Details

Impact

Under the default configuration, Mermaid state diagram's classDef allow DOM injection that escapes the SVG, although <script> tags are removed, preventing XSS.

Proof-of-concept

stateDiagram-v2
  classDef xss fill:red</style></svg><style>*{x:x;y:y;overflow:visible!important;contain:none!important;transform:none!important;filter:none!important;clip-path:none!important}</style><div style="x:x;y:y;color:red;font:5em/1 monospace;display:grid;place-items:center;z-index:2147483647;width:100vw;height:100vh;position:fixed;top:0;left:0;background:black">HACKED</div><svg><style>a:b
  [*] --> A:::xss

Patches

• v11.15.0 (see 37ff937f1da2e19f882fd1db01235db4d01f4056)
• v10.9.6 (see 4e2d512bf5bf6f9de1a8f0a48da78dc4d09ac4f3)

Workarounds

If you can not update to a patched version, setting "securityLevel": "sandbox" will prevent this, by rendering the mermaid diagram in a sandboxed <iframe>.

Credits

Thanks to @​zsxsoft from @​KeenSecurityLab for reporting this vulnerability.

Severity

• CVSS Score: 5.3 / 10 (Medium)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L

References

• https://github.com/mermaid-js/mermaid/security/advisories/GHSA-ghcm-xqfw-q4vr
• https://github.com/mermaid-js/mermaid/commit/37ff937f1da2e19f882fd1db01235db4d01f4056
• https://github.com/mermaid-js/mermaid/commit/4e2d512bf5bf6f9de1a8f0a48da78dc4d09ac4f3
• https://github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0
• https://github.com/mermaid-js/mermaid/releases/tag/v10.9.6
• https://mermaid.js.org/config/schema-docs/config.html#securitylevel
• https://github.com/advisories/GHSA-ghcm-xqfw-q4vr

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Details

Details

The state diagram and any other diagram type that routes user-controlled style strings through createCssStyles parser for Mermaid v11.14.0 and earlier captures classDef values with an unrestricted regex:

// packages/mermaid/src/diagrams/state/parser/stateDiagram.jison:83
<CLASSDEFID>[^\n]*   { this.popState(); return 'CLASSDEF_STYLEOPTS' }

The value passes unsanitized through addStyleClass() -> createCssStyles() -> style.innerHTML (mermaidAPI.ts:418). A } in the value closes the generated CSS selector, and everything after becomes a new CSS rule on the page.

PoC

stateDiagram-v2 
      classDef x }*{ background-image: url("http://media.giphy.com/media/SggILpMXO7Xt6/giphy.gif")}

Live demo:
https://mermaid.live/edit#pako:eNpFjzFvgzAQhf-KdVNbEcBgMHhtlkqtOnSJKi8ONsYKBmRMlRTx3-skanvTfbp7996t0IxSAYPZC6_2Rmgn7O4rQ00v5nmvWnRG29OKjqI5aTcug9wZK7RiaHH9A4fO-4kliVXSiFibqbvEzWjvnHxo_fI6vR3e6cGXyX2qTcvhcYMItDMSmHeLisAqZ8UVYeUDQhx8p6ziwEIrhTtx4MNVM4nhcxztrywE0h2wVvRzoGWS_z_8rahBKvcckntgmN5OAFvhDIzUNCZZQXCR5nVaZkUEF2BVFpOcEkoxxhUuyRbB980yjStapKHqoKFlhvPtB7BFZEU

Patches

This has been patched in:

• v11.15.0 (see e9b0f34d8d82a6260077764ee45e1d7d90957a0f)
• v10.9.6 (see 8fead23c59166b7bab6a39eac81acebee2859102)

Workarounds

Setting "securityLevel": "sandbox" will prevent this, by rendering the mermaid diagram in a sandboxed <iframe>.

Impact

Enables page defacement, user tracking via url() callbacks, and DOM attribute exfiltration via CSS :has() selectors.

Severity

• CVSS Score: 5.3 / 10 (Medium)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L

References

• https://github.com/mermaid-js/mermaid/security/advisories/GHSA-xcj9-5m2h-648r
• https://github.com/mermaid-js/mermaid/commit/8fead23c59166b7bab6a39eac81acebee2859102
• https://github.com/mermaid-js/mermaid/commit/e9b0f34d8d82a6260077764ee45e1d7d90957a0f
• https://github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0
• https://github.com/mermaid-js/mermaid/releases/tag/v10.9.6
• https://mermaid.js.org/config/schema-docs/config.html#securitylevel
• https://github.com/advisories/GHSA-xcj9-5m2h-648r

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Details

Impact

Mermaid v11.14.0 and earlier are vulnerable to a denial-of-service attack when rendering gantt charts, if they use the excludes attribute to exclude all dates.

