4rBJpWrpRtuIISF24caZZdKyxOsiLUnlJjCo-u9kQ8wX-_n5-dkjKK8ROEhSRxNQhUh4v8cghWMpOvKxZ7I3M3XyUc83L-9v2z9qQPo0CpneMwFPxnZsILU6M--QyNNKCAHaq2jRhfyL0vLZ7jwMiWd3443Q3krjpt38Mv4sgG3WMsi9HHDLjLs4CwcZdGQ08EARM7BISZMgjJdLBIQjWhTAU6nxIOMpCBBuSrJeug_v7b8yPdMdgR_kaUgo9loGXBvZkbS3LqHTSK8-ugC8LMrrEuAjnIEvlnlVL9q6rZu6Lh-rRQbfwKuyyZuybcvqIaWiqKcMfq6uRd7Uy-kXhYFzcA

Impact

XSS on all sites that use mermaid and render user supplied diagrams without further sanitization.

Remediation

Sanitize the value of iconText before passing it to html().

Severity

• CVSS Score: 5.1 / 10 (Medium)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

References

• https://github.com/mermaid-js/mermaid/security/advisories/GHSA-8gwm-58g9-j8pw
• https://nvd.nist.gov/vuln/detail/CVE-2025-54880
• https://github.com/mermaid-js/mermaid/commit/2aa83302795183ea5c65caec3da1edd6cb4791fc
• https://github.com/mermaid-js/mermaid/commit/734bde38777c9190a5a72e96421c83424442d4e4
• https://github.com/advisories/GHSA-8gwm-58g9-j8pw

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Mermaid improperly sanitizes sequence diagram labels leading to XSS

CVE-2025-54881 / GHSA-7rqq-prvp-x9jh

More information

Details

Summary

In the default configuration of mermaid 11.9.0, user supplied input for sequence diagram labels is passed to innerHTML during calculation of element size, causing XSS.

Details

Sequence diagram node labels with KaTeX delimiters are passed through calculateMathMLDimensions. This method passes the full label to innerHTML which allows allows malicious users to inject arbitrary HTML and cause XSS when mermaid-js is used in it's default configuration (with KaTeX support enabled).

The vulnerability lies here:

export const calculateMathMLDimensions = async (text: string, config: MermaidConfig) => {
  text = await renderKatex(text, config);
  const divElem = document.createElement('div');
  divElem.innerHTML = text; // XSS sink, text has not been sanitized.
  divElem.id = 'katex-temp';
  divElem.style.visibility = 'hidden';
  divElem.style.position = 'absolute';
  divElem.style.top = '0';
  const body = document.querySelector('body');
  body?.insertAdjacentElement('beforeend', divElem);
  const dim = { width: divElem.clientWidth, height: divElem.clientHeight };
  divElem.remove();
  return dim;
};

The calculateMathMLDimensions method was introduced in 5c69e5fdb004a6d0a2abe97e23d26e223a059832 two years ago, which was released in Mermaid 10.9.0.

PoC

Render the following diagram and observe the modified DOM.

sequenceDiagram
    participant A as Alice<img src="x" onerror="document.write(`xss on ${document.domain}`)">$$\\text{Alice}$$
    A->>John: Hello John, how are you?
    Alice-)John: See you later!

Here is a PoC on mermaid.live: https://mermaid.live/edit#pako:eNpVUMtOwzAQ_BWzyoFKaRTyaFILiio4IK7ckA-1km1iKbaLY6spUf4dJ0AF68uOZ2dm7REqXSNQ6PHDoarwWfDGcMkUudaJGysqceLKkj3hPdl3osJ7IRvSm-qBwcCAaIXGaONRrSsnUdnobITF28PQ954lwXglai25UNNhxWAXBMyXxcGOi-3kL_5k79e73atuFSUv2HWazH1IWn0m3CC5aPf4b3p2WK--BW-4DJCOWzQ3TM0HQmiMqIFa4zAEicZv4iGMsw0D26JEBtS3NR656ywDpiYv869_11r-Ko12TQv0yLveI3eqfcjP111HUNVonrRTFuhdsVgAHWEAmuRxlG7SuEzKMi-yJAnhAjTLIk_EcbFJtuk2y9MphM8lM47KIp--AOZghtU

Impact

XSS on all sites that use mermaid and render user supplied diagrams without further sanitization.

Remediation

The value of the text argument for the calculateMathMLDimensions method needs to be sanitized before getting passed on to innerHTML.

Severity

• CVSS Score: 5.3 / 10 (Medium)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

References

• https://github.com/mermaid-js/mermaid/security/advisories/GHSA-7rqq-prvp-x9jh
• https://nvd.nist.gov/vuln/detail/CVE-2025-54881
• https://github.com/mermaid-js/mermaid/commit/5c69e5fdb004a6d0a2abe97e23d26e223a059832
• https://github.com/mermaid-js/mermaid/commit/685516a85ec1df64cefd4fd15f26533be87d458e
• https://github.com/advisories/GHSA-7rqq-prvp-x9jh

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Mermaid: Improper sanitization of classDefs in diagrams leads to CSS injection

CVE-2026-41148 / GHSA-xcj9-5m2h-648r

More information

Details

Details

The state diagram and any other diagram type that routes user-controlled style strings through createCssStyles parser for Mermaid v11.14.0 and earlier captures classDef values with an unrestricted regex:

// packages/mermaid/src/diagrams/state/parser/stateDiagram.jison:83
<CLASSDEFID>[^\n]*   { this.popState(); return 'CLASSDEF_STYLEOPTS' }

The value passes unsanitized through addStyleClass() -> createCssStyles() -> style.innerHTML (mermaidAPI.ts:418). A } in the value closes the generated CSS selector, and everything after becomes a new CSS rule on the page.

PoC

stateDiagram-v2 
      classDef x }*{ background-image: url("http://media.giphy.com/media/SggILpMXO7Xt6/giphy.gif")}

Live demo:
https://mermaid.live/edit#pako:eNpFjzFvgzAQhf-KdVNbEcBgMHhtlkqtOnSJKi8ONsYKBmRMlRTx3-skanvTfbp7996t0IxSAYPZC6_2Rmgn7O4rQ00v5nmvWnRG29OKjqI5aTcug9wZK7RiaHH9A4fO-4kliVXSiFibqbvEzWjvnHxo_fI6vR3e6cGXyX2qTcvhcYMItDMSmHeLisAqZ8UVYeUDQhx8p6ziwEIrhTtx4MNVM4nhcxztrywE0h2wVvRzoGWS_z_8rahBKvcckntgmN5OAFvhDIzUNCZZQXCR5nVaZkUEF2BVFpOcEkoxxhUuyRbB980yjStapKHqoKFlhvPtB7BFZEU

Patches

This has been patched in:

• v11.15.0 (see e9b0f34d8d82a6260077764ee45e1d7d90957a0f)
• v10.9.6 (see 8fead23c59166b7bab6a39eac81acebee2859102)

Workarounds

Setting "securityLevel": "sandbox" will prevent this, by rendering the mermaid diagram in a sandboxed <iframe>.

Impact

Enables page defacement, user tracking via url() callbacks, and DOM attribute exfiltration via CSS :has() selectors.

Severity

• CVSS Score: 5.3 / 10 (Medium)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L

References

• https://github.com/mermaid-js/mermaid/security/advisories/GHSA-xcj9-5m2h-648r
• https://github.com/mermaid-js/mermaid/commit/8fead23c59166b7bab6a39eac81acebee2859102
• https://github.com/mermaid-js/mermaid/commit/e9b0f34d8d82a6260077764ee45e1d7d90957a0f
• https://github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0
• https://github.com/mermaid-js/mermaid/releases/tag/v10.9.6
• https://mermaid.js.org/config/schema-docs/config.html#securitylevel
• https://github.com/advisories/GHSA-xcj9-5m2h-648r

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Mermaid: Improper sanitization of classDef in state diagrams leads to HTML injection

CVE-2026-41149 / GHSA-ghcm-xqfw-q4vr

More information

Details

Impact

Under the default configuration, Mermaid state diagram's classDef allow DOM injection that escapes the SVG, although <script> tags are removed, preventing XSS.

Proof-of-concept

stateDiagram-v2
  classDef xss fill:red</style></svg><style>*{x:x;y:y;overflow:visible!important;contain:none!important;transform:none!important;filter:none!important;clip-path:none!important}</style><div style="x:x;y:y;color:red;font:5em/1 monospace;display:grid;place-items:center;z-index:2147483647;width:100vw;height:100vh;position:fixed;top:0;left:0;background:black">HACKED</div><svg><style>a:b
  [*] --> A:::xss

Patches

• v11.15.0 (see 37ff937f1da2e19f882fd1db01235db4d01f4056)
• v10.9.6 (see 4e2d512bf5bf6f9de1a8f0a48da78dc4d09ac4f3)

Workarounds

If you can not update to a patched version, setting "securityLevel": "sandbox" will prevent this, by rendering the mermaid diagram in a sandboxed <iframe>.

Credits

Thanks to @​zsxsoft from @​KeenSecurityLab for reporting this vulnerability.

Severity

• CVSS Score: 5.3 / 10 (Medium)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L

References

• https://github.com/mermaid-js/mermaid/security/advisories/GHSA-ghcm-xqfw-q4vr
• https://github.com/mermaid-js/mermaid/commit/37ff937f1da2e19f882fd1db01235db4d01f4056
• https://github.com/mermaid-js/mermaid/commit/4e2d512bf5bf6f9de1a8f0a48da78dc4d09ac4f3
• https://github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0
• https://github.com/mermaid-js/mermaid/releases/tag/v10.9.6
• https://mermaid.js.org/config/schema-docs/config.html#securitylevel
• https://github.com/advisories/GHSA-ghcm-xqfw-q4vr

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Mermaid: Improper sanitization of configuration leads to CSS injection

CVE-2026-41159 / GHSA-87f9-hvmw-gh4p

More information

Details

Impact

Mermaid's default configuration allows injecting CSS that applies outside of the Mermaid diagram via the fontFamily, themeCSS, and altFontFamily configuration options.

Live demo: mermaid.live

Example code:

%%{init: {"fontFamily": "x;a{b} :not(&){background:green !important} c{d}"}}%%
flowchart LR
    A --> B

The injected CSS exploits stylis's & (scope reference) handling. :not(&) escapes the #mermaid-xxx automatic scoping, applying styles to all page elements. Global at-rules (@font-face, @keyframes, @counter-style) are also injectable as stylis hoists them to top level.

This allows page defacement and DOM attribute exfiltration via CSS :has() selectors.

Patches

• v11.15.0 (see 64769738d5b59211e1decb471ffbaca8afec51aa)
• v10.9.6 (see a9d9f0d8eb790349121508688cd338253fd80d76)

Workarounds

If you can't upgrade mermaid, you can set the secure config value in the mermaid config to avoid allowing diagrams to modify fontFamily, themeCSS, altFontFamily, and themeVariables.

Setting "securityLevel": "sandbox" will also prevent this.

Credits

Reported by @​zsxsoft on behalf of @​KeenSecurityLab

Severity

• CVSS Score: 5.3 / 10 (Medium)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L

References

• https://github.com/mermaid-js/mermaid/security/advisories/GHSA-87f9-hvmw-gh4p
• https://github.com/mermaid-js/mermaid/commit/64769738d5b59211e1decb471ffbaca8afec51aa
• https://github.com/mermaid-js/mermaid/commit/a9d9f0d8eb790349121508688cd338253fd80d76
• https://github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0
• https://github.com/mermaid-js/mermaid/releases/tag/v10.9.6
• https://github.com/advisories/GHSA-87f9-hvmw-gh4p

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Mermaid Gantt Charts are vulnerable to an Infinite Loop DoS

CVE-2026-41150 / GHSA-6m6c-36f7-fhxh

More information

Details

Impact

Mermaid v11.14.0 and earlier are vulnerable to a denial-of-service attack when rendering gantt charts, if they use the excludes attribute to exclude all dates.

Example:

gantt
  excludes monday,tuesday,wednesday,thursday,friday,saturday,sunday
  DoS :2025-01-01, 1d

mermaid.parse is unaffected, unless you then call the ganttDb.getTasks() (which is called when rendering a diagram).

Patches

This has been patched in:

• v11.15.0 (see faafb5d49106dd32c367f3882505f2dd625aa30e)
• v10.9.6 (see a59ea56174712ee5430dfd5bc877cb5151f501a6)

Workarounds

There are no workarounds available without updating to a newer version of mermaid.

Severity

• CVSS Score: 5.3 / 10 (Medium)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L

References

• https://github.com/mermaid-js/mermaid/security/advisories/GHSA-6m6c-36f7-fhxh
• https://github.com/mermaid-js/mermaid/commit/a59ea56174712ee5430dfd5bc877cb5151f501a6
• https://github.com/mermaid-js/mermaid/commit/faafb5d49106dd32c367f3882505f2dd625aa30e
• https://github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0
• https://github.com/mermaid-js/mermaid/releases/tag/v10.9.6
• https://github.com/advisories/GHSA-6m6c-36f7-fhxh

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

mermaid-js/mermaid (mermaid)

v11.15.0

Compare Source

Minor Changes

• #​7174 0aca217 Thanks @​milesspencer35! - feat(sequence): Add support for decimal start and increment values in the autonumber directive

• #​7512 8e17492 Thanks @​aruncveli! - feat(flowchart): add datastore shape

  In Data flow diagrams, a datastore/warehouse/file/database is used to represent data persistence. It is denoted by a rectangle with only top and bottom borders, and can be used in flowcharts with A@{ shape: datastore, label: "Datastore" }.

• #​6440 9ad8dde Thanks @​yordis, @​lgazo! - feat: add Event Modeling diagram

• #​7707 27db774 Thanks @​txmxthy! - feat(architecture): expose four fcose layout knobs for architecture-beta diagrams (nodeSeparation, idealEdgeLengthMultiplier, edgeElasticity, numIter) so authors can tune layout density and spread overlapping siblings without changing diagram source

• #​7604 bf9502f Thanks @​M-a-c! - feat(class): add nested namespace support for class diagrams via dot notation and syntactic nesting

  If you have namespaces in class diagrams that use .s already and want to render them without nesting (≤v11.14.0 behaviour), you can use set class.hierarchicalNamespaces=false in your mermaid config:

  config:
    class:
      hierarchicalNamespaces: false

• #​7272 88cdd3d Thanks @​xinbenlv! - feat(sankey): add outlined label style, configurable nodeWidth/nodePadding, and custom node colors

Patch Changes

• #​7737 e9b0f34 Thanks @​ashishjain0512! - fix: prevent unbalanced CSS styles in classDefs

• #​7737 37ff937 Thanks @​ashishjain0512! - fix: create CSS styles using the CSSOM

  This removes some invalid CSS and normalizes some CSS formatting.

• #​7508 bfe60cc Thanks @​biiab! - fix(stateDiagram): end note now only closes a note when used on a new line

• #​7737 faafb5d Thanks @​ashishjain0512! - fix(gantt): add iteration limit for excludes field

• #​7737 65f8be2 Thanks @​ashishjain0512! - fix: disallow some CSS at-rules in custom CSS

• #​7726 1502f32 Thanks @​aloisklink! - fix(wardley): fix unnecessary sanitization of text

• #​7578 1f98db8 Thanks @​Gaston202! - fix(class): self-referential class multiplicity labels no longer rendered multiple times

  Fixes #​7560. Resolves an issue where cardinality labels on self-referential class relationships were rendered three times due to edge splitting in the dagre layout. The fix ensures that each sub-edge only carries its relevant label positions.

• #​7592 2343e38 Thanks @​knsv-bot! - fix(sequence): add background box behind alt/else section title labels in sequence diagrams

• #​7589 7fb9509 Thanks @​NYCU-Chung! - fix(block): prevent column widths from shrinking when mixing different column spans

• #​7632 3f9e0f1 Thanks @​ekiauhce! - fix(sequence): correct messageAlign label position for right-to-left arrows in sequence diagrams

• #​7642 7a8fb85 Thanks @​tractorjuice! - fix(wardley): allow hyphens in unquoted component names

  Multi-word names containing hyphens — e.g. real-time processing, end-user, on-call engineer — now parse without quoting, bringing the grammar in line with the OnlineWardleyMaps (OWM) convention. A->B (no-space arrow) still tokenises correctly.

• #​7523 5144ed4 Thanks @​darshanr0107! - fix(block): Arrow blocks in block-beta diagrams not spanning the specified number of columns when using :n syntax.

• #​7262 13d9bfa Thanks @​darshanr0107! - fix(block): Ensure block diagram hexagon blocks respect column spanning syntax

• #​7684 e14bb88 Thanks @​aloisklink! - fix: loosen uuid dependency range to allow v14

  Mermaid does not use any of the vulnerable code in CVE-2026-41907,
  but this allows users to silence any npm audit alerts on it.

• #​7633 9217c0d Thanks @​Felix-Garci! - fix(block): add support for all arrow types in block diagrams

• #​7587 5e7eb62 Thanks @​MaddyGuthridge! - chore: drop lodash-es in favour of es-toolkit

• #​7693 afaf306 Thanks @​dull-bird! - fix(quadrant-chart): allow CJK, emoji, Latin-1 accented characters, and other non-ASCII text in unquoted axis/quadrant/point labels.

  Previously the lexer only matched ASCII [A-Za-z]+ for text tokens, even though the grammar referenced UNICODE_TEXT. Bare Chinese, Japanese, Korean, emoji, and accented Latin characters in labels caused a parse error. Added a [^\x00-\x7F]+ lexer rule to emit UNICODE_TEXT and included it in the alphaNumToken grammar rule.

  Fixes #​7120.

• #​7737 4755553 Thanks @​ashishjain0512! - fix: improve D3 types for mermaidAPI funcs

• #​7737 6476973 Thanks @​ashishjain0512! - fix: handle & when namespacing CSS rules

• #​7520 8c1a0c1 Thanks @​RodrigojndSantos! - fix(stateDiagram): comments starting with one % are no longer treated as comments

  Switch to using two %% if you want to write a comment.

• Updated dependencies [7a8fb85, 675a64c]:

  • @​mermaid-js/parser@​1.1.1

v11.14.0

Compare Source

Thanks to our awesome mermaid community that contributed to this release: @​ashishjain0512, @​tractorjuice, @​autofix-ci[bot], @​aloisklink, @​knsv, @​kibanana, @​chandershekhar22, @​khalil, @​ytatsuno, @​sidharthv96, @​github-actions[bot], @​dripcoding, @​knsv-bot, @​jeroensmink98, @​Alex9583, @​GhassenS, @​omkarht, @​darshanr0107, @​leentaylor, @​lee-treehouse, @​veeceey, @​turntrout, @​Mermaid-Chart, @​BambioGaming, Claude

Releases

@​mermaid-js/examples@​1.2.0

Minor Changes

• #​7526 efe218a - add new TreeView diagram

mermaid@​11.14.0

Minor Changes

• #​7526 efe218a - Add Wardley Maps diagram type (beta)

  Adds Wardley Maps as a new diagram type to Mermaid (available as wardley-beta). Wardley Maps are visual representations of business strategy that help map value chains and component evolution.

  Features:

  • Component positioning with [visibility, evolution] coordinates (OWM format)
  • Anchors for users/customers
  • Multiple link types: dependencies, flows, labeled links
  • Evolution arrows and trend indicators
  • Custom evolution stages with optional dual labels
  • Custom stage widths using @​boundary notation
  • Pipeline components with visibility inheritance
  • Annotations, notes, and visual elements
  • Source strategy markers: build, buy, outsource, market
  • Inertia indicators
  • Theme integration

  Implementation includes parser, D3.js renderer, unit tests, E2E tests, and comprehensive documentation.

• #​7526 efe218a - feat: implement neo look styling for state diagrams

• #​7526 efe218a - feat: implement neo look support for sequence diagrams with drop shadows, and enhanced styling

• #​7526 efe218a - feat: add randomize config option for architecture diagrams, defaulting to false for deterministic layout

• #​7526 efe218a - feat: Add option to change timeline direction

• #​7526 efe218a - Fix duplicate SVG element IDs when rendering multiple diagrams on the same page. Internal element IDs (nodes, edges, markers, clusters) are now prefixed with the diagram's SVG element ID across all diagram types. Custom CSS or JS using exact ID selectors like #arrowhead should use attribute-ending selectors like [id$="-arrowhead"] instead.

• #​7526 efe218a - feat: implement neo look styling for ER diagrams

• #​7526 efe218a - feat: implement neo look styling for requirement diagrams

• #​7526 efe218a - feat: add theme support for data label colour in xy chart

• #​7526 efe218a - feat: implement neo look styling for mindmap diagrams

• #​7526 efe218a - feat: implement neo look for mermaid flowchart diagrams

• #​7526 efe218a - feat: implement neo look and themes for class diagram

• #​7526 efe218a - feat: add showDataLabelOutsideBar option for xy chart

• #​7526 efe218a - feat: implement neo look support for timeline diagram with drop shadows, additoinal redux themes and enhanced styling

• #​7526 efe218a - feat: implement neo look and themes for gitGraph diagram

• #​7526 efe218a - add new TreeView diagram

Patch Changes

• #​7526 efe218a - add link to ishikawa diagram on mermaid.js.org

• #​7526 efe218a - docs: document valid duration token formats in gantt.md

• #​7526 efe218a - fix: ER diagram parsing when using "1" as entity identifier on right side

  The parser was incorrectly tokenizing the second "1" in patterns like a many to 1 1: because the lookahead rule only checked for alphabetic characters after whitespace, not digits. Added a new lookahead pattern "1"(?=\s+[0-9]) to correctly identify the cardinality alias before a numeric entity name.

  Fixes #​7472

• #​7526 efe218a - fix: scope cytoscape label style mapping to edges with labels to prevent console warnings

• #​7526 efe218a - fix: support inline annotation syntax in class diagrams (class Shape <>)

• #​7526 efe218a - fix: Align branch label background with text for multi-line labels in LR GitGraph layout

• #​7526 efe218a - fix: preserve cause hierarchy when ishikawa effect is indented more than causes

• #​7526 efe218a - refactor: remove unused createGraphWithElements function and add regression test for open edge arrowheads

• #​7526 efe218a - fix: Prevent long pie chart titles from being clipped by expanding the viewBox

• #​7526 efe218a - fix: prevent sequence diagram hang when "as" is used without a trailing space in participant declarations

• #​7526 efe218a - fix: warn when style statement targets a non-existent node in flowcharts

• #​7526 efe218a - fix: group state diagram SVG children under single root element

• #​7526 efe218a - fix: Allow :::className syntax inside composite state blocks

• #​7526 efe218a Thanks @​aloisklink, @​BambioGaming! - fix: prevent escaping < and & when htmlLabels: false

• #​7526 efe218a - fix: treemap title and labels use theme-aware colors for dark backgrounds

• Updated dependencies [efe218a]:

  • @​mermaid-js/parser@​1.1.0

@​mermaid-js/parser@​1.1.0

Minor Changes

• #​7526 efe218a - add new TreeView diagram

@​mermaid-js/tiny@​11.14.0

Minor Changes

• #​7526 efe218a - Add Wardley Maps diagram type (beta)

  Adds Wardley Maps as a new diagram type to Mermaid (available as wardley-beta). Wardley Maps are visual representations of business strategy that help map value chains and component evolution.

  Features:

  • Component positioning with [visibility, evolution] coordinates (OWM format)
  • Anchors for users/customers
  • Multiple link types: dependencies, flows, labeled links
  • Evolution arrows and trend indicators
  • Custom evolution stages with optional dual labels
  • Custom stage widths using @​boundary notation
  • Pipeline components with visibility inheritance
  • Annotations, notes, and visual elements
  • Source strategy markers: build, buy, outsource, market
  • Inertia indicators
  • Theme integration

  Implementation includes parser, D3.js renderer, unit tests, E2E tests, and comprehensive documentation.

• #​7526 efe218a - feat: implement neo look styling for state diagrams

• #​7526 efe218a - feat: implement neo look support for sequence diagrams with drop shadows, and enhanced styling

• #​7526 efe218a - feat: add randomize config option for architecture diagrams, defaulting to false for deterministic layout

• #​7526 efe218a - feat: Add option to change timeline direction

• #​7526 efe218a - Fix duplicate SVG element IDs when rendering multiple diagrams on the same page. Internal element IDs (nodes, edges, markers, clusters) are now prefixed with the diagram's SVG element ID across all diagram types. Custom CSS or JS using exact ID selectors like #arrowhead should use attribute-ending selectors like [id$="-arrowhead"] instead.

• #​7526 efe218a - feat: implement neo look styling for ER diagrams

• #​7526 efe218a - feat: implement neo look styling for requirement diagrams

• #​7526 efe218a - feat: add theme support for data label colour in xy chart

• #​7526 efe218a - feat: implement neo look styling for mindmap diagrams

• #​7526 efe218a - feat: implement neo look for mermaid flowchart diagrams

• #​7526 efe218a - feat: implement neo look and themes for class diagram

• #​7526 efe218a - feat: add showDataLabelOutsideBar option for xy chart

• #​7526 efe218a - feat: implement neo look support for timeline diagram with drop shadows, additoinal redux themes and enhanced styling

• #​7526 efe218a - feat: implement neo look and themes for gitGraph diagram

• #​7526 efe218a - add new TreeView diagram

Patch Changes

• #​7526 efe218a - add link to ishikawa diagram on mermaid.js.org

• #​7526 efe218a - docs: document valid duration token formats in gantt.md

• #​7526 efe218a - fix: ER diagram parsing when using "1" as entity identifier on right side

  The parser was incorrectly tokenizing the second "1" in patterns like a many to 1 1: because the lookahead rule only checked for alphabetic characters after whitespace, not digits. Added a new lookahead pattern "1"(?=\s+[0-9]) to correctly identify the cardinality alias before a numeric entity name.

  Fixes #​7472

• #​7526 efe218a - fix: scope cytoscape label style mapping to edges with labels to prevent console warnings

• #​7526 efe218a - fix: support inline annotation syntax in class diagrams (class Shape <>)

• #​7526 efe218a - fix: Align branch label background with text for multi-line labels in LR GitGraph layout

• #​7526 efe218a - fix: preserve cause hierarchy when ishikawa effect is indented more than causes

• #​7526 efe218a - refactor: remove unused createGraphWithElements function and add regression test for open edge arrowheads

• #​7526 efe218a - fix: Prevent long pie chart titles from being clipped by expanding the viewBox

• #​7526 efe218a - fix: prevent sequence diagram hang when "as" is used without a trailing space in participant declarations

• #​7526 efe218a - fix: warn when style statement targets a non-existent node in flowcharts

• #​7526 efe218a - fix: group state diagram SVG children under single root element

• #​7526 efe218a - fix: Allow :::className syntax inside composite state blocks

• #​7526 efe218a Thanks @​aloisklink, @​BambioGaming! - fix: prevent escaping < and & when htmlLabels: false

• #​7526 efe218a - fix: treemap title and labels use theme-aware colors for dark backgrounds

• Updated dependencies [efe218a]:

  • @​mermaid-js/parser@​1.1.0

v11.13.0

Compare Source

Minor Changes

• #​7352 d6db0b0 Thanks @​remcohaszing! - feat: Export the AsyncIconLoader, SyncIconLoader, and IconLoader types.

• #​5932 cdacb0b Thanks @​exoego! - feat: Add venn-beta diagram

• #​6789 73e9849 Thanks @​omkarht! - feat: Add half-arrowheads (solid & stick) and central connection support

• #​7387 acce4db Thanks @​exoego! - feat: Add Ishikawa diagram (ishikawa-beta)

• #​6995 9745f32 Thanks @​darshanr0107! - feat: Deprecate flowchart.htmlLabels in favor of root-level htmlLabels in Mermaid config

• #​5814 2dd29be Thanks @​kairi003! -

✂ Note

PR body was truncated to here.

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[netlify]

✅ Deploy Preview for elastic-elion-a958b6 ready!

Name	Link
🔨 Latest commit	873afae
🔍 Latest deploy log	https://app.netlify.com/projects/elastic-elion-a958b6/deploys/6a024e42f455df000881101f
😎 Deploy Preview	https://deploy-preview-377--elastic-elion-a958b6.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.