fix(parser): bundle langium and chevrotain inside @mermaid-js/parser #7658

Merged: aloisklink merged 2 commits into mermaid-js:release/11.15.0 from aloisklink:fix/bundle-langium-and-chevrotain-in-parser on May 7, 2026
Conversation

@aloisklink aloisklink (Member) commented Apr 24, 2026

📑 Summary

Note

I'm targeting the release/11.15.0 branch, instead of develop.

Bundle langium and chevrotain in the @mermaid-js/parser package, so they're no longer dependencies.

This has the following benefits:

  1. Chevrotain v11.1.1 has a pin on lodash-es v4.17.23. There is a CVE on that version, and chevrotain will not make a new v11 release since that CVE doesn't affect chevrotain and they're dropping Lodash in v12 (along with Node.JS v20 support), see Patch fix chevrotain v11 for lodash-es Chevrotain/chevrotain#2186. See CVE-2026-4800.
  2. Langium v4 raises an install warning on Node.JS v20.0, which is causing issues for some of mermaid's users, even if this code only runs in the browser, see chore: upgrade to Langium v4 and TypeScript v5.8 #7377 (comment)

I'm using api-extractor to bundle the types for this. We're still keeping the @chevrotain/types package as a dependency, since api-extractor can't seem to handle it, and it's only used for types.

📏 Design Decisions

Describe the way your implementation works or what design decisions you made if applicable.

📋 Tasks

Make sure you

  • 📖 have read the contribution guidelines
  • 💻 have added necessary unit/e2e tests.
    • This is covered by our existing pnpm run test:check:tsc test
  • 📓 have added documentation. Make sure MERMAID_RELEASE_VERSION is used for all new features.
  • 🦋 If your PR makes a change that should be noted in one or more packages' changelogs, generate a changeset by running pnpm changeset and following the prompts. Changesets that add features should be minor and those that fix bugs should be patch. Please prefix changeset messages with feat:, fix:, or chore:.

Use `@microsoft/api-extractor` to bundle the TypeScript `.d.ts` types
for `@mermaid-js/parser`.

In a future commit, we want to bundle `langium`, which would need us to
bundle `langium`'s types as well.

Bundling reduces the size of our `dist/` folder, and makes it more
obvious which of our types are external.

I've made this as a `prepack` step, so that it doesn't affect the
majority of mermaid developers when they run `pnpm install`. It's only
when we publish the package that we'd bundle the code.
This also means it will be tested by the `pnpm run test:check:tsc` test
that we have.

Bundle langium and chevrotain in the `@mermaid-js/parser` package, so
they're no longer dependencies.

This has the following benefits:

1. Chevrotain v11.1.1 has a pin on lodash-es v4.17.23. There are a
   couple of CVEs/alerts on that version, and chevrotain will not make
   a new v11 release since those alerts don't affect chevrotain,
   see Chevrotain/chevrotain#2186
2. Langium v4 raises an install warning on Node.JS v20.0, which is causing
   issues for some of mermaid's users, even if this code only runs in
   the browser.

I'm using `api-extractor` to bundle the types for this. We're still
keeping the `@chevrotain/types` package as a dependency, since
`api-extractor` can't seem to handle it, and it's only used for types.

netlify Bot commented Apr 24, 2026

Deploy Preview for mermaid-js ready!

Name Link
🔨 Latest commit 675a64c
🔍 Latest deploy log https://app.netlify.com/projects/mermaid-js/deploys/69eb6fae1e54c50008367ff3
😎 Deploy Preview https://deploy-preview-7658--mermaid-js.netlify.app

changeset-bot Bot commented Apr 24, 2026

🦋 Changeset detected

Latest commit: 675a64c

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 2 packages
Name Type
@mermaid-js/parser Patch
mermaid Patch

@github-actions github-actions Bot added the "Type: Bug / Error" label (Something isn't working or is incorrect) Apr 24, 2026
pkg-pr-new Bot commented Apr 24, 2026

@mermaid-js/examples

npm i https://pkg.pr.new/@mermaid-js/examples@7658

mermaid

npm i https://pkg.pr.new/mermaid@7658

@mermaid-js/layout-elk

npm i https://pkg.pr.new/@mermaid-js/layout-elk@7658

@mermaid-js/layout-tidy-tree

npm i https://pkg.pr.new/@mermaid-js/layout-tidy-tree@7658

@mermaid-js/mermaid-zenuml

npm i https://pkg.pr.new/@mermaid-js/mermaid-zenuml@7658

@mermaid-js/parser

npm i https://pkg.pr.new/@mermaid-js/parser@7658

@mermaid-js/tiny

npm i https://pkg.pr.new/@mermaid-js/tiny@7658

commit: 675a64c

codecov Bot commented Apr 24, 2026

Codecov Report

❌ Patch coverage is 2.43902% with 40 lines in your changes missing coverage. Please review.
✅ Project coverage is 3.31%. Comparing base (0fbb2e8) to head (675a64c).

Files with missing lines Patch % Lines
packages/parser/scripts/prepack.ts 2.50% 39 Missing ⚠️
scripts/tsc-check.ts 0.00% 1 Missing ⚠️
Additional details and impacted files

@@            Coverage Diff             @@
##           develop   #7658      +/-   ##
==========================================
- Coverage     3.31%   3.31%   -0.01%     
==========================================
  Files          539     540       +1     
  Lines        56719   56760      +41     
  Branches       824     825       +1     
==========================================
+ Hits          1880    1881       +1     
- Misses       54839   54879      +40     
Flag Coverage Δ
unit 3.31% <2.43%> (-0.01%) ⬇️

Files with missing lines Coverage Δ
scripts/tsc-check.ts 0.82% <0.00%> (-0.01%) ⬇️
packages/parser/scripts/prepack.ts 2.50% <2.50%> (ø)

argos-ci Bot commented Apr 24, 2026

Build Status Details Updated (UTC)
default (Inspect) ⚠️ Changes detected (Review) 1 changed Apr 24, 2026, 1:40 PM

@aloisklink aloisklink changed the base branch from develop to release/11.15.0 May 7, 2026 10:16

@ashishjain0512 ashishjain0512 (Collaborator) left a comment

[sisyphus-bot]

Nice tightly-scoped fix — silencing the chevrotain/lodash CVE noise and the langium-on-Node-20 warning by bundling at the package boundary is exactly the right shape for this. The motivation is well-documented in the PR body and the changeset.

What's working well

  • 🎉 [praise] Diagnosis is precise and the writeup links upstream context — the chevrotain v11/lodash situation (Chevrotain/chevrotain#2186) and the langium-v4-on-Node-20 thread are both linked, which means anyone tracing this fix in six months will find the upstream story instead of guessing why we own a rollup of langium types now.
  • 🎉 [praise] api-extractor.json configuration is thoughtful. Enabling dtsRollup only, disabling the other outputs we don't need, and explicitly silencing ae-forgotten-export and ae-missing-release-tag (with the inline comment explaining that langium-generated files don't carry TSDoc tags) — that's the right level of curation for a generated codebase. Same applies to tsdocMessageReporting.default: "none" with the "we don't have control over bundled types" comment.
  • 🎉 [praise] localBuild: !process.env.CI is the right knob. Warnings are fatal in CI and non-fatal locally, which keeps publish gates strict without making developer iteration miserable. And the succeeded check in prepack.ts:30-35 throws a clear "N errors and N warnings" message rather than swallowing failures.

Nits

  • 🟢 [nit] Cleanup loop sort comment. In prepack.ts:53, the directories are sorted-then-reversed so children get removed before their parents. The comment is there ("delete subdirectories before their parents") but the sort being a deepest-first pass is the load-bearing detail — worth pulling that intuition into the comment, e.g. // Sort lexicographically and reverse so deeper paths come first. Minor readability thing.

Suggestions

  • 💡 [suggestion] Type-identity loss for downstream consumers. Once this lands, anyone who uses @mermaid-js/parser and langium directly in the same project gets two distinct copies of AstNode — structural identity still works, but nominal instanceof checks across the boundary won't. Since @mermaid-js/parser is mostly an internal package consumed by mermaid itself, this is fine, but it might be worth a one-liner in the parser package's README ("consumers should not also depend on langium directly; the types are bundled here") so anyone who hits this in the future has a fast answer.
  • 💡 [suggestion] Forward-port plan. Since this targets release/11.15.0, it'll need a follow-up merge into develop (or a cherry-pick) to keep the branches in sync. Mostly a process note — mentioning explicitly so it doesn't fall off the radar after this lands.
  • 💡 [suggestion] Smoke test that the rollup actually exports what consumers expect. tsc-check.ts flipping @mermaid-js/parser from skipped to checked goes a long way here, but a small end-to-end check that imports a few key symbols from dist/src/index.d.ts after prepack runs (e.g., as part of CI) would catch silent regressions if api-extractor's rollup behavior changes. Not blocking — tsc-check.ts covers most of this.

Security

No XSS or injection surface — this PR is purely build configuration and a publish-time script. No runtime code changes, no DOM/SVG output paths touched. Skipping the sub-agent pass since there's nothing for it to analyze.


LGTM, happy to see this one land. 🙌
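
The smoke test suggested in the review above, sketched as an added example (not code from this PR or from the mermaid project): it checks that a rolled-up `.d.ts` imports only packages the published manifest still declares, and that the expected symbols are exported. The manifest, the declaration text, the helper names and the expected symbol names are all constructed for illustration.

```javascript
// Added example, not code from the PR. All inputs below are constructed.

// Matches `from 'x'`, `import 'x'` and `import('x')` in declaration text.
const SPECIFIER = /\b(?:from|import)\s*\(?\s*['"]([^'"]+)['"]/g;
// Matches top-level `export declare <kind> Name` lines, as found in a rollup.
const DECLARED =
  /^export\s+(?:declare\s+)?(?:abstract\s+)?(?:function|class|const|interface|type|enum|namespace)\s+([A-Za-z_$][\w$]*)/gm;

// Reduce an import specifier to a package name; null for relative or builtin.
function packageOf(specifier) {
  if (/^(\.|\/|node:)/.test(specifier)) return null;
  const parts = specifier.split('/');
  return specifier.startsWith('@') ? parts.slice(0, 2).join('/') : parts[0];
}

// Compare a rolled-up .d.ts with the manifest that will be published with it.
function checkRollup(dts, manifest, expectedExports) {
  const deps = { ...manifest.dependencies, ...manifest.peerDependencies };
  const declared = new Set(Object.keys(deps));
  const imported = new Set();
  for (const match of dts.matchAll(SPECIFIER)) {
    const pkg = packageOf(match[1]);
    if (pkg) imported.add(pkg);
  }
  const exported = new Set([...dts.matchAll(DECLARED)].map((m) => m[1]));
  return {
    // Packages the types import that a consumer's install would not provide.
    undeclared: [...imported].filter((p) => !declared.has(p)).sort(),
    missingExports: expectedExports.filter((name) => !exported.has(name)),
  };
}

// Constructed manifest: only @chevrotain/types remains (version is a placeholder).
const manifest = { name: '@mermaid-js/parser', dependencies: { '@chevrotain/types': '*' } };
// Constructed rollup in which langium's types were inlined.
const bundledDts = [
  "import type { IToken } from '@chevrotain/types';",
  'export declare interface AstNode { readonly $type: string; }',
  'export declare function parse(kind: string, text: string): Promise<AstNode>;',
].join('\n');
// Constructed regression: the rollup still imports from langium.
const regressedDts = [
  "import type { AstNode } from 'langium';",
  'export declare function parse(kind: string, text: string): Promise<AstNode>;',
].join('\n');

console.log(checkRollup(bundledDts, manifest, ['parse', 'AstNode']));
console.log(checkRollup(regressedDts, manifest, ['parse', 'AstNode']));
```

The regexes are a text-level heuristic, so a specifier quoted inside a comment is reported too; in CI the inputs would be the packed `package.json` and `dist/src/index.d.ts` after `prepack` has run.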

@aloisklink aloisklink merged commit 970fe6f into mermaid-js:release/11.15.0 May 7, 2026
23 of 25 checks passed
@aloisklink aloisklink deleted the fix/bundle-langium-and-chevrotain-in-parser branch May 7, 2026 13:19
@github-actions github-actions Bot mentioned this pull request May 11, 2026