
build(deps-dev): bump js-yaml from 4.1.1 to 4.2.0 in /tests/workflows #2442

Open
dependabot[bot] wants to merge 1 commit into development/2.15 from dependabot/npm_and_yarn/tests/workflows/js-yaml-4.2.0

Conversation

dependabot[bot] commented on behalf of github on Jun 15, 2026

Bumps js-yaml from 4.1.1 to 4.2.0.

Changelog

Sourced from js-yaml's changelog.

[4.2.0] - 2026-06-01

Added

  • Added docs/safety.md with notes about processing untrusted YAML.
  • Added maxDepth (100) loader option. Not a problem, but gives a better exception instead of RangeError on stack overflow.
  • Added maxMergeSeqLength (20) loader option. Not a problem after merge fix, but an additional restriction for safety.
  • Added sourcemaps to dist/ builds.

Changed

  • Stop resolving numbers with underscores as numeric scalars, #627.
  • Switched dev toolchains to Vite / neostandard.
  • Updated demo.
  • Reorganized tests.
  • dist/ files are no longer kept in the repository.

Fixed

  • Fix parsing of properties on the first implicit block mapping key, #62.
  • Fix trailing whitespace handling when folding flow scalar lines, #307.
  • Reject top-level block scalars without content indentation, #280.
  • Ensure numbers survive round-trip, #737.
  • Fix test coverage for issue #221.
  • Fix flow scalar trailing whitespace folding, #307.
  • Fix digits in YAML named tag handles.

Security

  • Fix potential DoS via quadratic complexity in merge - deduplicate repeated elements (makes sense for malformed files > 10K).

[3.14.2] - 2025-11-15

Security

  • Backported v4.1.1 fix to v3
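The maxDepth and maxMergeSeqLength loader options and the merge de-duplication fix listed in the changelog above, modelled as an added example that is not js-yaml's own code: it applies YAML merge-key (`<<`) semantics to an already-parsed document with aliases resolved. The function names (mergeKeys, guardMessage, nested), the merge counter and the sample document are assumptions made for the illustration.

```javascript
// Illustrative model (not js-yaml's code) of the three 4.2.0 loader safeguards named
// in the changelog, applied to an already-parsed document: maxDepth turns runaway
// nesting into a clear Error instead of a RangeError, maxMergeSeqLength bounds a
// merge-key (<<) sequence, and repeated mappings in that sequence are merged once.
const DEFAULTS = { maxDepth: 100, maxMergeSeqLength: 20 }; // defaults as listed in the changelog

function mergeKeys(value, options = {}, depth = 0, stats = { merges: 0 }) {
  const opts = { ...DEFAULTS, ...options };
  if (depth > opts.maxDepth) throw new Error(`nesting exceeds maxDepth (${opts.maxDepth})`);
  if (Array.isArray(value)) return value.map((v) => mergeKeys(v, opts, depth + 1, stats));
  if (value === null || typeof value !== 'object') return value;
  const result = {};
  // Explicit keys first: under YAML merge-key semantics they win over merged keys.
  for (const [k, v] of Object.entries(value)) {
    if (k !== '<<') result[k] = mergeKeys(v, opts, depth + 1, stats);
  }
  if ('<<' in value) {
    const sources = Array.isArray(value['<<']) ? value['<<'] : [value['<<']];
    if (sources.length > opts.maxMergeSeqLength) { // checked on the sequence as written
      throw new Error(`merge sequence exceeds maxMergeSeqLength (${opts.maxMergeSeqLength})`);
    }
    // Set de-duplicates by identity: the same aliased mapping listed N times is merged
    // once, so repeating an alias cannot multiply the merge work (the quadratic case).
    for (const src of new Set(sources)) {
      stats.merges += 1;
      for (const [k, v] of Object.entries(mergeKeys(src, opts, depth + 1, stats))) {
        if (!(k in result)) result[k] = v; // earlier sources win over later ones
      }
    }
  }
  return result;
}

// Constructed sample: `base: &b {...}` and `svc: { <<: [*b, *b, *b, *b], port: 9090 }`
// after alias resolution, i.e. the same object referenced four times in the sequence.
const base = { host: 'example.invalid', port: 8080, retries: 3 };
const SAMPLE = { base, svc: { '<<': [base, base, base, base], port: 9090 } };

function demo() {
  const stats = { merges: 0 };
  const doc = mergeKeys(SAMPLE, {}, 0, stats);
  return { svc: doc.svc, merges: stats.merges }; // merges is 1, not 4
}
// Returns the guard's error message, or null when the value is accepted.
function guardMessage(value, options) {
  try { mergeKeys(value, options); return null; } catch (e) { return e.message; }
}
// Builds n nested arrays around a leaf, to exercise the depth guard.
function nested(n) { let v = 'leaf'; for (let i = 0; i < n; i++) v = [v]; return v; }
```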

dependabot[bot] added the labels dependencies (Pull requests that update a dependency file) and javascript (Pull requests that update Javascript code) on Jun 15, 2026
bert-e (Contributor) commented Jun 15, 2026

Hello dependabot[bot],

My role is to assist you with the merge of this pull request. Please type @bert-e help to get information on this process, or consult the user documentation.

Available options

| name | description | privileged | authored |
| --- | --- | --- | --- |
| /after_pull_request | Wait for the given pull request id to be merged before continuing with the current one. | | |
| /bypass_author_approval | Bypass the pull request author's approval | | |
| /bypass_build_status | Bypass the build and test status | | |
| /bypass_commit_size | Bypass the check on the size of the changeset | TBA | |
| /bypass_incompatible_branch | Bypass the check on the source branch prefix | | |
| /bypass_jira_check | Bypass the Jira issue check | | |
| /bypass_peer_approval | Bypass the pull request peers' approval | | |
| /bypass_leader_approval | Bypass the pull request leaders' approval | | |
| /approve | Instruct Bert-E that the author has approved the pull request. | | ✍️ |
| /create_pull_requests | Allow the creation of integration pull requests. | | |
| /create_integration_branches | Allow the creation of integration branches. | | |
| /no_octopus | Prevent Wall-E from doing any octopus merge and use multiple consecutive merge instead | | |
| /unanimity | Change review acceptance criteria from one reviewer at least to all reviewers | | |
| /wait | Instruct Bert-E not to run until further notice. | | |

Available commands

| name | description | privileged |
| --- | --- | --- |
| /help | Print Bert-E's manual in the pull request. | |
| /status | Print Bert-E's current status in the pull request | TBA |
| /clear | Remove all comments from Bert-E from the history | TBA |
| /retry | Re-start a fresh build | TBA |
| /build | Re-start a fresh build | TBA |
| /force_reset | Delete integration branches & pull requests, and restart merge process from the beginning. | |
| /reset | Try to remove integration branches unless there are commits on them which do not appear on the source branch. | |

Status report is not available.

The following options are set: bypass_author_approval, bypass_jira_check

bert-e (Contributor) commented Jun 15, 2026

Waiting for approval

The following approvals are needed before I can proceed with the merge:

  • the author
  • 2 peers

The following options are set: bypass_author_approval, bypass_jira_check

github-actions[bot] left a comment

Dependency Bump Evaluation

Version change: js-yaml 4.1.1 -> 4.2.0 (minor)
Breaking changes: None affecting this codebase
Security concerns: None — includes a beneficial security fix (DoS via quadratic complexity in merge deduplication)
Impact on codebase: Low — dev dependency used only in tests/workflows/parse-deps.spec.ts via yaml.load() to parse solution/deps.yaml and test fixtures. The behavioral change (numbers with underscores no longer resolved as numeric scalars) does not affect any YAML files parsed in this repo.
Recommendation: SAFE TO MERGE

Notes:

  • Added loader options (maxDepth, maxMergeSeqLength) are additive and non-breaking
  • Parsing edge-case fixes (block mapping keys, whitespace folding, number round-trip) improve correctness
  • CI checks are still in progress at time of review — verify they pass before merging

— Claude Code

Bumps [js-yaml](https://github.com/nodeca/js-yaml) from 4.1.1 to 4.2.0.
- [Changelog](https://github.com/nodeca/js-yaml/blob/master/CHANGELOG.md)
- [Commits](https://github.com/nodeca/js-yaml/commits)

---
updated-dependencies:
- dependency-name: js-yaml
  dependency-version: 4.2.0
  dependency-type: direct:development
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot[bot] force-pushed the dependabot/npm_and_yarn/tests/workflows/js-yaml-4.2.0 branch from 2b6bf8a to 98a003e on June 18, 2026 18:45

github-actions[bot] left a comment

Dependency Bump Evaluation

Version change: 4.1.1 -> 4.2.0 (minor)
Breaking changes: None affecting this codebase
Security concerns: None — includes a beneficial DoS fix (quadratic complexity in merge deduplication)
Impact on codebase: js-yaml is a dev dependency used only in tests/workflows/parse-deps.spec.ts via yaml.load() for YAML-to-JSON conversion. The key behavioral change (numbers with underscores no longer resolved as numeric scalars) has no impact — no underscore-delimited numbers exist in project YAML files. New loader options (maxDepth, maxMergeSeqLength) are additive with sensible defaults. Parsing edge-case fixes are safe for well-formed YAML.
Recommendation: SAFE TO MERGE

Notes: CI checks are still running at time of evaluation; merge after CI passes.

— Claude Code
