fix(deps): update dependency yaml to v2.9.0 #368

Merged: JoshMock merged 1 commit into main from renovate/yaml-2.x-lockfile on May 26, 2026

@elastic-renovate-prod
Contributor

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| yaml (source) | dependencies | minor | 2.8.4 -> 2.9.0 |

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.


Release Notes

eemeli/yaml (yaml)

v2.9.0

Compare Source

The changes here are really only patches, but I'm releasing this as a minor version to note a small change to the documentation of parseDocument() and parseAllDocuments(): I've removed the claim that they'll "never throw".

It remains the case that practically all non-malicious inputs will be handled without emitting an error, but there is a decent chance that code paths remain where e.g. a RangeError due to call stack exhaustion can be triggered by malicious inputs. Up to now, I've considered these as security vulnerabilities, and in fact it's the only category of error for which yaml CVEs have been issued so far.

Starting from this release, I'll be considering such errors as bugs, but not vulnerabilities. I do welcome people and/or LLMs looking for them, but please report them as normal issues rather than suspected security vulnerabilities. This also applies to previously undiscovered bugs in earlier releases.

  • fix: Avoid calling Array.prototype.push.apply() with large source array
  • fix(lexer): Avoid recursive calls that may exhaust the call stack

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Renovate Bot.
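
Added example (not part of this PR, of Renovate's output, or of the yaml project's code): the v2.9.0 notes quoted above drop the claim that parseDocument() and parseAllDocuments() never throw, so a caller that handles untrusted YAML can cap the input size and treat a thrown RangeError as rejected input. The `safeParseYaml` wrapper, its 1 MiB limit, the result shape and the `standInParser` stub are assumptions for illustration; in an application, pass `parseDocument` from the `yaml` package as `parse`.

```javascript
// Added example: wrap a YAML parser so a thrown error is handled as rejected input.
// `parse` is injected; in an application pass parseDocument from the `yaml` package.
const DEFAULT_MAX_BYTES = 1024 * 1024; // assumed limit, tune per application

function safeParseYaml(source, parse, maxBytes = DEFAULT_MAX_BYTES) {
  if (typeof source !== 'string') {
    return { ok: false, reason: 'not-a-string' };
  }
  // Bound the work handed to the parser before it sees the input.
  if (Buffer.byteLength(source, 'utf8') > maxBytes) {
    return { ok: false, reason: 'input-too-large' };
  }
  let doc;
  try {
    doc = parse(source);
  } catch (err) {
    // Call stack exhaustion surfaces as RangeError; reject the input, keep the process alive.
    const reason = err instanceof RangeError ? 'resource-exhaustion' : 'parser-exception';
    return { ok: false, reason, detail: String(err && err.message) };
  }
  // parseDocument() collects syntax problems in doc.errors instead of throwing them.
  if (doc && Array.isArray(doc.errors) && doc.errors.length > 0) {
    return { ok: false, reason: 'syntax-errors', detail: doc.errors.map((e) => e.message).join('; ') };
  }
  return { ok: true, doc };
}

// Constructed stand-in for a recursive parser (NOT the yaml package):
// it uses one stack frame per input character, so long input exhausts the stack.
function standInParser(text) {
  const walk = (i) => (i >= text.length ? 0 : 1 + walk(i + 1));
  return { errors: [], length: walk(0) };
}

function demo() {
  return {
    small: safeParseYaml('key: value\n', standInParser).ok,
    long: safeParseYaml('a'.repeat(500000), standInParser).reason,
    huge: safeParseYaml('a'.repeat(2 * DEFAULT_MAX_BYTES), standInParser).reason,
  };
}

console.log(demo());
```

Callers should log the `reason` and return a client error for that request rather than letting the exception reach a process-level handler.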

@github-actions
Contributor

MegaLinter analysis: Success

Descriptor Linter Files Fixed Errors Warnings Elapsed time
✅ COPYPASTE jscpd yes no no 9.27s
✅ REPOSITORY gitleaks yes no no 56.95s
✅ REPOSITORY git_diff yes no no 0.07s
✅ REPOSITORY secretlint yes no no 31.8s
✅ REPOSITORY trivy yes no no 17.51s

Notices

📣 MegaLinter 9.5.0 is out! Discover the new features and security recommendations in the release announcement. (Skip this info by defining SECURITY_SUGGESTIONS: false)

See detailed reports in MegaLinter artifacts
Set VALIDATE_ALL_CODEBASE: true in mega-linter.yml to validate all sources, not only the diff

MegaLinter is graciously provided by OX Security
Show us your support by starring ⭐ the repository

@JoshMock JoshMock merged commit a1f9e18 into main May 26, 2026
19 of 20 checks passed
@JoshMock JoshMock deleted the renovate/yaml-2.x-lockfile branch May 26, 2026 18:53