Security
The Mermaid team takes the security of Mermaid and of the applications that use Mermaid seriously. This page describes how to report any vulnerabilities you may find, and lists best practices that minimize the risk of introducing a vulnerability.
Reporting vulnerabilities
To report a vulnerability, please e-mail security@mermaid.live with a description of the issue, the steps you took to reproduce it, the affected versions, and, if known, mitigations for the issue.
We aim to reply within three working days, and usually much sooner.
You should expect close collaboration as we work to resolve the issue you have reported. Please reach out to security@mermaid.live again if you do not receive prompt attention and regular updates.
You may also reach out to the team via our public Discord chat channels; however, when reporting an issue, please make sure to e-mail security@mermaid.live, and avoid revealing information about vulnerabilities in public, as that could put users at risk.
Best practices
Keep current with the latest Mermaid releases. We update Mermaid regularly, and these updates may fix security defects discovered in previous versions. Check the Mermaid release notes for security-related updates.
Keep your application's dependencies up to date. Upgrade your package dependencies regularly. Avoid pinning dependencies to specific versions; if you do pin (for example through a lockfile), check periodically whether the pinned dependencies have had security updates, and move the pin forward accordingly.
Configuring DOMPurify
By default, Mermaid uses a baseline DOMPurify configuration. You can override the options passed to DOMPurify by adding a dompurifyConfig key to the Mermaid options. An override that loosens the configuration weakens the sanitization DOMPurify applies to rendered diagram content, and any change can break Mermaid's output, so use this with caution.
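The following is an added example, not code from Mermaid or DOMPurify, of how an application might build its Mermaid options with a dompurifyConfig override while refusing overrides that re-enable what DOMPurify exists to strip. The DOMPurify option names it inspects (ADD_TAGS, ADD_ATTR, ALLOWED_TAGS, ALLOWED_ATTR) are taken from DOMPurify's API and are not described on this page; the ADD_ATTR: ['target'] override, the startOnLoad option and the mermaid.initialize call are assumptions about a deployment, and the block runs without either library installed.

```javascript
// Added example: guard a Mermaid dompurifyConfig override before passing it
// to mermaid.initialize(). Not part of Mermaid or DOMPurify.

// Elements that must never be re-allowed in diagram output rendered into a
// page: each gives the diagram author script execution or the ability to
// embed or redirect to foreign content.
const DANGEROUS_TAGS = new Set(['script', 'iframe', 'object', 'embed', 'base', 'form']);

// Inline event handlers (onload, onerror, ...) are script execution too.
const isEventHandler = (name) => /^on/i.test(String(name));

// Inspect a candidate dompurifyConfig (DOMPurify option names assumed from
// its API). Returns hard errors (never allow) and warnings (review by hand).
function findUnsafeOverrides(dompurifyConfig) {
  const errors = [];
  const warnings = [];
  if (!dompurifyConfig || typeof dompurifyConfig !== 'object') {
    return { errors, warnings };
  }
  // ADD_TAGS widens DOMPurify's allow-list; DOMPurify lowercases tag names,
  // so compare case-insensitively.
  for (const tag of dompurifyConfig.ADD_TAGS ?? []) {
    if (DANGEROUS_TAGS.has(String(tag).toLowerCase())) {
      errors.push(`ADD_TAGS re-allows <${tag}>`);
    }
  }
  // ADD_ATTR widens the attribute allow-list.
  for (const attr of dompurifyConfig.ADD_ATTR ?? []) {
    if (isEventHandler(attr)) {
      errors.push(`ADD_ATTR re-allows event handler "${attr}"`);
    }
  }
  // ALLOWED_TAGS / ALLOWED_ATTR replace the default allow-list wholesale
  // rather than extending it, so they always deserve a manual review.
  for (const key of ['ALLOWED_TAGS', 'ALLOWED_ATTR']) {
    if (Object.prototype.hasOwnProperty.call(dompurifyConfig, key)) {
      warnings.push(`${key} replaces DOMPurify's default allow-list; review it`);
    }
  }
  return { errors, warnings };
}

// Merge a vetted dompurifyConfig into the base Mermaid options. Throws on
// hard errors so a dangerous override cannot reach mermaid.initialize().
function buildMermaidConfig(baseOptions, dompurifyConfig) {
  const { errors, warnings } = findUnsafeOverrides(dompurifyConfig);
  if (errors.length > 0) {
    throw new Error('Refusing dompurifyConfig override: ' + errors.join('; '));
  }
  const config = dompurifyConfig
    ? { ...baseOptions, dompurifyConfig }
    : { ...baseOptions };
  return { config, warnings };
}

// Usage (assumed deployment): allowing a target attribute on links is a
// narrow widening; re-allowing <script> is not.
const base = { startOnLoad: false };
const vetted = buildMermaidConfig(base, { ADD_ATTR: ['target'] });
// In a real page: mermaid.initialize(vetted.config);

try {
  buildMermaidConfig(base, { ADD_TAGS: ['script'], ADD_ATTR: ['onload'] });
} catch (e) {
  // Expected: the override is rejected before it reaches Mermaid.
}
```

The guard is deliberately narrow: it rejects only overrides that re-enable script execution or embedding, and flags wholesale allow-list replacements for review, so legitimate output-affecting tweaks still pass and Mermaid's own behaviour is unchanged.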