Skip to content

chore(deps): bump js-yaml#49

Merged
ChenLi0830 merged 1 commit into
masterfrom
dependabot/npm_and_yarn/multi-75e6bc5210
Jul 12, 2026
Merged

chore(deps): bump js-yaml#49
ChenLi0830 merged 1 commit into
masterfrom
dependabot/npm_and_yarn/multi-75e6bc5210

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Nov 17, 2025

Copy link
Copy Markdown
Contributor

Bumps and js-yaml. These dependencies needed to be updated together.
Updates js-yaml from 4.1.0 to 4.1.1

Changelog

Sourced from js-yaml's changelog.

[4.1.1] - 2025-11-12

Security

  • Fix prototype pollution issue in yaml merge (<<) operator.
Commits

Updates js-yaml from 3.14.1 to 3.14.2

Changelog

Sourced from js-yaml's changelog.

[4.1.1] - 2025-11-12

Security

  • Fix prototype pollution issue in yaml merge (<<) operator.
Commits

You can trigger a rebase of this PR by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

Note
Automatic rebases have been disabled on this pull request as it has been open for over 30 days.

Bumps  and [js-yaml](https://github.com/nodeca/js-yaml). These dependencies needed to be updated together.

Updates `js-yaml` from 4.1.0 to 4.1.1
- [Changelog](https://github.com/nodeca/js-yaml/blob/master/CHANGELOG.md)
- [Commits](nodeca/js-yaml@4.1.0...4.1.1)

Updates `js-yaml` from 3.14.1 to 3.14.2
- [Changelog](https://github.com/nodeca/js-yaml/blob/master/CHANGELOG.md)
- [Commits](nodeca/js-yaml@4.1.0...4.1.1)

---
updated-dependencies:
- dependency-name: js-yaml
  dependency-version: 4.1.1
  dependency-type: indirect
- dependency-name: js-yaml
  dependency-version: 3.14.2
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Nov 17, 2025

@ChenLi0830 ChenLi0830 left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔬 Automated PR Review — #49 chore(deps): bump js-yaml

Value Assessment

Low — Dependabot security patch bumping js-yaml (4.1.0→4.1.1, 3.14.1→3.14.2) in package-lock.json only. Fixes prototype pollution in YAML merge (<<) operator. Dev-only transitive dependency.

Three-Lens Analysis

Bug Analysis: 0 issues. No source code changes; js-yaml is never imported in application code.

Architecture Analysis: 1 low informational note — dual major versions of js-yaml (v3 + v4) coexist in the lockfile as transitive deps. Not actionable on this PR; consider collapsing during a future toolchain upgrade.

Security Analysis: The PR itself fixes the known prototype pollution vulnerability. No residual security concerns.

Verification

  • 2 raw findings → 1 verified (low/informational), 1 rejected (the prototype pollution finding was the fix itself, not a remaining issue)

Test Results

✅ All 51 tests pass (6 suites).

Verdict

APPROVED — Clean dependabot security patch. Only package-lock.json touched (+18/−18). Dev-only transitive dependency, no production impact. All tests pass. Safe to merge.

@ChenLi0830 ChenLi0830 left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Value Assessment: Low — lockfile-only transitive dependency update for js-yaml; no application source changes.

Verification: 3 raw candidates → 0 verified, 3 false alarms

Verified Issues:

  • None.

What I Checked:

  • Reviewed the full diff (package-lock.json only).
  • Verified there are no package.json changes and no repository source references to js-yaml.
  • Confirmed the lockfile installs cleanly and the existing Jest suite still passes on the PR head.

Test Results:

  • PASS — npm ci --silent
  • PASS — npm test -- --runInBand (6 suites, 51 tests)

Verdict: ✅ COMMENTED — no blocking issues found in this lockfile-only dependency bump.

@ChenLi0830 ChenLi0830 left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Value Assessment

  • Low — lockfile-only dependency refresh for transitive dev/test tooling; no application code changes.

Verification stats

  • 3 raw candidates -> 0 verified / 3 false alarms

Verified Issues with severity

  • None.

What I Checked

  • Reviewed the full diff: only package-lock.json entries changed.
  • Confirmed the updated js-yaml versions land in the eslint and ts-jest dependency trees via npm ls js-yaml.
  • Searched src/ and test/ for direct js-yaml / YAML usage and found no application-level coupling to this bump.

Test Results

  • npm ci --silent
  • npm test ✅ (6 suites, 51 tests passed)

Verdict

  • ✅ COMMENTED — no verified issues found; this looks safe to merge from a code-review perspective.

@ChenLi0830 ChenLi0830 left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Value Assessment
Low — this is a lockfile-only transitive security update for js-yaml, with no application source changes.

Verification stats
3 raw candidates → 0 verified, 3 false alarms.

Verified Issues with severity

  • None.

What I Checked

  • Reviewed the full PR diff in package-lock.json to confirm the scope is limited to js-yaml resolution updates.
  • Verified the installed dependency tree resolves to js-yaml 4.1.1 under eslint and 3.14.2 under the ts-jest / istanbul chain.
  • Confirmed the lockfile remains installable and consistent after a clean install.
  • Reviewed the repository test entrypoint and ran the existing automated test suite.

Test Results

  • npm ci --silent && npm test ✅ passed
  • 6 test suites passed, 51 tests passed

Verdict
✅ COMMENTED — no verified issues found. The PR applies the patched js-yaml releases and the current test suite still passes.

@ChenLi0830 ChenLi0830 left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Value Assessment

Medium — this is a small lockfile-only security dependency update for js-yaml (4.1.0 -> 4.1.1 and 3.14.1 -> 3.14.2). The code surface is tiny, but it addresses a relevant prototype-pollution fix in a transitive dev dependency.

Verification stats

3 raw candidates -> 0 verified, 3 false alarms.

Verified Issues

None.

What I Checked

  • Reviewed the full PR diff; only package-lock.json changes.
  • Confirmed the lockfile resolves the affected js-yaml instances to 4.1.1 and 3.14.2.
  • Checked the dependency tree with npm ls js-yaml --all.
  • Checked for introduced package metadata drift; npm ci did not modify package.json or package-lock.json.
  • Ran npm audit --omit=optional --json; remaining audit findings are pre-existing/out of scope for this lockfile-only PR and are not caused by the js-yaml bump.

Test Results

Passed — npm ci --silent && npm test completed successfully.

  • Test Suites: 6 passed, 6 total
  • Tests: 51 passed, 51 total

Verdict

✅ COMMENTED — no blocking issues found in this PR.

@ChenLi0830 ChenLi0830 left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Value Assessment: Medium — this is a focused lockfile-only Dependabot security update for transitive js-yaml copies used by the build/test toolchain. It has a small functional surface area but reduces parser-related supply-chain risk.

Verification stats: 4 raw candidates → 0 verified / 4 false alarms.

Verified Issues with severity: None.

What I Checked:

  • Reviewed the full diff in package-lock.json; the PR only updates js-yaml 4.1.0 → 4.1.1 under eslint/@eslint/eslintrc and js-yaml 3.14.1 → 3.14.2 under the older transitive tree.
  • Confirmed package.json dependency ranges remain compatible with the lockfile-only update.
  • Ran npm ls js-yaml --all and confirmed the installed tree now resolves the affected copies to 4.1.1 and 3.14.2.
  • Checked npm audit output; remaining reported vulnerabilities are unrelated existing dependencies, and no js-yaml advisory remains in the installed tree.

Test Results: PASS — npm ci --silent && npm test completed successfully; 6 test suites passed, 51 tests passed.

Verdict: ✅ COMMENTED — no verified issues found; this PR looks safe to merge from the reviewed diff and test evidence.

@ChenLi0830 ChenLi0830 left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Value Assessment

Medium — this is a small lockfile-only Dependabot security maintenance PR for js-yaml, so the implementation risk is low, but the value depends on whether it actually clears the current advisory state for that package.

Verification stats

4 raw candidates → 1 verified, 3 false alarms.

Verified Issues

  • Medium — js-yaml is still reported vulnerable after this lockfile bump. The PR locks node_modules/@eslint/eslintrc/node_modules/js-yaml and node_modules/eslint/node_modules/js-yaml to 4.1.1, and root node_modules/js-yaml to 3.14.2 (package-lock.json). On the PR head, npm audit --omit=optional --audit-level=moderate exits with code 1 and still reports GHSA-h67p-54hq-rp68 for js-yaml <=3.14.2 || 4.0.0 - 4.1.1, with fixes available via npm audit fix. So although this branch updates the older prototype-pollution ranges, it is stale against the current js-yaml advisory data and would still leave the repo's audit gate failing on js-yaml itself. Regenerating the lockfile to currently non-vulnerable js-yaml releases (for example the latest satisfiable 3.x/4.x ranges) should clear the target package.

