Fix vulnerabilities #309

Merged
imnutz merged 1 commit into master from vulnerabilities_fix_122025
Dec 4, 2025


@imnutz imnutz commented Dec 3, 2025

  • In js-yaml 4.1.0, 4.0.0, and 3.14.1 and below, it's possible for an attacker to modify the prototype of the result of a parsed yaml document via prototype pollution (__proto__). All users who parse untrusted yaml documents may be impacted.

@imnutz imnutz requested a review from a team as a code owner December 3, 2025 02:30
@imnutz imnutz requested a review from kietdo360 December 3, 2025 02:32
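
Added example, not part of this pull request or of js-yaml's code: a minimal JavaScript model of the issue named in the description above, where assigning a document-supplied `__proto__` key replaces the prototype of the parsed result, shown next to a hardened builder and a consumer-side check. The function names and the sample pairs are constructed for illustration.

```javascript
// Added example, not js-yaml's code: models a parser building a mapping
// from the key/value pairs of an untrusted document.

// Constructed input, the pairs for:  name: demo / __proto__: {isAdmin: true}
const pairs = [
  ["name", "demo"],
  ["__proto__", { isAdmin: true }],
];

// Unsafe: plain assignment. The key "__proto__" hits the inherited
// Object.prototype.__proto__ setter and swaps the result's prototype.
function buildUnsafe(entries) {
  const result = {};
  for (const [key, value] of entries) result[key] = value;
  return result;
}

// Hardened: "__proto__" becomes an ordinary own data property.
function buildSafe(entries) {
  const result = {};
  for (const [key, value] of entries) {
    if (key === "__proto__") {
      Object.defineProperty(result, key, {
        value, writable: true, enumerable: true, configurable: true,
      });
    } else {
      result[key] = value;
    }
  }
  return result;
}

// Consumer-side check (assumes only maps, sequences and scalars): paths of
// objects whose prototype is not Object.prototype, Array.prototype or null.
function findAlteredPrototypes(node, path = "$", hits = [], seen = new WeakSet()) {
  if (node === null || typeof node !== "object" || seen.has(node)) return hits;
  seen.add(node);
  const proto = Object.getPrototypeOf(node);
  if (![null, Object.prototype, Array.prototype].includes(proto)) hits.push(path);
  for (const key of Object.keys(node)) {
    findAlteredPrototypes(node[key], `${path}.${key}`, hits, seen);
  }
  return hits;
}

console.log(findAlteredPrototypes(buildUnsafe(pairs)));
console.log(findAlteredPrototypes(buildSafe(pairs)));
```

In the unsafe result `isAdmin` is readable although it is not an own key, so an authorization check such as `if (config.isAdmin)` would pass; `Object.prototype` itself is untouched, which matches the description's "prototype of the result".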

@kietdo360 kietdo360 left a comment

LGTM, but please add some info about the vulnerabilities in the description.

@kietdo360 kietdo360 requested a review from a team December 3, 2025 02:44
@eddsteel eddsteel left a comment

Reviewed for data exfiltration.

@imnutz imnutz merged commit b66b136 into master Dec 4, 2025
3 checks passed