build(deps): bump the npm_and_yarn group across 1 directory with 4 updates #834

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/npm_and_yarn/website/npm_and_yarn-d7bd4968c8

dependabot Bot (Contributor) commented on behalf of github Jun 25, 2026

Bumps the npm_and_yarn group with 4 updates in the /website directory: @babel/plugin-transform-modules-systemjs, dompurify, fast-uri and mermaid.

Updates @babel/plugin-transform-modules-systemjs from 7.29.0 to 7.29.7

Release notes

Sourced from @​babel/plugin-transform-modules-systemjs's releases.

v7.29.7 (2026-05-25)

Re-release all packages with npm provenance attestations

v7.29.6 (2026-05-25)

🐛 Bug Fix

Committers: 3

v7.29.5 (2026-05-05)

🏠 Internal

  • babel-preset-env
    • Update @babel/* dependencies

v7.29.4 (2026-05-05)

🐛 Bug Fix

  • babel-plugin-transform-modules-systemjs
    • #17974 [7.x backport]fix(systemjs): improve module string name support (@​JLHwung)

Committers: 1

v7.29.3 (2026-04-30)

👓 Spec Compliance

🐛 Bug Fix

  • babel-helper-create-class-features-plugin, babel-plugin-proposal-decorators
    • #17931 fix(decorators): replace super within all removed static elements (@​JLHwung)
  • babel-register
  • babel-compat-data, babel-plugin-bugfix-safari-rest-destructuring-rhs-array, babel-preset-env

💅 Polish

  • babel-parser

... (truncated)

Commits

Updates dompurify from 3.2.6 to 3.4.11

Release notes

Sourced from dompurify's releases.

DOMPurify 3.4.11

  • Fixed an issue with a leaky config for hooks via setConfig, thanks @​trace37labs
  • Bumped vulnerable development dependencies to arrive at plain 0 with npm audit
  • Updated the osv-scanner suppression list as no vulnerable dependencies are left for now
  • Updated the linting tool-chain and removed now-redundant lint directives
  • Updated the documentation in several spots, README, wiki, etc.
  • Bumped several dependencies where possible

DOMPurify 3.4.10

  • Refactored codebase for clarity: extracted the public type declarations into types.ts
  • Decomposed the three largest sanitizer functions into focused helpers
  • Removed duplicated defaults and dead branches, consolidated SAFE_FOR_TEMPLATES scrubbing into single shared path
  • Improved per-node performance by hoisting the mXSS probe regexes and testing textContent before innerHTML
  • Added a deterministic micro-benchmark harness (npm run bench) with a --compare mode
  • Reduced CI cost by running the full three-engine browser suite once per PR
  • Refreshed the demos/ folder so every demo runs again, and added a SVG-via-<img> demo
  • Documented the bench and test:happydom scripts in the README
  • Completed the Attack Classes & Bypass History wiki page
  • Bumped several dependencies where possible

DOMPurify 3.4.9

  • Further improved the handling of Trusted Types config options, thanks @​offset
  • Further improved the handling of IN_PLACE sanitization, thanks @​mozfreddyb
  • Added more test coverage for IN_PLACE and Trusted Types related usage
  • Bumped several dependencies where possible
  • Updated README and wiki with more accurate documentation & attack samples

DOMPurify 3.4.8

  • Cleaned up the repository root, renamed some and removed unneeded files
  • Fixed an issue with handling of Trusted Types policies, thanks @​fulstadev
  • Fixed the node iterator for better template scrubbing, thanks @​IamLeandrooooo
  • Included formerly missing LICENSE-MPL in published npm package, thanks @​asamuzaK
  • Bumped several dependencies where possible

DOMPurify 3.4.7

  • Hardened the handling of Shadow Roots when using IN_PLACE, thanks @​GameZoneHacker
  • Removed a problem leading to permanent hook pollution, thanks @​offset
  • Refactored the test suite and expanded test coverage significantly

DOMPurify 3.4.6

  • Fixed several issues with DOM Clobbering in IN_PLACE mode, thanks @​offset & @​Bankde
  • Hardened the checks for cross-realm IN_PLACE and Shadow DOM sanitization, thanks @​offset & @​Bankde
  • Added more test coverage for IN_PLACE and general DOM Clobbering attacks
  • Bumped several dependencies where possible

DOMPurify 3.4.5

  • Fixed a bypass caused by the new HTML element selectedcontent added in 3.4.4, thanks @​KabirAcharya

Note that this is a security release for an issue introduced in 3.4.4 and should be upgraded to immediately.

... (truncated)

Commits
Install script changes

This version adds prepare script that runs during installation. Review the package contents before updating.


Updates fast-uri from 3.0.6 to 3.1.2

Release notes

Sourced from fast-uri's releases.

v3.1.2

⚠️ Security Release

What's Changed

Full Changelog: fastify/fast-uri@v3.1.1...v3.1.2

v3.1.1

⚠️ Security Release

What's Changed

New Contributors

Full Changelog: fastify/fast-uri@v3.1.0...v3.1.1

v3.1.0

What's Changed

... (truncated)

Commits
  • 919dd8e Bumped v3.1.2
  • c65ba57 fixup: linting
  • 6c86c17 Merge commit from fork
  • a95158a Handle malformed fragment decoding without throwing (#171)
  • cea547c Bumped v3.1.1
  • 876ce79 Merge commit from fork
  • dcdf690 ci: add lock-threads workflow (#169)
  • c860e65 build(deps-dev): bump neostandard from 0.12.2 to 0.13.0 (#167)
  • 9b4c6dc build(deps): bump fastify/workflows/.github/workflows/plugins-ci.yml (#166)
  • 85d09a9 build(deps): bump fastify/workflows/.github/workflows/plugins-ci-package-mana...
  • Additional commits viewable in compare view

Updates mermaid from 11.12.2 to 11.16.0

Release notes

Sourced from mermaid's releases.

mermaid@11.16.0

Minor Changes

  • #7535 ea1c48f Thanks @​ragelink! - feat(cynefin): Adds the Cynefin framework as a new diagram type (beta) to Mermaid (available as cynefin-beta). The Cynefin framework, created by Dave Snowden, is a decision-making framework that categorizes problems into five complexity domains, widely used in agile, incident management, strategy, and organizational design.

  • #7721 f45cc2c Thanks @​notionparallax! - feat(treeView): add box-drawing character input support for treeView diagrams

  • #7550 f1f4d45 Thanks @​DominicBurkart! - feat(xychart): add per-point text labels for xychart line plots

  • #7527 b4d0442 Thanks @​notionparallax! - feat(treeView): Extends the existing treeView-beta diagram with features useful for representing file/directory structures.

  • #7793 a6f097d Thanks @​SSDWGG! - feat(er): support optional ER attribute types with a ? suffix

  • #7772 37f2e36 Thanks @​devareddy05! - feat(gantt): support multiple excludes / includes lines so long exclusion lists can be split into commented groups (#6270)

  • #7708 4e63e9d Thanks @​txmxthy! - feat(architecture): add align row|column {ids…} directive to architecture-beta diagrams so authors can declare horizontal or vertical alignment of services explicitly.

  • #7760 05223be Thanks @​ngdaniels! - feat(pie): Enhance Pie Chart - Enable donut chart, Set legend position, and highlight slice

  • #7251 216e4e9 Thanks @​ydah! - feat(railroad): Add support for Railroad Diagrams (Syntax Diagrams) with four input syntaxes: IR (railroad-beta), EBNF (railroad-ebnf-beta), ABNF (railroad-abnf-beta), and PEG (railroad-peg-beta).

  • #7774 e5c75e6 Thanks @​ngdaniels! - feat(xychart): enable rotate label on X-axis

  • #7791 974fa7b Thanks @​knsv-bot! - feat(swimlane): add swimlane as a standalone diagram type with a dedicated layered orthogonal layout algorithm

Patch Changes

... (truncated)

Commits
  • 7c0cafc Version Packages: v11.16.0 (#7916)
  • 26acd1a Merge pull request #7915 from mermaid-js/release/11.16.0
  • 5a8eae7 Merge branch 'master' into release/11.16.0
  • dd5ea77 Merge pull request #7913 from mermaid-js/pebr/fix-changesets
  • 658ee66 docs: fix missing bumps of @mermaid-js/parser
  • 04259a1 docs: fix author and commit on examples changeset
  • c9dcfb1 docs: update changeset diagram scopes
  • a34dab9 docs: remove swimlane/cynefin bugfix changesets
  • e81f31f docs: remove local-editor changeset
  • 7223f03 Minor correction
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

You can disable automated security fix PRs for this repo from the Security Alerts page.

…dates

Bumps the npm_and_yarn group with 4 updates in the /website directory: [@babel/plugin-transform-modules-systemjs](https://github.com/babel/babel/tree/HEAD/packages/babel-plugin-transform-modules-systemjs), [dompurify](https://github.com/cure53/DOMPurify), [fast-uri](https://github.com/fastify/fast-uri) and [mermaid](https://github.com/mermaid-js/mermaid).


Updates `@babel/plugin-transform-modules-systemjs` from 7.29.0 to 7.29.7
- [Release notes](https://github.com/babel/babel/releases)
- [Changelog](https://github.com/babel/babel/blob/main/CHANGELOG.md)
- [Commits](https://github.com/babel/babel/commits/v7.29.7/packages/babel-plugin-transform-modules-systemjs)

Updates `dompurify` from 3.2.6 to 3.4.11
- [Release notes](https://github.com/cure53/DOMPurify/releases)
- [Commits](cure53/DOMPurify@3.2.6...3.4.11)

Updates `fast-uri` from 3.0.6 to 3.1.2
- [Release notes](https://github.com/fastify/fast-uri/releases)
- [Commits](fastify/fast-uri@v3.0.6...v3.1.2)

Updates `mermaid` from 11.12.2 to 11.16.0
- [Release notes](https://github.com/mermaid-js/mermaid/releases)
- [Commits](https://github.com/mermaid-js/mermaid/compare/mermaid@11.12.2...mermaid@11.16.0)

---
updated-dependencies:
- dependency-name: "@babel/plugin-transform-modules-systemjs"
  dependency-version: 7.29.7
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: dompurify
  dependency-version: 3.4.11
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: fast-uri
  dependency-version: 3.1.2
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: mermaid
  dependency-version: 11.16.0
  dependency-type: indirect
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <support@github.com>

dependabot Bot added the labels dependencies (Pull requests that update a dependency file) and javascript (Pull requests that update Javascript code) Jun 25, 2026