Security issues raised by lodash-es

[theniceangel]

Description

Path: mermaid-11.12.1.tgz->parser-0.6.3.tgz->langium-3.3.1.tgz->chevrotain-11.0.3.tgz->lodash-es-4.17.21.tgz
mermaid-11.12.1.tgz->lodash-es-4.17.21.tgz
lodash-es-4.17.21.tgz
mermaid-11.12.1.tgz->parser-0.6.3.tgz->langium-3.3.1.tgz->chevrotain-allstar-0.3.1.tgz->lodash-es-4.17.21.tgz
mermaid-11.12.1.tgz->dagre-d3-es-7.0.13.tgz->lodash-es-4.17.21.tgz
mermaid-11.12.1.tgz->parser-0.6.3.tgz->langium-3.3.1.tgz->chevrotain-11.0.3.tgz->cst-dts-gen-11.0.3.tgz->lodash-es-4.17.21.tgz
mermaid-11.12.1.tgz->parser-0.6.3.tgz->langium-3.3.1.tgz->chevrotain-11.0.3.tgz->gast-11.0.3.tgz->lodash-es-4.17.21.tgz

CRITICAL: CVE-2025-13465

lodash-es should bump to 4.17.23

Steps to reproduce

install @mermaid-js/parser@0.6.3 or @mermaid-js/parser@latest

Screenshots

No response

Code Sample

Setup

• Mermaid version:
• Browser and Version: [Chrome, Edge, Firefox]

Suggested Solutions

No response

Additional Context

No response

[silverwind]

All that's needed should be to bump langium in @mermaid-js/parser to v4.2.0 or greater.

[krassowski]

Alternatively, would it be possible to extract the langium dependency to a separate package? It is not very valuable to downstreams which do not make use of a language server.

[mldangelo]

Related PRs that will fix it:

• chore(deps): update dependency lodash-es to v4.17.23 [security] #7336
• fix(deps): update all major dependencies (major) #7364

@ashishjain0512 can you please merge one of these? Thanks!

[silverwind]

#7336 wont fix it for consumers, the actual dependency chain needs to change.

[aloisklink]

All that's needed should be to bump langium in @mermaid-js/parser to v4.2.0 or greater.

I've made a PR bumping it in #7377. Since Langium v4 had some breaking changes, it wasn't trivial. It looks like it would be a breaking change/major release for the @mermaid-js/parser package, but it should only be a patch release for mermaid.

Alternatively, would it be possible to extract the langium dependency to a separate package? It is not very valuable to downstreams which do not make use of a language server.

Unfortunately, it's needed for quite a few diagram types, e.g. architecture diagrams, git graphs, radar, pie charts, and more.

You can also use your package manager to override lodash-es to silence the warning, or ignore it, since neither mermaid nor chevrotain in mermaid's dependency chain use _.omit or _.unset, so they're not vulnerable to CVE-2025-13465.