chore(deps): Bump js-yaml from 4.1.1 to 4.2.0#11
Conversation
Bumps [js-yaml](https://github.com/nodeca/js-yaml) from 4.1.1 to 4.2.0. - [Changelog](https://github.com/nodeca/js-yaml/blob/master/CHANGELOG.md) - [Commits](nodeca/js-yaml@4.1.1...4.2.0) --- updated-dependencies: - dependency-name: js-yaml dependency-version: 4.2.0 dependency-type: direct:production ... Signed-off-by: dependabot[bot] <support@github.com>
|
| Filename | Overview |
|---|---|
| packages/lib/package.json | Bumps js-yaml specifier from ^4.1.0 to ^4.2.0; includes a behavioral change for YAML values that use underscore-separated numbers |
| pnpm-lock.yaml | Locks js-yaml to 4.2.0 as intended, but also bumps @voidzero-dev/vite-plus-core from 0.1.24 to 0.2.4 across all workspace packages — an unintended side effect because vite is declared as npm:@voidzero-dev/vite-plus-core@latest |
Comments Outside Diff (1)
-
pnpm-lock.yaml, line 27-40 (link)Unintended toolchain bump bundled into this js-yaml PR
Every workspace package silently picked up
@voidzero-dev/vite-plus-core@0.2.4(from0.1.24) becauseviteis declared asnpm:@voidzero-dev/vite-plus-core@latest. Regenerating the lockfile to landjs-yaml@4.2.0also resolved the newlatestfor core. The two upgrades are unrelated; mixing them makes the diff harder to audit and means a build/test regression from the toolchain change would appear in a js-yaml bump PR. Additionally,@voidzero-dev/vite-plus-core@0.2.4narrows Node 22 support to^22.18.0(from>=22.12.0), which could break CI environments running 22.12–22.17.
Reviews (1): Last reviewed commit: "chore(deps): Bump js-yaml from 4.1.1 to ..." | Re-trigger Greptile
| "exiftool-vendored": "^35.20.0", | ||
| "fast-xml-parser": "^5.2.3", | ||
| "js-yaml": "^4.1.0", | ||
| "js-yaml": "^4.2.0", |
There was a problem hiding this comment.
Underscore-numeric parsing behavior change in js-yaml 4.2.0
js-yaml@4.2.0 stops resolving numbers written with underscores as numeric scalars (e.g. 1_000_000 is now the string "1_000_000" rather than the integer 1000000). Any YAML the pipeline reads that uses this notation will silently yield strings where code previously received numbers, potentially breaking numeric comparisons or arithmetic downstream. It is worth scanning the YAML files this library parses to confirm none rely on underscore-delimited numbers.
Bumps js-yaml from 4.1.1 to 4.2.0.
Changelog
Sourced from js-yaml's changelog.
Commits
590dbab4.2.0 releasedf944dc5Add package.json funding fieldf692719Changelog update9971a06Fix digits in YAML named tag handles464a5b8Fix flow scalar trailing whitespace folding, close #3071fda4f7Tests for #567, #565031ad07Stop resolving numbers with underscores as numeric scalars, #627e46d223CI config update9023feeAdd lockfile990e6f4Docs updateDependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)You can disable automated security fix PRs for this repo from the Security Alerts page.