Skip to content

Bump js-yaml from 3.14.2 to 3.15.0 in the npm_and_yarn group across 1 directory#60

Merged
francinelucca merged 3 commits into
mainfrom
dependabot/npm_and_yarn/npm_and_yarn-4e38a52fea
Jul 16, 2026
Merged

Bump js-yaml from 3.14.2 to 3.15.0 in the npm_and_yarn group across 1 directory#60
francinelucca merged 3 commits into
mainfrom
dependabot/npm_and_yarn/npm_and_yarn-4e38a52fea

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 15, 2026

Copy link
Copy Markdown
Contributor

Bumps the npm_and_yarn group with 1 update in the / directory: js-yaml.

Updates js-yaml from 3.14.2 to 3.15.0

Changelog

Sourced from js-yaml's changelog.

[4.2.0] - 2026-06-01

Added

  • Added docs/safety.md with notes about processing untrusted YAML.
  • Added maxDepth (100) loader option. Not a problem, but gives a better exception instead of RangeError on stack overflow.
  • Added a loader option limiting merge sequence length. Not a problem after merge fix, but an additional restriction for safety.
  • Added sourcemaps to dist/ builds.

Changed

  • Stop resolving numbers with underscores as numeric scalars, #627.
  • Switched dev toolchains to Vite / neostandard.
  • Updated demo.
  • Reorganized tests.
  • dist/ files are no longer kept in the repository.

Fixed

  • Fix parsing of properties on the first implicit block mapping key, #62.
  • Fix trailing whitespace handling when folding flow scalar lines, #307.
  • Reject top-level block scalars without content indentation, #280.
  • Ensure numbers survive round-trip, #737.
  • Fix test coverage for issue #221.
  • Fix flow scalar trailing whitespace folding, #307.
  • Fix digits in YAML named tag handles.

Security

  • Fix potential DoS via quadratic complexity in merge - deduplicate repeated elements (makes sense for malformed files > 10K).
Commits

@dependabot
dependabot Bot requested a review from a team as a code owner July 15, 2026 13:40
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jul 15, 2026
@francinelucca

Copy link
Copy Markdown
Contributor

@copilot fix CI

Copilot AI commented Jul 16, 2026

Copy link
Copy Markdown
Contributor

@copilot fix CI

Fixed in commit Fix CI: upgrade eslint-plugin-github to 6.1.1, migrate to flat config.

Root cause: eslint-plugin-github@4.10.2 required eslint@"^8.0.1" as a peer dependency, but this PR set eslint@"^10.7.0", causing npm install to fail with ERESOLVE.

Changes made:

  • Upgraded eslint-plugin-github from 4.10.26.1.1 (supports eslint@^8 || ^9 || ^10)
  • Migrated ESLint config from .eslintrc.json (legacy format, unsupported in eslint@10) to eslint.config.mjs (flat config)
  • Removed .eslintignore (replaced with ignores in the flat config)
  • Added "types": [] to tsconfig.json to prevent the newly-added @types/esrecurse package (which uses TypeScript 4.5+ syntax) from failing compilation with TypeScript 4.2.4

@francinelucca

Copy link
Copy Markdown
Contributor

@dependabot recreate

Bumps the npm_and_yarn group with 1 update in the / directory: [js-yaml](https://github.com/nodeca/js-yaml).


Updates `js-yaml` from 3.14.2 to 4.2.0
- [Changelog](https://github.com/nodeca/js-yaml/blob/master/CHANGELOG.md)
- [Commits](nodeca/js-yaml@3.14.2...4.2.0)

---
updated-dependencies:
- dependency-name: js-yaml
  dependency-version: 4.2.0
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot
dependabot Bot force-pushed the dependabot/npm_and_yarn/npm_and_yarn-4e38a52fea branch from 54a4713 to 80ac57a Compare July 16, 2026 14:24
@francinelucca

Copy link
Copy Markdown
Contributor

@copilot bump js-yaml only, do not update eslint

Copilot AI commented Jul 16, 2026

Copy link
Copy Markdown
Contributor

@copilot bump js-yaml only, do not update eslint

Done. Reverted eslint back to ^7.26.0 and eslint-plugin-github back to 4.1.5 in commit Revert eslint and eslint-plugin-github to original versions; keep js-yaml 4.2.0 bump. The PR now only contains the js-yaml bump to 4.2.0.

@francinelucca francinelucca changed the title Bump js-yaml from 3.14.2 to 4.2.0 in the npm_and_yarn group across 1 directory Bump js-yaml from 3.14.2 to 3.15.0 in the npm_and_yarn group across 1 directory Jul 16, 2026
@francinelucca

Copy link
Copy Markdown
Contributor

@copilot fix CI

Copilot AI commented Jul 16, 2026

Copy link
Copy Markdown
Contributor

@copilot fix CI

Fixed in commit Fix CI: restore hoisted eslint-plugin-import by using main lockfile + js-yaml 3.15.0 bump.

Root cause: the previously regenerated package-lock.json caused npm to nest eslint-plugin-import under node_modules/eslint-plugin-github/node_modules/ instead of hoisting it to the top level. ESLint 7 requires plugins to be resolvable from the project root, so it couldn't find the plugin.

Fix: restored package-lock.json from main (which keeps eslint-plugin-import hoisted) and applied only the two js-yaml 3.14.2 → 3.15.0 version bumps on top. The diff vs main is now exclusively those two lockfile entries.

@francinelucca
francinelucca merged commit eae49ac into main Jul 16, 2026
4 checks passed
@francinelucca
francinelucca deleted the dependabot/npm_and_yarn/npm_and_yarn-4e38a52fea branch July 16, 2026 19:29
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants