
chore(deps): bump mermaid to 11.15.0 for GHSA-ghcm-xqfw-q4vr #4615

Merged: waleedlatif1 merged 2 commits into staging from waleedlatif1/dependabot-111 on May 15, 2026

Conversation

@waleedlatif1 (Collaborator) opened the pull request:

Summary

Type of Change

  • Bug fix

Testing

Tested manually

Checklist

  • Code follows project style guidelines
  • Self-reviewed my changes
  • Tests added/updated and passing
  • No new warnings introduced
  • I confirm that I have read and agree to the terms outlined in the Contributor License Agreement (CLA)


vercel Bot commented May 15, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project: docs | Deployment: Ready | Actions: Preview, Comment | Updated (UTC): May 15, 2026 5:21pm



cursor Bot commented May 15, 2026

PR Summary

Low Risk
Low risk dependency update; primary impact is potential mermaid diagram rendering/regression changes while addressing a security advisory.

Overview
Bumps mermaid from 11.14.0 to 11.15.0 in apps/sim and pins it via root package.json overrides to ensure a consistent patched version.

Regenerates bun.lock, updating transitive mermaid/parser dependencies (including @mermaid-js/parser) and removing now-unneeded language-server related packages pulled in by the old parser stack.

Reviewed by Cursor Bugbot for commit f991d89.


greptile-apps Bot commented May 15, 2026

Greptile Summary

This PR bumps mermaid from 11.14.0 to 11.15.0 to patch the HTML-injection vulnerability GHSA-ghcm-xqfw-q4vr (CVE-2026-41149), and adds mermaid: 11.15.0 to both the root and apps/sim overrides fields to ensure the patched version is used by all transitive consumers (including streamdown).

  • apps/sim/package.json: direct mermaid dep bumped to 11.15.0; overrides entry added so transitive deps resolve to the same version.
  • package.json: root-level overrides entry added for mermaid: 11.15.0, closing the streamdown-bundled-copy gap.
  • bun.lock: confirms a single mermaid@11.15.0 resolution; langium, chevrotain, and vscode-languageserver-* transitive deps removed as @mermaid-js/parser was updated from 1.1.0 to 1.1.1 (dropping the langium dependency chain).

Confidence Score: 5/5

Safe to merge — this is a targeted security patch with no logic changes, and the lockfile confirms the vulnerability is fully remediated across all consumers.

The change bumps mermaid to the patched version and adds overrides at both the root and app level to close the transitive gap via streamdown. The lockfile shows a single mermaid@11.15.0 resolution with no remaining nested copy of 11.14.0, and the removed transitive deps (langium, chevrotain, vscode-languageserver-*) are an expected side-effect of the updated @mermaid-js/parser@1.1.1.

No files require special attention.

Important Files Changed

  • apps/sim/package.json: direct mermaid dep bumped to 11.15.0 and override added to force the patched version for transitive consumers like streamdown.
  • package.json: root overrides entry added for mermaid@11.15.0, ensuring workspace-wide resolution to the patched version.
  • bun.lock: lockfile resolves a single mermaid@11.15.0; the nested streamdown/mermaid@11.14.0 entry is gone, and langium/chevrotain/vscode-languageserver deps are removed as a side-effect of the updated parser.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A["apps/sim direct dep: mermaid@11.14.0 → 11.15.0"] --> C["Single resolved: mermaid@11.15.0"]
    B["streamdown@2.5.0 transitive dep"] -->|"override applied"| C
    E["root package.json overrides: mermaid@11.15.0"] --> C
    F["apps/sim overrides: mermaid@11.15.0"] --> C
    C --> D["GHSA-ghcm-xqfw-q4vr patched"]

Reviews (2): Last reviewed commit: "chore(deps): override transitive mermaid..."
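The two properties the bot summaries above rely on, an overrides pin in each manifest and a lockfile with no remaining copy of the vulnerable version, are easy to check mechanically, which is what a reviewer would want before trusting "fully remediated across all consumers". The script below is an added example written for this page; it is not code from the sim repository or from any of the review bots. The package.json documents and lockfile excerpts it scans are constructed stand-ins: the real bun.lock layout is not reproduced, and the check only depends on the `name@X.Y.Z` strings a lockfile records, so it catches a nested `streamdown/mermaid@11.14.0` copy as well as the top-level entry.

```python
import json
import re
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# Constructed stand-ins for the manifests touched by the PR (not the real files).
ROOT_PACKAGE_JSON_BEFORE = json.loads('{"name": "sim-workspace"}')
ROOT_PACKAGE_JSON_AFTER = json.loads(
    '{"name": "sim-workspace", "overrides": {"mermaid": "11.15.0"}}'
)
APP_PACKAGE_JSON_AFTER = json.loads(
    '{"name": "sim", "dependencies": {"mermaid": "11.15.0", "streamdown": "2.5.0"},'
    ' "overrides": {"mermaid": "11.15.0"}}'
)

# Constructed lockfile excerpts. Only the "name@X.Y.Z" strings matter to the check;
# the real bun.lock layout is not reproduced here.
LOCKFILE_BEFORE = """
"mermaid": ["mermaid@11.14.0", "", {"dependencies": {"@mermaid-js/parser": "^1.1.0"}}],
"@mermaid-js/parser": ["@mermaid-js/parser@1.1.0", "", {"dependencies": {"langium": "3.3.1"}}],
"streamdown": ["streamdown@2.5.0", "", {"dependencies": {"mermaid": "^11.14.0"}}],
"streamdown/mermaid": ["mermaid@11.14.0", "", {}],
"""

LOCKFILE_AFTER = """
"mermaid": ["mermaid@11.15.0", "", {"dependencies": {"@mermaid-js/parser": "^1.1.1"}}],
"@mermaid-js/parser": ["@mermaid-js/parser@1.1.1", "", {}],
"streamdown": ["streamdown@2.5.0", "", {"dependencies": {"mermaid": "^11.14.0"}}],
"""


def parse_version(text: str) -> Version:
    """'11.15.0' -> (11, 15, 0); a range prefix such as ^ or ~ is dropped first."""
    return tuple(int(part) for part in re.sub(r"^\D*", "", text).split("."))


def resolved_versions(lockfile_text: str, package: str) -> List[Version]:
    """Every concrete version the lockfile resolves `package` to, nested copies included.

    The lookbehind stops '@mermaid-js/parser@1.1.1' from matching 'mermaid@...',
    while 'streamdown/mermaid@11.14.0' (a nested copy) is still counted."""
    pattern = re.compile(r"(?<![\w-])" + re.escape(package) + r"@(\d+\.\d+\.\d+)")
    return sorted({parse_version(m.group(1)) for m in pattern.finditer(lockfile_text)})


def unpatched_resolutions(lockfile_text: str, package: str, fixed_in: str) -> List[str]:
    """Resolved versions of `package` that are still below the version carrying the fix."""
    floor = parse_version(fixed_in)
    return [
        ".".join(str(n) for n in v)
        for v in resolved_versions(lockfile_text, package)
        if v < floor
    ]


def override_pins_fix(manifest: Dict, package: str, fixed_in: str) -> bool:
    """True when the manifest's overrides field pins `package` at or above `fixed_in`."""
    pin = manifest.get("overrides", {}).get(package)
    return pin is not None and parse_version(pin) >= parse_version(fixed_in)


def audit(manifests: Dict[str, Dict], lockfile_text: str, package: str, fixed_in: str) -> Dict:
    """Which manifests pin the fix, and whether any vulnerable resolution remains."""
    return {
        "pinned_in": sorted(
            path for path, manifest in manifests.items()
            if override_pins_fix(manifest, package, fixed_in)
        ),
        "unpatched": unpatched_resolutions(lockfile_text, package, fixed_in),
    }


if __name__ == "__main__":
    before = audit({"package.json": ROOT_PACKAGE_JSON_BEFORE}, LOCKFILE_BEFORE, "mermaid", "11.15.0")
    after = audit(
        {"package.json": ROOT_PACKAGE_JSON_AFTER, "apps/sim/package.json": APP_PACKAGE_JSON_AFTER},
        LOCKFILE_AFTER, "mermaid", "11.15.0",
    )
    print("before:", before)  # no pin, and 11.14.0 still resolved under streamdown
    print("after: ", after)   # pinned in both manifests, nothing unpatched
```

The lockfile scan is deliberately a text scan rather than a parse of a specific lockfile format, so the same function works against bun.lock, package-lock.json or yarn.lock as long as the file records resolved `name@version` strings; the override check reads the `overrides` field that both package.json files in this PR gained. Running it against the real files before and after the bump is the mechanical form of the "single mermaid@11.15.0 resolution" claim in the summary above.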

@waleedlatif1 (Collaborator, Author) commented:

@greptile

@waleedlatif1 (Collaborator, Author) commented:

@cursor review


cursor Bot left a comment


✅ Bugbot reviewed your changes and found no new issues!



@waleedlatif1 waleedlatif1 merged commit 9bbbe0a into staging May 15, 2026
14 checks passed
@waleedlatif1 waleedlatif1 deleted the waleedlatif1/dependabot-111 branch May 15, 2026 17:42