Skip to content

chore(deps): bump js-yaml from 4.2.0 to 5.2.1#496

Merged
LukasHirt merged 1 commit into
mainfrom
dependabot/npm_and_yarn/js-yaml-5.2.1
Jul 14, 2026
Merged

chore(deps): bump js-yaml from 4.2.0 to 5.2.1#496
LukasHirt merged 1 commit into
mainfrom
dependabot/npm_and_yarn/js-yaml-5.2.1

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 5, 2026

Copy link
Copy Markdown
Contributor

Bumps js-yaml from 4.2.0 to 5.2.1.

Changelog

Sourced from js-yaml's changelog.

[5.2.1] - 2026-07-02

Fixed

  • Add Map support to !!omap (should work when realMapTag used)

Security

  • Remove quadratic complexity from !!omap addItem. Regression from v5 (usually not critical, because YAML11_SCHEMA is not default anymore).

4.3.0, 3.15.0 - 2026-06-27

Security

  • Backported maxTotalMergeKeys option.

[5.2.0] - 2026-06-26

Added

  • Added maxTotalMergeKeys (10000) loader option to limit the total number of keys processed by YAML merge (<<) across one load() / loadAll() call.
  • Added maxAliases (-1) loader option to limit the number of YAML aliases per document.

Removed

  • maxMergeSeqLength replaced with maxTotalMergeKeys for limiting YAML merge processing.

Fixed

  • Round-trip of integers with exponential form (>= 1e21)

[5.1.0] - 2026-06-23

Added

  • Collection tags can finalize an incrementally populated carrier into a different result value.

Changed

  • [breaking] quoteStyle now selects the preferred quote style; use the restored forceQuotes option to force quoting non-key strings.

[5.0.0] - 2026-06-20

Added

  • Added named exports for schemas, tags, parser events and AST utilities.
  • Reworked JSON_SCHEMA and CORE_SCHEMA with spec-compliant scalar resolution rules, and added YAML11_SCHEMA.
  • Added realMapTag for lossless mappings with non-string and complex keys. Object-based mappings now reject complex keys instead of stringifying them.
  • Added dump() transform option for changing the generated AST before rendering.
  • Added dump() options seqInlineFirst, flowBracketPadding, flowSkipCommaSpace, flowSkipColonSpace, quoteFlowKeys, quoteStyle and

... (truncated)

Commits
  • ac16b42 5.2.1 released
  • 4a864e5 Deps bump
  • 39f3211 !!omap: add Map support and remove quadratic complexity
  • ff17f1e Changelog update
  • 8ed15f1 deps bump
  • 1a562dc Fix changelog link
  • c28ed5e 5.2.0 released
  • 125cd5a Add maxAliases option
  • 3105455 Replace maxMergeSeqLengthoption with maxTotalMergeKeys (more robust)
  • 39d00d6 numbers: Drop boxed numbers support, simplify .identify() checks, clarify rou...
  • Additional commits viewable in compare view

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jul 5, 2026
@kw-security

kw-security commented Jul 5, 2026

Copy link
Copy Markdown

Snyk checks have passed. No issues have been found so far.

Status Scan Engine Critical High Medium Low Total (0)
Open Source Security 0 0 0 0 0 issues
Licenses 0 0 0 0 0 issues
Code Security 0 0 0 0 0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

@dependabot
dependabot Bot force-pushed the dependabot/npm_and_yarn/js-yaml-5.2.1 branch from 18b18f4 to b858de2 Compare July 7, 2026 13:38
@dependabot
dependabot Bot requested a review from a team as a code owner July 7, 2026 13:39
dj4oC
dj4oC previously approved these changes Jul 7, 2026

@dj4oC dj4oC left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Bumps js-yaml ^4.1.0^5.2.1 in web-app-file-comments (a real runtime dependency, not just dev tooling — used via dump/load in src/services/commentFormat.ts to serialize/parse the YAML front-matter of file comments).

Findings

Security. load() here parses comment front-matter text (not fully trusted input, since comments can come from other users of a shared file) but only ever uses the default-safe load()/dump() API with plain options (lineWidth, noRefs, sortKeys) — no loadAll, no custom Schema/Type, nothing from the removed safeLoad/unsafeLoad/Schema.create surface that changed between v4 and v5. Nothing here is affected by the major version bump.

Stability (verified by actually running it). Checked out this branch, ran pnpm install --frozen-lockfile (clean), then pnpm --filter web-app-file-comments check:types (clean) and pnpm --filter web-app-file-comments test:unit — all 16 tests pass, including tests/unit/commentFormat.spec.ts which directly exercises the dump/load round-trip this bump touches.

Performance / Coverage. No concerns — existing unit tests already cover the affected code path.

Deployment topology check

N/A — client-side web extension bundle only, no service/deployment-topology impact.

Verdict

Approved.

🤖 Automated review by Claude Code (security · stability · performance · coverage)


Generated by Claude Code

@dj4oC dj4oC left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Investigated the red check-tests-passed job (failing since 2026-07-07, not yet reviewed by this bot).

Findings

  • Stability (blocking): test (web-app-ai-data-insights-sidebar) fails on this js-yaml 4.2.0→5.2.1 bump. The check (lint) job itself passes clean (0 errors), so the break is confined to that one package's unit-test run. Given the identical package fails the same way on PRs #487/#488/#495 in this same CI window, this looks like the same shared-fixture/gettext-injection issue rather than something js-yaml 5.x itself introduces — but I could not fully isolate js-yaml's own contribution from the concurrent CI environment without re-running this PR's job in isolation.
  • Recommend re-running CI once #488 (vue3-gettext test-harness fix) lands, to confirm whether this PR is independently broken or just inheriting the shared symptom.

Test coverage

n/a — dependency bump.

Verdict

Changes requested (blocked on CI) — do not merge while red; re-verify after the vue3-gettext harness fix from #488 lands, since the failure signature matches that issue rather than an obvious js-yaml v5 break.

🤖 Automated review by Claude Code (security · stability · performance · coverage)


Generated by Claude Code

@DeepDiver1975

Copy link
Copy Markdown
Member

Holding: CI is failing (not a rebase conflict): check-tests-passed, test (web-app-ai-data-insights-sidebar). A rebase won't fix this — needs a human/upstream fix.

Bumps [js-yaml](https://github.com/nodeca/js-yaml) from 4.2.0 to 5.2.1.
- [Changelog](https://github.com/nodeca/js-yaml/blob/master/CHANGELOG.md)
- [Commits](nodeca/js-yaml@4.2.0...5.2.1)

---
updated-dependencies:
- dependency-name: js-yaml
  dependency-version: 5.2.1
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot
dependabot Bot force-pushed the dependabot/npm_and_yarn/js-yaml-5.2.1 branch from b858de2 to bd15f28 Compare July 13, 2026 16:22
@LukasHirt
LukasHirt merged commit ee0959a into main Jul 14, 2026
31 checks passed
@LukasHirt
LukasHirt deleted the dependabot/npm_and_yarn/js-yaml-5.2.1 branch July 14, 2026 17:58
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants