
[*] Security: Override yaml to >=1.10.3 to fix CVE-2026-33532 #8324

Merged
etrepum merged 1 commit into main from fix/yaml-security-vulnerability
Apr 10, 2026

Conversation

@potatowagon
Contributor

@potatowagon potatowagon commented Apr 10, 2026

Adds a pnpm override for the yaml package to resolve GHSA-48c2-rrv3-qjmp (medium severity) in the transitive dependency chain: @emotion/babel-plugin → babel-plugin-macros → cosmiconfig → yaml@1.10.2

Description

Describe the changes in this pull request

  • Adds a scoped pnpm override ("yaml@^1": "^1.10.3") to fix CVE-2026-33532 /
    GHSA-48c2-rrv3-qjmp (medium severity)

    • Vulnerable transitive dependency chain: @emotion/babel-plugin → babel-plugin-macros →
      cosmiconfig@7.0.1 → yaml@1.10.2
    • Uses a scoped override (yaml@^1) to ensure the bump stays within 1.x (patch-level
      1.10.2 → 1.10.3), avoiding a breaking major version jump to 2.x

    Test plan

    • Verified yaml@1.10.2 is no longer in pnpm-lock.yaml
    • Verified cosmiconfig@7.0.1 now resolves to yaml@1.10.3
    • CI passes
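As an added example (not code from this PR or the Lexical project), the test plan above expressed as a small Python check over a pnpm lockfile: it lists every resolved `yaml` version, flags any 1.x version still below 1.10.3 (the only range the scoped override touches), and reports what `cosmiconfig@7.0.1` resolves `yaml` to. The lockfile excerpt, its layout, the 2.x entry and the integrity values are constructed placeholders, not the project's real `pnpm-lock.yaml`.

```python
import re
from typing import List, Optional, Tuple

# Constructed excerpt in the shape of a pnpm lockfile after the override is applied.
# The packages/snapshots layout and all values are assumed for illustration.
LOCKFILE = """\
packages:
  cosmiconfig@7.0.1:
    resolution: {integrity: sha512-PLACEHOLDER}
  yaml@1.10.3:
    resolution: {integrity: sha512-PLACEHOLDER}
  yaml@2.3.4:
    resolution: {integrity: sha512-PLACEHOLDER}
snapshots:
  cosmiconfig@7.0.1:
    dependencies:
      yaml: 1.10.3
"""

# The override "yaml@^1": "^1.10.3" only governs the 1.x line; 2.x is out of scope.
FIXED_MAJOR = 1
MIN_FIXED = (1, 10, 3)


def parse_version(v: str) -> Tuple[int, ...]:
    return tuple(int(p) for p in v.split("."))


def resolved_versions(lock: str, pkg: str) -> List[str]:
    """Every version of `pkg` recorded as a lockfile package key (e.g. 'yaml@1.10.3:')."""
    return sorted(set(re.findall(rf"^\s+{re.escape(pkg)}@(\d+\.\d+\.\d+):", lock, re.M)))


def vulnerable_versions(lock: str) -> List[str]:
    """1.x yaml versions still below 1.10.3; a non-empty list means the override did not take."""
    return [v for v in resolved_versions(lock, "yaml")
            if parse_version(v)[0] == FIXED_MAJOR and parse_version(v) < MIN_FIXED]


def dependency_of(lock: str, parent: str, child: str) -> Optional[str]:
    """Version of `child` listed under the snapshot block for `parent`, or None."""
    pattern = rf"^  {re.escape(parent)}:\n(?:^    .*\n)*?^      {re.escape(child)}: (\S+)"
    m = re.search(pattern, lock, re.M)
    return m.group(1) if m else None


if __name__ == "__main__":
    print("yaml versions:", resolved_versions(LOCKFILE, "yaml"))
    print("still vulnerable:", vulnerable_versions(LOCKFILE))
    print("cosmiconfig@7.0.1 -> yaml", dependency_of(LOCKFILE, "cosmiconfig@7.0.1", "yaml"))
```

Run it against the real lockfile by reading the file into `LOCKFILE`; an empty `vulnerable_versions` result is the lockfile-level check from the test plan.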

@vercel

vercel Bot commented Apr 10, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
lexical Ready Ready Preview, Comment Apr 10, 2026 7:44am
lexical-playground Ready Ready Preview, Comment Apr 10, 2026 7:44am


@meta-cla meta-cla Bot added the CLA Signed This label is managed by the Facebook bot. Authors need to sign the CLA before a PR can be reviewed. label Apr 10, 2026
@potatowagon potatowagon marked this pull request as draft April 10, 2026 07:38
Adds a scoped pnpm override for yaml@^1 to resolve GHSA-48c2-rrv3-qjmp
(medium severity) in the transitive dependency chain:
@emotion/babel-plugin → babel-plugin-macros → cosmiconfig → yaml@1.10.2
@etrepum etrepum added this pull request to the merge queue Apr 10, 2026
Merged via the queue into main with commit a79f5cc Apr 10, 2026
40 checks passed
@etrepum etrepum mentioned this pull request Apr 27, 2026