build(deps): bump @excalidraw/excalidraw from 0.18.0 to 0.18.1 by dependabot[bot] · Pull Request #4329 · ever-co/ever-teams

dependabot · 2026-04-24T20:43:10Z

Bumps @excalidraw/excalidraw from 0.18.0 to 0.18.1.

Release notes

Sourced from @excalidraw/excalidraw's releases.

v0.18.1

Security patch release for @excalidraw/excalidraw@0.18.x, addressing upstream Mermaid XSS vulnerability CVE-2025-54881 / GHSA-7rqq-prvp-x9jh.

Backports Mermaid XSS mitigation by updating @excalidraw/mermaid-to-excalidraw to 2.2.2

Pins @types/d3-dispatch for compatibility with the 0.18.x TypeScript version

Commits

a2ec288 fix: backport mermaid xss fix to 0.18.1
See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
You can disable automated security fix PRs for this repo from the Security Alerts page.

Summary by cubic

Upgrade @excalidraw/excalidraw to 0.18.1 to patch the upstream Mermaid XSS vulnerability (CVE-2025-54881). This mitigates XSS risks when rendering Mermaid diagrams; only the lockfile changed.

Dependencies
- Bumped @excalidraw/excalidraw to 0.18.1.
- Pulls @excalidraw/mermaid-to-excalidraw@2.2.2 with the Mermaid XSS fix.
- Pins @types/d3-dispatch for 0.18.x TypeScript compatibility.

^{Written for commit ba66d6f. Summary will update on new commits.}

Bumps [@excalidraw/excalidraw](https://github.com/excalidraw/excalidraw) from 0.18.0 to 0.18.1. - [Release notes](https://github.com/excalidraw/excalidraw/releases) - [Commits](excalidraw/excalidraw@v0.18.0...v0.18.1) --- updated-dependencies: - dependency-name: "@excalidraw/excalidraw" dependency-version: 0.18.1 dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com>

cla-assistant · 2026-04-24T20:43:24Z

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
_{You have signed the CLA already but the status is still pending? Let us recheck it.}

cla-assistant · 2026-04-24T20:43:25Z

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
_{You have signed the CLA already but the status is still pending? Let us recheck it.}

socket-security · 2026-04-24T20:44:48Z

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Quality
	@types/cookie@1.0.0
	@cypress/browserify-preprocessor@3.0.2
	electron@38.8.4
	@radix-ui/react-slot@1.2.4
	@jitsu/jitsu-react@1.10.4
	@ai-sdk/openai@1.3.24
	@typescript-eslint/parser@8.32.1 ⏵ 8.56.1
	@emoji-mart/react@1.1.1
	@commitlint/travis-cli@20.4.2
	@commitlint/cli@20.4.2
	@atlaskit/pragmatic-drag-and-drop-hitbox@1.1.0
	@emoji-mart/data@1.2.1
	@cucumber/cucumber-expressions@19.0.0
	@hapi/shot@6.0.1 ⏵ 6.0.2	⁺¹	⁺¹
	@ai-sdk/react@1.2.12
	@blueprintjs/popover2@2.1.32
	@cucumber/gherkin@38.0.0
	@atlaskit/pragmatic-drag-and-drop@1.7.8
	@excalidraw/excalidraw@0.18.1
	pako@2.1.0
	@typescript-eslint/eslint-plugin@8.32.1 ⏵ 8.56.1	⁺¹	⁺¹
	nanoid@5.1.6
	marked@17.0.3
	@fullcalendar/list@6.1.20
	@commitlint/config-lerna-scopes@20.4.0
	@blueprintjs/core@6.9.1
	cross-env@7.0.3
	@hello-pangea/dnd@18.0.1
	eslint-plugin-promise@7.2.1
	@electron/notarize@2.5.0
	@fullcalendar/daygrid@6.1.20
	@fullcalendar/timegrid@6.1.20
	@electron/rebuild@3.7.2
See 26 more rows in the dashboard

View full report

socket-security · 2026-04-24T20:44:50Z

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert (click "▶" to expand/collapse)
Warn		HTTP dependency: npm `@electron/rebuild` depends on https://github.com/electron/node-gyp#06b29aafb7708acef8b3669835c8a7857ebc92d2 Dependency: @electron/node-gyp @https://github.com/electron/node-gyp#06b29aafb7708acef8b3669835c8a7857ebc92d2 Location: Package overview From: apps/server-web/package.json → `npm/@electron/rebuild@3.7.2` ℹ Read more on: This package \| This alert \| What are http dependencies? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Publish the HTTP URL dependency to a public or private package repository and consume it from there. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/@electron/rebuild@3.7.2`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Potentially malicious package (AI signal): npm `@google-recaptcha/core` is 60.0% likely malicious Notes: This module provides a targeted utility to disable Google reCAPTCHA by removing relevant scripts and clearing the grecaptcha config. While it may be used for legitimate testing or automation, it also enables circumvention of bot protections, representing a potential security risk if misused. It does not exfiltrate data or execute remote commands but undermines a client-side security control. Confidence: 0.60 Severity: 0.90 From: `?` → `npm/@google-recaptcha/react@2.4.0` → `npm/@google-recaptcha/core@1.1.2` ℹ Read more on: This package \| This alert \| What is AI-detected potential malware? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Given the AI system's identification of this package as malware, extreme caution is advised. It is recommended to avoid downloading or installing this package until the threat is confirmed or flagged as a false positive. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/@google-recaptcha/core@1.1.2`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: npm `@jitsu/js` is 91.0% likely obfuscated Confidence: 0.91 Location: Package overview From: `?` → `npm/@jitsu/jitsu-react@1.10.4` → `npm/@jitsu/js@1.10.4` ℹ Read more on: This package \| This alert \| What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at `support@socket.dev`. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment `@SocketSecurity ignore npm/@jitsu/js@1.10.4`. You can also ignore all packages with `@SocketSecurity ignore-all`. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

codacy-production · 2026-04-24T20:44:53Z

Not up to standards ⛔

🔴 Issues 1 high · 2 medium

Alerts:
⚠ 3 issues (≤ 0 issues of at least minor severity)

Results:
3 new issues

Category Results

Security 2 medium
1 high

View in Codacy

🟢 Metrics 0 complexity · 0 duplication

Metric Results

Complexity 0

Duplication 0

View in Codacy

_{NEW Get contextual insights on your PRs based on Codacy's metrics, along with PR and Jira context, without leaving GitHub. Enable AI reviewer}
_{TIP This summary will be updated as you push new changes.}

sonarqubecloud · 2026-04-24T20:44:54Z

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

cubic-dev-ai

No issues found across 1 file

dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Apr 24, 2026

Copilot AI review requested due to automatic review settings April 24, 2026 20:43

dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Apr 24, 2026

dependabot Bot review requested due to automatic review settings April 24, 2026 20:43

cubic-dev-ai Bot reviewed Apr 24, 2026

View reviewed changes

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

build(deps): bump @excalidraw/excalidraw from 0.18.0 to 0.18.1#4329

build(deps): bump @excalidraw/excalidraw from 0.18.0 to 0.18.1#4329
dependabot[bot] wants to merge 1 commit into
developfrom
dependabot/npm_and_yarn/excalidraw/excalidraw-0.18.1

dependabot Bot commented on behalf of github Apr 24, 2026 •

edited by cubic-dev-ai Bot

Loading

Uh oh!

cla-assistant Bot commented Apr 24, 2026

Uh oh!

cla-assistant Bot commented Apr 24, 2026

Uh oh!

socket-security Bot commented Apr 24, 2026

Uh oh!

socket-security Bot commented Apr 24, 2026

Uh oh!

codacy-production Bot commented Apr 24, 2026

Uh oh!

sonarqubecloud Bot commented Apr 24, 2026

Uh oh!

cubic-dev-ai Bot left a comment

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Conversation

dependabot Bot commented on behalf of github Apr 24, 2026 • edited by cubic-dev-ai Bot Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

v0.18.1

Summary by cubic

Uh oh!

cla-assistant Bot commented Apr 24, 2026

Uh oh!

cla-assistant Bot commented Apr 24, 2026

Uh oh!

socket-security Bot commented Apr 24, 2026

Uh oh!

socket-security Bot commented Apr 24, 2026

Uh oh!

codacy-production Bot commented Apr 24, 2026

Not up to standards ⛔

Uh oh!

sonarqubecloud Bot commented Apr 24, 2026

Quality Gate passed

Uh oh!

cubic-dev-ai Bot left a comment

Choose a reason for hiding this comment

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

dependabot Bot commented on behalf of github Apr 24, 2026 •

edited by cubic-dev-ai Bot

Loading