fix(deps): scope js-yaml override to restore changesets compatibility #423
Merged
…eset compat The security fix in bbf46a4 added a global js-yaml >=4.1.1 pnpm override. @changesets/cli@2.31.0 has a transitive dep (read-yaml-file@1.1.0) that calls yaml.safeLoad(), removed in js-yaml v4. This crashed pnpm changeset version in CI on every prerelease and release run. Add a scoped override 'read-yaml-file>js-yaml: ^3' using pnpm's package>dep syntax, which pins js-yaml to v3 only within read-yaml-file's dep tree. Everything else stays on the >=4.1.1 security-fix version.
Contributor
✅ Visual Regression Test Results
Status: ✅ All visual tests passed! All screenshots match the baseline. No visual regressions detected! 🎉
Contributor
⚡ Performance Benchmark Results
✅ Build Time Benchmarks: PASSED
✅ Bundle Size Benchmarks: PASSED
❌ Runtime Vitals Benchmarks: FAILED
📝 Note: Detailed results are available in the job logs.
🎯 Performance Budgets:
Updated: 2026-05-15T17:25:15.399Z
Contributor
♿ Accessibility Test Results
Overall Status: ✅ 0/0 tests passed
🦮 WCAG 2.1 AA Compliance
No WCAG test results available
⌨️ Keyboard Navigation
No keyboard navigation test results available
📊 Detailed Report
Download the full HTML accessibility report from the workflow artifacts for:
🔍 Testing Checklist
Our accessibility tests verify:
Powered by @axe-core/playwright and Playwright
This was referenced May 15, 2026
Merged
Problem
PR bbf46a43 (security overrides) added "js-yaml": ">=4.1.1" to pnpm.overrides, forcing js-yaml v4 globally. @changesets/cli@2.31.0 has a transitive dep read-yaml-file@1.1.0 that calls yaml.safeLoad(), which was removed in js-yaml v4.

This broke pnpm changeset version in CI, causing both prerelease runs triggered by PRs #420 and #421 to fail:

Fix
pnpm's package>dependency override syntax scopes a version constraint to one specific package's dep resolution. Adding "read-yaml-file>js-yaml": "^3" gives read-yaml-file its own js-yaml v3 without affecting any other package. All Stackwright packages stay on >=4.1.1 per the security fix.

Verification
Confirmed via module resolution inspection:
read-yaml-file resolves js-yaml to its own nested node_modules/read-yaml-file/node_modules/js-yaml at v3.14.2 with safeLoad intact ✅
js-yaml remains v4.1.1 (security-fix version) ✅
require('read-yaml-file') loads cleanly with no errors ✅

No changeset needed
pnpm.overrides is lockfile infrastructure — no published package API changes.
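
The module resolution inspection described under Verification can be scripted so that CI catches a regression of either pin. This is an added example, not code from this PR or the Stackwright repository: the function names (resolvedDep, atLeast, checkOverrides, buildFixture) and the temp-directory fixture are constructed for illustration, and it assumes read-yaml-file is resolvable from the project root, as in the nested layout the description reports.

```javascript
// Added example, not from the PR: check a scoped js-yaml override by module resolution.
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');
const { createRequire } = require('node:module');
// Report the copy of `dep` Node loads from package `from` (null = project root).
// Assumption: `from` is resolvable from the root and exposes ./package.json.
function resolvedDep(projectRoot, from, dep) {
  const rootManifest = path.join(projectRoot, 'package.json');
  const base = from ? createRequire(rootManifest).resolve(`${from}/package.json`) : rootManifest;
  const req = createRequire(base);
  const manifest = req.resolve(`${dep}/package.json`);
  const { version } = JSON.parse(fs.readFileSync(manifest, 'utf8'));
  return { version, dir: path.dirname(manifest), hasSafeLoad: typeof req(dep).safeLoad === 'function' };
}
// Numeric x.y.z comparison; prerelease tags are ignored here.
function atLeast(version, min) {
  const v = version.split('.').map((n) => parseInt(n, 10));
  for (let i = 0; i < 3; i++) if (v[i] !== min[i]) return v[i] > min[i];
  return true;
}

// Policy stated in the PR: root on >=4.1.1, read-yaml-file on its own v3 copy.
function checkOverrides(projectRoot) {
  const root = resolvedDep(projectRoot, null, 'js-yaml');
  const scoped = resolvedDep(projectRoot, 'read-yaml-file', 'js-yaml');
  const problems = [];
  if (!atLeast(root.version, [4, 1, 1])) problems.push(`root js-yaml ${root.version} is below 4.1.1`);
  if (!scoped.version.startsWith('3.') || !scoped.hasSafeLoad) problems.push(`read-yaml-file resolves js-yaml ${scoped.version} (safeLoad: ${scoped.hasSafeLoad})`);
  if (root.dir === scoped.dir) problems.push('read-yaml-file shares the root js-yaml copy');
  return { root, scoped, problems };
}

// Constructed fixture with the PR's versions; scoped=false omits the nested v3 copy.
function buildFixture(scoped = true) {
  const root = fs.mkdtempSync(path.join(os.tmpdir(), 'override-check-'));
  const pkg = (dir, name, version, body) => {
    fs.mkdirSync(dir, { recursive: true });
    fs.writeFileSync(path.join(dir, 'package.json'), JSON.stringify({ name, version, main: 'index.js' }));
    fs.writeFileSync(path.join(dir, 'index.js'), body);
  };
  const ryf = path.join(root, 'node_modules', 'read-yaml-file');
  pkg(root, 'fixture-root', '0.0.0', '');
  pkg(path.join(root, 'node_modules', 'js-yaml'), 'js-yaml', '4.1.1', 'exports.load = () => ({});');
  pkg(ryf, 'read-yaml-file', '1.1.0', "module.exports = require('js-yaml');");
  if (scoped) pkg(path.join(ryf, 'node_modules', 'js-yaml'), 'js-yaml', '3.14.2', 'exports.load = exports.safeLoad = () => ({});');
  return root;
}
console.log(checkOverrides(buildFixture()).problems); // empty when both pins hold
```

Against a real checkout, call checkOverrides(process.cwd()) after pnpm install; a non-empty problems array means either the security floor or the scoped v3 pin is not in effect.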