fix(deps): bump js-yaml to >=4.2.0 to resolve GHSA-h67p-54hq-rp68 #841

Merged
BYK merged 1 commit into master from fix/dependabot-js-yaml-dos on Jul 1, 2026
Conversation

@BYK BYK (Member) commented Jul 1, 2026

Summary

Resolves 3 Dependabot alerts (#186, #187, #188), all the same advisory across both projects.

  • Advisory: GHSA-h67p-54hq-rp68 / CVE-2026-53550, js-yaml: Quadratic-complexity DoS in merge key handling via repeated aliases (medium severity)
  • Vulnerable: `>= 4.0.0, <= 4.1.1` → patched: `4.2.0`

These alerts were opened by the post-merge rescan right after #839 landed (newly-published advisory), not caused by that change.

Fix

| Alert | Manifest | Relationship | Change |
|---|---|---|---|
| #187 | root `package.json` | direct devDep | bump pinned `js-yaml` `4.1.1` → `4.2.0` |
| #188 | root `pnpm-lock.yaml` | direct devDep | regenerated → `4.2.0` |
| #186 | `docs/pnpm-lock.yaml` | transitive (astro/starlight) | `pnpm.overrides` `js-yaml: ^4.2.0` → resolves to `4.3.0` |

  • Root uses an exact pin (matching the repo's pinned-devDep convention, e.g. `tar`); docs uses an override (matching the docs override style) since js-yaml is transitive there.
  • Both lockfile diffs are 100% js-yaml-scoped — no unrelated drift. No `@babel/core`/other packages touched.

Verification

  • Root: `pnpm build` ✅, `pnpm test` ✅ (1025 passed, 1 skipped), `pnpm lint` ✅ (0 errors), `pnpm format:check` ✅ (tracked files)
  • Docs: `pnpm build` ✅ (27 pages built)
  • `grep "js-yaml@" pnpm-lock.yaml docs/pnpm-lock.yaml` — only `4.2.0`/`4.3.0` remain; `4.1.1` gone. (`@types/js-yaml` is type-defs only, not the vulnerable package.)

Fixes a quadratic-complexity DoS in js-yaml merge key handling via
repeated aliases (CVE-2026-53550, medium severity).

- Root: bump the pinned js-yaml devDependency 4.1.1 -> 4.2.0.
- Docs: add a pnpm override forcing js-yaml to ^4.2.0 (transitive via
  astro/starlight), resolving to 4.3.0.

Closes Dependabot alerts #186, #187, #188.
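The lockfile check from the Verification list above, as an added example that is not part of the PR or the repository: a small Python script that scans pnpm lockfile text for `js-yaml@<version>` package keys and flags any version inside the advisory's vulnerable range (>= 4.0.0, <= 4.1.1), while ignoring `@types/js-yaml`, which the PR notes is type definitions only. The lockfile fragments are constructed samples, not the repo's real files.

```python
import re
from typing import List, Tuple

# Vulnerable range stated in the PR for GHSA-h67p-54hq-rp68: >= 4.0.0, <= 4.1.1
VULN_MIN = (4, 0, 0)
VULN_MAX = (4, 1, 1)

# Matches package@version keys in both pnpm lockfile v6 ("/js-yaml@4.1.1:")
# and v9 ("js-yaml@4.1.1:") layouts. A scoped name such as @types/js-yaml is
# captured whole, so it is never mistaken for the js-yaml package itself.
_PKG_RE = re.compile(r"(@?[\w.-]+(?:/[\w.-]+)?)@(\d+)\.(\d+)\.(\d+)")


def find_js_yaml_versions(lockfile_text: str) -> List[Tuple[int, int, int]]:
    """Return every distinct js-yaml version that appears as a package key."""
    found = set()
    for m in _PKG_RE.finditer(lockfile_text):
        if m.group(1) != "js-yaml":  # skips @types/js-yaml and unrelated packages
            continue
        found.add(tuple(int(x) for x in m.groups()[1:]))
    return sorted(found)


def vulnerable_versions(lockfile_text: str) -> List[Tuple[int, int, int]]:
    """js-yaml versions in the lockfile that fall inside the advisory range."""
    return [v for v in find_js_yaml_versions(lockfile_text) if VULN_MIN <= v <= VULN_MAX]


# Constructed sample lockfile fragments (integrity values are placeholders).
BEFORE_FIX = """
packages:
  '@types/js-yaml@4.0.9':
    resolution: {integrity: sha512-constructed}
  js-yaml@4.1.1:
    resolution: {integrity: sha512-constructed}
    hasBin: true
"""

AFTER_FIX = """
packages:
  '@types/js-yaml@4.0.9':
    resolution: {integrity: sha512-constructed}
  js-yaml@4.2.0:
    resolution: {integrity: sha512-constructed}
  js-yaml@4.3.0:
    resolution: {integrity: sha512-constructed}
"""

if __name__ == "__main__":
    for label, text in (("before", BEFORE_FIX), ("after", AFTER_FIX)):
        print(f"{label}: js-yaml={find_js_yaml_versions(text)} vulnerable={vulnerable_versions(text)}")
```

Run it against a real `pnpm-lock.yaml` by reading the file into `lockfile_text`; a non-empty result from `vulnerable_versions` is the same signal the PR's `grep "js-yaml@"` step was looking for.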
@github-actions github-actions Bot (Contributor) commented Jul 1, 2026
PR Preview Action v1.8.1
Preview removed because the pull request was closed.
2026-07-01 13:36 UTC

@BYK BYK merged commit c55e4bb into master Jul 1, 2026
24 checks passed
@BYK BYK deleted the fix/dependabot-js-yaml-dos branch July 1, 2026 13:35