silverwind
7c12446c1f
test(e2e): add comment, release, star, PR and fork tests ( #37800 )
...
Adds Playwright e2e coverage for five high-value workflows, each driven
through semantic locators with API-based setup:
- comment on and close an issue
- publish a release
- star and watch a repository
- create a pull request from the compare page
- fork a repository
Also passes `autoInit: false` in existing tests that only exercise
DB-backed units (issues, reactions, milestones, projects, events),
skipping an unused initial commit to speed up their setup and reduce
parallel git contention.
---
This PR was written with the help of Claude Opus 4.7
---------
Co-authored-by: Claude (Opus 4.7) <noreply@anthropic.com >
Co-authored-by: Nicolas <bircni@icloud.com >
2026-05-22 18:52:04 +00:00
Giteabot
6a27066269
fix(deps): update dependency mermaid to v11.15.0 [security], add e2e test ( #37662 )
...
This PR contains the following updates:
| Package | Change |
[Age](https://docs.renovatebot.com/merge-confidence/ ) |
[Confidence](https://docs.renovatebot.com/merge-confidence/ ) |
|---|---|---|---|
| [mermaid](https://redirect.github.com/mermaid-js/mermaid ) | [`11.14.0`
→ `11.15.0`](https://renovatebot.com/diffs/npm/mermaid/11.14.0/11.15.0 )
|

|

|
---
### Mermaid: Improper sanitization of `classDefs` in diagrams leads to
CSS injection
[CVE-2026-41148](https://nvd.nist.gov/vuln/detail/CVE-2026-41148 ) /
[GHSA-xcj9-5m2h-648r](https://redirect.github.com/advisories/GHSA-xcj9-5m2h-648r )
<details>
<summary>More information</summary>
#### Details
##### Details
The state diagram and any other diagram type that routes user-controlled
style strings through createCssStyles parser for Mermaid v11.14.0 and
earlier captures `classDef` values with an unrestricted regex:
```jison
// packages/mermaid/src/diagrams/state/parser/stateDiagram.jison:83
<CLASSDEFID>[^\n]* { this.popState(); return 'CLASSDEF_STYLEOPTS' }
```
The value passes unsanitized through `addStyleClass()` ->
`createCssStyles()` -> `style.innerHTML` (mermaidAPI.ts:418). A `}` in
the value closes the generated CSS selector, and everything after
becomes a new CSS rule on the page.
##### PoC
```
stateDiagram-v2
classDef x }*{ background-image: url("http://media.giphy.com/media/SggILpMXO7Xt6/giphy.gif ")}
```
Live demo:
<https://mermaid.live/edit#pako:eNpFjzFvgzAQhf-KdVNbEcBgMHhtlkqtOnSJKi8ONsYKBmRMlRTx3-skanvTfbp7996t0IxSAYPZC6_2Rmgn7O4rQ00v5nmvWnRG29OKjqI5aTcug9wZK7RiaHH9A4fO-4kliVXSiFibqbvEzWjvnHxo_fI6vR3e6cGXyX2qTcvhcYMItDMSmHeLisAqZ8UVYeUDQhx8p6ziwEIrhTtx4MNVM4nhcxztrywE0h2wVvRzoGWS_z_8rahBKvcckntgmN5OAFvhDIzUNCZZQXCR5nVaZkUEF2BVFpOcEkoxxhUuyRbB980yjStapKHqoKFlhvPtB7BFZEU >
##### Patches
This has been patched in:
-
[v11.15.0](https://redirect.github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0 )
(see
[e9b0f34d8d82a6260077764ee45e1d7d90957a0f](https://redirect.github.com/mermaid-js/mermaid/commit/e9b0f34d8d82a6260077764ee45e1d7d90957a0f ))
-
[v10.9.6](https://redirect.github.com/mermaid-js/mermaid/releases/tag/v10.9.6 )
(see
[8fead23c59166b7bab6a39eac81acebee2859102](https://redirect.github.com/mermaid-js/mermaid/commit/8fead23c59166b7bab6a39eac81acebee2859102 ))
##### Workarounds
Setting [`"securityLevel":
"sandbox"`](https://mermaid.js.org/config/schema-docs/config.html#securitylevel )
will prevent this, by rendering the mermaid diagram in a sandboxed
`<iframe>`.
##### Impact
Enables page defacement, user tracking via `url()` callbacks, and DOM
attribute exfiltration via CSS `:has()` selectors.
#### Severity
- CVSS Score: 5.3 / 10 (Medium)
- Vector String:
`CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L`
#### References
-
[https://github.com/mermaid-js/mermaid/security/advisories/GHSA-xcj9-5m2h-648r ](https://redirect.github.com/mermaid-js/mermaid/security/advisories/GHSA-xcj9-5m2h-648r )
-
[https://github.com/mermaid-js/mermaid/commit/8fead23c59166b7bab6a39eac81acebee2859102 ](https://redirect.github.com/mermaid-js/mermaid/commit/8fead23c59166b7bab6a39eac81acebee2859102 )
-
[https://github.com/mermaid-js/mermaid/commit/e9b0f34d8d82a6260077764ee45e1d7d90957a0f ](https://redirect.github.com/mermaid-js/mermaid/commit/e9b0f34d8d82a6260077764ee45e1d7d90957a0f )
-
[https://github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0 ](https://redirect.github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0 )
-
[https://github.com/mermaid-js/mermaid/releases/tag/v10.9.6 ](https://redirect.github.com/mermaid-js/mermaid/releases/tag/v10.9.6 )
-
[https://mermaid.js.org/config/schema-docs/config.html#securitylevel ](https://mermaid.js.org/config/schema-docs/config.html#securitylevel )
-
[https://github.com/advisories/GHSA-xcj9-5m2h-648r ](https://redirect.github.com/advisories/GHSA-xcj9-5m2h-648r )
This data is provided by the [GitHub Advisory
Database](https://redirect.github.com/advisories/GHSA-xcj9-5m2h-648r )
([CC-BY
4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md )).
</details>
---
### Mermaid: Improper sanitization of `classDef` in state diagrams leads
to HTML injection
[CVE-2026-41149](https://nvd.nist.gov/vuln/detail/CVE-2026-41149 ) /
[GHSA-ghcm-xqfw-q4vr](https://redirect.github.com/advisories/GHSA-ghcm-xqfw-q4vr )
<details>
<summary>More information</summary>
#### Details
##### Impact
Under the default configuration, Mermaid state diagram's `classDef`
allow DOM injection that escapes the SVG, although `<script>` tags are
removed, preventing XSS.
##### Proof-of-concept
```
stateDiagram-v2
classDef xss fill:red</style></svg><style>*{x:x;y:y;overflow:visible!important;contain:none!important;transform:none!important;filter:none!important;clip-path:none!important}</style><div style="x:x;y:y;color:red;font:5em/1 monospace;display:grid;place-items:center;z-index:2147483647;width:100vw;height:100vh;position:fixed;top:0;left:0;background:black">HACKED</div><svg><style>a:b
[*] --> A:::xss
```
##### Patches
-
[v11.15.0](https://redirect.github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0 )
(see
[37ff937f1da2e19f882fd1db01235db4d01f4056](https://redirect.github.com/mermaid-js/mermaid/commit/37ff937f1da2e19f882fd1db01235db4d01f4056 ))
-
[v10.9.6](https://redirect.github.com/mermaid-js/mermaid/releases/tag/v10.9.6 )
(see
[4e2d512bf5bf6f9de1a8f0a48da78dc4d09ac4f3](https://redirect.github.com/mermaid-js/mermaid/commit/4e2d512bf5bf6f9de1a8f0a48da78dc4d09ac4f3 ))
##### Workarounds
If you can not update to a patched version, setting [`"securityLevel":
"sandbox"`](https://mermaid.js.org/config/schema-docs/config.html#securitylevel )
will prevent this, by rendering the mermaid diagram in a sandboxed
`<iframe>`.
##### Credits
Thanks to @​zsxsoft from @​KeenSecurityLab for reporting
this vulnerability.
#### Severity
- CVSS Score: 5.3 / 10 (Medium)
- Vector String:
`CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L`
#### References
-
[https://github.com/mermaid-js/mermaid/security/advisories/GHSA-ghcm-xqfw-q4vr ](https://redirect.github.com/mermaid-js/mermaid/security/advisories/GHSA-ghcm-xqfw-q4vr )
-
[https://github.com/mermaid-js/mermaid/commit/37ff937f1da2e19f882fd1db01235db4d01f4056 ](https://redirect.github.com/mermaid-js/mermaid/commit/37ff937f1da2e19f882fd1db01235db4d01f4056 )
-
[https://github.com/mermaid-js/mermaid/commit/4e2d512bf5bf6f9de1a8f0a48da78dc4d09ac4f3 ](https://redirect.github.com/mermaid-js/mermaid/commit/4e2d512bf5bf6f9de1a8f0a48da78dc4d09ac4f3 )
-
[https://github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0 ](https://redirect.github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0 )
-
[https://github.com/mermaid-js/mermaid/releases/tag/v10.9.6 ](https://redirect.github.com/mermaid-js/mermaid/releases/tag/v10.9.6 )
-
[https://mermaid.js.org/config/schema-docs/config.html#securitylevel ](https://mermaid.js.org/config/schema-docs/config.html#securitylevel )
-
[https://github.com/advisories/GHSA-ghcm-xqfw-q4vr ](https://redirect.github.com/advisories/GHSA-ghcm-xqfw-q4vr )
This data is provided by the [GitHub Advisory
Database](https://redirect.github.com/advisories/GHSA-ghcm-xqfw-q4vr )
([CC-BY
4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md )).
</details>
---
### Mermaid: Improper sanitization of configuration leads to CSS
injection
[CVE-2026-41159](https://nvd.nist.gov/vuln/detail/CVE-2026-41159 ) /
[GHSA-87f9-hvmw-gh4p](https://redirect.github.com/advisories/GHSA-87f9-hvmw-gh4p )
<details>
<summary>More information</summary>
#### Details
##### Impact
Mermaid's default configuration allows injecting CSS that applies
outside of the Mermaid diagram via the `fontFamily`, `themeCSS`, and
`altFontFamily` configuration options.
Live demo:
[mermaid.live](https://mermaid.live/edit#pako:eNpNjktLxDAUhf9KvFBR6JS-60QQfODKlUvJ5k6TtsEmKTHFGUP-u-mI6Nmdy3fOPR56wwVQSBIvtXSUeAaD0e4ZlZxPDChhcLxFfwiEauOuLq_9Afv30ZpVczpaITS5kGox1qF2gfSeBwYhJAnThAyz-ewntI68vG5-0z3Z7e7IA9OQwmglB-rsKlJQwircLPgNZeAmocTPAi4GXGfHgOkQYwvqN2PUbzJuGSegA84f0a0LRyeeJI4W_xChubCPcbQD2pwbgHo4Aq2aKmvbqq3zoiu7pizqFE6RybN9VFfFY1HWXRVS-Dr_zLObrt7_V_gGGXZlGg )
Example code:
```
%%{init: {"fontFamily": "x;a{b} :not(&){background:green !important} c{d}"}}%%
flowchart LR
A --> B
```
The injected CSS exploits stylis's `&` (scope reference) handling.
`:not(&)` escapes the `#mermaid-xxx` automatic scoping, applying styles
to all page elements. Global at-rules (`@font-face`, `@keyframes`,
`@counter-style`) are also injectable as stylis hoists them to top
level.
This allows page defacement and DOM attribute exfiltration via CSS
`:has()` selectors.
##### Patches
-
[v11.15.0](https://redirect.github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0 )
(see
[64769738d5b59211e1decb471ffbaca8afec51aa](https://redirect.github.com/mermaid-js/mermaid/commit/64769738d5b59211e1decb471ffbaca8afec51aa ))
-
[v10.9.6](https://redirect.github.com/mermaid-js/mermaid/releases/tag/v10.9.6 )
(see
[a9d9f0d8eb790349121508688cd338253fd80d76](https://redirect.github.com/mermaid-js/mermaid/commit/a9d9f0d8eb790349121508688cd338253fd80d76 ))
##### Workarounds
If you can't upgrade mermaid, you can set the
[`secure`](https://mermaid.js.org/config/schema-docs/config.html#secure )
config value in the mermaid config to avoid allowing diagrams to modify
`fontFamily`, `themeCSS`, `altFontFamily`, and `themeVariables`.
Setting [`"securityLevel":
"sandbox"`](https://mermaid.js.org/config/schema-docs/config.html#securitylevel )
will also prevent this.
##### Credits
Reported by @​zsxsoft on behalf of @​KeenSecurityLab
#### Severity
- CVSS Score: 5.3 / 10 (Medium)
- Vector String:
`CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L`
#### References
-
[https://github.com/mermaid-js/mermaid/security/advisories/GHSA-87f9-hvmw-gh4p ](https://redirect.github.com/mermaid-js/mermaid/security/advisories/GHSA-87f9-hvmw-gh4p )
-
[https://github.com/mermaid-js/mermaid/commit/64769738d5b59211e1decb471ffbaca8afec51aa ](https://redirect.github.com/mermaid-js/mermaid/commit/64769738d5b59211e1decb471ffbaca8afec51aa )
-
[https://github.com/mermaid-js/mermaid/commit/a9d9f0d8eb790349121508688cd338253fd80d76 ](https://redirect.github.com/mermaid-js/mermaid/commit/a9d9f0d8eb790349121508688cd338253fd80d76 )
-
[https://github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0 ](https://redirect.github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0 )
-
[https://github.com/mermaid-js/mermaid/releases/tag/v10.9.6 ](https://redirect.github.com/mermaid-js/mermaid/releases/tag/v10.9.6 )
-
[https://github.com/advisories/GHSA-87f9-hvmw-gh4p ](https://redirect.github.com/advisories/GHSA-87f9-hvmw-gh4p )
This data is provided by the [GitHub Advisory
Database](https://redirect.github.com/advisories/GHSA-87f9-hvmw-gh4p )
([CC-BY
4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md )).
</details>
---
### Mermaid Gantt Charts are vulnerable to an Infinite Loop DoS
[CVE-2026-41150](https://nvd.nist.gov/vuln/detail/CVE-2026-41150 ) /
[GHSA-6m6c-36f7-fhxh](https://redirect.github.com/advisories/GHSA-6m6c-36f7-fhxh )
<details>
<summary>More information</summary>
#### Details
##### Impact
Mermaid v11.14.0 and earlier are vulnerable to a denial-of-service
attack when rendering gantt charts, if they use the [`excludes`
attribute](https://mermaid.js.org/syntax/gantt.html?#excludes ) to
exclude all dates.
Example:
```
gantt
excludes monday,tuesday,wednesday,thursday,friday,saturday,sunday
DoS :2025-01-01, 1d
```
`mermaid.parse` is unaffected, unless you then call the
`ganttDb.getTasks()` (which is called when rendering a diagram).
##### Patches
This has been patched in:
-
[v11.15.0](https://redirect.github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0 )
(see
[faafb5d49106dd32c367f3882505f2dd625aa30e](https://redirect.github.com/mermaid-js/mermaid/commit/faafb5d49106dd32c367f3882505f2dd625aa30e ))
-
[v10.9.6](https://redirect.github.com/mermaid-js/mermaid/releases/tag/v10.9.6 )
(see
[a59ea56174712ee5430dfd5bc877cb5151f501a6](https://redirect.github.com/mermaid-js/mermaid/commit/a59ea56174712ee5430dfd5bc877cb5151f501a6 ))
##### Workarounds
There are no workarounds available without updating to a newer version
of mermaid.
#### Severity
- CVSS Score: 5.3 / 10 (Medium)
- Vector String:
`CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L`
#### References
-
[https://github.com/mermaid-js/mermaid/security/advisories/GHSA-6m6c-36f7-fhxh ](https://redirect.github.com/mermaid-js/mermaid/security/advisories/GHSA-6m6c-36f7-fhxh )
-
[https://github.com/mermaid-js/mermaid/commit/a59ea56174712ee5430dfd5bc877cb5151f501a6 ](https://redirect.github.com/mermaid-js/mermaid/commit/a59ea56174712ee5430dfd5bc877cb5151f501a6 )
-
[https://github.com/mermaid-js/mermaid/commit/faafb5d49106dd32c367f3882505f2dd625aa30e ](https://redirect.github.com/mermaid-js/mermaid/commit/faafb5d49106dd32c367f3882505f2dd625aa30e )
-
[https://github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0 ](https://redirect.github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0 )
-
[https://github.com/mermaid-js/mermaid/releases/tag/v10.9.6 ](https://redirect.github.com/mermaid-js/mermaid/releases/tag/v10.9.6 )
-
[https://github.com/advisories/GHSA-6m6c-36f7-fhxh ](https://redirect.github.com/advisories/GHSA-6m6c-36f7-fhxh )
This data is provided by the [GitHub Advisory
Database](https://redirect.github.com/advisories/GHSA-6m6c-36f7-fhxh )
([CC-BY
4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md )).
</details>
---
### Mermaid Gantt Charts are vulnerable to an Infinite Loop DoS
[CVE-2026-41150](https://nvd.nist.gov/vuln/detail/CVE-2026-41150 ) /
[GHSA-6m6c-36f7-fhxh](https://redirect.github.com/advisories/GHSA-6m6c-36f7-fhxh )
<details>
<summary>More information</summary>
#### Details
##### Impact
Mermaid v11.14.0 and earlier are vulnerable to a denial-of-service
attack when rendering gantt charts, if they use the [`excludes`
attribute](https://mermaid.js.org/syntax/gantt.html?#excludes ) to
exclude all dates.
Example:
```
gantt
excludes monday,tuesday,wednesday,thursday,friday,saturday,sunday
DoS :2025-01-01, 1d
```
`mermaid.parse` is unaffected, unless you then call the
`ganttDb.getTasks()` (which is called when rendering a diagram).
##### Patches
This has been patched in:
-
[v11.15.0](https://redirect.github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0 )
(see
[faafb5d49106dd32c367f3882505f2dd625aa30e](https://redirect.github.com/mermaid-js/mermaid/commit/faafb5d49106dd32c367f3882505f2dd625aa30e ))
-
[v10.9.6](https://redirect.github.com/mermaid-js/mermaid/releases/tag/v10.9.6 )
(see
[a59ea56174712ee5430dfd5bc877cb5151f501a6](https://redirect.github.com/mermaid-js/mermaid/commit/a59ea56174712ee5430dfd5bc877cb5151f501a6 ))
##### Workarounds
There are no workarounds available without updating to a newer version
of mermaid.
#### Severity
- CVSS Score: 5.3 / 10 (Medium)
- Vector String:
`CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L`
#### References
-
[https://github.com/mermaid-js/mermaid/security/advisories/GHSA-6m6c-36f7-fhxh ](https://redirect.github.com/mermaid-js/mermaid/security/advisories/GHSA-6m6c-36f7-fhxh )
-
[https://github.com/mermaid-js/mermaid/commit/a59ea56174712ee5430dfd5bc877cb5151f501a6 ](https://redirect.github.com/mermaid-js/mermaid/commit/a59ea56174712ee5430dfd5bc877cb5151f501a6 )
-
[https://github.com/mermaid-js/mermaid/commit/faafb5d49106dd32c367f3882505f2dd625aa30e ](https://redirect.github.com/mermaid-js/mermaid/commit/faafb5d49106dd32c367f3882505f2dd625aa30e )
-
[https://github.com/mermaid-js/mermaid ](https://redirect.github.com/mermaid-js/mermaid )
-
[https://github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0 ](https://redirect.github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0 )
-
[https://github.com/mermaid-js/mermaid/releases/tag/v10.9.6 ](https://redirect.github.com/mermaid-js/mermaid/releases/tag/v10.9.6 )
This data is provided by
[OSV](https://osv.dev/vulnerability/GHSA-6m6c-36f7-fhxh ) and the [GitHub
Advisory Database](https://redirect.github.com/github/advisory-database )
([CC-BY
4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md )).
</details>
---
### Mermaid: Improper sanitization of configuration leads to CSS
injection
[CVE-2026-41159](https://nvd.nist.gov/vuln/detail/CVE-2026-41159 ) /
[GHSA-87f9-hvmw-gh4p](https://redirect.github.com/advisories/GHSA-87f9-hvmw-gh4p )
<details>
<summary>More information</summary>
#### Details
##### Impact
Mermaid's default configuration allows injecting CSS that applies
outside of the Mermaid diagram via the `fontFamily`, `themeCSS`, and
`altFontFamily` configuration options.
Live demo:
[mermaid.live](https://mermaid.live/edit#pako:eNpNjktLxDAUhf9KvFBR6JS-60QQfODKlUvJ5k6TtsEmKTHFGUP-u-mI6Nmdy3fOPR56wwVQSBIvtXSUeAaD0e4ZlZxPDChhcLxFfwiEauOuLq_9Afv30ZpVczpaITS5kGox1qF2gfSeBwYhJAnThAyz-ewntI68vG5-0z3Z7e7IA9OQwmglB-rsKlJQwircLPgNZeAmocTPAi4GXGfHgOkQYwvqN2PUbzJuGSegA84f0a0LRyeeJI4W_xChubCPcbQD2pwbgHo4Aq2aKmvbqq3zoiu7pizqFE6RybN9VFfFY1HWXRVS-Dr_zLObrt7_V_gGGXZlGg )
Example code:
```
%%{init: {"fontFamily": "x;a{b} :not(&){background:green !important} c{d}"}}%%
flowchart LR
A --> B
```
The injected CSS exploits stylis's `&` (scope reference) handling.
`:not(&)` escapes the `#mermaid-xxx` automatic scoping, applying styles
to all page elements. Global at-rules (`@font-face`, `@keyframes`,
`@counter-style`) are also injectable as stylis hoists them to top
level.
This allows page defacement and DOM attribute exfiltration via CSS
`:has()` selectors.
##### Patches
-
[v11.15.0](https://redirect.github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0 )
(see
[64769738d5b59211e1decb471ffbaca8afec51aa](https://redirect.github.com/mermaid-js/mermaid/commit/64769738d5b59211e1decb471ffbaca8afec51aa ))
-
[v10.9.6](https://redirect.github.com/mermaid-js/mermaid/releases/tag/v10.9.6 )
(see
[a9d9f0d8eb790349121508688cd338253fd80d76](https://redirect.github.com/mermaid-js/mermaid/commit/a9d9f0d8eb790349121508688cd338253fd80d76 ))
##### Workarounds
If you can't upgrade mermaid, you can set the
[`secure`](https://mermaid.js.org/config/schema-docs/config.html#secure )
config value in the mermaid config to avoid allowing diagrams to modify
`fontFamily`, `themeCSS`, `altFontFamily`, and `themeVariables`.
Setting [`"securityLevel":
"sandbox"`](https://mermaid.js.org/config/schema-docs/config.html#securitylevel )
will also prevent this.
##### Credits
Reported by @​zsxsoft on behalf of @​KeenSecurityLab
#### Severity
- CVSS Score: 5.3 / 10 (Medium)
- Vector String:
`CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L`
#### References
-
[https://github.com/mermaid-js/mermaid/security/advisories/GHSA-87f9-hvmw-gh4p ](https://redirect.github.com/mermaid-js/mermaid/security/advisories/GHSA-87f9-hvmw-gh4p )
-
[https://github.com/mermaid-js/mermaid/commit/64769738d5b59211e1decb471ffbaca8afec51aa ](https://redirect.github.com/mermaid-js/mermaid/commit/64769738d5b59211e1decb471ffbaca8afec51aa )
-
[https://github.com/mermaid-js/mermaid/commit/a9d9f0d8eb790349121508688cd338253fd80d76 ](https://redirect.github.com/mermaid-js/mermaid/commit/a9d9f0d8eb790349121508688cd338253fd80d76 )
-
[https://github.com/mermaid-js/mermaid ](https://redirect.github.com/mermaid-js/mermaid )
-
[https://github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0 ](https://redirect.github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0 )
-
[https://github.com/mermaid-js/mermaid/releases/tag/v10.9.6 ](https://redirect.github.com/mermaid-js/mermaid/releases/tag/v10.9.6 )
This data is provided by
[OSV](https://osv.dev/vulnerability/GHSA-87f9-hvmw-gh4p ) and the [GitHub
Advisory Database](https://redirect.github.com/github/advisory-database )
([CC-BY
4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md )).
</details>
---
### Mermaid: Improper sanitization of `classDef` in state diagrams leads
to HTML injection
[CVE-2026-41149](https://nvd.nist.gov/vuln/detail/CVE-2026-41149 ) /
[GHSA-ghcm-xqfw-q4vr](https://redirect.github.com/advisories/GHSA-ghcm-xqfw-q4vr )
<details>
<summary>More information</summary>
#### Details
##### Impact
Under the default configuration, Mermaid state diagram's `classDef`
allow DOM injection that escapes the SVG, although `<script>` tags are
removed, preventing XSS.
##### Proof-of-concept
```
stateDiagram-v2
classDef xss fill:red</style></svg><style>*{x:x;y:y;overflow:visible!important;contain:none!important;transform:none!important;filter:none!important;clip-path:none!important}</style><div style="x:x;y:y;color:red;font:5em/1 monospace;display:grid;place-items:center;z-index:2147483647;width:100vw;height:100vh;position:fixed;top:0;left:0;background:black">HACKED</div><svg><style>a:b
[*] --> A:::xss
```
##### Patches
-
[v11.15.0](https://redirect.github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0 )
(see
[37ff937f1da2e19f882fd1db01235db4d01f4056](https://redirect.github.com/mermaid-js/mermaid/commit/37ff937f1da2e19f882fd1db01235db4d01f4056 ))
-
[v10.9.6](https://redirect.github.com/mermaid-js/mermaid/releases/tag/v10.9.6 )
(see
[4e2d512bf5bf6f9de1a8f0a48da78dc4d09ac4f3](https://redirect.github.com/mermaid-js/mermaid/commit/4e2d512bf5bf6f9de1a8f0a48da78dc4d09ac4f3 ))
##### Workarounds
If you can not update to a patched version, setting [`"securityLevel":
"sandbox"`](https://mermaid.js.org/config/schema-docs/config.html#securitylevel )
will prevent this, by rendering the mermaid diagram in a sandboxed
`<iframe>`.
##### Credits
Thanks to @​zsxsoft from @​KeenSecurityLab for reporting
this vulnerability.
#### Severity
- CVSS Score: 5.3 / 10 (Medium)
- Vector String:
`CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L`
#### References
-
[https://github.com/mermaid-js/mermaid/security/advisories/GHSA-ghcm-xqfw-q4vr ](https://redirect.github.com/mermaid-js/mermaid/security/advisories/GHSA-ghcm-xqfw-q4vr )
-
[https://github.com/mermaid-js/mermaid/commit/37ff937f1da2e19f882fd1db01235db4d01f4056 ](https://redirect.github.com/mermaid-js/mermaid/commit/37ff937f1da2e19f882fd1db01235db4d01f4056 )
-
[https://github.com/mermaid-js/mermaid/commit/4e2d512bf5bf6f9de1a8f0a48da78dc4d09ac4f3 ](https://redirect.github.com/mermaid-js/mermaid/commit/4e2d512bf5bf6f9de1a8f0a48da78dc4d09ac4f3 )
-
[https://github.com/mermaid-js/mermaid ](https://redirect.github.com/mermaid-js/mermaid )
-
[https://github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0 ](https://redirect.github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0 )
-
[https://github.com/mermaid-js/mermaid/releases/tag/v10.9.6 ](https://redirect.github.com/mermaid-js/mermaid/releases/tag/v10.9.6 )
-
[https://mermaid.js.org/config/schema-docs/config.html#securitylevel ](https://mermaid.js.org/config/schema-docs/config.html#securitylevel )
This data is provided by
[OSV](https://osv.dev/vulnerability/GHSA-ghcm-xqfw-q4vr ) and the [GitHub
Advisory Database](https://redirect.github.com/github/advisory-database )
([CC-BY
4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md )).
</details>
---
### Mermaid: Improper sanitization of `classDefs` in diagrams leads to
CSS injection
[CVE-2026-41148](https://nvd.nist.gov/vuln/detail/CVE-2026-41148 ) /
[GHSA-xcj9-5m2h-648r](https://redirect.github.com/advisories/GHSA-xcj9-5m2h-648r )
<details>
<summary>More information</summary>
#### Details
##### Details
The state diagram and any other diagram type that routes user-controlled
style strings through createCssStyles parser for Mermaid v11.14.0 and
earlier captures `classDef` values with an unrestricted regex:
```jison
// packages/mermaid/src/diagrams/state/parser/stateDiagram.jison:83
<CLASSDEFID>[^\n]* { this.popState(); return 'CLASSDEF_STYLEOPTS' }
```
The value passes unsanitized through `addStyleClass()` ->
`createCssStyles()` -> `style.innerHTML` (mermaidAPI.ts:418). A `}` in
the value closes the generated CSS selector, and everything after
becomes a new CSS rule on the page.
##### PoC
```
stateDiagram-v2
classDef x }*{ background-image: url("http://media.giphy.com/media/SggILpMXO7Xt6/giphy.gif ")}
```
Live demo:
<https://mermaid.live/edit#pako:eNpFjzFvgzAQhf-KdVNbEcBgMHhtlkqtOnSJKi8ONsYKBmRMlRTx3-skanvTfbp7996t0IxSAYPZC6_2Rmgn7O4rQ00v5nmvWnRG29OKjqI5aTcug9wZK7RiaHH9A4fO-4kliVXSiFibqbvEzWjvnHxo_fI6vR3e6cGXyX2qTcvhcYMItDMSmHeLisAqZ8UVYeUDQhx8p6ziwEIrhTtx4MNVM4nhcxztrywE0h2wVvRzoGWS_z_8rahBKvcckntgmN5OAFvhDIzUNCZZQXCR5nVaZkUEF2BVFpOcEkoxxhUuyRbB980yjStapKHqoKFlhvPtB7BFZEU >
##### Patches
This has been patched in:
-
[v11.15.0](https://redirect.github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0 )
(see
[e9b0f34d8d82a6260077764ee45e1d7d90957a0f](https://redirect.github.com/mermaid-js/mermaid/commit/e9b0f34d8d82a6260077764ee45e1d7d90957a0f ))
-
[v10.9.6](https://redirect.github.com/mermaid-js/mermaid/releases/tag/v10.9.6 )
(see
[8fead23c59166b7bab6a39eac81acebee2859102](https://redirect.github.com/mermaid-js/mermaid/commit/8fead23c59166b7bab6a39eac81acebee2859102 ))
##### Workarounds
Setting [`"securityLevel":
"sandbox"`](https://mermaid.js.org/config/schema-docs/config.html#securitylevel )
will prevent this, by rendering the mermaid diagram in a sandboxed
`<iframe>`.
##### Impact
Enables page defacement, user tracking via `url()` callbacks, and DOM
attribute exfiltration via CSS `:has()` selectors.
#### Severity
- CVSS Score: 5.3 / 10 (Medium)
- Vector String:
`CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L`
#### References
-
[https://github.com/mermaid-js/mermaid/security/advisories/GHSA-xcj9-5m2h-648r ](https://redirect.github.com/mermaid-js/mermaid/security/advisories/GHSA-xcj9-5m2h-648r )
-
[https://github.com/mermaid-js/mermaid/commit/8fead23c59166b7bab6a39eac81acebee2859102 ](https://redirect.github.com/mermaid-js/mermaid/commit/8fead23c59166b7bab6a39eac81acebee2859102 )
-
[https://github.com/mermaid-js/mermaid/commit/e9b0f34d8d82a6260077764ee45e1d7d90957a0f ](https://redirect.github.com/mermaid-js/mermaid/commit/e9b0f34d8d82a6260077764ee45e1d7d90957a0f )
-
[https://github.com/mermaid-js/mermaid ](https://redirect.github.com/mermaid-js/mermaid )
-
[https://github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0 ](https://redirect.github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0 )
-
[https://github.com/mermaid-js/mermaid/releases/tag/v10.9.6 ](https://redirect.github.com/mermaid-js/mermaid/releases/tag/v10.9.6 )
-
[https://mermaid.js.org/config/schema-docs/config.html#securitylevel ](https://mermaid.js.org/config/schema-docs/config.html#securitylevel )
This data is provided by
[OSV](https://osv.dev/vulnerability/GHSA-xcj9-5m2h-648r ) and the [GitHub
Advisory Database](https://redirect.github.com/github/advisory-database )
([CC-BY
4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md )).
</details>
---
### Release Notes
<details>
<summary>mermaid-js/mermaid (mermaid)</summary>
###
[`v11.15.0`](https://redirect.github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0 )
[Compare
Source](https://redirect.github.com/mermaid-js/mermaid/compare/mermaid@11.14.0...mermaid@11.15.0 )
##### Minor Changes
-
[#​7174](https://redirect.github.com/mermaid-js/mermaid/pull/7174 )
[`0aca217`](https://redirect.github.com/mermaid-js/mermaid/commit/0aca21739c0d1fcaaa206e04a6cd574ebc415483 )
Thanks
[@​milesspencer35](https://redirect.github.com/milesspencer35 )! -
feat(sequence): Add support for decimal start and increment values in
the `autonumber` directive
-
[#​7512](https://redirect.github.com/mermaid-js/mermaid/pull/7512 )
[`8e17492`](https://redirect.github.com/mermaid-js/mermaid/commit/8e17492f7365ba50896382feb69a23efd9d8a22d )
Thanks [@​aruncveli](https://redirect.github.com/aruncveli )! -
feat(flowchart): add datastore shape
In Data flow diagrams, a datastore/warehouse/file/database is used to
represent data persistence. It is denoted by a rectangle with only top
and bottom borders, and can be used in flowcharts with `A@{ shape:
datastore, label: "Datastore" }`.
