Skip to content

chore(deps): bump js-yaml from 4.1.1 to 4.2.0#4286

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/js-yaml-4.2.0
Open

chore(deps): bump js-yaml from 4.1.1 to 4.2.0#4286
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/js-yaml-4.2.0

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 1, 2026

Copy link
Copy Markdown
Contributor

Bumps js-yaml from 4.1.1 to 4.2.0.

Changelog

Sourced from js-yaml's changelog.

[4.2.0] - 2026-06-01

Added

  • Added docs/safety.md with notes about processing untrusted YAML.
  • Added maxDepth (100) loader option. Not a problem, but gives a better exception instead of RangeError on stack overflow.
  • Added a loader option limiting merge sequence length. Not a problem after merge fix, but an additional restriction for safety.
  • Added sourcemaps to dist/ builds.

Changed

  • Stop resolving numbers with underscores as numeric scalars, #627.
  • Switched dev toolchains to Vite / neostandard.
  • Updated demo.
  • Reorganized tests.
  • dist/ files are no longer kept in the repository.

Fixed

  • Fix parsing of properties on the first implicit block mapping key, #62.
  • Fix trailing whitespace handling when folding flow scalar lines, #307.
  • Reject top-level block scalars without content indentation, #280.
  • Ensure numbers survive round-trip, #737.
  • Fix test coverage for issue #221.
  • Fix flow scalar trailing whitespace folding, #307.
  • Fix digits in YAML named tag handles.

Security

  • Fix potential DoS via quadratic complexity in merge - deduplicate repeated elements (makes sense for malformed files > 10K).

[3.14.2] - 2025-11-15

Security

  • Backported v4.1.1 fix to v3
Commits


Note

Low Risk
Dependency-only bump with no code changes; low risk overall, with a small chance of YAML parse differences where external/untrusted YAML is loaded.

Overview
Bumps direct js-yaml dependencies from 4.1.x to ^4.2.0 in cron_service, packages_worker, and security_best_practices_worker, with pnpm-lock.yaml pinning resolved 4.3.0 and updating transitive consumers (e.g. ESLint, cosmiconfig, OpenAPI tooling) off 4.1.1.

There are no application code changes—only version ranges and lockfile churn (including unrelated lockfile edits such as needle git resolution and AWS SDK peer-dependency wiring).

4.2.x brings parser hardening (merge-related DoS fix, default maxDepth, merge-length limits) and behavior changes such as no longer treating numbers with underscores as numeric scalars; services that yaml.load external YAML (e.g. OpenStack governance, Security Insights) may see stricter or slightly different parse results without any call-site updates in this PR.

Reviewed by Cursor Bugbot for commit 659bd74. Bugbot is set up for automated code reviews on this repo. Configure here.

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jul 1, 2026
@CLAassistant

Copy link
Copy Markdown

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.
You have signed the CLA already but the status is still pending? Let us recheck it.

@github-actions

github-actions Bot commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

⚠️ Jira Issue Key Missing

Your PR title doesn't contain a Jira issue key. Consider adding it for better traceability.

Example:

  • feat: add user authentication (CM-123)
  • feat: add user authentication (IN-123)

Projects:

  • CM: Community Data Platform
  • IN: Insights

Please add a Jira issue key to your PR title.

Bumps [js-yaml](https://github.com/nodeca/js-yaml) from 4.1.1 to 4.2.0.
- [Changelog](https://github.com/nodeca/js-yaml/blob/master/CHANGELOG.md)
- [Commits](nodeca/js-yaml@4.1.1...4.2.0)

---
updated-dependencies:
- dependency-name: js-yaml
  dependency-version: 4.2.0
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/js-yaml-4.2.0 branch from d1f11ba to 659bd74 Compare July 2, 2026 10:09
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant