Security
The Mermaid team takes the security of Mermaid, and of the applications that embed it, seriously. This page describes how to report any vulnerability you may find, and lists best practices that minimize the risk of introducing one.
Reporting vulnerabilities
To report a vulnerability, e-mail security@mermaid.live with a description of the issue, the steps you took to reproduce it, the affected versions and, if known, mitigations for the issue.
We aim to reply within three working days, and usually much sooner.
You should expect close collaboration as we work to resolve the issue you have reported. Please contact security@mermaid.live again if you do not receive prompt attention and regular updates.
You may also reach the team via our public Discord chat channels; however, make sure you still e-mail security@mermaid.live when reporting an issue, and avoid revealing details about a vulnerability in public, as that could put users at risk.
Best practices
Keep current with the latest Mermaid releases. We update Mermaid regularly, and these updates may fix security defects found in earlier versions. Check the Mermaid release notes for security-related updates.
Keep your application's dependencies up to date. Upgrade your package dependencies regularly. Avoid pinning dependencies to specific versions; if you must pin, check periodically whether the pinned dependencies have received security updates and move the pin forward accordingly.
Configuring DOMPurify
By default, Mermaid uses a baseline DOMPurify configuration to sanitize the diagram output. You can override the options passed to DOMPurify by adding a dompurifyConfig key to the Mermaid options. Options that widen what DOMPurify allows (for example ADD_TAGS or ADD_ATTR) reduce the protection the baseline gives you, and options that narrow it can strip markup Mermaid needs and break the rendered output, so use this setting with caution and review any override as a security change.
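The following is an added example, not code from the Mermaid project, showing one way an application can expose dompurifyConfig to its own configuration without silently loosening sanitization. It assumes only what the page states (mermaid.initialize() accepts a dompurifyConfig key) plus the documented DOMPurify option names; the split of those names into "loosening" and "tightening" sets, the buildMermaidOptions and initMermaid helpers and the allowLoosening flag are this example's own design, not a Mermaid or DOMPurify API.

```javascript
// Added example (not Mermaid's own code). Builds the options object passed to
// mermaid.initialize() so that a dompurifyConfig override is rejected unless it
// only removes markup, or unless the caller explicitly opts into loosening.
// Assumption: DOMPurify honours the option names below (they are documented),
// but the loosening/tightening classification is ours, not DOMPurify's.

// DOMPurify options that widen what survives sanitisation, or that replace the
// baseline allowlist outright. Any of these in dompurifyConfig can re-open
// script-injection surface that the baseline configuration closed.
const LOOSENING_KEYS = new Set([
  'ADD_TAGS', 'ADD_ATTR', 'ADD_URI_SAFE_ATTR', 'ADD_DATA_URI_TAGS',
  'ALLOW_UNKNOWN_PROTOCOLS',
  // These replace the default lists rather than extend them, so they need the
  // same review as an explicit loosening.
  'ALLOWED_TAGS', 'ALLOWED_ATTR', 'ALLOWED_URI_REGEXP',
]);

// Options that only remove tags or attributes. Safe to layer on the baseline
// from a sanitisation standpoint, though they can still break Mermaid's SVG
// (forbidding <style>, for instance, strips the diagram's CSS).
const TIGHTENING_KEYS = new Set(['FORBID_TAGS', 'FORBID_ATTR']);

// Returns the Mermaid options object, or throws if the override is not one
// this application has reviewed. `allowLoosening` is a hypothetical flag that
// an operator sets only after a security review of the specific override.
function buildMermaidOptions(dompurifyOverrides = {}, { allowLoosening = false } = {}) {
  for (const key of Object.keys(dompurifyOverrides)) {
    if (LOOSENING_KEYS.has(key)) {
      if (!allowLoosening) {
        throw new Error(
          `dompurifyConfig.${key} loosens DOMPurify's baseline; refusing without allowLoosening`,
        );
      }
      continue;
    }
    if (!TIGHTENING_KEYS.has(key)) {
      throw new Error(`dompurifyConfig.${key} is not in the reviewed DOMPurify option set`);
    }
  }
  return {
    startOnLoad: false,
    // Keep Mermaid's strict security level; dompurifyConfig is an extra layer,
    // not a substitute for it.
    securityLevel: 'strict',
    dompurifyConfig: { ...dompurifyOverrides },
  };
}

// Browser-side entry point. Loads Mermaid only here, so the policy above can be
// unit-tested without the library installed. `mermaid` is assumed to be an
// installed package exposing the documented initialize() function.
async function initMermaid(dompurifyOverrides, policy) {
  const { default: mermaid } = await import('mermaid');
  mermaid.initialize(buildMermaidOptions(dompurifyOverrides, policy));
}

// Constructed sample overrides for illustration:
//   - tighteningOnly removes embedding elements Mermaid never needs.
//   - widensAllowlist re-enables the `target` attribute on links, which the
//     baseline strips; it is rejected unless allowLoosening is set.
const tighteningOnly = { FORBID_TAGS: ['iframe', 'object', 'embed'] };
const widensAllowlist = { ADD_ATTR: ['target'] };
```

A practical pattern is to call buildMermaidOptions at startup with the overrides read from your application's configuration, so a loosening override fails loudly in CI or on boot instead of quietly shipping a wider DOMPurify allowlist; initMermaid is what the page itself would call in the browser.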