Skip to content

Bump js-yaml to 3.15.0 / 4.3.0 via lockfile re-resolution#1172

Merged
ChanTsune merged 1 commit into
masterfrom
fix/js-yaml-cve-2026-53550
Jul 3, 2026
Merged

Bump js-yaml to 3.15.0 / 4.3.0 via lockfile re-resolution#1172
ChanTsune merged 1 commit into
masterfrom
fix/js-yaml-cve-2026-53550

Conversation

@ChanTsune

Copy link
Copy Markdown
Owner

Bumps js-yaml to patched versions across both transitive paths: 3.14.2 → 3.15.0 and 4.1.1 → 4.3.0.

js-yaml is not a direct dependency. It enters through two paths, both re-resolved by re-solving the lockfile — no overrides were added and jest stays at 30.4.2 (Dependabot's own update path would have downgraded it to 25.0.0).

  • ts-jest@jest/transformbabel-plugin-istanbul@istanbuljs/load-nyc-configjs-yaml@3.14.23.15.0
  • standardeslint@8.57.1 (+ @eslint/eslintrc) → js-yaml@4.1.14.3.0

Security fix

Resolves GHSA-h67p-54hq-rp68 — JS-YAML: Quadratic-complexity DoS in merge key handling via repeated aliases.

  • CVE: CVE-2026-53550
  • Severity: Moderate (CVSS 5.3)
  • Patched: js-yaml >= 3.15.0 (3.x line); 4.x re-resolved to 4.3.0

Commits

  • Bump js-yaml to 3.15.0 / 4.3.0 via lockfile re-resolution

Verification

  • npm ls js-yaml → 3.15.0 and 4.3.0 only; vulnerable 3.14.2 / 4.1.1 gone
  • npm ls jest → stays at 30.4.2 (no downgrade to 25.0.0)
  • npm audit → no js-yaml findings
  • npm run all → build, format, lint, package, test all pass

Re-resolve the transitive js-yaml dependency so the vulnerable 3.14.2
(under @istanbuljs/load-nyc-config, via ts-jest) and 4.1.1 (under
eslint@8.57.1, via standard) are replaced with patched 3.15.0 and 4.3.0.
No overrides added and jest stays at 30.4.2.

Fixes GHSA-h67p-54hq-rp68 (CVE-2026-53550).
@ChanTsune ChanTsune merged commit d8557bb into master Jul 3, 2026
8 checks passed
@ChanTsune ChanTsune deleted the fix/js-yaml-cve-2026-53550 branch July 3, 2026 13:55
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant