Skip to content

[reverted and added suppression] Bump js-yaml from 4.3.0 to 5.2.1#58

Merged
mcgroarty merged 3 commits into
mainfrom
dependabot/npm_and_yarn/js-yaml-5.2.1
Jul 16, 2026
Merged

[reverted and added suppression] Bump js-yaml from 4.3.0 to 5.2.1#58
mcgroarty merged 3 commits into
mainfrom
dependabot/npm_and_yarn/js-yaml-5.2.1

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 16, 2026

Copy link
Copy Markdown
Contributor

Bumps js-yaml from 4.3.0 to 5.2.1.

Changelog

Sourced from js-yaml's changelog.

[5.2.1] - 2026-07-02

Fixed

  • Add Map support to !!omap (should work when realMapTag used)

Security

  • Remove quadratic complexity from !!omap addItem. Regression from v5 (usually not critical, because YAML11_SCHEMA is not default anymore).
Commits
  • ac16b42 5.2.1 released
  • 4a864e5 Deps bump
  • 39f3211 !!omap: add Map support and remove quadratic complexity
  • ff17f1e Changelog update
  • 8ed15f1 deps bump
  • 1a562dc Fix changelog link
  • c28ed5e 5.2.0 released
  • 125cd5a Add maxAliases option
  • 3105455 Replace maxMergeSeqLengthoption with maxTotalMergeKeys (more robust)
  • 39d00d6 numbers: Drop boxed numbers support, simplify .identify() checks, clarify rou...
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [js-yaml](https://github.com/nodeca/js-yaml) from 4.3.0 to 5.2.1.
- [Changelog](https://github.com/nodeca/js-yaml/blob/master/CHANGELOG.md)
- [Commits](nodeca/js-yaml@4.3.0...5.2.1)

---
updated-dependencies:
- dependency-name: js-yaml
  dependency-version: 5.2.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jul 16, 2026
@mcgroarty

Copy link
Copy Markdown
Contributor

@copilot Confirm compatibility with the proposed js-yaml update. Detail potential exposure and alternate mitigation if this is a security dependency that can't be updated.

Copilot AI commented Jul 16, 2026

Copy link
Copy Markdown
Contributor

@copilot Confirm compatibility with the proposed js-yaml update. Detail potential exposure and alternate mitigation if this is a security dependency that can't be updated.

js-yaml v5 is not compatible with the current stack — reverted to v4.3.0.

Why it breaks

astro@7.1.0 and @astrojs/starlight@0.41.3 both consume js-yaml using a default import:

File Import
astro/dist/content/loaders/file.js import yaml from "js-yaml"
astro/dist/core/config/settings.js import yaml from "js-yaml"
@astrojs/starlight/utils/translations-fs.ts import yaml from 'js-yaml'
@astrojs/starlight/schemas/head.ts import yaml from 'js-yaml'

js-yaml v5 is a major rewrite that removed the default export entirely (named exports only). The production build fails at the prerender phase with:

The requested module 'js-yaml' does not provide an export named 'default'

Security exposure

No known vulnerabilities exist in js-yaml 4.3.0 — both pnpm audit and the GitHub Advisory Database return clean results for this version. This bump is not a security fix; Dependabot appears to have flagged it as a routine major-version upgrade rather than a CVE-driven update.

Mitigation

js-yaml v4.x is safe to remain on. The path forward to v5 requires Astro and Starlight to update their own js-yaml imports to use named exports — that's an upstream change outside this project. Once astro and @astrojs/starlight ship compatible releases, the bump can be re-evaluated.

Copilot AI requested a review from mcgroarty July 16, 2026 22:14
js-yaml v5 removed its CommonJS default export. Astro and @astrojs/starlight
still consume js-yaml as `import yaml from 'js-yaml'`, so bumping to v5
breaks the production build at prerender:

  "The requested module 'js-yaml' does not provide an export named 'default'"

Add a targeted ignore rule so Dependabot stops proposing js-yaml major
bumps on every schedule. Security-driven updates are unaffected and will
still fire if a CVE lands against js-yaml 4.x.

Remove this ignore once upstream Astro/Starlight switch to named imports
from js-yaml.
@mcgroarty
mcgroarty merged commit 1a2fd7c into main Jul 16, 2026
6 checks passed
@mcgroarty
mcgroarty deleted the dependabot/npm_and_yarn/js-yaml-5.2.1 branch July 16, 2026 22:20
@mcgroarty mcgroarty changed the title Bump js-yaml from 4.3.0 to 5.2.1 [reverted and added suppression] Bump js-yaml from 4.3.0 to 5.2.1 Jul 16, 2026
@mcgroarty

Copy link
Copy Markdown
Contributor

I updated the dependabot config and rolled back the actual proposed update. See above from Copilot.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants