mirror of
https://github.com/toeverything/AFFiNE.git
synced 2026-02-04 08:38:34 +00:00
chore: bump up mermaid version to v10.9.4 [SECURITY] (#13518)
This PR contains the following updates:

| Package | Change | Age | Confidence |
|---|---|---|---|
| [mermaid](https://redirect.github.com/mermaid-js/mermaid) | [`10.9.3` -> `10.9.4`](https://renovatebot.com/diffs/npm/mermaid/10.9.3/10.9.4) | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) |

### GitHub Vulnerability Alerts

#### [CVE-2025-54881](https://redirect.github.com/mermaid-js/mermaid/security/advisories/GHSA-7rqq-prvp-x9jh)

### Summary

In the default configuration of mermaid 11.9.0, user supplied input for sequence diagram labels is passed to `innerHTML` during calculation of element size, causing XSS.

### Details

Sequence diagram node labels with KaTeX delimiters are passed through `calculateMathMLDimensions`. This method passes the full label to `innerHTML`, which allows malicious users to inject arbitrary HTML and cause XSS when mermaid-js is used in its default configuration (with KaTeX support enabled).

The vulnerability lies here:

```ts
// renderKatex and MermaidConfig are mermaid's own; the advisory omits their imports.
export const calculateMathMLDimensions = async (text: string, config: MermaidConfig) => {
  // KaTeX typesets only the delimited math; the rest of the label passes through as-is.
  text = await renderKatex(text, config);
  const divElem = document.createElement('div');
  divElem.innerHTML = text; // XSS sink, text has not been sanitized.
  divElem.id = 'katex-temp';
  divElem.style.visibility = 'hidden';
  divElem.style.position = 'absolute';
  divElem.style.top = '0';
  // The element is attached to the live document so it can be measured, which is
  // the point at which any injected markup (and its event handlers) becomes active.
  const body = document.querySelector('body');
  body?.insertAdjacentElement('beforeend', divElem);
  const dim = { width: divElem.clientWidth, height: divElem.clientHeight };
  divElem.remove();
  return dim;
};
```

The `calculateMathMLDimensions` method was introduced in 5c69e5fdb004a6d0a2abe97e23d26e223a059832 two years ago, which was released in [Mermaid 10.9.0](https://redirect.github.com/mermaid-js/mermaid/releases/tag/v10.9.0).

### PoC

Render the following diagram and observe the modified DOM.

```
sequenceDiagram
    participant A as Alice<img src="x" onerror="document.write(`xss on ${document.domain}`)">$$\\text{Alice}$$
    A->>John: Hello John, how are you?
    Alice-)John: See you later!
```

Here is a PoC on mermaid.live: https://mermaid.live/edit#pako:eNpVUMtOwzAQ_BWzyoFKaRTyaFILiio4IK7ckA-1km1iKbaLY6spUf4dJ0AF68uOZ2dm7REqXSNQ6PHDoarwWfDGcMkUudaJGysqceLKkj3hPdl3osJ7IRvSm-qBwcCAaIXGaONRrSsnUdnobITF28PQ954lwXglai25UNNhxWAXBMyXxcGOi-3kL_5k79e73atuFSUv2HWazH1IWn0m3CC5aPf4b3p2WK--BW-4DJCOWzQ3TM0HQmiMqIFa4zAEicZv4iGMsw0D26JEBtS3NR656ywDpiYv869_11r-Ko12TQv0yLveI3eqfcjP111HUNVonrRTFuhdsVgAHWEAmuRxlG7SuEzKMi-yJAnhAjTLIk_EcbFJtuk2y9MphM8lM47KIp--AOZghtU

### Impact

XSS on all sites that use mermaid and render user supplied diagrams without further sanitization.

### Remediation

The value of the `text` argument for the `calculateMathMLDimensions` method needs to be sanitized before getting passed on to `innerHTML`.

---

### Release Notes

<details>
<summary>mermaid-js/mermaid (mermaid)</summary>

### [`v10.9.4`](https://redirect.github.com/mermaid-js/mermaid/releases/tag/v10.9.4)

[Compare Source](https://redirect.github.com/mermaid-js/mermaid/compare/v10.9.3...v10.9.4)

This release backports the fix for GHSA-7rqq-prvp-x9jh from [v11.10.0](https://redirect.github.com/mermaid-js/mermaid/releases/tag/mermaid%4011.10.0), preventing a potential XSS attack in labels in sequence diagrams.

See: [`9d68517`](9d685178d2) (on `main` branch)
See: [`7509b06`](7509b066f1) (backported commit)

**Full Changelog**: <https://github.com/mermaid-js/mermaid/compare/v10.9.3...v10.9.4>

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR was generated by [Mend Renovate](https://mend.io/renovate/). View the [repository job log](https://developer.mend.io/github/toeverything/AFFiNE).

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
@@ -26700,8 +26700,8 @@ __metadata:
linkType: hard
"mermaid@npm:^10.9.1":
version: 10.9.3
resolution: "mermaid@npm:10.9.3"
version: 10.9.4
resolution: "mermaid@npm:10.9.4"
dependencies:
"@braintree/sanitize-url": "npm:^6.0.1"
"@types/d3-scale": "npm:^4.0.3"
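Review bot: the descriptor on the context line `"mermaid@npm:^10.9.1":` is unchanged, so this hunk only moves the locked resolution from `mermaid@npm:10.9.3` to `mermaid@npm:10.9.4`; the declared range itself still admits the vulnerable 10.9.3 on any fresh resolve that drops the lockfile entry. Suggest raising the range in package.json to `^10.9.4` in the same PR so the floor matches the patched release. Note also that the advisory quoted in the message is written against 11.9.0; the 10.9.4 pinned here is the backport named in the release notes, which is the correct line for a `^10.9.x` range.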
@@ -26723,7 +26723,7 @@ __metadata:
ts-dedent: "npm:^2.2.0"
uuid: "npm:^9.0.0"
web-worker: "npm:^1.2.0"
checksum: 10/ca6ed9e6a24a7d8777ea9f145d7dc5b66e2070cfb7afa39b77532ebe6ebf6e7a1e9ae617ccc9b47ca493d862a27487ea13f841ccd1184107e4ac689d4b3d4c38
checksum: 10/1d51839345cbb3e54171be73549afa4dba77df56cf3693fb57dd7ff24c2806310dc7b829f2ab2e87b7beb15cf5a89c8029d8d7cfd206258ed97bddfa03b54a97
languageName: node
linkType: hard
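Review bot: the `checksum: 10/...` line is replaced together with the resolution, which is what keeps `yarn install --immutable` passing in CI; before merging, confirm the CI run actually used `--immutable` (or `--immutable-cache`) so the new checksum was verified against the fetched 10.9.4 tarball rather than merely rewritten. The dependency context in this hunk (`ts-dedent`, `uuid`, `web-worker`) is untouched and `languageName`/`linkType` are unchanged, consistent with a patch-level backport that introduces no new transitive packages.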