Skip to content

Commit 7fafa26

Browse files
committed
chore(deps): upgrade js-yaml to 5.2 and drop @types/js-yaml
1 parent 421d3db commit 7fafa26

5 files changed

Lines changed: 26 additions & 43 deletions

File tree

.changeset/upgrade-js-yaml-5.md

Lines changed: 5 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,5 @@
1+
---
2+
"@openmapx/core": patch
3+
---
4+
5+
Upgrade js-yaml from 4.x to 5.2.x. js-yaml 5 is a dual CJS/ESM package that addresses the merge-key DoS (GHSA-h67p-54hq-rp68) structurally and ships its own TypeScript types (the separate `@types/js-yaml` dev dependency is dropped). The Docker compose renderer's output is functionally identical; only cosmetic scalar quoting differs in one edge case (a bare `-c` argument is no longer single-quoted, and parses back to the same string).

packages/core/package.json

Lines changed: 1 addition & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -70,10 +70,9 @@
7070
"@turf/helpers": "^7.3.5",
7171
"@turf/nearest-point-on-line": "^7.3.5",
7272
"@types/geojson": "^7946.0.16",
73-
"@types/js-yaml": "^4.0.9",
7473
"@types/tz-lookup": "^6.1.2",
7574
"better-auth": "^1.6.18",
76-
"js-yaml": "^4.1.2",
75+
"js-yaml": "^5.2.1",
7776
"opening_hours": "^3.13.0",
7877
"react": "19.2.7",
7978
"tz-lookup": "^6.1.25",

packages/integration-framework/package.json

Lines changed: 0 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -43,7 +43,6 @@
4343
"@openmapx/poi-source-registry": "workspace:^",
4444
"impit": "^0.14.1",
4545
"intl-messageformat": "^11.2.8",
46-
"js-yaml": "^4.1.2",
4746
"zod": "^4.4.3"
4847
},
4948
"peerDependencies": {
@@ -61,7 +60,6 @@
6160
},
6261
"devDependencies": {
6362
"@types/geojson": "^7946.0.16",
64-
"@types/js-yaml": "^4.0.9",
6563
"@types/node": "^24.13.2",
6664
"@types/react": "^19.2.17",
6765
"esbuild": "^0.28.0",

pnpm-lock.yaml

Lines changed: 10 additions & 32 deletions
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.

pnpm-workspace.yaml

Lines changed: 10 additions & 7 deletions
Original file line numberDiff line numberDiff line change
@@ -52,13 +52,16 @@ overrides:
5252
"fast-uri": ">=3.1.2"
5353
"kysely": ">=0.28.17"
5454
"fast-xml-builder": ">=1.1.7"
55-
# >=4.1.2 closes GHSA-h67p-54hq-rp68 (quadratic-complexity DoS via merge-key
56-
# aliases). Pulled in transitively by @changesets/cli.
57-
"js-yaml": "^4.1.2"
58-
# read-yaml-file@1.1.0 (a @changesets/cli transitive) calls js-yaml's
59-
# `safeLoad`, removed in js-yaml 4 — so the js-yaml override above crashes
60-
# `changeset status`. 2.1.0 is the newest CJS release that uses js-yaml 4's
61-
# `load` API (3.0.0 is ESM-only and breaks the CJS changesets requires).
55+
# js-yaml 5.2.x is a dual CJS/ESM package that addresses the merge-key DoS
56+
# (GHSA-h67p-54hq-rp68) structurally: load() defaults to CORE_SCHEMA (no
57+
# `!!merge`), plus the maxTotalMergeKeys/maxAliases caps added in 5.2.0.
58+
# Pinned to keep one version workspace-wide — our compose-renderer and the
59+
# @changesets/cli transitive both resolve to 5.2.x.
60+
"js-yaml": "^5.2.1"
61+
# read-yaml-file@2.1.0 is a @changesets/cli transitive that does a CJS
62+
# `require("js-yaml").load(...)`. It works with js-yaml 5's `require` entry
63+
# (5.x is a dual package) and its `load`. 3.0.0 is ESM-only and breaks the
64+
# CJS changesets requires, so stay on 2.1.0.
6265
"read-yaml-file": "^2.1.0"
6366
# ^7.28.0 closes the 7 advisories pnpm audit reports against undici 7.27.2,
6467
# incl. GHSA-vmh5-mc38-953g, GHSA-vxpw-j846-p89q and GHSA-hm92-r4w5-c3mj

0 commit comments

Comments
 (0)