chore(deps): bump js-yaml#49
Conversation
Bumps and [js-yaml](https://github.com/nodeca/js-yaml). These dependencies needed to be updated together. Updates `js-yaml` from 4.1.0 to 4.1.1 - [Changelog](https://github.com/nodeca/js-yaml/blob/master/CHANGELOG.md) - [Commits](nodeca/js-yaml@4.1.0...4.1.1) Updates `js-yaml` from 3.14.1 to 3.14.2 - [Changelog](https://github.com/nodeca/js-yaml/blob/master/CHANGELOG.md) - [Commits](nodeca/js-yaml@4.1.0...4.1.1) --- updated-dependencies: - dependency-name: js-yaml dependency-version: 4.1.1 dependency-type: indirect - dependency-name: js-yaml dependency-version: 3.14.2 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>
ChenLi0830
left a comment
There was a problem hiding this comment.
🔬 Automated PR Review — #49 chore(deps): bump js-yaml
Value Assessment
Low — Dependabot security patch bumping js-yaml (4.1.0→4.1.1, 3.14.1→3.14.2) in package-lock.json only. Fixes prototype pollution in YAML merge (<<) operator. Dev-only transitive dependency.
Three-Lens Analysis
Bug Analysis: 0 issues. No source code changes; js-yaml is never imported in application code.
Architecture Analysis: 1 low informational note — dual major versions of js-yaml (v3 + v4) coexist in the lockfile as transitive deps. Not actionable on this PR; consider collapsing during a future toolchain upgrade.
Security Analysis: The PR itself fixes the known prototype pollution vulnerability. No residual security concerns.
Verification
- 2 raw findings → 1 verified (low/informational), 1 rejected (the prototype pollution finding was the fix itself, not a remaining issue)
Test Results
✅ All 51 tests pass (6 suites).
Verdict
✅ APPROVED — Clean dependabot security patch. Only package-lock.json touched (+18/−18). Dev-only transitive dependency, no production impact. All tests pass. Safe to merge.
ChenLi0830
left a comment
There was a problem hiding this comment.
Value Assessment: Low — lockfile-only transitive dependency update for js-yaml; no application source changes.
Verification: 3 raw candidates → 0 verified, 3 false alarms
Verified Issues:
- None.
What I Checked:
- Reviewed the full diff (package-lock.json only).
- Verified there are no package.json changes and no repository source references to js-yaml.
- Confirmed the lockfile installs cleanly and the existing Jest suite still passes on the PR head.
Test Results:
- PASS —
npm ci --silent - PASS —
npm test -- --runInBand(6 suites, 51 tests)
Verdict: ✅ COMMENTED — no blocking issues found in this lockfile-only dependency bump.
ChenLi0830
left a comment
There was a problem hiding this comment.
Value Assessment
- Low — lockfile-only dependency refresh for transitive dev/test tooling; no application code changes.
Verification stats
- 3 raw candidates -> 0 verified / 3 false alarms
Verified Issues with severity
- None.
What I Checked
- Reviewed the full diff: only
package-lock.jsonentries changed. - Confirmed the updated
js-yamlversions land in the eslint and ts-jest dependency trees vianpm ls js-yaml. - Searched
src/andtest/for directjs-yaml/ YAML usage and found no application-level coupling to this bump.
Test Results
npm ci --silent✅npm test✅ (6 suites, 51 tests passed)
Verdict
- ✅ COMMENTED — no verified issues found; this looks safe to merge from a code-review perspective.
ChenLi0830
left a comment
There was a problem hiding this comment.
Value Assessment
Low — this is a lockfile-only transitive security update for js-yaml, with no application source changes.
Verification stats
3 raw candidates → 0 verified, 3 false alarms.
Verified Issues with severity
- None.
What I Checked
- Reviewed the full PR diff in package-lock.json to confirm the scope is limited to js-yaml resolution updates.
- Verified the installed dependency tree resolves to js-yaml 4.1.1 under eslint and 3.14.2 under the ts-jest / istanbul chain.
- Confirmed the lockfile remains installable and consistent after a clean install.
- Reviewed the repository test entrypoint and ran the existing automated test suite.
Test Results
npm ci --silent && npm test✅ passed- 6 test suites passed, 51 tests passed
Verdict
✅ COMMENTED — no verified issues found. The PR applies the patched js-yaml releases and the current test suite still passes.
ChenLi0830
left a comment
There was a problem hiding this comment.
Value Assessment
Medium — this is a small lockfile-only security dependency update for js-yaml (4.1.0 -> 4.1.1 and 3.14.1 -> 3.14.2). The code surface is tiny, but it addresses a relevant prototype-pollution fix in a transitive dev dependency.
Verification stats
3 raw candidates -> 0 verified, 3 false alarms.
Verified Issues
None.
What I Checked
- Reviewed the full PR diff; only
package-lock.jsonchanges. - Confirmed the lockfile resolves the affected
js-yamlinstances to4.1.1and3.14.2. - Checked the dependency tree with
npm ls js-yaml --all. - Checked for introduced package metadata drift;
npm cidid not modifypackage.jsonorpackage-lock.json. - Ran
npm audit --omit=optional --json; remaining audit findings are pre-existing/out of scope for this lockfile-only PR and are not caused by thejs-yamlbump.
Test Results
Passed — npm ci --silent && npm test completed successfully.
- Test Suites: 6 passed, 6 total
- Tests: 51 passed, 51 total
Verdict
✅ COMMENTED — no blocking issues found in this PR.
ChenLi0830
left a comment
There was a problem hiding this comment.
Value Assessment: Medium — this is a focused lockfile-only Dependabot security update for transitive js-yaml copies used by the build/test toolchain. It has a small functional surface area but reduces parser-related supply-chain risk.
Verification stats: 4 raw candidates → 0 verified / 4 false alarms.
Verified Issues with severity: None.
What I Checked:
- Reviewed the full diff in package-lock.json; the PR only updates js-yaml 4.1.0 → 4.1.1 under eslint/@eslint/eslintrc and js-yaml 3.14.1 → 3.14.2 under the older transitive tree.
- Confirmed package.json dependency ranges remain compatible with the lockfile-only update.
- Ran npm ls js-yaml --all and confirmed the installed tree now resolves the affected copies to 4.1.1 and 3.14.2.
- Checked npm audit output; remaining reported vulnerabilities are unrelated existing dependencies, and no js-yaml advisory remains in the installed tree.
Test Results: PASS — npm ci --silent && npm test completed successfully; 6 test suites passed, 51 tests passed.
Verdict: ✅ COMMENTED — no verified issues found; this PR looks safe to merge from the reviewed diff and test evidence.
ChenLi0830
left a comment
There was a problem hiding this comment.
Value Assessment
Medium — this is a small lockfile-only Dependabot security maintenance PR for js-yaml, so the implementation risk is low, but the value depends on whether it actually clears the current advisory state for that package.
Verification stats
4 raw candidates → 1 verified, 3 false alarms.
Verified Issues
- Medium —
js-yamlis still reported vulnerable after this lockfile bump. The PR locksnode_modules/@eslint/eslintrc/node_modules/js-yamlandnode_modules/eslint/node_modules/js-yamlto4.1.1, and rootnode_modules/js-yamlto3.14.2(package-lock.json). On the PR head,npm audit --omit=optional --audit-level=moderateexits with code 1 and still reports GHSA-h67p-54hq-rp68 forjs-yaml <=3.14.2 || 4.0.0 - 4.1.1, with fixes available vianpm audit fix. So although this branch updates the older prototype-pollution ranges, it is stale against the currentjs-yamladvisory data and would still leave the repo's audit gate failing onjs-yamlitself. Regenerating the lockfile to currently non-vulnerablejs-yamlreleases (for example the latest satisfiable 3.x/4.x ranges) should clear the target package.
What I Checked
- Reviewed the full PR diff; only
package-lock.jsonchanges, updatingjs-yamlfrom4.1.0 → 4.1.1in eslint-related nested entries and3.14.1 → 3.14.2in the Jest/Istanbul path. - Verified GitHub reports the PR as mergeable (
MERGEABLE, merge stateBLOCKED, no conflict state). - Ran
npm ls js-yaml --allto confirm the resolved dependency paths and versions. - Ran
git diff --check origin/master...HEADto check for whitespace/patch formatting issues. - Ran
npm audit --omit=optional --audit-level=moderateto verify the current security state for the changed package.
Test Results
npm ci --silent && npm test— passed. Jest ran 6 suites / 51 tests successfully.git diff --check origin/master...HEAD— passed.npm audit --omit=optional --audit-level=moderate— failed;js-yamlremains reported under GHSA-h67p-54hq-rp68.
Verdict
❌ NEEDS FOLLOW-UP — tests pass and the lockfile is installable, but the PR is stale as a security bump because the changed js-yaml versions are still inside the current audited vulnerable ranges.
ChenLi0830
left a comment
There was a problem hiding this comment.
Value Assessment
Low — this is a lockfile-only Dependabot security update for transitive js-yaml versions, so the intended value is narrowly reducing dependency risk without changing application code.
Verification stats
3 raw candidates → 1 verified / 2 false alarms.
Verified Issues
- Medium —
js-yamlremains inside current audited vulnerable ranges. The diff updates the ESLint copies tojs-yaml@4.1.1and the Jest/Istanbul path tojs-yaml@3.14.2, but a clean install followed bynpm audit --omit=optional --audit-level=moderatestill exits 1. The audit report flags GHSA-h67p-54hq-rp68 for ranges<=3.14.2 || 4.0.0 - 4.1.1, with affected nodes atnode_modules/@eslint/eslintrc/node_modules/js-yaml,node_modules/eslint/node_modules/js-yaml, andnode_modules/js-yaml. In other words, this PR's pinned target versions are still considered vulnerable by the current npm advisory database.
What I Checked
- Confirmed the PR changes only
package-lock.jsonand only bumps transitivejs-yamllockfile entries. - Re-checked the previous verified finding against the current head
bb1858c6a54e56fd3d3da79d1ad50a483d17d9cd. - Verified package-lock consistency through
npm ci --silent. - Checked the installed dependency tree with
npm ls js-yaml --all. - Checked current registry advisories with
npm audit --omit=optional --audit-level=moderate.
Test Results
npm ci --silent && npm test: pass — 6 test suites passed, 51 tests passed.npm audit --omit=optional --audit-level=moderate: fail —js-yamlremains reported for GHSA-h67p-54hq-rp68.
Verdict
❌ NEEDS FOLLOW-UP — tests pass, but the security update does not actually clear the current js-yaml advisory. The lockfile needs to resolve to non-vulnerable js-yaml versions before this dependency PR provides its intended security value.
ChenLi0830
left a comment
There was a problem hiding this comment.
Value Assessment
Medium — this is a targeted security maintenance update that moves every installed js-yaml branch to the patched release for its dependency line without changing application code.
Verification
3 raw candidates → 0 verified, 3 false alarms.
Verified Issues
None.
What I Checked
- Reviewed the complete package-lock-only diff and the surrounding dependency graph.
- Confirmed npm resolves ESLint to js-yaml 4.1.1 and the Istanbul/ts-jest chain to js-yaml 3.14.2.
- Verified that retaining both major lines is required by their respective parents and that npm ci accepts the lockfile.
- Checked mergeability and whitespace errors; the PR is mergeable and git diff --check is clean.
- Investigated npm audit output. Its fast-xml-parser/uuid findings are pre-existing in unchanged AWS SDK dependencies and were not introduced by this PR.
Test Results
PASS — npm ci --silent completed; npm test passed 6/6 suites and 51/51 tests.
Verdict
✅ COMMENTED — no verified issue found; the lockfile-only security update is internally consistent and tests pass.
ChenLi0830
left a comment
There was a problem hiding this comment.
Reviewed as part of the legacy PR cleanup. The dependency-only change is mergeable, its CI matrix passes on Node 16 and 18, and no correctness issues were found.
Bumps and js-yaml. These dependencies needed to be updated together.
Updates
js-yamlfrom 4.1.0 to 4.1.1Changelog
Sourced from js-yaml's changelog.
Commits
cc482e74.1.1 released50968b8dist rebuildd092d86lint fix383665ffix prototype pollution in merge (<<)0d3ca7aREADME.md: HTTP => HTTPS (#678)49baadddoc: 'empty' style option for !!nullba3460eFix demo link (#618)Updates
js-yamlfrom 3.14.1 to 3.14.2Changelog
Sourced from js-yaml's changelog.
Commits
cc482e74.1.1 released50968b8dist rebuildd092d86lint fix383665ffix prototype pollution in merge (<<)0d3ca7aREADME.md: HTTP => HTTPS (#678)49baadddoc: 'empty' style option for !!nullba3460eFix demo link (#618)You can trigger a rebase of this PR by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot mergewill merge this PR after your CI passes on it@dependabot squash and mergewill squash and merge this PR after your CI passes on it@dependabot cancel mergewill cancel a previously requested merge and block automerging@dependabot reopenwill reopen this PR if it is closed@dependabot closewill close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)You can disable automated security fix PRs for this repo from the Security Alerts page.