
fix: bump preferred-pm to v5 to resolve js-yaml prototype pollution#756

Merged
rexxars merged 2 commits into sanity-io:main from ParakhJaggi:fix/bump-preferred-pm-js-yaml-vuln on Mar 23, 2026

Conversation


@ParakhJaggi ParakhJaggi commented Mar 23, 2026

Summary

Bumps preferred-pm from ^4.1.1 to ^5.0.0 in @sanity/cli to resolve the js-yaml prototype pollution vulnerability (moderate severity).

Dependency chain fix:

  • preferred-pm@4 → which-pm@3 → load-yaml-file@0.2 → js-yaml@3.x (vulnerable)
  • preferred-pm@5 → which-pm@4 → load-yaml-file@1.0 → js-yaml@4.x (safe)

Code change: The only breaking change in preferred-pm@5 is switching from a default export to a named export. Updated the import in packageManagerChoice.ts accordingly:

-// eslint-disable-next-line unicorn/no-named-default
-import {default as preferredPM} from 'preferred-pm'
+import {preferredPM} from 'preferred-pm'
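Review bot: the named import and the removal of the `unicorn/no-named-default` suppression are the right change for a package that now only ships `preferredPM` as a named export, but this hunk is the only code shown; the package.json range bump (^4.1.1 to ^5.0.0) and the lockfile update that actually evict js-yaml@3.x are not visible here, and the test plan below checks only that the build, type-check, lint and CI pass, not that js-yaml@3.x has left the resolved tree. Suggest adding the output of `pnpm why js-yaml` (or an equivalent lockfile check) to the test plan, since which-pm and load-yaml-file are transitive and any other dependant still resolving js-yaml@3.x would leave the advisory in place despite this bump.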

The function signature is identical — (pkgPath: string) => Promise<{name: 'npm' | 'pnpm' | 'yarn' | 'bun', version: string} | null>.

Related: sanity-io/sanity#11151

Test plan

  • pnpm build:cli passes
  • pnpm check:types passes
  • Lint-staged hooks pass on commit
  • CI tests pass

…ulnerability

preferred-pm v4 depends on which-pm@3 → load-yaml-file@0.2 → js-yaml@3.x
which is vulnerable to prototype pollution (GHSA-mh29-5h37-fv8m).

preferred-pm v5 → which-pm@4 → load-yaml-file@1.0 → js-yaml@4.x (safe).

The only breaking change in preferred-pm v5 is the switch from default
to named export, which is updated in packageManagerChoice.ts.
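The dependency-chain claim in the PR and the commit message is best checked against the lockfile rather than trusting the range bump alone. The following is an added example, not code from this PR or from the sanity-io repository: an offline `npm explain`-style walk over a package-lock.json v3 `packages` map that lists every path by which a given major version of a package (here js-yaml 3.x) is still reachable, and every installed copy of it, including nested ones that npm places under a dependant's own node_modules when the hoisted copy has a different version. The two lockfiles, all intermediate versions and the `legacy-tool` package are constructed fixtures that mirror the chains stated above; they are not the real lock.

```javascript
// Added example: verify that a dependency bump really removed a vulnerable
// transitive major version from a package-lock.json v3 `packages` map.
// Lockfile contents below are constructed fixtures, not the real sanity lock.

// Before the bump: preferred-pm@4 -> which-pm@3 -> load-yaml-file@0.2 -> js-yaml@3.x
const LOCK_BEFORE = {
  lockfileVersion: 3,
  packages: {
    '': {name: 'cli-example', dependencies: {'preferred-pm': '^4.1.1'}},
    'node_modules/preferred-pm': {version: '4.1.1', dependencies: {'which-pm': '^3.0.0'}},
    'node_modules/which-pm': {version: '3.0.0', dependencies: {'load-yaml-file': '^0.2.0'}},
    'node_modules/load-yaml-file': {version: '0.2.0', dependencies: {'js-yaml': '^3.13.0'}},
    'node_modules/js-yaml': {version: '3.14.1'},
  },
}

// After the bump: preferred-pm@5 -> which-pm@4 -> load-yaml-file@1.0 -> js-yaml@4.x
const LOCK_AFTER = {
  lockfileVersion: 3,
  packages: {
    '': {name: 'cli-example', dependencies: {'preferred-pm': '^5.0.0'}},
    'node_modules/preferred-pm': {version: '5.0.0', dependencies: {'which-pm': '^4.0.0'}},
    'node_modules/which-pm': {version: '4.0.0', dependencies: {'load-yaml-file': '^1.0.0'}},
    'node_modules/load-yaml-file': {version: '1.0.0', dependencies: {'js-yaml': '^4.1.1'}},
    'node_modules/js-yaml': {version: '4.1.1'},
  },
}

// Hypothetical variant (invented package 'legacy-tool'): a second dependant still
// pins js-yaml@3.x, which npm nests under legacy-tool/node_modules because the
// hoisted copy is now 4.x. The bump alone does not fix this tree.
const LOCK_AFTER_STRAGGLER = JSON.parse(JSON.stringify(LOCK_AFTER))
LOCK_AFTER_STRAGGLER.packages[''].dependencies['legacy-tool'] = '^1.0.0'
LOCK_AFTER_STRAGGLER.packages['node_modules/legacy-tool'] = {
  version: '1.0.0',
  dependencies: {'js-yaml': '^3.13.0'},
}
LOCK_AFTER_STRAGGLER.packages['node_modules/legacy-tool/node_modules/js-yaml'] = {version: '3.14.1'}

// Resolve `depName` the way Node does from the package installed at `fromPath`:
// try fromPath/node_modules, then each ancestor's node_modules, ending at the root.
function resolveDep(packages, fromPath, depName) {
  let dir = fromPath
  for (;;) {
    const candidate = dir === '' ? `node_modules/${depName}` : `${dir}/node_modules/${depName}`
    if (candidate in packages) return candidate
    if (dir === '') return null
    const idx = dir.lastIndexOf('/node_modules/')
    dir = idx === -1 ? '' : dir.slice(0, idx)
  }
}

// Package name from a lock path, keeping scoped names ('@scope/pkg') intact.
function nameFromPath(lockPath) {
  const marker = 'node_modules/'
  return lockPath.slice(lockPath.lastIndexOf(marker) + marker.length)
}

function majorOf(version) {
  return Number(version.split('.')[0])
}

// Every dependency chain from the root to an installed copy of `target`,
// as arrays of 'name@version', depth-first in lockfile order.
function explain(lock, target) {
  const {packages} = lock
  const chains = []
  const visit = (lockPath, trail) => {
    const deps = packages[lockPath].dependencies || {}
    for (const depName of Object.keys(deps)) {
      const resolved = resolveDep(packages, lockPath, depName)
      if (resolved === null) continue // not installed; outside this check's scope
      const entry = `${depName}@${packages[resolved].version}`
      if (trail.includes(entry)) continue // cycle guard
      const next = [...trail, entry]
      if (depName === target) chains.push(next)
      visit(resolved, next)
    }
  }
  visit('', [])
  return chains
}

// Every installed copy of `name` on the bad major, wherever it is nested,
// plus the chains that reach one, so the offending dependant is named.
function report(lock, name, badMajor) {
  const copies = Object.entries(lock.packages)
    .filter(([lockPath, entry]) => lockPath !== '' && nameFromPath(lockPath) === name && majorOf(entry.version) === badMajor)
    .map(([lockPath, entry]) => ({path: lockPath, version: entry.version}))
  const chains = explain(lock, name)
    .filter((chain) => majorOf(chain[chain.length - 1].split('@').pop()) === badMajor)
    .map((chain) => chain.join(' > '))
  return {clean: copies.length === 0, copies, chains}
}

for (const [label, lock] of [['before', LOCK_BEFORE], ['after', LOCK_AFTER], ['after+straggler', LOCK_AFTER_STRAGGLER]]) {
  console.log(label, JSON.stringify(report(lock, 'js-yaml', 3)))
}
```

The sanity repository uses pnpm, whose pnpm-lock.yaml is a different format; `pnpm why js-yaml` gives the same answer for that tree. npm's lock is used here only because it is plain JSON and the resolution rule (nearest node_modules first, then ancestors) is the one that explains why a stale nested copy survives a bump of a single dependant.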
@ParakhJaggi ParakhJaggi requested a review from a team as a code owner March 23, 2026 17:59
@ParakhJaggi ParakhJaggi requested review from mariuslundgard and removed request for a team March 23, 2026 17:59
@socket-security

Review the following changes in direct dependencies.

Added: npm/preferred-pm@5.0.0
  Supply Chain Security: 100
  Vulnerability: 100
  Quality: 78
  Maintenance: 80
  License: 100


@rexxars rexxars left a comment


Thanks!

@rexxars rexxars merged commit 34577da into sanity-io:main Mar 23, 2026
6 of 8 checks passed
@squiggler-app squiggler-app bot mentioned this pull request Mar 23, 2026
@ParakhJaggi ParakhJaggi deleted the fix/bump-preferred-pm-js-yaml-vuln branch March 23, 2026 18:29

2 participants