-
[#​6440](https://redirect.github.com/mermaid-js/mermaid/pull/6440 )
[`9ad8dde`](https://redirect.github.com/mermaid-js/mermaid/commit/9ad8dde6d049adde85d8ed2d476c09b5820f3f4b )
Thanks [@​yordis](https://redirect.github.com/yordis ),
[@​lgazo](https://redirect.github.com/lgazo )! - feat: add Event
Modeling diagram
-
[#​7707](https://redirect.github.com/mermaid-js/mermaid/pull/7707 )
[`27db774`](https://redirect.github.com/mermaid-js/mermaid/commit/27db774627be1cee881961dfd0d2cb21cd01b79d )
Thanks [@​txmxthy](https://redirect.github.com/txmxthy )! -
feat(architecture): expose four fcose layout knobs for
`architecture-beta` diagrams (`nodeSeparation`,
`idealEdgeLengthMultiplier`, `edgeElasticity`, `numIter`) so authors can
tune layout density and spread overlapping siblings without changing
diagram source
-
[#​7604](https://redirect.github.com/mermaid-js/mermaid/pull/7604 )
[`bf9502f`](https://redirect.github.com/mermaid-js/mermaid/commit/bf9502fb6012a4b724679b401ac928f5ee55161c )
Thanks [@​M-a-c](https://redirect.github.com/M-a-c )! -
feat(class): add nested namespace support for class diagrams via dot
notation and syntactic nesting
If you have namespaces in class diagrams that use `.`s already and want
to render them without nesting (≤v11.14.0 behaviour), you can use set
`class.hierarchicalNamespaces=false` in your mermaid config:
```yaml
config:
class:
hierarchicalNamespaces: false
```
-
[#​7272](https://redirect.github.com/mermaid-js/mermaid/pull/7272 )
[`88cdd3d`](https://redirect.github.com/mermaid-js/mermaid/commit/88cdd3dc0aab9577174561b04e14760c565a232b )
Thanks [@​xinbenlv](https://redirect.github.com/xinbenlv )! -
feat(sankey): add outlined label style, configurable
nodeWidth/nodePadding, and custom node colors
##### Patch Changes
-
[#​7737](https://redirect.github.com/mermaid-js/mermaid/pull/7737 )
[`e9b0f34`](https://redirect.github.com/mermaid-js/mermaid/commit/e9b0f34d8d82a6260077764ee45e1d7d90957a0f )
Thanks
[@​ashishjain0512](https://redirect.github.com/ashishjain0512 )! -
fix: prevent unbalanced CSS styles in classDefs
-
[#​7737](https://redirect.github.com/mermaid-js/mermaid/pull/7737 )
[`37ff937`](https://redirect.github.com/mermaid-js/mermaid/commit/37ff937f1da2e19f882fd1db01235db4d01f4056 )
Thanks
[@​ashishjain0512](https://redirect.github.com/ashishjain0512 )! -
fix: create CSS styles using the CSSOM
This removes some invalid CSS and normalizes some CSS formatting.
-
[#​7508](https://redirect.github.com/mermaid-js/mermaid/pull/7508 )
[`bfe60cc`](https://redirect.github.com/mermaid-js/mermaid/commit/bfe60cc67b9a6dec64f9161f58e4d24a06c42b65 )
Thanks [@​biiab](https://redirect.github.com/biiab )! -
fix(stateDiagram): `end note` now only closes a note when used on a new
line
-
[#​7737](https://redirect.github.com/mermaid-js/mermaid/pull/7737 )
[`faafb5d`](https://redirect.github.com/mermaid-js/mermaid/commit/faafb5d49106dd32c367f3882505f2dd625aa30e )
Thanks
[@​ashishjain0512](https://redirect.github.com/ashishjain0512 )! -
fix(gantt): add iteration limit for `excludes` field
-
[#​7737](https://redirect.github.com/mermaid-js/mermaid/pull/7737 )
[`65f8be2`](https://redirect.github.com/mermaid-js/mermaid/commit/65f8be2a42faf869b811469571983cba7eeeca99 )
Thanks
[@​ashishjain0512](https://redirect.github.com/ashishjain0512 )! -
fix: disallow some CSS at-rules in custom CSS
-
[#​7726](https://redirect.github.com/mermaid-js/mermaid/pull/7726 )
[`1502f32`](https://redirect.github.com/mermaid-js/mermaid/commit/1502f32f3c5fb944925b0c527fbbde3c4f041824 )
Thanks [@​aloisklink](https://redirect.github.com/aloisklink )! -
fix(wardley): fix unnecessary sanitization of text
-
[#​7578](https://redirect.github.com/mermaid-js/mermaid/pull/7578 )
[`1f98db8`](https://redirect.github.com/mermaid-js/mermaid/commit/1f98db8e326299ac97a2fa60abfd509d8f5f16e2 )
Thanks [@​Gaston202](https://redirect.github.com/Gaston202 )! -
fix(class): self-referential class multiplicity labels no longer
rendered multiple times
Fixes
[#​7560](https://redirect.github.com/mermaid-js/mermaid/issues/7560 ).
Resolves an issue where cardinality labels on self-referential class
relationships were rendered three times due to edge splitting in the
dagre layout. The fix ensures that each sub-edge only carries its
relevant label positions.
-
[#​7592](https://redirect.github.com/mermaid-js/mermaid/pull/7592 )
[`2343e38`](https://redirect.github.com/mermaid-js/mermaid/commit/2343e38498a3b31f8ce5e79f1f009e0b56fbe086 )
Thanks [@​knsv-bot](https://redirect.github.com/knsv-bot )! -
fix(sequence): add background box behind alt/else section title labels
in sequence diagrams
-
[#​7589](https://redirect.github.com/mermaid-js/mermaid/pull/7589 )
[`7fb9509`](https://redirect.github.com/mermaid-js/mermaid/commit/7fb9509b8b5cb1dc48519dc60cf6cdc6afba0462 )
Thanks [@​NYCU-Chung](https://redirect.github.com/NYCU-Chung )! -
fix(block): prevent column widths from shrinking when mixing different
column spans
-
[#​7632](https://redirect.github.com/mermaid-js/mermaid/pull/7632 )
[`3f9e0f1`](https://redirect.github.com/mermaid-js/mermaid/commit/3f9e0f15bedc1e2c71ddb6b34192d1a21124cfc2 )
Thanks [@​ekiauhce](https://redirect.github.com/ekiauhce )! -
fix(sequence): correct messageAlign label position for right-to-left
arrows in sequence diagrams
-
[#​7642](https://redirect.github.com/mermaid-js/mermaid/pull/7642 )
[`7a8fb85`](https://redirect.github.com/mermaid-js/mermaid/commit/7a8fb8532c57ecc55b3711454ab0e505a4291445 )
Thanks [@​tractorjuice](https://redirect.github.com/tractorjuice )!
- fix(wardley): allow hyphens in unquoted component names
Multi-word names containing hyphens — e.g. `real-time processing`,
`end-user`, `on-call engineer` — now parse without quoting, bringing the
grammar in line with the OnlineWardleyMaps (OWM) convention. `A->B`
(no-space arrow) still tokenises correctly.
-
[#​7523](https://redirect.github.com/mermaid-js/mermaid/pull/7523 )
[`5144ed4`](https://redirect.github.com/mermaid-js/mermaid/commit/5144ed4b138ae0f4836bab4c163c575e0a767dd3 )
Thanks [@​darshanr0107](https://redirect.github.com/darshanr0107 )!
- fix(block): Arrow blocks in block-beta diagrams not spanning the
specified number of columns when using `:n` syntax.
-
[#​7262](https://redirect.github.com/mermaid-js/mermaid/pull/7262 )
[`13d9bfa`](https://redirect.github.com/mermaid-js/mermaid/commit/13d9bfa4748e845a9eec7d6265ba496d2278f26e )
Thanks [@​darshanr0107](https://redirect.github.com/darshanr0107 )!
- fix(block): Ensure block diagram hexagon blocks respect column
spanning syntax
-
[#​7684](https://redirect.github.com/mermaid-js/mermaid/pull/7684 )
[`e14bb88`](https://redirect.github.com/mermaid-js/mermaid/commit/e14bb88bdb940124cdb0a107025653bf93745c99 )
Thanks [@​aloisklink](https://redirect.github.com/aloisklink )! -
fix: loosen `uuid` dependency range to allow v14
Mermaid does not use any of the vulnerable code in CVE-2026-41907,
but this allows users to silence any `npm audit` alerts on it.
-
[#​7633](https://redirect.github.com/mermaid-js/mermaid/pull/7633 )
[`9217c0d`](https://redirect.github.com/mermaid-js/mermaid/commit/9217c0d8b221b423af80e420b7adae901acf6c8c )
Thanks [@​Felix-Garci](https://redirect.github.com/Felix-Garci )! -
fix(block): add support for all arrow types in block diagrams
-
[#​7587](https://redirect.github.com/mermaid-js/mermaid/pull/7587 )
[`5e7eb62`](https://redirect.github.com/mermaid-js/mermaid/commit/5e7eb62e3aba6b5df559f5c839a868e5b7f40e72 )
Thanks
[@​MaddyGuthridge](https://redirect.github.com/MaddyGuthridge )! -
chore: drop lodash-es in favour of es-toolkit
-
[#​7693](https://redirect.github.com/mermaid-js/mermaid/pull/7693 )
[`afaf306`](https://redirect.github.com/mermaid-js/mermaid/commit/afaf3062381d115d66744413151b642f124dd9ba )
Thanks [@​dull-bird](https://redirect.github.com/dull-bird )! -
fix(quadrant-chart): allow CJK, emoji, Latin-1 accented characters, and
other non-ASCII text in unquoted axis/quadrant/point labels.
Previously the lexer only matched ASCII `[A-Za-z]+` for text tokens,
even though the grammar referenced `UNICODE_TEXT`. Bare Chinese,
Japanese, Korean, emoji, and accented Latin characters in labels caused
a parse error. Added a `[^\x00-\x7F]+` lexer rule to emit `UNICODE_TEXT`
and included it in the `alphaNumToken` grammar rule.
Fixes
[#​7120](https://redirect.github.com/mermaid-js/mermaid/issues/7120 ).
-
[#​7737](https://redirect.github.com/mermaid-js/mermaid/pull/7737 )
[`4755553`](https://redirect.github.com/mermaid-js/mermaid/commit/4755553d5fb6d1217809e43ffb8fc54d6a73e482 )
Thanks
[@​ashishjain0512](https://redirect.github.com/ashishjain0512 )! -
fix: improve D3 types for mermaidAPI funcs
-
[#​7737](https://redirect.github.com/mermaid-js/mermaid/pull/7737 )
[`6476973`](https://redirect.github.com/mermaid-js/mermaid/commit/64769738d5b59211e1decb471ffbaca8afec51aa )
Thanks
[@​ashishjain0512](https://redirect.github.com/ashishjain0512 )! -
fix: handle `&` when namespacing CSS rules
-
[#​7520](https://redirect.github.com/mermaid-js/mermaid/pull/7520 )
[`8c1a0c1`](https://redirect.github.com/mermaid-js/mermaid/commit/8c1a0c1fd19587c6772d6966fe9d217e5cd1356c )
Thanks
[@​RodrigojndSantos](https://redirect.github.com/RodrigojndSantos )!
- fix(stateDiagram): comments starting with one `%` are no longer
treated as comments
Switch to using two `%%` if you want to write a comment.
- Updated dependencies
\[[`7a8fb85`](https://redirect.github.com/mermaid-js/mermaid/commit/7a8fb8532c57ecc55b3711454ab0e505a4291445 ),
[`675a64c`](https://redirect.github.com/mermaid-js/mermaid/commit/675a64ca0e3cde8728ca715991623c3fc055ce88 )]:
-
[@​mermaid-js/parser](https://redirect.github.com/mermaid-js/parser )@​1.1.1
</details>
---
### Configuration
📅 **Schedule**: (UTC)
- Branch creation
- ""
- Automerge
- At any time (no schedule defined)
🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.
♻ **Rebasing**: Whenever PR is behind base branch, or you tick the
rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.
---
- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box
---
This PR has been generated by [Mend
Renovate](https://redirect.github.com/renovatebot/renovate ).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4xNDEuNSIsInVwZGF0ZWRJblZlciI6IjQzLjE0MS41IiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6WyJkZXBlbmRlbmNpZXMiXX0=-->
---------
Co-authored-by: silverwind <me@silverwind.io >
Co-authored-by: Claude (Opus 4.7) <noreply@anthropic.com >
2026-05-12 01:34:49 +02:00