Skip to content

Update js-yaml to 4.1.1 #971

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
evman182 wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Update js-yaml to 4.1.1 #971

evman182 wants to merge 1 commit into from
+6 −5

Conversation

@evman182
Copy link

@evman182 evman182 commented Dec 10, 2025
edited
Loading

@CLAassistant
Copy link

CLAassistant commented Dec 10, 2025
edited
Loading

CLA assistant check
All committers have signed the CLA.

@cypress-app-bot
Copy link

cypress-app-bot commented Dec 10, 2025

jpage-godaddy
jpage-godaddy reviewed Dec 30, 2025
View reviewed changes
package.json
"execa": "4.1.0",
"istanbul-lib-coverage": "^3.0.0",
"js-yaml": "4.1.0",
"js-yaml": "4.1.1",
Copy link

@jpage-godaddy jpage-godaddy Dec 30, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe we could also make this more future-proof? Not sure why we have ^ versioning for some but not all dependencies.

Suggested change
"js-yaml": "4.1.1",
"js-yaml": "^4.1.1",

Copy link

@fyodorio fyodorio Jan 22, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Taking into account the recent amount of npm supply chain vulnerabilities where unsolicited (and vulnerable) patch versions caused drastic mayhem, I would highly recommend the opposite — switching to strict dependency package versioning.

Copy link

@woody-li woody-li Feb 4, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@fyodorio
I think using strict package version is a good way.
But it requires more timely maintenance to upgrade the dependency versions.

This vulnerability issue was reported at Nov 13, 2025
But the dependency upgrade is still in progress for now (almost 3 months).

@jlocke2
Copy link

jlocke2 commented Jan 20, 2026

@jpage-godaddy @AtofStryker @jennifer-shehane - Apologies for the ping (not sure who the right person would be in this case), but would it be possible to review/merge this change as it relates to GHSA-mh29-5h37-fv8m. Happy to help if needed.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

3 more reviewers

@woody-li woody-li woody-li left review comments

@fyodorio fyodorio fyodorio left review comments

@jpage-godaddy jpage-godaddy jpage-godaddy left review comments

Reviewers whose approvals may not affect merge requirements

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Security vulnerability: Update js-yaml from 4.1.0 to 4.1.1 to fix prototype pollution (BDSA-2025-27523)

7 participants

@evman182 @CLAassistant @cypress-app-bot @jlocke2 @woody-li @fyodorio @jpage-godaddy