
WIP - Bump mermaid-js to 9.4.0 #31243

Closed

benedekh

Update mermaid-js to 9.4.0, because all versions between 9.1.1 and 9.3.0 use moment-js 2.24.0 as a transitive dependency. moment-js 2.24.0 has two vulnerabilities with CVE identifiers: CVE-2022-31129 and CVE-2022-24785. Both of them have HIGH severity. Luckily, they have been fixed in moment-js 2.29.4, and mermaid-js 9.4.0 depends on this fixed version.

Therefore, I would like to propose a version update for mermaid-js.

Without this update, quarkus-vertx-http-deployment can get marked as a vulnerable library by a dependency checking tool. That is because mermaid-js is packed inside quarkus-vertx-http-deployment.
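The transitive chain described above (artifact -> mermaid-js -> moment-js) is the kind of thing a dependency checker flags. As an added illustration that is not part of this PR or of Quarkus, the following walks a constructed dependency tree and reports every path that ends in a moment-js version below the fixed 2.29.4; the tree shape, the `deps` key and the artifact version strings are assumptions, the version numbers come from the PR description.

```python
# Added example, not Quarkus code. Walks an assumed dependency-tree shape
# and flags paths that reach moment-js older than the fixed 2.29.4.

MOMENT_FIXED = (2, 29, 4)  # version that fixes CVE-2022-31129 / CVE-2022-24785


def parse_version(v: str) -> tuple:
    """Turn '2.24.0' into (2, 24, 0); a pre-release suffix like '-beta' is ignored."""
    core = v.split("-", 1)[0]
    return tuple(int(p) for p in core.split("."))


def find_vulnerable_moment(node: dict, path=()) -> list:
    """Return every dependency path ending in a moment-js below MOMENT_FIXED.

    `node` has the assumed shape {"name": str, "version": str, "deps": [node, ...]}.
    The npm package name is "moment" (the PR text calls it moment-js).
    """
    here = path + (f"{node['name']}@{node['version']}",)
    hits = []
    if node["name"] == "moment" and parse_version(node["version"]) < MOMENT_FIXED:
        hits.append(" -> ".join(here))
    for dep in node.get("deps", []):
        hits.extend(find_vulnerable_moment(dep, here))
    return hits


# Constructed trees mirroring the PR: mermaid 9.3.0 pulls in moment 2.24.0,
# mermaid 9.4.0 pulls in the fixed 2.29.4. "2.16.x" is a placeholder version.
BEFORE = {"name": "quarkus-vertx-http-deployment", "version": "2.16.x",
          "deps": [{"name": "mermaid", "version": "9.3.0",
                    "deps": [{"name": "moment", "version": "2.24.0", "deps": []}]}]}
AFTER = {"name": "quarkus-vertx-http-deployment", "version": "2.16.x",
         "deps": [{"name": "mermaid", "version": "9.4.0",
                   "deps": [{"name": "moment", "version": "2.29.4", "deps": []}]}]}

if __name__ == "__main__":
    for label, tree in (("before bump", BEFORE), ("after bump", AFTER)):
        print(label, find_vulnerable_moment(tree) or "no vulnerable moment-js found")
```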

@quarkus-bot

quarkus-bot bot commented Feb 17, 2023

Thanks for your pull request!

The title of your pull request does not follow our editorial rules. Could you have a look?

  • title should preferably start with an uppercase character (if it makes sense!)

This message is automatically generated by a bot.

@quarkus-bot quarkus-bot bot added the area/dependencies Pull requests that update a dependency file label Feb 17, 2023
@benedekh benedekh changed the title [WIP] Bump mermaid-js to 9.4.0 WIP - Bump mermaid-js to 9.4.0 Feb 17, 2023
@gsmet
Member

gsmet commented Feb 17, 2023

@benedekh thanks but Dependabot beat you to it: #31234 :)

Thanks for providing the context though. I will mark the Dependabot PR for backport.

@gsmet gsmet closed this Feb 17, 2023
@quarkus-bot quarkus-bot bot added the triage/invalid This doesn't seem right label Feb 17, 2023
@benedekh
Author

@gsmet: Thank you for the quick feedback. It seems version bumps are moving fast. :)

Could you give me an estimate of when a new version of the 2.16 series will be released that contains this bump?

@gsmet
Member

gsmet commented Feb 17, 2023

Given this is a dev mode only dependency, I don't feel the urgency to release something.

I released 2.16.3.Final yesterday (still to be announced) so maybe next week if something pressing pops up but most probably the week after that.

@benedekh
Author

benedekh commented Feb 28, 2023

@gsmet: I would not like to hurry things, but is there an ETA for the new patch release this week?

Update: Thank you for the release! https://github.com/quarkusio/quarkus/releases/tag/2.16.4.Final