What I Checked

  • Reviewed the full PR diff; only package-lock.json changes, updating js-yaml from 4.1.0 → 4.1.1 in eslint-related nested entries and 3.14.1 → 3.14.2 in the Jest/Istanbul path.
  • Verified GitHub reports the PR as mergeable (MERGEABLE, merge state BLOCKED, no conflict state).
  • Ran npm ls js-yaml --all to confirm the resolved dependency paths and versions.
  • Ran git diff --check origin/master...HEAD to check for whitespace/patch formatting issues.
  • Ran npm audit --omit=optional --audit-level=moderate to verify the current security state for the changed package.

Test Results

  • npm ci --silent && npm test — passed. Jest ran 6 suites / 51 tests successfully.
  • git diff --check origin/master...HEAD — passed.
  • npm audit --omit=optional --audit-level=moderate — failed; js-yaml remains reported under GHSA-h67p-54hq-rp68.

Verdict

❌ NEEDS FOLLOW-UP — tests pass and the lockfile is installable, but the PR is stale as a security bump because the changed js-yaml versions are still inside the current audited vulnerable ranges.

@ChenLi0830 ChenLi0830 left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Value Assessment

Low — this is a lockfile-only Dependabot security update for transitive js-yaml versions, so the intended value is narrowly reducing dependency risk without changing application code.

Verification stats

3 raw candidates → 1 verified / 2 false alarms.

Verified Issues

  • Medium — js-yaml remains inside current audited vulnerable ranges. The diff updates the ESLint copies to js-yaml@4.1.1 and the Jest/Istanbul path to js-yaml@3.14.2, but a clean install followed by npm audit --omit=optional --audit-level=moderate still exits 1. The audit report flags GHSA-h67p-54hq-rp68 for ranges <=3.14.2 || 4.0.0 - 4.1.1, with affected nodes at node_modules/@eslint/eslintrc/node_modules/js-yaml, node_modules/eslint/node_modules/js-yaml, and node_modules/js-yaml. In other words, this PR's pinned target versions are still considered vulnerable by the current npm advisory database.

What I Checked

  • Confirmed the PR changes only package-lock.json and only bumps transitive js-yaml lockfile entries.
  • Re-checked the previous verified finding against the current head bb1858c6a54e56fd3d3da79d1ad50a483d17d9cd.
  • Verified package-lock consistency through npm ci --silent.
  • Checked the installed dependency tree with npm ls js-yaml --all.
  • Checked current registry advisories with npm audit --omit=optional --audit-level=moderate.

Test Results

  • npm ci --silent && npm test: pass — 6 test suites passed, 51 tests passed.
  • npm audit --omit=optional --audit-level=moderate: failjs-yaml remains reported for GHSA-h67p-54hq-rp68.

Verdict

NEEDS FOLLOW-UP — tests pass, but the security update does not actually clear the current js-yaml advisory. The lockfile needs to resolve to non-vulnerable js-yaml versions before this dependency PR provides its intended security value.

@ChenLi0830 ChenLi0830 left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Value Assessment
Medium — this is a targeted security maintenance update that moves every installed js-yaml branch to the patched release for its dependency line without changing application code.

Verification
3 raw candidates → 0 verified, 3 false alarms.

Verified Issues
None.

What I Checked

  • Reviewed the complete package-lock-only diff and the surrounding dependency graph.
  • Confirmed npm resolves ESLint to js-yaml 4.1.1 and the Istanbul/ts-jest chain to js-yaml 3.14.2.
  • Verified that retaining both major lines is required by their respective parents and that npm ci accepts the lockfile.
  • Checked mergeability and whitespace errors; the PR is mergeable and git diff --check is clean.
  • Investigated npm audit output. Its fast-xml-parser/uuid findings are pre-existing in unchanged AWS SDK dependencies and were not introduced by this PR.

Test Results
PASS — npm ci --silent completed; npm test passed 6/6 suites and 51/51 tests.

Verdict
✅ COMMENTED — no verified issue found; the lockfile-only security update is internally consistent and tests pass.

@ChenLi0830 ChenLi0830 left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Reviewed as part of the legacy PR cleanup. The dependency-only change is mergeable, its CI matrix passes on Node 16 and 18, and no correctness issues were found.

@ChenLi0830 ChenLi0830 merged commit ba4d7e9 into master Jul 12, 2026
2 checks passed
@dependabot dependabot Bot deleted the dependabot/npm_and_yarn/multi-75e6bc5210 branch July 12, 2026 08:08
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant