Lunny Xiao
ebde80bef4
Merge branch 'main' into lunny/project_workflow
2026-05-22 12:48:12 -07:00
silverwind
7c12446c1f
test(e2e): add comment, release, star, PR and fork tests (#37800)
Adds Playwright e2e coverage for five high-value workflows, each driven
through semantic locators with API-based setup:
- comment on and close an issue
- publish a release
- star and watch a repository
- create a pull request from the compare page
- fork a repository
Also passes `autoInit: false` in existing tests that only exercise
DB-backed units (issues, reactions, milestones, projects, events),
skipping an unused initial commit to speed up their setup and reduce
parallel git contention.
---
This PR was written with the help of Claude Opus 4.7
---------
Co-authored-by: Claude (Opus 4.7) <noreply@anthropic.com>
Co-authored-by: Nicolas <bircni@icloud.com>
2026-05-22 18:52:04 +00:00
silverwind
2e96e8227f
style: misc UI fixes (#37691)
- Action view sidebar: rename `job-brief-item` to
`action-view-sidebar-item`, fix trash icon overflow on long artifact
names, align artifact and workflow hover styles with the jobs list
- Branches: expand new PR button cell to three wide so the button is not
clipped on narrow viewports
- Dashboard feed: add `tw-max-w-full` so long issue titles truncate
- Reactions: tighten label padding
<img width="261" height="65" alt="Screenshot 2026-05-13 at 16 18 33" src="https://github.com/user-attachments/assets/ecfe8f37-4a65-4839-b8c0-defccc85482c" />
<img width="154" height="126" alt="Screenshot 2026-05-13 at 16 19 25" src="https://github.com/user-attachments/assets/41302134-d1b7-401a-be2d-79173adb6d17" />
<img width="405" height="378" alt="Screenshot 2026-05-13 at 16 47 18" src="https://github.com/user-attachments/assets/e2c5cdd4-f11d-498c-b17e-c74c80c0ddf7" />
<img width="206" height="149" alt="Screenshot 2026-05-13 at 16 55 53" src="https://github.com/user-attachments/assets/7787125d-04b1-4500-b9b8-2637845509d6" />
<img width="858" height="135" alt="Screenshot 2026-05-13 at 16 58 41" src="https://github.com/user-attachments/assets/cb5bdf56-3891-469d-aa77-ea38855958c1" />
<img width="434" height="128" alt="Screenshot 2026-05-13 at 17 00 43" src="https://github.com/user-attachments/assets/60f2c34d-b345-4813-8f6d-a95bf51021b4" />
---
This PR was written with the help of Claude Opus 4.7
---------
Signed-off-by: silverwind <me@silverwind.io>
Co-authored-by: Claude (Opus 4.7) <noreply@anthropic.com>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2026-05-21 07:02:05 +00:00
Elisei Roca
9c8d55daf8
fix(pull): handle empty pull request files view to allow reviews (#37783)
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2026-05-20 02:06:29 +08:00
Lunny Xiao
171df0c9ff
fix(permissions): Fix reading permission (#37769)
2026-05-19 09:23:32 +00:00
Lunny Xiao
f2a1271f16
fix: Unify public-only token filtering in API queries and repo access checks (#37118)
This PR closes remaining `public-only` token gaps in the API by making
the restriction apply consistently across repository, organization,
activity, notification, and authenticated `/api/v1/user/...` routes.
Previously, `public-only` tokens were still able to:
- receive private results from some list/search/self endpoints,
- access repository data through ID-based lookups,
- and reach several authenticated self routes that should remain
unavailable for public-only access.
This change treats `public-only` as a cross-cutting visibility boundary:
- list/search endpoints now filter private resources consistently,
- repository lookups enforce the same restriction even when addressed
indirectly,
- and self routes that inherently expose or mutate private account state
now reject `public-only` tokens.
---
Generated by a coding agent with Codex 5.2
---------
Co-authored-by: silverwind <me@silverwind.io>
Co-authored-by: Claude (Opus 4.7) <noreply@anthropic.com>
2026-05-18 11:36:42 -07:00
wxiaoguang
c37b5241d7
chore: fix tests (#37760)
Signed-off-by: wxiaoguang <wxiaoguang@gmail.com>
2026-05-18 15:47:24 +00:00
Copilot
912afcaa51
refactor(waitgroup): replace Add/Done goroutines with WaitGroup.Go (#37764)
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: wxiaoguang <2114189+wxiaoguang@users.noreply.github.com>
2026-05-18 23:22:32 +08:00
Lunny Xiao
c3d9d07702
fix: Add missed token scope checking (#37735)
Follow #37698
2026-05-18 04:52:08 +00:00
Lunny Xiao
9f21e6b20c
Merge branch 'main' into lunny/project_workflow
2026-05-17 16:40:53 -07:00
Nicolas
9648716f63
fix: Allow direct commits for unprotected files with push restrictions (#37657)
Fixes an issue where users could not commit changes on a file which is
unprotected.
Fixes: #37655
Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
Co-authored-by: Giteabot <teabot@gitea.io>
2026-05-18 00:49:38 +02:00
Copilot
94e3482d1a
chore(db): introduce db.Session and db.EngineMigration interfaces (#37746)
Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: wxiaoguang <2114189+wxiaoguang@users.noreply.github.com>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2026-05-18 03:56:39 +08:00
Lunny Xiao
23f8daa204
Merge branch 'main' into lunny/project_workflow
2026-05-17 11:16:50 -07:00
Lunny Xiao
b6a219fde8
fix tests
2026-05-17 11:13:30 -07:00
Kalash Thakare ☯︎
e7af84df72
feat: execute post run cleanup when workflow is cancelled (#37275)
## Fixes #36983
## Summary
1. Add transitional `Cancelling` status (between `Running` and
`Cancelled`); cancel flow marks active tasks `Cancelling`, runner
finalizes to `Cancelled` on terminal result.
2. Taskless jobs cancel directly (no runner to finalize).
3. Runner-protocol responses map `Cancelling` → `RESULT_CANCELLED`.
4. Run/job aggregation treats `Cancelling` as active.
5. Status mapping/aggregation tests + en-US locale added.
**Problem**
When a workflow was cancelled from the UI, jobs were marked cancelled
immediately, which could skip post-run cleanup behavior.
## Solution
Use a transitional status path:
Running → Cancelling → Cancelled
This allows runner finalization and cleanup path execution before final
terminal state.
**Testing**
> 1. `go test -tags "sqlite sqlite_unlock_notify" ./models/actions -run "TestAggregateJobStatus|TestStatusAsResult|TestStatusFromResult"`
> 2. `go run github.com/golangci/golangci-lint/v2/cmd/golangci-lint@v2.11.4 run ./models/actions/... ./routers/api/actions/runner/...`
## Related
- act_runner: https://gitea.com/gitea/act_runner/pulls/825 —
independent; this PR's capability gate keeps legacy runners on the
immediate-cancel path. The new flow activates only for runners that
advertise the `cancelling` capability.
Co-authored-by: Nicolas <bircni@icloud.com>
Co-authored-by: silverwind <me@silverwind.io>
Co-authored-by: Claude (Opus 4.7) <noreply@anthropic.com>
Co-authored-by: Zettat123 <zettat123@gmail.com>
Co-authored-by: Giteabot <teabot@gitea.io>
2026-05-17 08:41:39 +02:00
Zettat123
ae9b34897f
fix(actions): wrong assumption that run id always >= job id (#37737)
Fix #37734
Follow up #37008
The `jobNum >= runNum` check is useless. Removed it to support `job_id <
run_id`
2026-05-17 00:02:21 -06:00
Lunny Xiao
d2db150558
update
2026-05-16 19:47:10 -07:00
Lunny Xiao
cc11cdaf4e
update
2026-05-16 18:36:45 -07:00
Lunny Xiao
2708a49d3d
Merge branch 'main' into lunny/project_workflow
2026-05-16 14:35:07 -07:00
Lunny Xiao
71cb6e0f19
update
2026-05-16 13:43:45 -07:00
Lunny Xiao
33923a4d7c
fix(web): enforce token scopes on raw, media, and attachment downloads (#37698)
This PR tightens token-scope enforcement for non-API download endpoints
in the web layer.
What it changes:
- require `read:repository` for repository content downloads served from
web routes such as:
- `/raw/...`
- `/media/...`
- enforce attachment-specific scopes in `ServeAttachment`:
- issue / pull request attachments require `read:issue`
- release attachments require `read:repository`
- centralize token-scope checks for web handlers with a shared context
helper
- add matrix-style integration coverage for:
- public and private repository content downloads
- `blob`, `branch`, `tag`, and `commit` download routes
- global and repo-scoped attachment routes
- `public-only` token behavior on public vs private resources
Why:
API tokens and OAuth access tokens can be used on some non-API web
endpoints. Before this change, those endpoints relied on repository
visibility and unit permissions, but did not consistently enforce the
token’s declared scope. That allowed scoped tokens to access resources
beyond their intended category through web download routes.
---------
Co-authored-by: silverwind <me@silverwind.io>
Co-authored-by: Claude (Opus 4.7) <noreply@anthropic.com>
Co-authored-by: Nicolas <bircni@icloud.com>
2026-05-16 14:50:41 +00:00
Nicolas
eb93981d45
feat: Add bypass allowlist for branch protection (#36514)
- Introduce a “Bypass Protection Allowlist” on branch rules
(users/teams) alongside admins, with BlockAdminMergeOverride
still respected.
- Surface the allowlist in API (create/edit options, structs) and
settings UI; merge box now shows the red button +
message for bypass-capable users.
- Apply bypass logic to merge checks and pre-receive so allowlisted
users can override unmet approvals/status checks/
protected files when force-merging.
- Add migration for new columns, locale strings, and unit tests (bypass
helper; queue test tweak).
<img width="1069" height="218" alt="image" src="https://github.com/user-attachments/assets/0b61bc2a-a27f-47f3-a923-613688008e65" />
Fixes #36476
---------
Co-authored-by: silverwind <me@silverwind.io>
Co-authored-by: Giteabot <teabot@gitea.io>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
Co-authored-by: Codex GPT-5.3 <codex@openai.com>
Co-authored-by: GPT-5.2 <noreply@openai.com>
Co-authored-by: Cursor <cursoragent@cursor.com>
Co-authored-by: Claude (Opus 4.7) <noreply@anthropic.com>
2026-05-16 14:23:42 +00:00
Nicolas
34fd3c9f06
feat: Add default PR branch update style setting (#37410)
Adds repository-level settings for pull request branch updates so admins
can choose the default update method and disable merge or rebase
updates.
<img width="1025" height="158" src="https://github.com/user-attachments/assets/d030973b-0ddd-4035-b04f-145c445084d7" />
---------
Co-authored-by: OpenAI Codex (GPT-5) <codex@openai.com>
Co-authored-by: silverwind <me@silverwind.io>
Co-authored-by: Claude (Opus 4.7) <noreply@anthropic.com>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2026-05-16 10:06:40 +00:00
Lunny Xiao
d56741a238
Merge branch 'main' into lunny/project_workflow
2026-05-16 00:04:36 -07:00
Lunny Xiao
baf88f7e8c
refactor project workflow frontend and add some tests
2026-05-16 00:04:13 -07:00
Lunny Xiao
7e54514316
fix(oauth): bind token exchanges to the original client request (#37704)
2026-05-16 07:03:23 +02:00
Lunny Xiao
35c81e3166
fix
2026-05-15 21:20:18 -07:00
Lunny Xiao
b2f1106365
Merge branch 'main' into lunny/project_workflow
2026-05-15 15:10:01 -07:00
Lunny Xiao
59fe0ef4d9
fix
2026-05-15 15:09:49 -07:00
pandareen
ef801bb661
fix(auth): set User-Agent on avatar fetch and sync avatar on link-account register (#37564) (#37588)
## Summary
Fixes [go-gitea/gitea#37564](https://github.com/go-gitea/gitea/issues/37564):
when an OIDC provider returns a `picture` claim, Gitea is supposed to
download that image as the user's avatar (if `[oauth2_client]
UPDATE_AVATAR = true`). Two latent bugs prevented this from working
consistently:
1. **Default Go User-Agent rejected by some image hosts.**
`oauth2UpdateAvatarIfNeed` used `http.Get`, which sends `User-Agent:
Go-http-client/1.1`. Hosts like `upload.wikimedia.org` reject that UA
with `403`, and every error path silently returned, so the user was left
with an identicon and **no log line** to diagnose the issue.
2. **Link-account *register* path skipped avatar sync.** First-time OIDC
sign-ins where auto-registration is disabled (or required a
username/password retype) go through `LinkAccountPostRegister`, which
created the user but never called `oauth2SignInSync`. So the avatar /
full name / SSH keys from the IdP were dropped on the floor for those
users, even though the existing-account-link path (`oauth2LinkAccount`)
and the auto-register path (`handleOAuth2SignIn`) both already did the
sync.
## Changes
- `routers/web/auth/oauth.go` — `oauth2UpdateAvatarIfNeed` now uses
`http.NewRequest` + `http.DefaultClient.Do`, sets `User-Agent: Gitea
<version>`, and logs every failure path at `Warn` (invalid URL, fetch
error, non-200, body read error, oversize body, upload error). No silent
failures.
- `routers/web/auth/linkaccount.go` — `LinkAccountPostRegister` now
calls `oauth2SignInSync` after a successful user creation, mirroring the
auto-register and link-existing-account flows.
- `tests/integration/oauth_avatar_test.go` — new
`TestOAuth2AvatarFromPicture` integration test with five sub-cases:
- `AutoRegister_FetchesAvatarFromPictureWithGiteaUA` — happy path,
asserts `use_custom_avatar=true`, an avatar hash is set, exactly one
HTTP request was made, and the request carried a `Gitea ` UA. The mock
server enforces the UA prefix to mirror real-world hosts that reject
Go's default UA.
- `AutoRegister_NonOK_DoesNotUpdateAvatar` — server returns 403; user's
avatar must remain unset.
- `AutoRegister_EmptyPicture_NoFetch` — empty `picture` claim must not
trigger any HTTP request.
- `AutoRegister_UpdateAvatarFalse_NoFetch` — `UPDATE_AVATAR=false` must
not trigger any HTTP request.
- `LinkAccountRegister_FetchesAvatarFromPicture` — guards the
`linkaccount.go` fix; without the new `oauth2SignInSync` call this
assertion fails.
## Related
- Upstream issue: go-gitea/gitea#37564
--------------------------------------------
AI Editor was used in this PR
---------
Signed-off-by: silverwind <me@silverwind.io>
Co-authored-by: silverwind <me@silverwind.io>
Co-authored-by: Claude (Opus 4.7) <noreply@anthropic.com>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
Co-authored-by: Nicolas <bircni@icloud.com>
2026-05-15 11:22:36 -07:00
wxiaoguang
59db4154eb
chore: clean up tests (#37715)
1. use MockVariableValue as much as possible
2. use wg.Go as much as possible instead of Add/Done
3. simplify global lock's DefaultLocker logic to make it easier to test
4. introduce a general approach for getting external service config in
CI
5. remove unclear & unnecessary "t.Skip"
6. use modern generic syntax for remaining "DecodeJSON" calls
7. clarify test result for "list gitignore templates" and "list
licenses"
2026-05-15 16:26:36 +02:00
Lunny Xiao
f9b7b65371
fix(security): enforce wiki git writes and LFS token access at request time (#37695)
This PR fixes two permission-checking gaps in Git and LFS request
handling.
## What it changes
- keep wiki Git HTTP pushes on the normal write-permission path, even
when proc-receive support is enabled
- revalidate LFS bearer token requests against the current user state
and current repository permissions before allowing access
- add regression coverage for unauthorized wiki HTTP pushes
- add LFS tests for blocked users, revoked repository access, read-only
upload attempts, and valid write access
## Why
- wiki repositories should not inherit the relaxed refs/for handling
used for normal code repositories
- LFS authorization tokens should not remain usable after a user is
disabled or loses repository access
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2026-05-15 08:12:59 +00:00
agyss
5b3575a8be
fix(repo): /generate must sync the branch table for the new repo (#37693)
Two bugs in GenerateGitContent, the function behind
`POST /api/v1/repos/{owner}/{template}/generate`:
1. The new repository's refs were not written to the `branch` DB table
2. The function re-fetched the new repo row from the database
but reassigned its local pointer
---------
Signed-off-by: wxiaoguang <wxiaoguang@gmail.com>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2026-05-15 07:24:40 +00:00
Lunny Xiao
cc25afa752
Merge branch 'main' into lunny/project_workflow
2026-05-14 22:20:49 -07:00
Matt Schoen
a564f0587a
feat(api): add sort and order query parameters to job list endpoints (#37672)
Adds `sort` and `order` query parameters to all action job list API
endpoints (`/admin/actions/jobs`, `/repos/{owner}/{repo}/actions/jobs`,
`/repos/{owner}/{repo}/actions/runs/{run}/jobs`, `/user/actions/jobs`),
following the existing `OrderByMap` pattern used by repo/user search
endpoints.
- Default is `id` / `asc` (backwards compatible — matches previous DB
natural order)
- Only `id` sort field for now; the map is extensible for future fields
- Returns 422 for invalid sort/order values
- `ToOrders()` returns empty string when `OrderBy` is unset, so internal
callers (webhook dispatch, concurrency checks) are unaffected
Closes: #37666
Supersedes: #37667
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Co-authored-by: silverwind <me@silverwind.io>
2026-05-13 13:11:02 +00:00
silverwind
79f7062d9e
fix(actions): run TransferLogs on UpdateLog{Rows:[], NoMore:true} (#37631)
`UpdateLog` short-circuits on `len(Rows)==0` before honoring `NoMore`,
so a final empty `UpdateLog{NoMore:true}` never runs `TransferLogs`. The
task's `dbfs_data` rows are then never moved to log storage and never
deleted.
Fix: let `NoMore=true` with no new rows fall through to `TransferLogs`.
Bail when the runner has outrun the server (`Index > ack`) even with
`NoMore`, since archiving a log with a gap is worse than retrying.
Always call `WriteLogs` so `offset==0` bootstraps an empty DBFS file in
the no-output case (otherwise `TransferLogs` would fail at `dbfs.Open`).
Fixes: https://github.com/go-gitea/gitea/issues/37623
Ref: https://gitea.com/gitea/runner/pulls/952
Ref: https://gitea.com/gitea/runner/pulls/950
Co-authored-by: Claude (Opus 4.7) <noreply@anthropic.com>
2026-05-13 05:18:07 +00:00
Giteabot
6a27066269
fix(deps): update dependency mermaid to v11.15.0 [security], add e2e test (#37662)
This PR contains the following updates:
| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [mermaid](https://redirect.github.com/mermaid-js/mermaid) | [`11.14.0` → `11.15.0`](https://renovatebot.com/diffs/npm/mermaid/11.14.0/11.15.0) | | |
---
### Mermaid: Improper sanitization of `classDefs` in diagrams leads to CSS injection
[CVE-2026-41148](https://nvd.nist.gov/vuln/detail/CVE-2026-41148) /
[GHSA-xcj9-5m2h-648r](https://redirect.github.com/advisories/GHSA-xcj9-5m2h-648r)
<details>
<summary>More information</summary>
#### Details
##### Details
The state diagram and any other diagram type that routes user-controlled
style strings through createCssStyles parser for Mermaid v11.14.0 and
earlier captures `classDef` values with an unrestricted regex:
```jison
// packages/mermaid/src/diagrams/state/parser/stateDiagram.jison:83
<CLASSDEFID>[^\n]* { this.popState(); return 'CLASSDEF_STYLEOPTS' }
```
The value passes unsanitized through `addStyleClass()` ->
`createCssStyles()` -> `style.innerHTML` (mermaidAPI.ts:418). A `}` in
the value closes the generated CSS selector, and everything after
becomes a new CSS rule on the page.
##### PoC
```
stateDiagram-v2
classDef x }*{ background-image: url("http://media.giphy.com/media/SggILpMXO7Xt6/giphy.gif")}
```
Live demo:
<https://mermaid.live/edit#pako:eNpFjzFvgzAQhf-KdVNbEcBgMHhtlkqtOnSJKi8ONsYKBmRMlRTx3-skanvTfbp7996t0IxSAYPZC6_2Rmgn7O4rQ00v5nmvWnRG29OKjqI5aTcug9wZK7RiaHH9A4fO-4kliVXSiFibqbvEzWjvnHxo_fI6vR3e6cGXyX2qTcvhcYMItDMSmHeLisAqZ8UVYeUDQhx8p6ziwEIrhTtx4MNVM4nhcxztrywE0h2wVvRzoGWS_z_8rahBKvcckntgmN5OAFvhDIzUNCZZQXCR5nVaZkUEF2BVFpOcEkoxxhUuyRbB980yjStapKHqoKFlhvPtB7BFZEU>
##### Patches
This has been patched in:
- [v11.15.0](https://redirect.github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0) (see `e9b0f34d8d82a6260077764ee45e1d7d90957a0f`)
- [v10.9.6](https://redirect.github.com/mermaid-js/mermaid/releases/tag/v10.9.6) (see `8fead23c59166b7bab6a39eac81acebee2859102`)
##### Workarounds
Setting [`"securityLevel": "sandbox"`](https://mermaid.js.org/config/schema-docs/config.html#securitylevel) will prevent this, by rendering the mermaid diagram in a sandboxed `<iframe>`.
##### Impact
Enables page defacement, user tracking via `url()` callbacks, and DOM
attribute exfiltration via CSS `:has()` selectors.
#### Severity
- CVSS Score: 5.3 / 10 (Medium)
- Vector String:
`CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L`
#### References
- [https://github.com/mermaid-js/mermaid/security/advisories/GHSA-xcj9-5m2h-648r](https://redirect.github.com/mermaid-js/mermaid/security/advisories/GHSA-xcj9-5m2h-648r)
- commit `8fead23c59`
- commit `e9b0f34d8d`
- [https://github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0](https://redirect.github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0)
- [https://github.com/mermaid-js/mermaid/releases/tag/v10.9.6](https://redirect.github.com/mermaid-js/mermaid/releases/tag/v10.9.6)
- [https://mermaid.js.org/config/schema-docs/config.html#securitylevel](https://mermaid.js.org/config/schema-docs/config.html#securitylevel)
- [https://github.com/advisories/GHSA-xcj9-5m2h-648r](https://redirect.github.com/advisories/GHSA-xcj9-5m2h-648r)
This data is provided by the [GitHub Advisory Database](https://redirect.github.com/advisories/GHSA-xcj9-5m2h-648r) ([CC-BY 4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)).
</details>
---
### Mermaid: Improper sanitization of `classDef` in state diagrams leads to HTML injection
[CVE-2026-41149](https://nvd.nist.gov/vuln/detail/CVE-2026-41149) /
[GHSA-ghcm-xqfw-q4vr](https://redirect.github.com/advisories/GHSA-ghcm-xqfw-q4vr)
<details>
<summary>More information</summary>
#### Details
##### Impact
Under the default configuration, Mermaid state diagram's `classDef`
allow DOM injection that escapes the SVG, although `<script>` tags are
removed, preventing XSS.
##### Proof-of-concept
```
stateDiagram-v2
classDef xss fill:red</style></svg><style>*{x:x;y:y;overflow:visible!important;contain:none!important;transform:none!important;filter:none!important;clip-path:none!important}</style><div style="x:x;y:y;color:red;font:5em/1 monospace;display:grid;place-items:center;z-index:2147483647;width:100vw;height:100vh;position:fixed;top:0;left:0;background:black">HACKED</div><svg><style>a:b
[*] --> A:::xss
```
##### Patches
- [v11.15.0](https://redirect.github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0) (see `37ff937f1da2e19f882fd1db01235db4d01f4056`)
- [v10.9.6](https://redirect.github.com/mermaid-js/mermaid/releases/tag/v10.9.6) (see `4e2d512bf5bf6f9de1a8f0a48da78dc4d09ac4f3`)
##### Workarounds
If you cannot update to a patched version, setting [`"securityLevel": "sandbox"`](https://mermaid.js.org/config/schema-docs/config.html#securitylevel) will prevent this, by rendering the mermaid diagram in a sandboxed `<iframe>`.
##### Credits
Thanks to @zsxsoft from @KeenSecurityLab for reporting
this vulnerability.
#### Severity
- CVSS Score: 5.3 / 10 (Medium)
- Vector String:
`CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L`
#### References
- [https://github.com/mermaid-js/mermaid/security/advisories/GHSA-ghcm-xqfw-q4vr](https://redirect.github.com/mermaid-js/mermaid/security/advisories/GHSA-ghcm-xqfw-q4vr)
- commit `37ff937f1d`
- commit `4e2d512bf5`
- [https://github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0](https://redirect.github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0)
- [https://github.com/mermaid-js/mermaid/releases/tag/v10.9.6](https://redirect.github.com/mermaid-js/mermaid/releases/tag/v10.9.6)
- [https://mermaid.js.org/config/schema-docs/config.html#securitylevel](https://mermaid.js.org/config/schema-docs/config.html#securitylevel)
- [https://github.com/advisories/GHSA-ghcm-xqfw-q4vr](https://redirect.github.com/advisories/GHSA-ghcm-xqfw-q4vr)
This data is provided by the [GitHub Advisory Database](https://redirect.github.com/advisories/GHSA-ghcm-xqfw-q4vr) ([CC-BY 4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)).
</details>
---
### Mermaid: Improper sanitization of configuration leads to CSS injection
[CVE-2026-41159](https://nvd.nist.gov/vuln/detail/CVE-2026-41159) /
[GHSA-87f9-hvmw-gh4p](https://redirect.github.com/advisories/GHSA-87f9-hvmw-gh4p)
<details>
<summary>More information</summary>
#### Details
##### Impact
Mermaid's default configuration allows injecting CSS that applies
outside of the Mermaid diagram via the `fontFamily`, `themeCSS`, and
`altFontFamily` configuration options.
Live demo:
[mermaid.live](https://mermaid.live/edit#pako:eNpNjktLxDAUhf9KvFBR6JS-60QQfODKlUvJ5k6TtsEmKTHFGUP-u-mI6Nmdy3fOPR56wwVQSBIvtXSUeAaD0e4ZlZxPDChhcLxFfwiEauOuLq_9Afv30ZpVczpaITS5kGox1qF2gfSeBwYhJAnThAyz-ewntI68vG5-0z3Z7e7IA9OQwmglB-rsKlJQwircLPgNZeAmocTPAi4GXGfHgOkQYwvqN2PUbzJuGSegA84f0a0LRyeeJI4W_xChubCPcbQD2pwbgHo4Aq2aKmvbqq3zoiu7pizqFE6RybN9VFfFY1HWXRVS-Dr_zLObrt7_V_gGGXZlGg)
Example code:
```
%%{init: {"fontFamily": "x;a{b} :not(&){background:green !important} c{d}"}}%%
flowchart LR
A --> B
```
The injected CSS exploits stylis's `&` (scope reference) handling.
`:not(&)` escapes the `#mermaid-xxx` automatic scoping, applying styles
to all page elements. Global at-rules (`@font-face`, `@keyframes`,
`@counter-style`) are also injectable as stylis hoists them to top
level.
This allows page defacement and DOM attribute exfiltration via CSS
`:has()` selectors.
##### Patches
- [v11.15.0](https://redirect.github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0) (see `64769738d5b59211e1decb471ffbaca8afec51aa`)
- [v10.9.6](https://redirect.github.com/mermaid-js/mermaid/releases/tag/v10.9.6) (see `a9d9f0d8eb790349121508688cd338253fd80d76`)
##### Workarounds
If you can't upgrade mermaid, you can set the [`secure`](https://mermaid.js.org/config/schema-docs/config.html#secure) config value in the mermaid config to avoid allowing diagrams to modify `fontFamily`, `themeCSS`, `altFontFamily`, and `themeVariables`.
Setting [`"securityLevel": "sandbox"`](https://mermaid.js.org/config/schema-docs/config.html#securitylevel) will also prevent this.
##### Credits
Reported by @zsxsoft on behalf of @KeenSecurityLab
#### Severity
- CVSS Score: 5.3 / 10 (Medium)
- Vector String:
`CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L`
#### References
- [https://github.com/mermaid-js/mermaid/security/advisories/GHSA-87f9-hvmw-gh4p](https://redirect.github.com/mermaid-js/mermaid/security/advisories/GHSA-87f9-hvmw-gh4p)
- commit `64769738d5`
- commit `a9d9f0d8eb`
- [https://github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0](https://redirect.github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0)
- [https://github.com/mermaid-js/mermaid/releases/tag/v10.9.6](https://redirect.github.com/mermaid-js/mermaid/releases/tag/v10.9.6)
- [https://github.com/advisories/GHSA-87f9-hvmw-gh4p](https://redirect.github.com/advisories/GHSA-87f9-hvmw-gh4p)
This data is provided by the [GitHub Advisory Database](https://redirect.github.com/advisories/GHSA-87f9-hvmw-gh4p) ([CC-BY 4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)).
</details>
---
### Mermaid Gantt Charts are vulnerable to an Infinite Loop DoS
[CVE-2026-41150](https://nvd.nist.gov/vuln/detail/CVE-2026-41150) /
[GHSA-6m6c-36f7-fhxh](https://redirect.github.com/advisories/GHSA-6m6c-36f7-fhxh)
<details>
<summary>More information</summary>
#### Details
##### Impact
Mermaid v11.14.0 and earlier are vulnerable to a denial-of-service attack when rendering gantt charts, if they use the [`excludes` attribute](https://mermaid.js.org/syntax/gantt.html?#excludes) to exclude all dates.
Example:
```
gantt
excludes monday,tuesday,wednesday,thursday,friday,saturday,sunday
DoS :2025-01-01, 1d
```
`mermaid.parse` is unaffected, unless you then call the
`ganttDb.getTasks()` (which is called when rendering a diagram).
##### Patches
This has been patched in:
- [v11.15.0](https://redirect.github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0) (see `faafb5d49106dd32c367f3882505f2dd625aa30e`)
- [v10.9.6](https://redirect.github.com/mermaid-js/mermaid/releases/tag/v10.9.6) (see `a59ea56174712ee5430dfd5bc877cb5151f501a6`)
##### Workarounds
There are no workarounds available without updating to a newer version
of mermaid.
#### Severity
- CVSS Score: 5.3 / 10 (Medium)
- Vector String:
`CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L`
#### References
- [https://github.com/mermaid-js/mermaid/security/advisories/GHSA-6m6c-36f7-fhxh](https://redirect.github.com/mermaid-js/mermaid/security/advisories/GHSA-6m6c-36f7-fhxh)
- commit `a59ea56174`
- commit `faafb5d491`
- [https://github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0](https://redirect.github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0)
- [https://github.com/mermaid-js/mermaid/releases/tag/v10.9.6](https://redirect.github.com/mermaid-js/mermaid/releases/tag/v10.9.6)
- [https://github.com/advisories/GHSA-6m6c-36f7-fhxh](https://redirect.github.com/advisories/GHSA-6m6c-36f7-fhxh)
This data is provided by the [GitHub Advisory Database](https://redirect.github.com/advisories/GHSA-6m6c-36f7-fhxh) ([CC-BY 4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md)).
</details>
---
### Mermaid Gantt Charts are vulnerable to an Infinite Loop DoS
[CVE-2026-41150](https://nvd.nist.gov/vuln/detail/CVE-2026-41150 ) /
[GHSA-6m6c-36f7-fhxh](https://redirect.github.com/advisories/GHSA-6m6c-36f7-fhxh )
<details>
<summary>More information</summary>
#### Details
##### Impact
Mermaid v11.14.0 and earlier are vulnerable to a denial-of-service
attack when rendering gantt charts, if they use the [`excludes`
attribute](https://mermaid.js.org/syntax/gantt.html?#excludes ) to
exclude all dates.
Example:
```
gantt
excludes monday,tuesday,wednesday,thursday,friday,saturday,sunday
DoS :2025-01-01, 1d
```
`mermaid.parse` is unaffected, unless you then call the
`ganttDb.getTasks()` (which is called when rendering a diagram).
##### Patches
This has been patched in:
-
[v11.15.0](https://redirect.github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0 )
(see
[faafb5d49106dd32c367f3882505f2dd625aa30e](faafb5d491 ))
-
[v10.9.6](https://redirect.github.com/mermaid-js/mermaid/releases/tag/v10.9.6 )
(see
[a59ea56174712ee5430dfd5bc877cb5151f501a6](a59ea56174 ))
##### Workarounds
There are no workarounds available without updating to a newer version
of mermaid.
#### Severity
- CVSS Score: 5.3 / 10 (Medium)
- Vector String:
`CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L`
#### References
-
[https://github.com/mermaid-js/mermaid/security/advisories/GHSA-6m6c-36f7-fhxh ](https://redirect.github.com/mermaid-js/mermaid/security/advisories/GHSA-6m6c-36f7-fhxh )
-
[a59ea56174 )
-
[faafb5d491 )
-
[https://github.com/mermaid-js/mermaid ](https://redirect.github.com/mermaid-js/mermaid )
-
[https://github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0 ](https://redirect.github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0 )
-
[https://github.com/mermaid-js/mermaid/releases/tag/v10.9.6 ](https://redirect.github.com/mermaid-js/mermaid/releases/tag/v10.9.6 )
This data is provided by
[OSV](https://osv.dev/vulnerability/GHSA-6m6c-36f7-fhxh ) and the [GitHub
Advisory Database](https://redirect.github.com/github/advisory-database )
([CC-BY
4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md )).
</details>
---
### Mermaid: Improper sanitization of configuration leads to CSS
injection
[CVE-2026-41159](https://nvd.nist.gov/vuln/detail/CVE-2026-41159 ) /
[GHSA-87f9-hvmw-gh4p](https://redirect.github.com/advisories/GHSA-87f9-hvmw-gh4p )
<details>
<summary>More information</summary>
#### Details
##### Impact
Mermaid's default configuration allows injecting CSS that applies
outside of the Mermaid diagram via the `fontFamily`, `themeCSS`, and
`altFontFamily` configuration options.
Live demo:
[mermaid.live](https://mermaid.live/edit#pako:eNpNjktLxDAUhf9KvFBR6JS-60QQfODKlUvJ5k6TtsEmKTHFGUP-u-mI6Nmdy3fOPR56wwVQSBIvtXSUeAaD0e4ZlZxPDChhcLxFfwiEauOuLq_9Afv30ZpVczpaITS5kGox1qF2gfSeBwYhJAnThAyz-ewntI68vG5-0z3Z7e7IA9OQwmglB-rsKlJQwircLPgNZeAmocTPAi4GXGfHgOkQYwvqN2PUbzJuGSegA84f0a0LRyeeJI4W_xChubCPcbQD2pwbgHo4Aq2aKmvbqq3zoiu7pizqFE6RybN9VFfFY1HWXRVS-Dr_zLObrt7_V_gGGXZlGg )
Example code:
```
%%{init: {"fontFamily": "x;a{b} :not(&){background:green !important} c{d}"}}%%
flowchart LR
A --> B
```
The injected CSS exploits stylis's `&` (scope reference) handling.
`:not(&)` escapes the `#mermaid-xxx` automatic scoping, applying styles
to all page elements. Global at-rules (`@font-face`, `@keyframes`,
`@counter-style`) are also injectable as stylis hoists them to top
level.
This allows page defacement and DOM attribute exfiltration via CSS
`:has()` selectors.
##### Patches
- [v11.15.0](https://redirect.github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0) (see commit `64769738d5b59211e1decb471ffbaca8afec51aa`)
- [v10.9.6](https://redirect.github.com/mermaid-js/mermaid/releases/tag/v10.9.6) (see commit `a9d9f0d8eb790349121508688cd338253fd80d76`)
##### Workarounds
If you can't upgrade mermaid, you can set the
[`secure`](https://mermaid.js.org/config/schema-docs/config.html#secure )
config value in the mermaid config to avoid allowing diagrams to modify
`fontFamily`, `themeCSS`, `altFontFamily`, and `themeVariables`.
Setting [`"securityLevel":
"sandbox"`](https://mermaid.js.org/config/schema-docs/config.html#securitylevel )
will also prevent this.
##### Credits
Reported by @​zsxsoft on behalf of @​KeenSecurityLab
#### Severity
- CVSS Score: 5.3 / 10 (Medium)
- Vector String:
`CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L`
#### References
- [https://github.com/mermaid-js/mermaid/security/advisories/GHSA-87f9-hvmw-gh4p](https://redirect.github.com/mermaid-js/mermaid/security/advisories/GHSA-87f9-hvmw-gh4p)
- commit `64769738d5`
- commit `a9d9f0d8eb`
- [https://github.com/mermaid-js/mermaid](https://redirect.github.com/mermaid-js/mermaid)
- [https://github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0](https://redirect.github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0)
- [https://github.com/mermaid-js/mermaid/releases/tag/v10.9.6](https://redirect.github.com/mermaid-js/mermaid/releases/tag/v10.9.6)
This data is provided by
[OSV](https://osv.dev/vulnerability/GHSA-87f9-hvmw-gh4p ) and the [GitHub
Advisory Database](https://redirect.github.com/github/advisory-database )
([CC-BY
4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md )).
</details>
---
### Mermaid: Improper sanitization of `classDef` in state diagrams leads
to HTML injection
[CVE-2026-41149](https://nvd.nist.gov/vuln/detail/CVE-2026-41149 ) /
[GHSA-ghcm-xqfw-q4vr](https://redirect.github.com/advisories/GHSA-ghcm-xqfw-q4vr )
<details>
<summary>More information</summary>
#### Details
##### Impact
Under the default configuration, Mermaid state diagrams' `classDef`
allows DOM injection that escapes the SVG, although `<script>` tags are
removed, preventing XSS.
##### Proof-of-concept
```
stateDiagram-v2
classDef xss fill:red</style></svg><style>*{x:x;y:y;overflow:visible!important;contain:none!important;transform:none!important;filter:none!important;clip-path:none!important}</style><div style="x:x;y:y;color:red;font:5em/1 monospace;display:grid;place-items:center;z-index:2147483647;width:100vw;height:100vh;position:fixed;top:0;left:0;background:black">HACKED</div><svg><style>a:b
[*] --> A:::xss
```
##### Patches
- [v11.15.0](https://redirect.github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0) (see commit `37ff937f1da2e19f882fd1db01235db4d01f4056`)
- [v10.9.6](https://redirect.github.com/mermaid-js/mermaid/releases/tag/v10.9.6) (see commit `4e2d512bf5bf6f9de1a8f0a48da78dc4d09ac4f3`)
##### Workarounds
If you can not update to a patched version, setting [`"securityLevel":
"sandbox"`](https://mermaid.js.org/config/schema-docs/config.html#securitylevel )
will prevent this, by rendering the mermaid diagram in a sandboxed
`<iframe>`.
##### Credits
Thanks to @​zsxsoft from @​KeenSecurityLab for reporting
this vulnerability.
#### Severity
- CVSS Score: 5.3 / 10 (Medium)
- Vector String:
`CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L`
#### References
- [https://github.com/mermaid-js/mermaid/security/advisories/GHSA-ghcm-xqfw-q4vr](https://redirect.github.com/mermaid-js/mermaid/security/advisories/GHSA-ghcm-xqfw-q4vr)
- commit `37ff937f1d`
- commit `4e2d512bf5`
- [https://github.com/mermaid-js/mermaid](https://redirect.github.com/mermaid-js/mermaid)
- [https://github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0](https://redirect.github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0)
- [https://github.com/mermaid-js/mermaid/releases/tag/v10.9.6](https://redirect.github.com/mermaid-js/mermaid/releases/tag/v10.9.6)
- [https://mermaid.js.org/config/schema-docs/config.html#securitylevel](https://mermaid.js.org/config/schema-docs/config.html#securitylevel)
This data is provided by
[OSV](https://osv.dev/vulnerability/GHSA-ghcm-xqfw-q4vr ) and the [GitHub
Advisory Database](https://redirect.github.com/github/advisory-database )
([CC-BY
4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md )).
</details>
---
### Mermaid: Improper sanitization of `classDefs` in diagrams leads to
CSS injection
[CVE-2026-41148](https://nvd.nist.gov/vuln/detail/CVE-2026-41148 ) /
[GHSA-xcj9-5m2h-648r](https://redirect.github.com/advisories/GHSA-xcj9-5m2h-648r )
<details>
<summary>More information</summary>
#### Details
##### Details
The state diagram, and any other diagram type that routes user-controlled
style strings through the createCssStyles parser, in Mermaid v11.14.0 and
earlier captures `classDef` values with an unrestricted regex:
```jison
// packages/mermaid/src/diagrams/state/parser/stateDiagram.jison:83
<CLASSDEFID>[^\n]* { this.popState(); return 'CLASSDEF_STYLEOPTS' }
```
The value passes unsanitized through `addStyleClass()` ->
`createCssStyles()` -> `style.innerHTML` (mermaidAPI.ts:418). A `}` in
the value closes the generated CSS selector, and everything after
becomes a new CSS rule on the page.
##### PoC
```
stateDiagram-v2
classDef x }*{ background-image: url("http://media.giphy.com/media/SggILpMXO7Xt6/giphy.gif ")}
```
Live demo:
<https://mermaid.live/edit#pako:eNpFjzFvgzAQhf-KdVNbEcBgMHhtlkqtOnSJKi8ONsYKBmRMlRTx3-skanvTfbp7996t0IxSAYPZC6_2Rmgn7O4rQ00v5nmvWnRG29OKjqI5aTcug9wZK7RiaHH9A4fO-4kliVXSiFibqbvEzWjvnHxo_fI6vR3e6cGXyX2qTcvhcYMItDMSmHeLisAqZ8UVYeUDQhx8p6ziwEIrhTtx4MNVM4nhcxztrywE0h2wVvRzoGWS_z_8rahBKvcckntgmN5OAFvhDIzUNCZZQXCR5nVaZkUEF2BVFpOcEkoxxhUuyRbB980yjStapKHqoKFlhvPtB7BFZEU >
##### Patches
This has been patched in:
- [v11.15.0](https://redirect.github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0) (see commit `e9b0f34d8d82a6260077764ee45e1d7d90957a0f`)
- [v10.9.6](https://redirect.github.com/mermaid-js/mermaid/releases/tag/v10.9.6) (see commit `8fead23c59166b7bab6a39eac81acebee2859102`)
##### Workarounds
Setting [`"securityLevel":
"sandbox"`](https://mermaid.js.org/config/schema-docs/config.html#securitylevel )
will prevent this, by rendering the mermaid diagram in a sandboxed
`<iframe>`.
##### Impact
Enables page defacement, user tracking via `url()` callbacks, and DOM
attribute exfiltration via CSS `:has()` selectors.
#### Severity
- CVSS Score: 5.3 / 10 (Medium)
- Vector String:
`CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L`
#### References
- [https://github.com/mermaid-js/mermaid/security/advisories/GHSA-xcj9-5m2h-648r](https://redirect.github.com/mermaid-js/mermaid/security/advisories/GHSA-xcj9-5m2h-648r)
- commit `8fead23c59`
- commit `e9b0f34d8d`
- [https://github.com/mermaid-js/mermaid](https://redirect.github.com/mermaid-js/mermaid)
- [https://github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0](https://redirect.github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0)
- [https://github.com/mermaid-js/mermaid/releases/tag/v10.9.6](https://redirect.github.com/mermaid-js/mermaid/releases/tag/v10.9.6)
- [https://mermaid.js.org/config/schema-docs/config.html#securitylevel](https://mermaid.js.org/config/schema-docs/config.html#securitylevel)
This data is provided by
[OSV](https://osv.dev/vulnerability/GHSA-xcj9-5m2h-648r ) and the [GitHub
Advisory Database](https://redirect.github.com/github/advisory-database )
([CC-BY
4.0](https://redirect.github.com/github/advisory-database/blob/main/LICENSE.md )).
</details>
---
### Release Notes
<details>
<summary>mermaid-js/mermaid (mermaid)</summary>
### [`v11.15.0`](https://redirect.github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0)
[Compare Source](https://redirect.github.com/mermaid-js/mermaid/compare/mermaid@11.14.0...mermaid@11.15.0)
##### Minor Changes
- [#7174](https://redirect.github.com/mermaid-js/mermaid/pull/7174) `0aca21739c` Thanks [@milesspencer35](https://redirect.github.com/milesspencer35)! - feat(sequence): Add support for decimal start and increment values in the `autonumber` directive
- [#7512](https://redirect.github.com/mermaid-js/mermaid/pull/7512) `8e17492f73` Thanks [@aruncveli](https://redirect.github.com/aruncveli)! - feat(flowchart): add datastore shape

  In Data flow diagrams, a datastore/warehouse/file/database is used to represent data persistence. It is denoted by a rectangle with only top and bottom borders, and can be used in flowcharts with `A@{ shape: datastore, label: "Datastore" }`.
- [#6440](https://redirect.github.com/mermaid-js/mermaid/pull/6440) `9ad8dde6d0` Thanks [@yordis](https://redirect.github.com/yordis), [@lgazo](https://redirect.github.com/lgazo)! - feat: add Event Modeling diagram
- [#7707](https://redirect.github.com/mermaid-js/mermaid/pull/7707) `27db774627` Thanks [@txmxthy](https://redirect.github.com/txmxthy)! - feat(architecture): expose four fcose layout knobs for `architecture-beta` diagrams (`nodeSeparation`, `idealEdgeLengthMultiplier`, `edgeElasticity`, `numIter`) so authors can tune layout density and spread overlapping siblings without changing diagram source
- [#7604](https://redirect.github.com/mermaid-js/mermaid/pull/7604) `bf9502fb60` Thanks [@M-a-c](https://redirect.github.com/M-a-c)! - feat(class): add nested namespace support for class diagrams via dot notation and syntactic nesting

  If you have namespaces in class diagrams that use `.`s already and want to render them without nesting (≤v11.14.0 behaviour), you can set `class.hierarchicalNamespaces=false` in your mermaid config:

  ```yaml
  config:
    class:
      hierarchicalNamespaces: false
  ```
- [#7272](https://redirect.github.com/mermaid-js/mermaid/pull/7272) `88cdd3dc0a` Thanks [@xinbenlv](https://redirect.github.com/xinbenlv)! - feat(sankey): add outlined label style, configurable nodeWidth/nodePadding, and custom node colors
##### Patch Changes
- [#7737](https://redirect.github.com/mermaid-js/mermaid/pull/7737) `e9b0f34d8d` Thanks [@ashishjain0512](https://redirect.github.com/ashishjain0512)! - fix: prevent unbalanced CSS styles in classDefs
- [#7737](https://redirect.github.com/mermaid-js/mermaid/pull/7737) `37ff937f1d` Thanks [@ashishjain0512](https://redirect.github.com/ashishjain0512)! - fix: create CSS styles using the CSSOM

  This removes some invalid CSS and normalizes some CSS formatting.
- [#7508](https://redirect.github.com/mermaid-js/mermaid/pull/7508) `bfe60cc67b` Thanks [@biiab](https://redirect.github.com/biiab)! - fix(stateDiagram): `end note` now only closes a note when used on a new line
- [#7737](https://redirect.github.com/mermaid-js/mermaid/pull/7737) `faafb5d491` Thanks [@ashishjain0512](https://redirect.github.com/ashishjain0512)! - fix(gantt): add iteration limit for `excludes` field
- [#7737](https://redirect.github.com/mermaid-js/mermaid/pull/7737) `65f8be2a42` Thanks [@ashishjain0512](https://redirect.github.com/ashishjain0512)! - fix: disallow some CSS at-rules in custom CSS
- [#7726](https://redirect.github.com/mermaid-js/mermaid/pull/7726) `1502f32f3c` Thanks [@aloisklink](https://redirect.github.com/aloisklink)! - fix(wardley): fix unnecessary sanitization of text
- [#7578](https://redirect.github.com/mermaid-js/mermaid/pull/7578) `1f98db8e32` Thanks [@Gaston202](https://redirect.github.com/Gaston202)! - fix(class): self-referential class multiplicity labels no longer rendered multiple times

  Fixes [#7560](https://redirect.github.com/mermaid-js/mermaid/issues/7560).

  Resolves an issue where cardinality labels on self-referential class relationships were rendered three times due to edge splitting in the dagre layout. The fix ensures that each sub-edge only carries its relevant label positions.
- [#7592](https://redirect.github.com/mermaid-js/mermaid/pull/7592) `2343e38498` Thanks [@knsv-bot](https://redirect.github.com/knsv-bot)! - fix(sequence): add background box behind alt/else section title labels in sequence diagrams
- [#7589](https://redirect.github.com/mermaid-js/mermaid/pull/7589) `7fb9509b8b` Thanks [@NYCU-Chung](https://redirect.github.com/NYCU-Chung)! - fix(block): prevent column widths from shrinking when mixing different column spans
- [#7632](https://redirect.github.com/mermaid-js/mermaid/pull/7632) `3f9e0f15be` Thanks [@ekiauhce](https://redirect.github.com/ekiauhce)! - fix(sequence): correct messageAlign label position for right-to-left arrows in sequence diagrams
- [#7642](https://redirect.github.com/mermaid-js/mermaid/pull/7642) `7a8fb8532c` Thanks [@tractorjuice](https://redirect.github.com/tractorjuice)! - fix(wardley): allow hyphens in unquoted component names

  Multi-word names containing hyphens — e.g. `real-time processing`, `end-user`, `on-call engineer` — now parse without quoting, bringing the grammar in line with the OnlineWardleyMaps (OWM) convention. `A->B` (no-space arrow) still tokenises correctly.
- [#7523](https://redirect.github.com/mermaid-js/mermaid/pull/7523) `5144ed4b13` Thanks [@darshanr0107](https://redirect.github.com/darshanr0107)! - fix(block): Arrow blocks in block-beta diagrams not spanning the specified number of columns when using `:n` syntax.
- [#7262](https://redirect.github.com/mermaid-js/mermaid/pull/7262) `13d9bfa474` Thanks [@darshanr0107](https://redirect.github.com/darshanr0107)! - fix(block): Ensure block diagram hexagon blocks respect column spanning syntax
- [#7684](https://redirect.github.com/mermaid-js/mermaid/pull/7684) `e14bb88bdb` Thanks [@aloisklink](https://redirect.github.com/aloisklink)! - fix: loosen `uuid` dependency range to allow v14

  Mermaid does not use any of the vulnerable code in CVE-2026-41907, but this allows users to silence any `npm audit` alerts on it.
- [#7633](https://redirect.github.com/mermaid-js/mermaid/pull/7633) `9217c0d8b2` Thanks [@Felix-Garci](https://redirect.github.com/Felix-Garci)! - fix(block): add support for all arrow types in block diagrams
- [#7587](https://redirect.github.com/mermaid-js/mermaid/pull/7587) `5e7eb62e3a` Thanks [@MaddyGuthridge](https://redirect.github.com/MaddyGuthridge)! - chore: drop lodash-es in favour of es-toolkit
- [#7693](https://redirect.github.com/mermaid-js/mermaid/pull/7693) `afaf306238` Thanks [@dull-bird](https://redirect.github.com/dull-bird)! - fix(quadrant-chart): allow CJK, emoji, Latin-1 accented characters, and other non-ASCII text in unquoted axis/quadrant/point labels.

  Previously the lexer only matched ASCII `[A-Za-z]+` for text tokens, even though the grammar referenced `UNICODE_TEXT`. Bare Chinese, Japanese, Korean, emoji, and accented Latin characters in labels caused a parse error. Added a `[^\x00-\x7F]+` lexer rule to emit `UNICODE_TEXT` and included it in the `alphaNumToken` grammar rule.

  Fixes [#7120](https://redirect.github.com/mermaid-js/mermaid/issues/7120).
- [#7737](https://redirect.github.com/mermaid-js/mermaid/pull/7737) `4755553d5f` Thanks [@ashishjain0512](https://redirect.github.com/ashishjain0512)! - fix: improve D3 types for mermaidAPI funcs
- [#7737](https://redirect.github.com/mermaid-js/mermaid/pull/7737) `64769738d5` Thanks [@ashishjain0512](https://redirect.github.com/ashishjain0512)! - fix: handle `&` when namespacing CSS rules
- [#7520](https://redirect.github.com/mermaid-js/mermaid/pull/7520) `8c1a0c1fd1` Thanks [@RodrigojndSantos](https://redirect.github.com/RodrigojndSantos)! - fix(stateDiagram): comments starting with one `%` are no longer treated as comments

  Switch to using two `%%` if you want to write a comment.
- Updated dependencies [`7a8fb8532c`, `675a64ca0e`]:
  - [@mermaid-js/parser](https://redirect.github.com/mermaid-js/parser)@1.1.1
</details>
---
### Configuration
📅 **Schedule**: (UTC)
- Branch creation
  - ""
- Automerge
  - At any time (no schedule defined)
🚦 **Automerge**: Disabled by config. Please merge this manually once you
are satisfied.
♻ **Rebasing**: Whenever PR is behind base branch, or you tick the
rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.
---
- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box
---
This PR has been generated by [Mend
Renovate](https://redirect.github.com/renovatebot/renovate ).
---------
Co-authored-by: silverwind <me@silverwind.io>
Co-authored-by: Claude (Opus 4.7) <noreply@anthropic.com>
2026-05-12 01:34:49 +02:00
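The Mermaid advisories quoted in the Renovate PR above describe diagram text that escapes the generated CSS scope (`classDef`/`style` strings, `fontFamily`/`altFontFamily`/`themeCSS` in an init directive) or never finishes rendering (gantt `excludes` covering every day); an application that embeds Mermaid can screen user-supplied source for those shapes before calling `mermaid.render()`, as defence in depth beside upgrading and `securityLevel: "sandbox"`. The audit below is an added example, not code from Mermaid or from this repository, and its line patterns, reason names and sample diagrams are assumptions made for the example rather than Mermaid's own parser rules.

```javascript
// Added example (not Mermaid's or this repository's code): audit user-supplied
// Mermaid source for the three shapes in the advisories above before rendering.
// Patterns, reason names and samples are assumptions made for this example.

// `}` closes the generated `#mermaid-xxx .cls { ... }` rule; `<` and `>` can
// close the <style> element when the value is written with innerHTML.
const BRACE_OR_TAG = /[{}<>]/;
// stylis hoists these at-rules to the top level, outside the diagram scope.
const HOISTED_AT_RULE = /@(font-face|keyframes|counter-style|import)\b/i;
// `&` is stylis's scope reference; `:not(&)` matches everything outside it.
const SCOPE_REF = /&/;
const WEEKDAYS = ['monday', 'tuesday', 'wednesday', 'thursday', 'friday', 'saturday', 'sunday'];

// Reasons a classDef/style string (e.g. "fill:#f9f,stroke:#333") is unsafe to
// splice into generated CSS; an empty array means plain declarations only.
function checkStyleString(style) {
  const reasons = [];
  if (BRACE_OR_TAG.test(style)) reasons.push('brace-or-tag');
  if (HOISTED_AT_RULE.test(style)) reasons.push('hoisted-at-rule');
  if (SCOPE_REF.test(style)) reasons.push('scope-reference');
  // Mermaid documents these styles as comma-separated `property:value` pairs.
  const malformed = style.split(',').map((d) => d.trim()).filter(Boolean)
    .some((d) => !/^[a-zA-Z-]+\s*:\s*[^;{}]+$/.test(d));
  if (malformed) reasons.push('malformed-declaration');
  return reasons;
}

// Reasons an `%%{init: {...}}%%` directive is unsafe: font options that carry
// CSS syntax, or any themeCSS at all (it is raw CSS by definition).
function checkInitDirective(jsonText) {
  let cfg;
  try { cfg = JSON.parse(jsonText); } catch { return ['init-unparseable']; }
  const reasons = [];
  for (const key of ['fontFamily', 'altFontFamily']) {
    const v = cfg[key];
    if (typeof v === 'string' && [BRACE_OR_TAG, HOISTED_AT_RULE, SCOPE_REF].some((re) => re.test(v))) {
      reasons.push(`${key}-carries-css`);
    }
  }
  if ('themeCSS' in cfg) reasons.push('themeCSS-present');
  return reasons;
}

// True when a gantt `excludes` value rules out every day of the week, the
// input that made the unpatched date loop spin without terminating.
function excludesAllDays(excludesValue) {
  const words = new Set(excludesValue.toLowerCase().split(/[\s,]+/).filter(Boolean));
  if (words.has('weekends')) { words.add('saturday'); words.add('sunday'); }
  return WEEKDAYS.every((d) => words.has(d));
}

// Walk the diagram text line by line; returns [{ line, kind, reasons }].
function auditMermaidSource(source) {
  const findings = [];
  source.split('\n').forEach((raw, i) => {
    const line = raw.trim();
    let m;
    if ((m = /^%%\{init:\s*(\{[\s\S]*\})\s*\}%%$/.exec(line))) {
      const reasons = checkInitDirective(m[1]);
      if (reasons.length) findings.push({ line: i + 1, kind: 'init', reasons });
    } else if ((m = /^(?:classDef|style)\s+\S+\s+(.*)$/.exec(line))) {
      const reasons = checkStyleString(m[1]);
      if (reasons.length) findings.push({ line: i + 1, kind: 'style', reasons });
    } else if ((m = /^excludes\s+(.*)$/.exec(line)) && excludesAllDays(m[1])) {
      findings.push({ line: i + 1, kind: 'gantt', reasons: ['excludes-all-days'] });
    }
  });
  return findings;
}

// Constructed samples: a flowchart with a CSS-carrying init directive, one
// benign and one rule-escaping classDef; and a gantt that excludes every day.
const SAMPLE_FLOWCHART = [
  '%%{init: {"fontFamily": "x;a{b} :not(&){color:red} c{d}"}}%%',
  'flowchart LR',
  '  A --> B',
  '  classDef good fill:#f9f,stroke:#333,stroke-width:2px',
  '  classDef bad }*{ background-image: url("https://example.invalid/x.gif")}',
].join('\n');
const SAMPLE_GANTT = 'gantt\n  excludes monday,tuesday,wednesday,thursday,friday,saturday,sunday\n  DoS :2025-01-01, 1d';
console.log(JSON.stringify([auditMermaidSource(SAMPLE_FLOWCHART), auditMermaidSource(SAMPLE_GANTT)]));
```

A clean diagram yields an empty findings array; anything flagged is a candidate to reject or route to review rather than render with the default `securityLevel`.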
Lunny Xiao
5d87a70af9
fix(packages): Add label for private and internal package and fix composer package source permission check ( #37610 )
...
- Add permission checks for Composer package source links
- Add private/internal visibility labels for packages, similar to
repository visibility labels
<img width="969" height="571" alt="image"
src="https://github.com/user-attachments/assets/8a8ec3a0-bfbd-4dd6-b45b-58eda5db1a2d "
/>
- Add a link to change package visibility
<img width="1309" height="208" alt="image"
src="https://github.com/user-attachments/assets/3fa82b23-4c63-4a5e-b3f0-d37a103231ee "
/>
- Update link package descriptions
<img width="1308" height="265" alt="image"
src="https://github.com/user-attachments/assets/2c80b50e-5ffe-4d96-aedd-aa15964c4e05 "
/>
---------
Co-authored-by: Nicolas <bircni@icloud.com>
Co-authored-by: silverwind <me@silverwind.io>
2026-05-11 05:49:46 +00:00
silverwind
5dc9d621fd
refactor: replace Fomantic search module with first-party code ( #37443 )
...
- Replace fomantic `search` code with minimal first-party code
- Added a small fix to vertically align search box and search button
- Manually tested all search forms.
- Add `errorName` helper, similar to `errorMessage`.
Signed-off-by: silverwind <me@silverwind.io>
Co-authored-by: Claude (Opus 4.7) <noreply@anthropic.com>
2026-05-11 05:25:26 +00:00
pomidorry
67f86bc3fe
feat(api): add last_sync to repository API ( #37566 )
...
This PR adds a new repository API field, `mirror_last_sync_at`, to
expose the timestamp of the last successful pull mirror sync.
Unlike `mirror_updated`, this field does not affect mirror scheduling
and is updated only after a successful pull sync. Failed sync attempts
leave the value unchanged.
What changed
- added `mirror_last_sync_at` to the repository API response
- updated pull mirror sync flow to persist the timestamp only on
successful sync
- kept `mirror_updated` behavior unchanged for queue/scheduling purposes
`mirror_updated` is currently tied to mirror queue behavior, so it
cannot safely represent the last successful sync time. The new field
makes that state explicit for API consumers without changing scheduling
semantics.
---------
Signed-off-by: pomidorry <106489913+Pomidorry@users.noreply.github.com>
Signed-off-by: wxiaoguang <wxiaoguang@gmail.com>
Co-authored-by: silverwind <me@silverwind.io>
Co-authored-by: Claude (Opus 4.7) <noreply@anthropic.com>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
Co-authored-by: Giteabot <teabot@gitea.io>
2026-05-10 20:07:56 +00:00
silverwind
29676adfd3
fix: treat email addresses case-insensitively ( #37600 )
...
Fixes #36184 and three more discovered cases.
---
This PR was written with the help of Claude Opus 4.7
---------
Signed-off-by: silverwind <me@silverwind.io>
Co-authored-by: Claude (Opus 4.7) <noreply@anthropic.com>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
Co-authored-by: Nicolas <bircni@icloud.com>
2026-05-08 15:14:33 +00:00
Lunny Xiao
7dc3087acd
fix(git): Fix smart http request scope bug ( #37583 )
...
Co-authored-by: Nicolas <bircni@icloud.com>
Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>
Co-authored-by: silverwind <me@silverwind.io>
2026-05-08 08:30:23 +02:00
wxiaoguang
2b93eaf55b
refactor: only reset a database table when the table's data was changed ( #37573 )
...
Reduce CI time
Saves about 3 minutes for each test suite
test-unit: 13min -> 10min (-race)
test-pgsql: 24min -> 20min (-race)
test-mysql: 15min -> 12min
test-mssql: 16min -> 12min
---------
Co-authored-by: silverwind <me@silverwind.io>
Co-authored-by: Claude (Opus 4.7) <noreply@anthropic.com>
2026-05-08 00:49:40 +00:00
Nicolas
c9b9e376fb
fix: Invalid UTF-8 commit messages in JSON API responses ( #37542 )
2026-05-07 16:19:45 +02:00
wxiaoguang
a39af1a829
refactor: use modernc sqlite driver as default ( #37562 )
...
The mattn driver is still kept, can be enabled by
TAGS="sqlite_mattn sqlite_unlock_notify"
---------
Co-authored-by: TheFox0x7 <thefox0x7@gmail.com>
2026-05-06 18:57:59 +00:00
wxiaoguang
6ba907d89c
Fix various problems ( #37547 )
...
1. Fix ugly commit form "warning" message
2. Use JSONError for "Update PR Branch" response
3. Remove useless "timeline" class
4. Make timeline review default to "comment" to avoid icon missing
5. Align PR's "command line instructions" UI
6. Simplify "Update PR branch" button logic
And then some TODOs are fixed.
---------
Signed-off-by: wxiaoguang <wxiaoguang@gmail.com>
2026-05-05 15:54:07 +00:00
wxiaoguang
a90d5dd131
Refactor pull request view (7) ( #37524 )
...
Almost done
`pull_merge_box.tmpl` only has about 80 lines now, and (almost) all
variable accesses are strictly typed.
---------
Co-authored-by: silverwind <me@silverwind.io>
Co-authored-by: Claude (Opus 4.7) <noreply@anthropic.com>
Co-authored-by: Nicolas <bircni@icloud.com>
2026-05-04 20:13:38 +00:00
wxiaoguang
f26f71f1b2
Refactor pull request view (5) ( #37517 )
...
Clean up templates, remove various CSS patches.
By the way, fix incorrect NewRequest URLs in tests.
2026-05-03 18:53:24 +00:00
Rayan Salhab
7016f7b37f
fix(packages): use file names for generic web downloads ( #37514 )
...
Fixes #37511 .
Serve Generic package web asset downloads with the stored package filename
Signed-off-by: cyphercodes <cyphercodes@users.noreply.github.com>
Co-authored-by: cyphercodes <cyphercodes@users.noreply.github.com>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2026-05-03 15:19:21 +08:00
Jason Learst
0385e4783e
fix: merge autodetect can't close other PRs but only the last one when multiple PRs are pushed at once ( #37512 )
...
Make `getMergeCommit` correctly handle multiple commits output from `git rev-list --ancestry-path --merges ...`
Fixes #37510 .
---------
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
2026-05-02 18:40:50 +00:00