Mermaid CLI relies on headless browser rendering, so a hostile diagram is processed by a full Chromium instance. Harden the Node.js runtime, the Chromium execution, and the CI job's permissions.
- Run Mermaid CLI in containerized CI jobs.
- Avoid running as root.
- Apply seccomp/AppArmor profiles when available.
- Keep Chromium and Node.js patched.
- Use minimal browser launch flags and avoid disabling the Chromium sandbox (for example via `--no-sandbox`) where possible.
- Limit memory and CPU so that malicious or pathological inputs cannot exhaust the host.
- Pin the `@mermaid-js/mermaid-cli` version in lockfiles.
- Scan npm dependencies for known vulnerabilities.
- Rebuild images regularly.
- Review untrusted diagrams before rendering in privileged environments.
- Restrict output paths and artifact permissions.
- Avoid embedding internal secrets in diagrams.
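As an added example, not code from this page or from the mermaid-cli project, the POSIX shell script below applies several of the items above to one CI render: it writes a Puppeteer config (passed to `mmdc -p`) that leaves the Chromium sandbox on, refuses any config that turns it off, and builds the `docker run` line with a non-root user, dropped capabilities, a seccomp profile, resource limits, no network, and a restricted output mount. The image tag `mermaid-render:pinned`, the `./seccomp-chromium.json` profile, and the `./diagrams` and `./out` directories are assumptions.

```shell
#!/bin/sh
# Added example, not code from the page or from the mermaid-cli project.
# Assumed: an image tagged mermaid-render:pinned, built from a package-lock.json
# that pins @mermaid-js/mermaid-cli; a seccomp profile ./seccomp-chromium.json
# that still permits the user-namespace syscalls Chromium's own sandbox needs;
# diagrams under ./diagrams and rendered artifacts written to ./out.

# Write a Puppeteer config (mmdc -p) that leaves the Chromium sandbox on.
# "--no-sandbox" is the flag the page warns against: the sandbox is what
# confines the renderer process if a hostile diagram triggers a Chromium bug.
write_puppeteer_config() {
  cat > "$1" <<'EOF'
{ "args": ["--disable-dev-shm-usage"] }
EOF
}

# Return 0 only if the Puppeteer config does not disable the Chromium sandbox.
check_puppeteer_config() {
  if grep -Eq -- '--no-sandbox|--disable-setuid-sandbox' "$1"; then
    echo "refusing: $1 disables the Chromium sandbox" >&2
    return 1
  fi
}

# Print the docker command that renders one diagram with the hardening above:
# non-root uid, all capabilities dropped, no new privileges, seccomp, read-only
# root fs, memory/CPU/pid caps, no network, and only the input (read-only),
# output and config paths mounted. Printed rather than run so it can be reviewed.
render_cmd() {
  in="$1"; out="$2"
  printf 'docker run --rm --user 1000:1000 --cap-drop ALL'
  printf ' --security-opt no-new-privileges'
  printf ' --security-opt seccomp=%s' "$PWD/seccomp-chromium.json"
  printf ' --read-only --tmpfs /tmp:rw,noexec,nosuid,size=256m'
  printf ' --memory 512m --cpus 1 --pids-limit 256 --network none'
  printf ' -v %s:/work/in:ro -v %s:/work/out' "$PWD/diagrams" "$PWD/out"
  printf ' -v %s:/work/pc.json:ro mermaid-render:pinned' "$PWD/puppeteer-config.json"
  printf ' mmdc -p /work/pc.json -i /work/in/%s -o /work/out/%s\n' "$in" "$out"
}

main() {
  umask 077                      # rendered artifacts are not world-readable
  mkdir -p out
  write_puppeteer_config puppeteer-config.json
  check_puppeteer_config puppeteer-config.json || exit 1
  sh -c "$(render_cmd architecture.mmd architecture.svg)"
}
# Only render when explicitly asked, so sourcing this file for the checks is safe.
if [ "${MERMAID_HARDEN_RUN:-}" = 1 ]; then main; fi
```

Run with `MERMAID_HARDEN_RUN=1 sh render.sh` from the repository root; the seccomp profile must allow unprivileged user namespaces, otherwise Chromium's sandbox cannot start and the usual workaround is exactly the `--no-sandbox` flag this script rejects.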