chore(deps): bump js-yaml from 4.2.0 to 5.2.1#496
Conversation
✅ Snyk checks have passed. No issues have been found so far.
💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse. |
18b18f4 to
b858de2
Compare
dj4oC
left a comment
There was a problem hiding this comment.
Bumps js-yaml ^4.1.0→^5.2.1 in web-app-file-comments (a real runtime dependency, not just dev tooling — used via dump/load in src/services/commentFormat.ts to serialize/parse the YAML front-matter of file comments).
Findings
Security. load() here parses comment front-matter text (not fully trusted input, since comments can come from other users of a shared file) but only ever uses the default-safe load()/dump() API with plain options (lineWidth, noRefs, sortKeys) — no loadAll, no custom Schema/Type, nothing from the removed safeLoad/unsafeLoad/Schema.create surface that changed between v4 and v5. Nothing here is affected by the major version bump.
Stability (verified by actually running it). Checked out this branch, ran pnpm install --frozen-lockfile (clean), then pnpm --filter web-app-file-comments check:types (clean) and pnpm --filter web-app-file-comments test:unit — all 16 tests pass, including tests/unit/commentFormat.spec.ts which directly exercises the dump/load round-trip this bump touches.
Performance / Coverage. No concerns — existing unit tests already cover the affected code path.
Deployment topology check
N/A — client-side web extension bundle only, no service/deployment-topology impact.
Verdict
Approved.
🤖 Automated review by Claude Code (security · stability · performance · coverage)
Generated by Claude Code
dj4oC
left a comment
There was a problem hiding this comment.
Investigated the red check-tests-passed job (failing since 2026-07-07, not yet reviewed by this bot).
Findings
- Stability (blocking):
test (web-app-ai-data-insights-sidebar)fails on thisjs-yaml4.2.0→5.2.1 bump. Thecheck(lint) job itself passes clean (0 errors), so the break is confined to that one package's unit-test run. Given the identical package fails the same way on PRs #487/#488/#495 in this same CI window, this looks like the same shared-fixture/gettext-injection issue rather than somethingjs-yaml5.x itself introduces — but I could not fully isolatejs-yaml's own contribution from the concurrent CI environment without re-running this PR's job in isolation. - Recommend re-running CI once #488 (vue3-gettext test-harness fix) lands, to confirm whether this PR is independently broken or just inheriting the shared symptom.
Test coverage
n/a — dependency bump.
Verdict
Changes requested (blocked on CI) — do not merge while red; re-verify after the vue3-gettext harness fix from #488 lands, since the failure signature matches that issue rather than an obvious js-yaml v5 break.
🤖 Automated review by Claude Code (security · stability · performance · coverage)
Generated by Claude Code
|
Holding: CI is failing (not a rebase conflict): check-tests-passed, test (web-app-ai-data-insights-sidebar). A rebase won't fix this — needs a human/upstream fix. |
Bumps [js-yaml](https://github.com/nodeca/js-yaml) from 4.2.0 to 5.2.1. - [Changelog](https://github.com/nodeca/js-yaml/blob/master/CHANGELOG.md) - [Commits](nodeca/js-yaml@4.2.0...5.2.1) --- updated-dependencies: - dependency-name: js-yaml dependency-version: 5.2.1 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>
b858de2 to
bd15f28
Compare
Bumps js-yaml from 4.2.0 to 5.2.1.
Changelog
Sourced from js-yaml's changelog.
... (truncated)
Commits
ac16b425.2.1 released4a864e5Deps bump39f3211!!omap: addMapsupport and remove quadratic complexityff17f1eChangelog update8ed15f1deps bump1a562dcFix changelog linkc28ed5e5.2.0 released125cd5aAddmaxAliasesoption3105455ReplacemaxMergeSeqLengthoption withmaxTotalMergeKeys(more robust)39d00d6numbers: Drop boxed numbers support, simplify .identify() checks, clarify rou...