sbp opened a new issue, #1145: URL: https://github.com/apache/tooling-trusted-releases/issues/1145
@andrewmusselman recently [added Mermaid support to ATR](a9ef14a6ce1cfbed91d0649c6aeff252de042f0d) to fix #891. He set the version to `"mermaid": "11.4.1"`, which is quite out of date, and we got some Dependabot PRs (#1140, #1141) relating to this. Dependabot wanted us to update to [11.14.0](https://www.npmjs.com/package/mermaid/v/11.14.0), but that's within the 14 day cooldown window.

[Our documentation states](https://release-test.apache.org/docs/code-conventions#javascript):

> Disable lifecycle scripts, separate the process into pinning and building from pinned versions, ensure that versions are properly pinned (e.g. using `save-exact` and `save-prefix` in npm), run audits automatically after installation, and set a package cooldown of 14 days. Manually update in case of a CVE within the 14 day cooldown period. If possible, run the whole process in an OCI container with a non-root build user in the container.

So the remediation here is to update manually, which I attempted.

We also have a problem with the build container, however, tracked as #1138, for which @andrewmusselman suggested PR #1143, adding the `edge/main` repository to a stable version of Alpine. I think we should just move the whole container to edge instead, until `dart-scss` becomes available in stable.

Once that was resolved, I found that even manually updating Mermaid to 11.14.0 did not resolve the issue. The issues are [CVE-2026-4800](https://github.com/advisories/GHSA-r5fr-rjxr-66jc) and [CVE-2026-2950](https://github.com/advisories/GHSA-f23m-r3pf-42rh) in `lodash-es`, a dependency of Mermaid. A patched version of `lodash-es` is available ([4.18.1](https://www.npmjs.com/package/lodash-es/v/4.18.1)), but Mermaid and its dependencies have not yet switched over to it. Instead, there is https://github.com/mermaid-js/mermaid/pull/7587, which was merged _as I was writing this issue description_.

Therefore it seems that a new version of Mermaid will be available shortly without the CVEs in the dependency chain. Since Mermaid functionality is low priority for us, I propose that we give this at least 5 days, and preferably 7, to cool down and then manually update the build process as directed by our documentation quoted above.

-- This is an automated message from the Apache Git Service.
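As an added example, not part of the issue above and not ATR's own tooling, the following Python script checks the two mechanical parts of the convention quoted from the ATR documentation: that `package.json` carries exact pins (what `save-exact` and an empty `save-prefix` produce), and that an update candidate has sat in the registry for the 14-day cooldown, with the documented manual override for a CVE inside the window. The `package.json` contents and the registry-style `time` map (version to publish timestamp, the shape `npm view <pkg> time --json` returns) are constructed for illustration; the versions and dates are invented and are not the real publish history of `mermaid` or `lodash-es`.

```python
"""Checks for the pin-and-cooldown convention quoted from the ATR docs.

Added example, not ATR's own tooling. The manifest and the registry-style
"time" map below are constructed for illustration; the publish dates are
not the real ones for mermaid or lodash-es.
"""
import json
import re
from datetime import datetime, timedelta, timezone
from typing import Optional

COOLDOWN = timedelta(days=14)

# A spec is "properly pinned" only if it is a bare semver version. Anything
# with ^, ~, >=, a tag such as "latest", or a wildcard is a range and means
# save-exact / save-prefix were not in effect when it was added.
EXACT_VERSION = re.compile(r"^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$")
RELEASE_VERSION = re.compile(r"^\d+\.\d+\.\d+$")  # stable releases only

# Constructed package.json: one dependency correctly pinned, one not.
SAMPLE_PACKAGE_JSON = json.dumps({
    "dependencies": {"mermaid": "11.4.1", "lodash-es": "^4.17.21"},
    "devDependencies": {"sass": "1.89.2"},
})

# Constructed registry "time" metadata (version -> publish timestamp).
# "created"/"modified" are present in real registry output and must be skipped.
SAMPLE_TIMES = {
    "created": "2025-11-01T00:00:00.000Z",
    "modified": "2026-03-15T12:00:00.000Z",
    "11.4.1": "2025-12-01T00:00:00.000Z",
    "11.13.0": "2026-03-01T00:00:00.000Z",
    "11.14.0-rc.1": "2026-03-10T00:00:00.000Z",
    "11.14.0": "2026-03-15T12:00:00.000Z",
}
NOW = datetime(2026, 3, 20, tzinfo=timezone.utc)  # fixed clock for the example


def unpinned_dependencies(package_json: str) -> dict:
    """Return {name: spec} for every dependency that is a range, not an exact pin."""
    manifest = json.loads(package_json)
    bad = {}
    for section in ("dependencies", "devDependencies"):
        for name, spec in manifest.get(section, {}).items():
            if not EXACT_VERSION.match(spec):
                bad[name] = spec
    return bad


def _version_key(version: str):
    return tuple(int(part) for part in version.split("."))


def newest_cooled_version(times: dict, now: datetime,
                          cve_override: bool = False) -> Optional[str]:
    """Newest stable release published at least COOLDOWN before `now`.

    Prereleases and the registry's "created"/"modified" keys are skipped.
    cve_override waives the cooldown: the documented manual path when a CVE
    lands inside the 14-day window.
    """
    candidates = []
    for version, published in times.items():
        if not RELEASE_VERSION.match(version):
            continue
        age = now - datetime.fromisoformat(published.replace("Z", "+00:00"))
        if cve_override or age >= COOLDOWN:
            candidates.append(version)
    return max(candidates, key=_version_key) if candidates else None


def before_date(now: datetime) -> str:
    """Cut-off to pass as `npm install --before=<date>`, so npm itself only
    resolves versions that were already published when the cooldown started."""
    return (now - COOLDOWN).strftime("%Y-%m-%dT%H:%M:%SZ")


if __name__ == "__main__":
    print("unpinned:", unpinned_dependencies(SAMPLE_PACKAGE_JSON))
    print("cooled update:", newest_cooled_version(SAMPLE_TIMES, NOW))
    print("CVE override:", newest_cooled_version(SAMPLE_TIMES, NOW, cve_override=True))
    print("npm --before:", before_date(NOW))
```

With the constructed data, `11.14.0` is under five days old and is rejected, `11.13.0` is the newest cooled release, and `cve_override=True` returns `11.14.0`. The corresponding npm settings are the existing config keys `save-exact=true`, `save-prefix=""` (pinning), `ignore-scripts=true` (no lifecycle scripts) and `audit=true` (audit on install); `--before` is npm's own way of bounding resolution by publish date, which `before_date()` computes from the cooldown.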
