Skip to content

Security/bump Js Yaml 4.3.0#96

Merged
jasperf merged 3 commits into
mainfrom
security/bump-js-yaml-4.3.0
Jul 6, 2026
Merged

Security/bump Js Yaml 4.3.0#96
jasperf merged 3 commits into
mainfrom
security/bump-js-yaml-4.3.0

Conversation

@jasperf

@jasperf jasperf commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

This resolves a security vulnerability in the js-yaml build dependency by bumping it from 4.1.1 to 4.3.0, addressing a denial-of-service vulnerability (GHSA-h67p-54hq-rp68). The package-lock.json was re-added with the patched version, and the theme version was bumped to 4.6.4 across style.css, readme.txt, and CHANGELOG.md in accordance with the project's version management convention. Additionally, a machine-specific session_logging configuration block was removed from .vibe/config.toml to eliminate a hardcoded local file path that should not be checked into the repository. This is a build-tooling-only change with no impact on theme templates, patterns, or runtime user-facing functionality.

Security:

  • Updated the transitive build dependency js-yaml from 4.1.1 to 4.3.0 to remediate a DoS vulnerability (GHSA-h67p-54hq-rp68), with the fix captured by re-adding package-lock.json.
  • No runtime theme behavior changes result from this update, as js-yaml is only used in the build/tooling chain, not in theme templates or patterns.

Version Management:

  • Bumped the theme version to 4.6.4 in style.css and readme.txt (Stable tag), per the project's convention of updating all version references together.
  • Added a corresponding ## [4.6.4] entry to CHANGELOG.md and a matching changelog block in readme.txt, documenting the security fix and clarifying it as a technical, non-user-facing change.

Configuration Cleanup:

  • Removed the [session_logging] block from .vibe/config.toml, which contained a hardcoded, machine-specific save_dir path (/Users/jasperfrumau/.vibe/logs/session) that had no place in shared project configuration.

Files Changed:

Dependency lock files updated: package-lock.json,

jasperf added 3 commits July 6, 2026 10:12
js-yaml build dependency updated from 4.1.1 to 4.3.0 to address a
denial-of-service vulnerability (GHSA-h67p-54hq-rp68). No runtime
theme changes.
The save_dir path pointed to a local user home directory that
doesn't apply generally to the repo.
Tracks the patched js-yaml version (GHSA-h67p-54hq-rp68) in git for
reproducible installs, consistent with other Imagewize themes.
Still excluded from the WP.org distribution zip via .distignore.
@jasperf jasperf merged commit bfe3563 into main Jul 6, 2026
3 checks passed
@jasperf jasperf deleted the security/bump-js-yaml-4.3.0 branch July 6, 2026 03:21
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant