Skip to content

chore(deps): override js-yaml to patched 3.15.0 / 4.2.0 (Dependabot)#7798

Merged
ar2rsawseen merged 2 commits into
masterfrom
chore/dependabot-js-yaml
Jul 8, 2026
Merged

chore(deps): override js-yaml to patched 3.15.0 / 4.2.0 (Dependabot)#7798
ar2rsawseen merged 2 commits into
masterfrom
chore/dependabot-js-yaml

Conversation

@ar2rsawseen

Copy link
Copy Markdown
Member

What

Adds two version-scoped npm overrides for the transitive js-yaml dependency in the root manifest, and regenerates package-lock.json:

  • js-yaml@^3.0.0 -> ^3.15.0
  • js-yaml@^4.0.0 -> ^4.2.0

Why

Resolves the two remaining open js-yaml Dependabot alerts (quadratic-complexity DoS in merge-key handling via repeated aliases):

  • medium — js-yaml 4.0.04.1.1, patched in 4.2.0
  • medium — js-yaml < 3.15.0, patched in 3.15.0

js-yaml is pulled in transitively by dev/build tooling:

  • 3.x via grunt and nyc -> @istanbuljs/load-nyc-config
  • 4.x via mocha, eslint, and puppeteer -> cosmiconfig

Both patches are within-major (3.14.2 -> 3.15.0, 4.1.1 -> 4.3.0), so every consumer keeps an API-compatible js-yaml. The lockfile diff touches only js-yaml nodes — no unrelated churn — and npm audit reports no remaining js-yaml advisories.

Testing

CI exercises all three consumer paths: lint (eslint), dist-all (grunt), and mochaTest (mocha) — verifying the bumped js-yaml versions don't break linting, the asset build, or the test runner.

🤖 Generated with Claude Code

…abot alerts

Bumps the transitive js-yaml dependency via version-scoped npm overrides:

- js-yaml ^3 -> ^3.15.0 (used by grunt, nyc/@istanbuljs/load-nyc-config)
- js-yaml ^4 -> ^4.2.0 (used by mocha, eslint, puppeteer/cosmiconfig)

Resolves the two open js-yaml Dependabot alerts (quadratic-complexity DoS
in merge-key handling). Both bumps stay within their major version, so all
consumers keep API-compatible js-yaml. Only js-yaml nodes change in the
lockfile.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Copilot AI review requested due to automatic review settings July 7, 2026 11:05

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Updates the root npm dependency resolution to address js-yaml security advisories by enforcing patched js-yaml versions via overrides, and regenerates the lockfile so installs consistently pick the patched versions across the toolchain (grunt/mocha/eslint/puppeteer, etc.).

Changes:

  • Add npm overrides entries to force js-yaml@^3 to ^3.15.0 and js-yaml@^4 to ^4.2.0.
  • Regenerate package-lock.json so js-yaml nodes resolve to patched versions (e.g., 3.15.0 and 4.3.0).

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated no comments.

File Description
package.json Adds version-scoped npm overrides to enforce patched js-yaml versions across transitive dependencies.
package-lock.json Updates locked js-yaml resolutions to patched versions consistent with the new overrides.

@ar2rsawseen ar2rsawseen enabled auto-merge July 8, 2026 14:00
@ar2rsawseen ar2rsawseen merged commit 802faee into master Jul 8, 2026
9 of 10 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants