From c52d0ba7990995785b4eb91be75297fb8109a4f8 Mon Sep 17 00:00:00 2001 From: ConnorQi01 Date: Tue, 16 Jun 2026 10:06:14 +0800 Subject: [PATCH 1/2] security: update tar and js-yaml in smoke tests Fixes Dependabot alerts: - tar 7.5.11 -> 7.5.16 (GHSA-vmf3-w455-68vh) - js-yaml 4.1.1 -> 4.2.0 (GHSA-h67p-54hq-rp68) --- test/smoke/package-lock.json | 26 ++++++++++++++++++-------- test/smoke/package.json | 4 ++-- 2 files changed, 20 insertions(+), 10 deletions(-) diff --git a/test/smoke/package-lock.json b/test/smoke/package-lock.json index ce7a68849..d1d2ad14c 100644 --- a/test/smoke/package-lock.json +++ b/test/smoke/package-lock.json @@ -19,7 +19,7 @@ "@types/url-parse": "^1.4.11", "adm-zip": "^0.5.17", "ansi-styles": "^6.2.1", - "js-yaml": "4.1.1", + "js-yaml": "^4.2.0", "minimatch": "^10.2.4", "mkdirp": "^3.0.1", "mocha": "11.7.2", @@ -29,7 +29,7 @@ "playwright": "^1.55.1", "rimraf": "^6.0.1", "shell-quote": "^1.8.4", - "tar": "7.5.11", + "tar": "^7.5.16", "tree-kill": "^1.2.2", "ts-node": "10.9.2", "typescript": "5.9.2", @@ -1044,10 +1044,20 @@ } }, "node_modules/js-yaml": { - "version": "4.1.1", - "resolved": "https://registry.npmjs.org/js-yaml/-/js-yaml-4.1.1.tgz", - "integrity": "sha512-qQKT4zQxXl8lLwBtHMWwaTcGfFOZviOJet3Oy/xmGk2gZH677CJM9EvtfdSkgWcATZhj/55JZ0rmy3myCT5lsA==", + "version": "4.2.0", + "resolved": "https://registry.npmjs.org/js-yaml/-/js-yaml-4.2.0.tgz", + "integrity": "sha512-ePWsvanv0DWuDRsW8dnt+R4jQ31SCRCQ7hhNcPXZPsoBZiemuZNYGf7adZdqX2D86j6rvKp3RpCxVTSb8WQlOw==", "dev": true, + "funding": [ + { + "type": "github", + "url": "https://github.com/sponsors/puzrin" + }, + { + "type": "github", + "url": "https://github.com/sponsors/nodeca" + } + ], "license": "MIT", "dependencies": { "argparse": "^2.0.1" 
@@ -1868,9 +1878,9 @@ } }, "node_modules/tar": { - "version": "7.5.11", - "resolved": "https://registry.npmjs.org/tar/-/tar-7.5.11.tgz", - "integrity": "sha512-ChjMH33/KetonMTAtpYdgUFr0tbz69Fp2v7zWxQfYZX4g5ZN2nOBXm1R2xyA+lMIKrLKIoKAwFj93jE/avX9cQ==", + "version": "7.5.16", + "resolved": "https://registry.npmjs.org/tar/-/tar-7.5.16.tgz", + "integrity": "sha512-56adEpPMouktRlBLXiaYFFzZ/3+JXa8P9n7WbR+ibIjtviN55mEaOkiysCnPnWm+7kkui1Dn8J9l+g6zV8731w==", "dev": true, "license": "BlueOak-1.0.0", "dependencies": { diff --git a/test/smoke/package.json b/test/smoke/package.json index 4eab45db6..4d43c6ec5 100644 --- a/test/smoke/package.json +++ b/test/smoke/package.json @@ -18,7 +18,7 @@ "@types/url-parse": "^1.4.11", "adm-zip": "^0.5.17", "ansi-styles": "^6.2.1", - "js-yaml": "4.1.1", + "js-yaml": "4.2.0", "minimatch": "^10.2.4", "mkdirp": "^3.0.1", "mocha": "11.7.2", @@ -28,7 +28,7 @@ "playwright": "^1.55.1", "rimraf": "^6.0.1", "shell-quote": "^1.8.4", - "tar": "7.5.11", + "tar": "7.5.16", "tree-kill": "^1.2.2", "ts-node": "10.9.2", "typescript": "5.9.2", From afc180641d5427e043f5afa193421f5052a6470f Mon Sep 17 00:00:00 2001 From: ConnorQi01 Date: Wed, 17 Jun 2026 10:04:13 +0800 Subject: [PATCH 2/2] security: bump js-yaml override from 4.1.1 to 4.2.0 --- package-lock.json | 32 +++++++++++++++++++++----------- package.json | 2 +- 2 files changed, 22 insertions(+), 12 deletions(-) diff --git a/package-lock.json b/package-lock.json index 06b941166..68664a14e 100644 --- a/package-lock.json +++ b/package-lock.json 
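Review bot: The exact pins set in the two test/smoke/package.json hunks (`"js-yaml": "4.2.0"`, `"tar": "7.5.16"`) disagree with the root-package entry of test/smoke/package-lock.json in the same patch, which records `"js-yaml": "^4.2.0"` and `"tar": "^7.5.16"`. Both files held exact versions before this change, so the lockfile was presumably regenerated while the manifest still carried caret ranges. The resolved versions and integrity hashes are the patched releases, but the lock now states a looser constraint than the manifest, and the next `npm install` will likely rewrite it. Regenerate the lock from the final manifest, for example with `npm install --package-lock-only` in test/smoke, so its root entry reads `"js-yaml": "4.2.0"` and `"tar": "7.5.16"`.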
@@ -7738,10 +7738,20 @@ "integrity": "sha512-RdJUflcE3cUzKiMqQgsCu06FPu9UdIJO0beYbPhHN4k6apgJtifcoCtT9bcxOpYBtpD2kCM6Sbzg4CausW/PKQ==" }, "node_modules/js-yaml": { - "version": "4.1.1", - "resolved": "https://registry.npmjs.org/js-yaml/-/js-yaml-4.1.1.tgz", - "integrity": "sha512-qQKT4zQxXl8lLwBtHMWwaTcGfFOZviOJet3Oy/xmGk2gZH677CJM9EvtfdSkgWcATZhj/55JZ0rmy3myCT5lsA==", + "version": "4.2.0", + "resolved": "https://registry.npmjs.org/js-yaml/-/js-yaml-4.2.0.tgz", + "integrity": "sha512-ePWsvanv0DWuDRsW8dnt+R4jQ31SCRCQ7hhNcPXZPsoBZiemuZNYGf7adZdqX2D86j6rvKp3RpCxVTSb8WQlOw==", "dev": true, + "funding": [ + { + "type": "github", + "url": "https://github.com/sponsors/puzrin" + }, + { + "type": "github", + "url": "https://github.com/sponsors/nodeca" + } + ], "license": "MIT", "dependencies": { "argparse": "^2.0.1" @@ -13176,7 +13186,7 @@ "globals": "^12.1.0", "ignore": "^4.0.6", "import-fresh": "^3.2.1", - "js-yaml": "4.1.1", + "js-yaml": "4.2.0", "lodash": "^4.17.20", "minimatch": "^3.0.5", "strip-json-comments": "^3.1.1" @@ -13355,7 +13365,7 @@ "camelcase": "^5.3.1", "find-up": "^4.1.0", "get-package-type": "^0.1.0", - "js-yaml": "4.1.1", + "js-yaml": "4.2.0", "resolve-from": "^5.0.0" }, "dependencies": { @@ -16097,7 +16107,7 @@ "import-fresh": "^3.0.0", "imurmurhash": "^0.1.4", "is-glob": "^4.0.0", - "js-yaml": "4.1.1", + "js-yaml": "4.2.0", "json-stable-stringify-without-jsonify": "^1.0.1", "levn": "^0.4.1", "lodash": "^4.17.20", @@ -17763,7 +17773,7 @@ "find-up": "^5.0.0", "glob": "^8.1.0", "he": "^1.2.0", - "js-yaml": "4.1.1", + "js-yaml": "4.2.0", "log-symbols": "^4.1.0", "minimatch": "^5.1.6", "ms": "^2.1.3", 
@@ -18679,9 +18689,9 @@ "integrity": "sha512-RdJUflcE3cUzKiMqQgsCu06FPu9UdIJO0beYbPhHN4k6apgJtifcoCtT9bcxOpYBtpD2kCM6Sbzg4CausW/PKQ==" }, "js-yaml": { - "version": "4.1.1", - "resolved": "https://registry.npmjs.org/js-yaml/-/js-yaml-4.1.1.tgz", - "integrity": "sha512-qQKT4zQxXl8lLwBtHMWwaTcGfFOZviOJet3Oy/xmGk2gZH677CJM9EvtfdSkgWcATZhj/55JZ0rmy3myCT5lsA==", + "version": "4.2.0", + "resolved": "https://registry.npmjs.org/js-yaml/-/js-yaml-4.2.0.tgz", + "integrity": "sha512-ePWsvanv0DWuDRsW8dnt+R4jQ31SCRCQ7hhNcPXZPsoBZiemuZNYGf7adZdqX2D86j6rvKp3RpCxVTSb8WQlOw==", "dev": true, "requires": { "argparse": "^2.0.1" @@ -19209,7 +19219,7 @@ "glob": "^10.4.5", "he": "^1.2.0", "is-path-inside": "^3.0.3", - "js-yaml": "4.1.1", + "js-yaml": "4.2.0", "log-symbols": "^4.1.0", "minimatch": "^9.0.5", "ms": "^2.1.3", diff --git a/package.json b/package.json index c1cc905c6..a61325f66 100644 --- a/package.json +++ b/package.json @@ -1546,7 +1546,7 @@ "ms-vscode.js-debug" ], "overrides": { - "js-yaml": "4.1.1", + "js-yaml": "4.2.0", "serialize-javascript": "7.0.5", "mochawesome": { "uuid": "11.1.1"