Example:

gantt
  excludes monday,tuesday,wednesday,thursday,friday,saturday,sunday
  DoS :2025-01-01, 1d

mermaid.parse is unaffected, unless you then call the ganttDb.getTasks() (which is called when rendering a diagram).

Patches

This has been patched in:

• v11.15.0 (see faafb5d49106dd32c367f3882505f2dd625aa30e)
• v10.9.6 (see a59ea56174712ee5430dfd5bc877cb5151f501a6)

Workarounds

There are no workarounds available without updating to a newer version of mermaid.

Severity

• CVSS Score: 5.3 / 10 (Medium)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L

References

• https://github.com/mermaid-js/mermaid/security/advisories/GHSA-6m6c-36f7-fhxh
• https://github.com/mermaid-js/mermaid/commit/a59ea56174712ee5430dfd5bc877cb5151f501a6
• https://github.com/mermaid-js/mermaid/commit/faafb5d49106dd32c367f3882505f2dd625aa30e
• https://github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0
• https://github.com/mermaid-js/mermaid/releases/tag/v10.9.6
• https://github.com/advisories/GHSA-6m6c-36f7-fhxh

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

Details

Impact

Mermaid's default configuration allows injecting CSS that applies outside of the Mermaid diagram via the fontFamily, themeCSS, and altFontFamily configuration options.

Live demo: mermaid.live

Example code:

%%{init: {"fontFamily": "x;a{b} :not(&){background:green !important} c{d}"}}%%
flowchart LR
    A --> B

The injected CSS exploits stylis's & (scope reference) handling. :not(&) escapes the #mermaid-xxx automatic scoping, applying styles to all page elements. Global at-rules (@font-face, @keyframes, @counter-style) are also injectable as stylis hoists them to top level.

This allows page defacement and DOM attribute exfiltration via CSS :has() selectors.

Patches

• v11.15.0 (see 64769738d5b59211e1decb471ffbaca8afec51aa)
• v10.9.6 (see a9d9f0d8eb790349121508688cd338253fd80d76)

Workarounds

If you can't upgrade mermaid, you can set the secure config value in the mermaid config to avoid allowing diagrams to modify fontFamily, themeCSS, altFontFamily, and themeVariables.

Setting "securityLevel": "sandbox" will also prevent this.

Credits

Reported by @​zsxsoft on behalf of @​KeenSecurityLab

Severity

• CVSS Score: 5.3 / 10 (Medium)
• Vector String: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L

References

• https://github.com/mermaid-js/mermaid/security/advisories/GHSA-87f9-hvmw-gh4p
• https://github.com/mermaid-js/mermaid/commit/64769738d5b59211e1decb471ffbaca8afec51aa
• https://github.com/mermaid-js/mermaid/commit/a9d9f0d8eb790349121508688cd338253fd80d76
• https://github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.15.0
• https://github.com/mermaid-js/mermaid/releases/tag/v10.9.6
• https://github.com/advisories/GHSA-87f9-hvmw-gh4p

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

v11.15.0

Compare Source

Minor Changes

• #​7174 0aca217 Thanks @​milesspencer35! - feat(sequence): Add support for decimal start and increment values in the autonumber directive

• #​7512 8e17492 Thanks @​aruncveli! - feat(flowchart): add datastore shape

  In Data flow diagrams, a datastore/warehouse/file/database is used to represent data persistence. It is denoted by a rectangle with only top and bottom borders, and can be used in flowcharts with A@{ shape: datastore, label: "Datastore" }.

• #​6440 9ad8dde Thanks @​yordis, @​lgazo! - feat: add Event Modeling diagram

• #​7707 27db774 Thanks @​txmxthy! - feat(architecture): expose four fcose layout knobs for architecture-beta diagrams (nodeSeparation, idealEdgeLengthMultiplier, edgeElasticity, numIter) so authors can tune layout density and spread overlapping siblings without changing diagram source

• #​7604 bf9502f Thanks @​M-a-c! - feat(class): add nested namespace support for class diagrams via dot notation and syntactic nesting

  If you have namespaces in class diagrams that use .s already and want to render them without nesting (≤v11.14.0 behaviour), you can use set class.hierarchicalNamespaces=false in your mermaid config:

  config:
    class:
      hierarchicalNamespaces: false

• #​7272 88cdd3d Thanks @​xinbenlv! - feat(sankey): add outlined label style, configurable nodeWidth/nodePadding, and custom node colors

Patch Changes

• #​7737 e9b0f34 Thanks @​ashishjain0512! - fix: prevent unbalanced CSS styles in classDefs

• #​7737 37ff937 Thanks @​ashishjain0512! - fix: create CSS styles using the CSSOM

  This removes some invalid CSS and normalizes some CSS formatting.

• #​7508 bfe60cc Thanks @​biiab! - fix(stateDiagram): end note now only closes a note when used on a new line

• #​7737 faafb5d Thanks @​ashishjain0512! - fix(gantt): add iteration limit for excludes field

• #​7737 65f8be2 Thanks @​ashishjain0512! - fix: disallow some CSS at-rules in custom CSS

• #​7726 1502f32 Thanks @​aloisklink! - fix(wardley): fix unnecessary sanitization of text

• #​7578 1f98db8 Thanks @​Gaston202! - fix(class): self-referential class multiplicity labels no longer rendered multiple times

  Fixes #​7560. Resolves an issue where cardinality labels on self-referential class relationships were rendered three times due to edge splitting in the dagre layout. The fix ensures that each sub-edge only carries its relevant label positions.

• #​7592 2343e38 Thanks @​knsv-bot! - fix(sequence): add background box behind alt/else section title labels in sequence diagrams

• #​7589 7fb9509 Thanks @​NYCU-Chung! - fix(block): prevent column widths from shrinking when mixing different column spans

• #​7632 3f9e0f1 Thanks @​ekiauhce! - fix(sequence): correct messageAlign label position for right-to-left arrows in sequence diagrams

• #​7642 7a8fb85 Thanks @​tractorjuice! - fix(wardley): allow hyphens in unquoted component names

  Multi-word names containing hyphens — e.g. real-time processing, end-user, on-call engineer — now parse without quoting, bringing the grammar in line with the OnlineWardleyMaps (OWM) convention. A->B (no-space arrow) still tokenises correctly.

• #​7523 5144ed4 Thanks @​darshanr0107! - fix(block): Arrow blocks in block-beta diagrams not spanning the specified number of columns when using :n syntax.

• #​7262 13d9bfa Thanks @​darshanr0107! - fix(block): Ensure block diagram hexagon blocks respect column spanning syntax

• #​7684 e14bb88 Thanks @​aloisklink! - fix: loosen uuid dependency range to allow v14

  Mermaid does not use any of the vulnerable code in CVE-2026-41907,
  but this allows users to silence any npm audit alerts on it.

• #​7633 9217c0d Thanks @​Felix-Garci! - fix(block): add support for all arrow types in block diagrams

• #​7587 5e7eb62 Thanks @​MaddyGuthridge! - chore: drop lodash-es in favour of es-toolkit

• #​7693 afaf306 Thanks @​dull-bird! - fix(quadrant-chart): allow CJK, emoji, Latin-1 accented characters, and other non-ASCII text in unquoted axis/quadrant/point labels.

  Previously the lexer only matched ASCII [A-Za-z]+ for text tokens, even though the grammar referenced UNICODE_TEXT. Bare Chinese, Japanese, Korean, emoji, and accented Latin characters in labels caused a parse error. Added a [^\x00-\x7F]+ lexer rule to emit UNICODE_TEXT and included it in the alphaNumToken grammar rule.

  Fixes #​7120.

• #​7737 4755553 Thanks @​ashishjain0512! - fix: improve D3 types for mermaidAPI funcs

• #​7737 6476973 Thanks @​ashishjain0512! - fix: handle & when namespacing CSS rules

• #​7520 8c1a0c1 Thanks @​RodrigojndSantos! - fix(stateDiagram): comments starting with one % are no longer treated as comments

  Switch to using two %% if you want to write a comment.

• Updated dependencies [7a8fb85, 675a64c]:

  • @​mermaid-js/parser@​1.1.1

v11.14.0

Compare Source

Thanks to our awesome mermaid community that contributed to this release: @​ashishjain0512, @​tractorjuice, @​autofix-ci[bot], @​aloisklink, @​knsv, @​kibanana, @​chandershekhar22, @​khalil, @​ytatsuno, @​sidharthv96, @​github-actions[bot], @​dripcoding, @​knsv-bot, @​jeroensmink98, @​Alex9583, @​GhassenS, @​omkarht, @​darshanr0107, @​leentaylor, @​lee-treehouse, @​veeceey, @​turntrout, @​Mermaid-Chart, @​BambioGaming, Claude

Releases

@​mermaid-js/examples@​1.2.0

Minor Changes

• #​7526 efe218a - add new TreeView diagram

mermaid@​11.14.0

Minor Changes

• #​7526 efe218a - Add Wardley Maps diagram type (beta)

  Adds Wardley Maps as a new diagram type to Mermaid (available as wardley-beta). Wardley Maps are visual representations of business strategy that help map value chains and component evolution.

  Features:

  • Component positioning with [visibility, evolution] coordinates (OWM format)
  • Anchors for users/customers
  • Multiple link types: dependencies, flows, labeled links
  • Evolution arrows and trend indicators
  • Custom evolution stages with optional dual labels
  • Custom stage widths using @​boundary notation
  • Pipeline components with visibility inheritance
  • Annotations, notes, and visual elements
  • Source strategy markers: build, buy, outsource, market
  • Inertia indicators
  • Theme integration

  Implementation includes parser, D3.js renderer, unit tests, E2E tests, and comprehensive documentation.

• #​7526 efe218a - feat: implement neo look styling for state diagrams

• #​7526 efe218a - feat: implement neo look support for sequence diagrams with drop shadows, and enhanced styling

• #​7526 efe218a - feat: add randomize config option for architecture diagrams, defaulting to false for deterministic layout

• #​7526 efe218a - feat: Add option to change timeline direction

• #​7526 efe218a - Fix duplicate SVG element IDs when rendering multiple diagrams on the same page. Internal element IDs (nodes, edges, markers, clusters) are now prefixed with the diagram's SVG element ID across all diagram types. Custom CSS or JS using exact ID selectors like #arrowhead should use attribute-ending selectors like [id$="-arrowhead"] instead.

• #​7526 efe218a - feat: implement neo look styling for ER diagrams

• #​7526 efe218a - feat: implement neo look styling for requirement diagrams

• #​7526 efe218a - feat: add theme support for data label colour in xy chart

• #​7526 efe218a - feat: implement neo look styling for mindmap diagrams

• #​7526 efe218a - feat: implement neo look for mermaid flowchart diagrams

• #​7526 efe218a - feat: implement neo look and themes for class diagram

• #​7526 efe218a - feat: add showDataLabelOutsideBar option for xy chart

• #​7526 efe218a - feat: implement neo look support for timeline diagram with drop shadows, additoinal redux themes and enhanced styling

• #​7526 efe218a - feat: implement neo look and themes for gitGraph diagram

• #​7526 efe218a - add new TreeView diagram

Patch Changes

• #​7526 efe218a - add link to ishikawa diagram on mermaid.js.org

• #​7526 efe218a - docs: document valid duration token formats in gantt.md

• #​7526 efe218a - fix: ER diagram parsing when using "1" as entity identifier on right side

  The parser was incorrectly tokenizing the second "1" in patterns like a many to 1 1: because the lookahead rule only checked for alphabetic characters after whitespace, not digits. Added a new lookahead pattern "1"(?=\s+[0-9]) to correctly identify the cardinality alias before a numeric entity name.

  Fixes #​7472

• #​7526 efe218a - fix: scope cytoscape label style mapping to edges with labels to prevent console warnings

• #​7526 efe218a - fix: support inline annotation syntax in class diagrams (class Shape <>)

• #​7526 efe218a - fix: Align branch label background with text for multi-line labels in LR GitGraph layout

• #​7526 efe218a - fix: preserve cause hierarchy when ishikawa effect is indented more than causes

• #​7526 efe218a - refactor: remove unused createGraphWithElements function and add regression test for open edge arrowheads

• #​7526 efe218a - fix: Prevent long pie chart titles from being clipped by expanding the viewBox

• #​7526 efe218a - fix: prevent sequence diagram hang when "as" is used without a trailing space in participant declarations

• #​7526 efe218a - fix: warn when style statement targets a non-existent node in flowcharts

• #​7526 efe218a - fix: group state diagram SVG children under single root element

• #​7526 efe218a - fix: Allow :::className syntax inside composite state blocks

• #​7526 efe218a Thanks @​aloisklink, @​BambioGaming! - fix: prevent escaping < and & when htmlLabels: false

• #​7526 efe218a - fix: treemap title and labels use theme-aware colors for dark backgrounds

• Updated dependencies [efe218a]:

  • @​mermaid-js/parser@​1.1.0

@​mermaid-js/parser@​1.1.0

Minor Changes

• #​7526 efe218a - add new TreeView diagram

@​mermaid-js/tiny@​11.14.0

Minor Changes

• #​7526 efe218a - Add Wardley Maps diagram type (beta)

  Adds Wardley Maps as a new diagram type to Mermaid (available as wardley-beta). Wardley Maps are visual representations of business strategy that help map value chains and component evolution.

  Features:

  • Component positioning with [visibility, evolution] coordinates (OWM format)
  • Anchors for users/customers
  • Multiple link types: dependencies, flows, labeled links
  • Evolution arrows and trend indicators
  • Custom evolution stages with optional dual labels
  • Custom stage widths using @​boundary notation
  • Pipeline components with visibility inheritance
  • Annotations, notes, and visual elements
  • Source strategy markers: build, buy, outsource, market
  • Inertia indicators
  • Theme integration

  Implementation includes parser, D3.js renderer, unit tests, E2E tests, and comprehensive documentation.

• #​7526 efe218a - feat: implement neo look styling for state diagrams

• #​7526 efe218a - feat: implement neo look support for sequence diagrams with drop shadows, and enhanced styling

• #​7526 efe218a - feat: add randomize config option for architecture diagrams, defaulting to false for deterministic layout

• #​7526 efe218a - feat: Add option to change timeline direction

• #​7526 efe218a - Fix duplicate SVG element IDs when rendering multiple diagrams on the same page. Internal element IDs (nodes, edges, markers, clusters) are now prefixed with the diagram's SVG element ID across all diagram types. Custom CSS or JS using exact ID selectors like #arrowhead should use attribute-ending selectors like [id$="-arrowhead"] instead.

• #​7526 efe218a - feat: implement neo look styling for ER diagrams

• #​7526 efe218a - feat: implement neo look styling for requirement diagrams

• #​7526 efe218a - feat: add theme support for data label colour in xy chart

• #​7526 efe218a - feat: implement neo look styling for mindmap diagrams

• #​7526 efe218a - feat: implement neo look for mermaid flowchart diagrams

• #​7526 efe218a - feat: implement neo look and themes for class diagram

• #​7526 efe218a - feat: add showDataLabelOutsideBar option for xy chart

• #​7526 efe218a - feat: implement neo look support for timeline diagram with drop shadows, additoinal redux themes and enhanced styling

• #​7526 efe218a - feat: implement neo look and themes for gitGraph diagram

• #​7526 efe218a - add new TreeView diagram

Patch Changes

• #​7526 efe218a - add link to ishikawa diagram on mermaid.js.org

• #​7526 efe218a - docs: document valid duration token formats in gantt.md

• #​7526 efe218a - fix: ER diagram parsing when using "1" as entity identifier on right side

  The parser was incorrectly tokenizing the second "1" in patterns like a many to 1 1: because the lookahead rule only checked for alphabetic characters after whitespace, not digits. Added a new lookahead pattern "1"(?=\s+[0-9]) to correctly identify the cardinality alias before a numeric entity name.

  Fixes #​7472

• #​7526 efe218a - fix: scope cytoscape label style mapping to edges with labels to prevent console warnings

• #​7526 efe218a - fix: support inline annotation syntax in class diagrams (class Shape <>)

• #​7526 efe218a - fix: Align branch label background with text for multi-line labels in LR GitGraph layout

• #​7526 efe218a - fix: preserve cause hierarchy when ishikawa effect is indented more than causes

• #​7526 efe218a - refactor: remove unused createGraphWithElements function and add regression test for open edge arrowheads

• #​7526 efe218a - fix: Prevent long pie chart titles from being clipped by expanding the viewBox

• #​7526 efe218a - fix: prevent sequence diagram hang when "as" is used without a trailing space in participant declarations

• #​7526 efe218a - fix: warn when style statement targets a non-existent node in flowcharts

• #​7526 efe218a - fix: group state diagram SVG children under single root element

• #​7526 efe218a - fix: Allow :::className syntax inside composite state blocks

• #​7526 efe218a Thanks @​aloisklink, @​BambioGaming! - fix: prevent escaping < and & when htmlLabels: false

• #​7526 efe218a - fix: treemap title and labels use theme-aware colors for dark backgrounds

• Updated dependencies [efe218a]:

  • @​mermaid-js/parser@​1.1.0

v11.13.0

Compare Source

Minor Changes

• #​7352 d6db0b0 Thanks @​remcohaszing! - feat: Export the AsyncIconLoader, SyncIconLoader, and IconLoader types.

• #​5932 cdacb0b Thanks @​exoego! - feat: Add venn-beta diagram

• #​6789 73e9849 Thanks @​omkarht! - feat: Add half-arrowheads (solid & stick) and central connection support

• #​7387 acce4db Thanks @​exoego! - feat: Add Ishikawa diagram (ishikawa-beta)

• #​6995 9745f32 Thanks @​darshanr0107! - feat: Deprecate flowchart.htmlLabels in favor of root-level htmlLabels in Mermaid config

• #​5814 2dd29be Thanks @​kairi003! - feat: allow to put notes in namespaces on classDiagram

Patch Changes

• #​7075 96a766d Thanks @​darshanr0107! - fix: Prevent HTML tags from being escaped in sandbox label rendering

• #​6843 32723b2 Thanks @​saurabhg772244! - fix: Support edge animation in hand drawn look

• #​7453 a60e615 Thanks @​darshanr0107! - fix: ER diagram edge label positioning

• #​6989 1a9d45a Thanks @​darshanr0107! - fix: Resolved parsing error where direction TD was not recognized within subgraphs

• #​7178 96ca7c0 Thanks @​omkarht! - fix(treemap): Fixed treemap classDef style application to properly apply user-defined styles

• #​7076 60f6331 Thanks @​darshanr0107! - fix: Correct viewBox casing and make SVGs responsive

• #​7055 fa15ce8 Thanks @​darshanr0107! - fix: Improve participant parsing and prevent recursive loops on invalid syntax

• #​7276 33c7c72 Thanks @​darshanr0107! - fix: respect markdownAutoWrap: false to prevent text auto-wrapping in flowchart markdown labels with htmlLabels enabled.

  Markdown labels with markdownAutoWrap: false, htmlLabels: false set doesn't work
  correctly.

• #​7416 3c069b5 Thanks @​Crafter-Y! - fix: architecture diagram lines should now have the correct length

• #​6995 9745f32 Thanks @​darshanr0107! - fix: Support the htmlLabels Mermaid config value whenever possible

• #​7293 a408b55 Thanks @​darshanr0107! - fix: Prevent browser hang when using multiline accDescr in XY charts

• #​6119 712c1ec Thanks @​NealGooch! - fix: correct block positioning when nested blocks span multiple columns

• #​7424 981a62e Thanks @​knsv! - fix: correct BT orientation arc sweep flags in gitGraph drawArrow()

  Swapped SVG arc sweep-flag values in the BT (bottom-to-top) orientation branches of drawArrow() so curves bend in the correct direction. Affects both rerouting and non-rerouting code paths for merge and non-merge arrows.

  Resolves #​6593

• #​7430 a4bb0b5 Thanks @​knsv! - fix: allow colons in stateDiagram-v2 transition and state description text

• #​7432 b0f9d5b Thanks @​knsv! - fix: derive taskTextDarkColor from doneTaskBkgColor in dark theme for readable done-task text

• #​7456 981fbb8 Thanks @​knsv-bot! - fix(gantt): restore readable outside-text color for done tasks in dark mode

• #​7139 93aa657 Thanks @​omkarht! - revert: restore original hexagon and roundedRect implementations

• #​7136 6bc6617 Thanks @​omkarht! - feat: add alias support for new participant syntax of sequence diagrams

• #​7375 9d0669a Thanks @​kaigritun! - fix(er): recognize '1' cardinality alias before relationship operators

• #​7275 7eed6a1 Thanks @​darshanr0107! - fix: change createLabel to call createText

  This adds support for KaTeX and FontAwesome icons loaded via iconpacks in some
  older labels. There are some small changes in formatting due to standardizing this code.

• #​7265 2000680 Thanks @​omkarht! - fix: prevent unintended opacity on SVG aws icons containing rect elements

• #​7139 [b7c66a2](https://r

✂ Note

PR body was truncated to here.