The docmd 0.7.5 release combines a security fix with significant i18n optimisations. It eliminates the upstream uuid vulnerability from the Mermaid plugin, adds multi-layer failsafes to the language switcher, and introduces a build-time page manifest that replaces all runtime network checks with instant local lookups.
🛡️ Security
Mermaid Plugin — Dependency Tree Fix
The @docmd/plugin-mermaid package previously declared mermaid as a production dependency. This caused the vulnerable transitive sub-dependency uuid@<14.0.0 to be installed in every consumer’s node_modules, even though the package never uses it at runtime.
Root Cause: The mermaid library is loaded exclusively from a CDN at runtime in the browser. The npm mermaid package was only needed during development for TypeScript type-checking and the esbuild bundling step. It was incorrectly categorised as a production dependency.
Fix: mermaid has been moved from dependencies to devDependencies in @docmd/plugin-mermaid. The published package now ships with zero production dependencies, so mermaid and its vulnerable uuid sub-dependency are never installed for end users.
- npm audit / pnpm audit now reports 0 vulnerabilities for projects using @docmd/plugin-mermaid.
- No functional changes — the mermaid rendering pipeline is completely unaffected.
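To confirm the effect of the dependency move in a consuming project, this added example (not part of the docmd release or its code) walks an npm lockfile and lists installed uuid copies below 14.0.0, along with the packages that declare the dependency. The two lockfile fragments, their version strings, and the helper names are constructed for illustration.

```javascript
// Added example. Both lockfile fragments are constructed, not taken from docmd.
// npm lockfileVersion 2/3 lists every installed package under "packages",
// keyed by install path; dev-only installs carry "dev": true.

// The package name is whatever follows the last "node_modules/" in the key.
function packageName(lockPath) {
  const marker = "node_modules/";
  const i = lockPath.lastIndexOf(marker);
  return i === -1 ? "" : lockPath.slice(i + marker.length);
}

// Installed copies of `name` whose major version is below `minMajor`.
// An unparseable version is reported too, so it gets a manual look.
function findInstalls(lock, name, minMajor) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (packageName(path) !== name) continue;
    const major = Number.parseInt(String(meta.version).split(".")[0], 10);
    if (Number.isNaN(major) || major < minMajor) {
      hits.push({ path, version: meta.version, dev: meta.dev === true });
    }
  }
  return hits;
}

// Installed packages that declare `name` as a production dependency.
function declaredBy(lock, name) {
  return Object.entries(lock.packages || {})
    .filter(([path, meta]) => path !== "" && meta.dependencies && name in meta.dependencies)
    .map(([path]) => packageName(path));
}

// Constructed "before": the plugin lists mermaid under dependencies.
const lockBefore = { lockfileVersion: 3, packages: {
  "": { dependencies: { "@docmd/plugin-mermaid": "*" } },
  "node_modules/@docmd/plugin-mermaid": { version: "0.0.0-before", dependencies: { mermaid: "*" } },
  "node_modules/mermaid": { version: "0.0.0-sample", dependencies: { uuid: "*" } },
  "node_modules/uuid": { version: "11.0.0" },
} };

// Constructed "after": the published plugin has no production dependencies.
const lockAfter = { lockfileVersion: 3, packages: {
  "": { dependencies: { "@docmd/plugin-mermaid": "*" } },
  "node_modules/@docmd/plugin-mermaid": { version: "0.0.0-after" },
} };

console.log(findInstalls(lockBefore, "uuid", 14), declaredBy(lockBefore, "uuid"));
console.log(findInstalls(lockAfter, "uuid", 14), declaredBy(lockAfter, "mermaid"));
```

To check a real project, pass the parsed contents of its package-lock.json (lockfileVersion 2 or 3) as `lock`.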
🌐 i18n — Language Switcher Failsafe
Previously, if a locale was declared in i18n.locales but its source directory (e.g. docs/hi/) did not exist, the language switcher would still render it as clickable — leading to a 404 when selected.
Fix: The engine now pre-scans locale directories at build time. Locales without a source directory are automatically disabled in the language switcher with an N/A badge, aria-disabled attribute, and non-clickable state.
- Build-time detection: The engine checks which locale directories actually exist before any pages are rendered.
- Template-level disabling: Unavailable locales appear greyed out with an “N/A” badge and href="#".
- Client-side guard: Clicking a disabled locale is a no-op — no navigation, no 404.
- Chained fallback: If a locale is available but a specific page is missing, the engine falls back to the default locale’s version of that page with a localised warning callout.
⚡ i18n — Build-Time Page Manifest
Previously, the language switcher used fetch(url, { method: 'HEAD' }) to verify whether a page existed in the target locale before navigating. This added latency, broke on some CDNs, and didn’t work offline.
Fix: The engine now generates a page manifest at build time — a tiny JS file (docmd-i18n-manifest.js) that maps every locale to its available page paths. The client-side switcher reads this manifest synchronously.
- Zero network requests: Page existence is checked locally from the manifest — no HEAD fetches.
- Works offline: The manifest is bundled with the site assets.
- CDN-agnostic: No dependency on how the hosting provider handles HEAD requests.
- Graceful degradation: If the manifest fails to load, the switcher falls back to HEAD fetches automatically.
When i18n is enabled, each locale must have its own subdirectory under the source directory (e.g. docs/en/, docs/hi/). The default locale’s directory is required as the fallback source for partially translated locales.
i18n Failsafe — How docmd Compares
| Capability | docmd | VitePress | Docusaurus | Starlight |
|---|---|---|---|---|
| Per-page fallback to default locale | ✅ | ❌ (404) | ❌ (404) | ✅ |
| Localised “not translated” warning | ✅ | ❌ | ❌ | ✅ |
| Auto-disable missing locales in switcher | ✅ | ❌ | ❌ | ❌ |
| Client-side navigation guard | ✅ | ❌ | ❌ | ❌ |
| Versioning + i18n combined | ✅ | ❌ | ❌ | ❌ |
| Old version backward compat (no locale dirs) | ✅ | N/A | N/A | N/A |
| RTL direction support | ✅ | ✅ | ✅ | ✅ |
| Zero-config (no custom React/Vue) | ✅ | Partial | ❌ | ✅ |
VitePress and Docusaurus both return 404 errors when a page is missing in a non-default locale — requiring manual server-side redirects or custom components to handle gracefully. Starlight (Astro) provides per-page fallback with a translation notice, similar to docmd — but does not auto-disable missing locale directories or guard against client-side navigation to non-existent locales.
Migration Guide
For end users: Update to the latest patch with npm update @docmd/plugin-mermaid or pnpm update @docmd/plugin-mermaid. No configuration changes are required.