From de2c05cd5463af68d19dd7b6b3f1303d69ddb2dd Mon Sep 17 00:00:00 2001
From: Alois Klink <alois@aloisklink.com>
Date: Tue, 1 Oct 2024 23:55:36 +0900
Subject: [PATCH] fix: ban version v3.1.7 of DOMPurify

[DOMPurify v3.1.7][1] forbids the use of `<foreignElement>` for HTML
inside of an `<svg>` element, which breaks many mermaid diagrams.

It is likely that v3.1.8 will add a new option that will allow us to
re-enable this behaviour, but v3.1.7 definitely does not work.

[1]: https://github.com/cure53/DOMPurify/releases/tag/3.1.7

See: https://github.com/cure53/DOMPurify/issues/1002
Fix: https://github.com/mermaid-js/mermaid/issues/5904
---
 .changeset/witty-rabbits-hunt.md | 5 +++++
 packages/mermaid/package.json    | 2 +-
 pnpm-lock.yaml                   | 2 +-
 3 files changed, 7 insertions(+), 2 deletions(-)
 create mode 100644 .changeset/witty-rabbits-hunt.md

diff --git a/.changeset/witty-rabbits-hunt.md b/.changeset/witty-rabbits-hunt.md
new file mode 100644
index 0000000000..3817bb9286
--- /dev/null
+++ b/.changeset/witty-rabbits-hunt.md
@@ -0,0 +1,5 @@
+---
+'mermaid': patch
+---
+
+Ban DOMPurify v3.1.7 as a dependency
diff --git a/packages/mermaid/package.json b/packages/mermaid/package.json
index 2469af2ff8..9c0756b81f 100644
--- a/packages/mermaid/package.json
+++ b/packages/mermaid/package.json
@@ -77,7 +77,7 @@
     "d3-sankey": "^0.12.3",
     "dagre-d3-es": "7.0.10",
     "dayjs": "^1.11.10",
-    "dompurify": "^3.0.11",
+    "dompurify": "^3.0.11 <3.1.7",
     "katex": "^0.16.9",
     "khroma": "^2.1.0",
     "lodash-es": "^4.17.21",
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index b23b384b61..b80fb5d8d9 100644
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -237,7 +237,7 @@ importers:
         specifier: ^1.11.10
         version: 1.11.13
       dompurify:
-        specifier: ^3.0.11
+        specifier: ^3.0.11 <3.1.7
         version: 3.1.6
       katex:
         specifier: ^0.16.9