Skip to content

chore(deps): bump js-yaml from 4.2.0 to 5.2.1#114

Closed
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/js-yaml-5.2.0
Closed

chore(deps): bump js-yaml from 4.2.0 to 5.2.1#114
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/js-yaml-5.2.0

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 29, 2026

Copy link
Copy Markdown
Contributor

Bumps js-yaml from 4.2.0 to 5.2.1.

Changelog

Sourced from js-yaml's changelog.

[5.2.1] - 2026-07-02

Fixed

  • Add Map support to !!omap (should work when realMapTag used)

Security

  • Remove quadratic complexity from !!omap addItem. Regression from v5 (usually not critical, because YAML11_SCHEMA is not default anymore).

4.3.0, 3.15.0 - 2026-06-27

Security

  • Backported maxTotalMergeKeys option.

[5.2.0] - 2026-06-26

Added

  • Added maxTotalMergeKeys (10000) loader option to limit the total number of keys processed by YAML merge (<<) across one load() / loadAll() call.
  • Added maxAliases (-1) loader option to limit the number of YAML aliases per document.

Removed

  • maxMergeSeqLength replaced with maxTotalMergeKeys for limiting YAML merge processing.

Fixed

  • Round-trip of integers with exponential form (>= 1e21)

[5.1.0] - 2026-06-23

Added

  • Collection tags can finalize an incrementally populated carrier into a different result value.

Changed

  • [breaking] quoteStyle now selects the preferred quote style; use the restored forceQuotes option to force quoting non-key strings.

[5.0.0] - 2026-06-20

Added

  • Added named exports for schemas, tags, parser events and AST utilities.
  • Reworked JSON_SCHEMA and CORE_SCHEMA with spec-compliant scalar resolution rules, and added YAML11_SCHEMA.
  • Added realMapTag for lossless mappings with non-string and complex keys. Object-based mappings now reject complex keys instead of stringifying them.
  • Added dump() transform option for changing the generated AST before rendering.
  • Added dump() options seqInlineFirst, flowBracketPadding, flowSkipCommaSpace, flowSkipColonSpace, quoteFlowKeys, quoteStyle and

... (truncated)

Commits
  • ac16b42 5.2.1 released
  • 4a864e5 Deps bump
  • 39f3211 !!omap: add Map support and remove quadratic complexity
  • ff17f1e Changelog update
  • 8ed15f1 deps bump
  • 1a562dc Fix changelog link
  • c28ed5e 5.2.0 released
  • 125cd5a Add maxAliases option
  • 3105455 Replace maxMergeSeqLengthoption with maxTotalMergeKeys (more robust)
  • 39d00d6 numbers: Drop boxed numbers support, simplify .identify() checks, clarify rou...
  • Additional commits viewable in compare view

@dependabot
dependabot Bot requested a review from Medformatik as a code owner June 29, 2026 04:29
@dependabot
dependabot Bot force-pushed the dependabot/npm_and_yarn/js-yaml-5.2.0 branch 2 times, most recently from 177ab87 to 7ffbdeb Compare June 29, 2026 04:46
@dependabot dependabot Bot changed the title chore(deps): bump js-yaml from 4.2.0 to 5.2.0 chore(deps): bump js-yaml from 4.2.0 to 5.2.1 Jul 3, 2026
@dependabot
dependabot Bot force-pushed the dependabot/npm_and_yarn/js-yaml-5.2.0 branch from 7ffbdeb to 9d30480 Compare July 3, 2026 16:43
Bumps [js-yaml](https://github.com/nodeca/js-yaml) from 4.2.0 to 5.2.1.
- [Changelog](https://github.com/nodeca/js-yaml/blob/master/CHANGELOG.md)
- [Commits](nodeca/js-yaml@4.2.0...5.2.1)

---
updated-dependencies:
- dependency-name: js-yaml
  dependency-version: 5.2.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot
dependabot Bot force-pushed the dependabot/npm_and_yarn/js-yaml-5.2.0 branch from 9d30480 to e8f182b Compare July 3, 2026 21:05
@Medformatik

Copy link
Copy Markdown
Collaborator

Closing this one — as generated it would reintroduce a bug that was just fixed, and it's internally inconsistent.

The diff sets js-yaml to ^5.2.1 in packages/core and packages/integration-framework, but the PR's own pnpm-lock.yaml still resolves js-yaml to 4.3.0 — because the unscoped js-yaml: ^4.1.2 override in pnpm-workspace.yaml forces the 4.x line. So the manifests would declare ^5.2.1 while 4.3.0 is what actually installs. That 'manifest lies about the installed version' mismatch is exactly what was cleaned up recently (the manifests were deliberately set to ^4.1.2 to match the override-forced reality), and CI passes here only because the override masks the change.

A real move to js-yaml 5 is a deliberate migration, not an auto-bump: the js-yaml: ^4.1.2 override closes a changesets transitive DoS advisory (GHSA-h67p-54hq-rp68), and read-yaml-file@^2.1.0 is pinned specifically because it relies on js-yaml 4's load API. Both need to be re-verified (plus compose-renderer's load/dump usage) before the override can be dropped and 5.x adopted.

Closing so it doesn't get auto-merged in this defective state. If a proper js-yaml 5 migration is done later, dependabot will regenerate this.

@Medformatik Medformatik closed this Jul 3, 2026
@dependabot @github

dependabot Bot commented on behalf of github Jul 3, 2026

Copy link
Copy Markdown
Contributor Author

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version. You can also ignore all major, minor, or patch releases for a dependency by adding an ignore condition with the desired update_types to your config file.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.

@dependabot
dependabot Bot deleted the dependabot/npm_and_yarn/js-yaml-5.2.0 branch July 3, 2026 21:27
@github-actions github-actions Bot locked and limited conversation to collaborators Jul 3, 2026
@Medformatik

Copy link
Copy Markdown
Collaborator

Follow-up: the js-yaml 5 upgrade turned out to be feasible and has now been done properly on main in 7fafa26 — but as a deliberate migration rather than this auto-bump.

Key findings that made it safe:

  • js-yaml 5.x is a dual CJS/ESM package (its exports map has both import and require entries), so the @changesets/cliread-yaml-file@2.1.0 chain that does require('js-yaml').load() keeps working. That was my main worry when closing this.
  • The merge-key DoS (GHSA-h67p-54hq-rp68) is addressed structurally in 5.2.x (load() defaults to CORE_SCHEMA without !!merge, plus maxTotalMergeKeys/maxAliases caps), so the security reason for the old ^4.1.2 override is satisfied.
  • js-yaml 5 ships its own TypeScript types, so @types/js-yaml was dropped.

What the migration did that this PR couldn't: set a consistent ^5.2.1 override (one version workspace-wide), removed the now-dead js-yaml dep from integration-framework, and added a changeset. Verified with check-types, the 45 compose-renderer tests, changeset status, pnpm audit --prod (clean), and the full suite (6153 passing). The only compose-render output change is cosmetic — a bare -c arg is no longer single-quoted and parses back to the same string.

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant