Skip to content

Chore(deps): Bump js-yaml from 5.0.0 to 5.2.0#270

Closed
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/js-yaml-5.2.0
Closed

Chore(deps): Bump js-yaml from 5.0.0 to 5.2.0#270
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/js-yaml-5.2.0

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 29, 2026

Copy link
Copy Markdown
Contributor

⚠️ Dependabot is rebasing this PR ⚠️

Rebasing might not happen immediately, so don't worry if this takes some time.

Note: if you make any changes to this PR yourself, they will take precedence over the rebase.


Bumps js-yaml from 5.0.0 to 5.2.0.

Changelog

Sourced from js-yaml's changelog.

[5.2.0] - 2026-06-26

Added

  • Added maxTotalMergeKeys (10000) loader option to limit the total number of keys processed by YAML merge (<<) across one load() / loadAll() call.
  • Added maxAliases (-1) loader option to limit the number of YAML aliases per document.

Removed

  • maxMergeSeqLength replaced with maxTotalMergeKeys for limiting YAML merge processing.

Fixed

  • Round-trip of integers with exponential form (>= 1e21)

[5.1.0] - 2026-06-23

Added

  • Collection tags can finalize an incrementally populated carrier into a different result value.

Changed

  • [breaking] quoteStyle now selects the preferred quote style; use the restored forceQuotes option to force quoting non-key strings.
Commits
  • c28ed5e 5.2.0 released
  • 125cd5a Add maxAliases option
  • 3105455 Replace maxMergeSeqLengthoption with maxTotalMergeKeys (more robust)
  • 39d00d6 numbers: Drop boxed numbers support, simplify .identify() checks, clarify rou...
  • eb5cb5b fix: round-trip integers that stringify in exponential notation (#771)
  • 89024c4 Update migration info, close #770
  • f1e45cd 5.1.0 released
  • 53b22be Fix constructor coverage
  • a1eaa2b Fix quote style options and restore forceQuotes
  • 0532e7d Add finalizers for immutable collection tags
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [js-yaml](https://github.com/nodeca/js-yaml) from 5.0.0 to 5.2.0.
- [Changelog](https://github.com/nodeca/js-yaml/blob/master/CHANGELOG.md)
- [Commits](nodeca/js-yaml@5.0.0...5.2.0)

---
updated-dependencies:
- dependency-name: js-yaml
  dependency-version: 5.2.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jun 29, 2026
ymnao added a commit that referenced this pull request Jul 1, 2026
CI test job で live-preview 系 (tables.test.ts / wikilinks.test.ts) と
electron-e2e (image-rendering / mermaid-rendering) が fail。原因は
@codemirror/state 6.6→6.7 (or 関連 4 件) + mermaid 11.15→11.16 の
Decoration/parser 挙動変化と判定。ローカル vitest 2230 pass は node_modules が
前 install から未更新 (--lockfile-only) だったため、CI で新 version 反映後に
regression 発現。

追加見送り:
- #263 @codemirror/{commands,language,state,view} を元 version に戻す
- #269 mermaid 11.15.0 に戻す (@mermaid-js/parser も 1.1.1 に戻る)

残 combine 対象 (7 件):
- #261 actions/cache 5.0.5 → 6.1.0
- #262 electron 42.4.1 → 42.5.0 (実 42.5.1)
- #264 vite group (vite 8.1.1 / @vitejs/plugin-react 6.0.3)
- #265 @biomejs/biome 2.5.0 → 2.5.1
- #266 @playwright/test 1.61.0 → 1.61.1
- #267 @types/node 26.0.0 → 26.0.1
- #270 js-yaml 5.0.0 → 5.2.0

verify:
- biome check clean
- typecheck 3 config (web / node / e2e) clean
- vitest 2230 pass / 2 skipped

Refs #263 (codemirror), #269 (mermaid) — 次回別 PR で対応 (live-preview の
Table/FencedCode SyntaxTree 判定 / image widget / mermaid render を新 API に
追従させる必要あり)
ymnao added a commit that referenced this pull request Jul 2, 2026
#274)

* chore(deps): dependabot PR 9 件を 1 branch に combine (p-limit #268 除外)

順次 merge を避けて CI 空回りと lockfile conflict を回避する目的で dependabot
9 件を単一 branch に combine。#268 (p-limit 3→7 major) は ESM interop リスクの
ため本 batch から除外し次回別 PR で対応。

## Dependencies (production)

- #263 @codemirror/{commands,language,state,view} を group 更新
  (6.10.4 / 6.12.4 / 6.7.0 / 6.43.4)
- #269 mermaid 11.15.0 → 11.16.0
- #270 js-yaml 5.0.0 → 5.2.0

## Dev dependencies

- #262 electron 42.4.1 → 42.5.0 (実 resolved は 42.5.1、patch 更に進行)
- #264 vite group (vite 8.1.1 / @vitejs/plugin-react 6.0.3)
- #265 @biomejs/biome 2.5.0 → 2.5.1
- #266 @playwright/test 1.61.0 → 1.61.1
- #267 @types/node 26.0.0 → 26.0.1

## GitHub Actions

- #261 actions/cache 5.0.5 → 6.1.0 (major、v6 は ESM 化のみで workflow
  consumer 側 input/output API 不変)

## 追加変更

- biome.json を `biome migrate` で 2.5.0 schema へ更新
  ($schema URL 2.4.16 → 2.5.0 / `linter.rules.recommended: true` →
  `preset: "recommended"`)

## p-limit #268 見送り理由

/code-review high の 8 finder のうち 3 finder (line-by-line / removed-behavior /
cross-file trace) が同一 mechanism を指摘:

- p-limit v7 は ESM only (v4+ で type: "module" 化)
- `electron.vite.config.ts:43` の main は `format: "cjs"` + `externalizeDepsPlugin`
  で p-limit を external 化 → build 後の `require("p-limit")` が Electron 42
  同梱 Node 24 の require(esm) 挙動と Electron 独自の require implementation
  divergent 懸念 + asar 内 resolve 差異の可能性
- 既存の `electron/main/ipc/search.ts:17 pLimit(16)` usage は v3 v7 とも
  API 不変で benefit なし

対応方針: 次回別 PR で以下を検討:
1. p-limit を main の noExternal (bundle 化) で cjs 内 emit、または
2. p-limit を dynamic import 化 (search.ts の top-level `ioLimit` 廃止)、または
3. 現状の 3.1.0 継続で Dependabot `@dependabot ignore this major version` 指示

## Verify

- biome check clean
- typecheck 3 config (web / node / e2e) clean
- vitest 2230 pass / 2 skipped
- pnpm-lock.yaml fresh regen: `rm pnpm-lock.yaml && CI=true pnpm install --lockfile-only`
  で「Lockfile passes supply-chain policies (verified 4d ago)」による resolution
  cache を bypass (実際に importer section の specifier / version が更新される
  ことを確認済)

Closes #261, #262, #263, #264, #265, #266, #267, #269, #270

* fix(deps): CodeMirror + mermaid bump を見送りに戻す

CI test job で live-preview 系 (tables.test.ts / wikilinks.test.ts) と
electron-e2e (image-rendering / mermaid-rendering) が fail。原因は
@codemirror/state 6.6→6.7 (or 関連 4 件) + mermaid 11.15→11.16 の
Decoration/parser 挙動変化と判定。ローカル vitest 2230 pass は node_modules が
前 install から未更新 (--lockfile-only) だったため、CI で新 version 反映後に
regression 発現。

追加見送り:
- #263 @codemirror/{commands,language,state,view} を元 version に戻す
- #269 mermaid 11.15.0 に戻す (@mermaid-js/parser も 1.1.1 に戻る)

残 combine 対象 (7 件):
- #261 actions/cache 5.0.5 → 6.1.0
- #262 electron 42.4.1 → 42.5.0 (実 42.5.1)
- #264 vite group (vite 8.1.1 / @vitejs/plugin-react 6.0.3)
- #265 @biomejs/biome 2.5.0 → 2.5.1
- #266 @playwright/test 1.61.0 → 1.61.1
- #267 @types/node 26.0.0 → 26.0.1
- #270 js-yaml 5.0.0 → 5.2.0

verify:
- biome check clean
- typecheck 3 config (web / node / e2e) clean
- vitest 2230 pass / 2 skipped

Refs #263 (codemirror), #269 (mermaid) — 次回別 PR で対応 (live-preview の
Table/FencedCode SyntaxTree 判定 / image widget / mermaid render を新 API に
追従させる必要あり)

* chore(deps): CodeMirror 4 件 + mermaid を再 bump (#263 #269、dual copy 根本対策込み)

d51947e で見送った @codemirror/{commands,language,state,view} (#263) と
mermaid (#269) を再 bump。2ba2df6 の CI 失敗 (test 224 assertion +
electron-e2e image/mermaid widget) の root cause を特定し根本対策を実施:

## Root cause: @codemirror/language / commands の dual copy

2ba2df6 の lockfile では language@6.12.3 と 6.12.4、commands@6.10.3 と
6.10.4 が共存していた (root は ^6.12.4 を解決、lang-markdown 等の
transitive range は pnpm metadata cache の古い packument から 6.12.3 を解決)。

@codemirror package は module-level singleton (StateField / Facet / NodeProp)
を含むため、lang-markdown 側 copy が state に入れた `Language.state` field を
アプリ側 copy の `syntaxTree()` が引けず常に空 tree になり、FencedCode /
Table / Image ノードが見えず live-preview 全域が破綻した
(unit 224 fail + e2e image/mermaid widget 消失)。

ローカルで新 4 package を物理単一 copy に差し替えた再現実験では
83/83 pass → 「新 version の API 変化」ではなく「copy 重複」が原因と確定。

## 対策: pnpm-workspace.yaml overrides を @codemirror 全 direct dep に拡張

state / view のみだった self-ref pin (`$@codemirror/state` 記法) を
autocomplete / commands / lang-markdown / language / language-data / search
にも拡張し、@codemirror package の単一 version を lockfile レベルで強制。
既存の autocomplete 6.20.2/6.20.3 dual も副次的に解消。

## 変更内容

- package.json: @codemirror/commands ^6.10.4 / language ^6.12.4 /
  state ^6.7.0 / view ^6.43.4 / mermaid ^11.16.0
- pnpm-workspace.yaml: overrides 拡張 + incident 記録コメント
- pnpm-lock.yaml: fresh regen (rm + CI=true pnpm install --lockfile-only)、
  @codemirror 全 package 単一 version を grep で確認済

## Verify

- biome check clean
- typecheck 3 config clean (新 CodeMirror .d.ts に対して)
- vitest 2230 pass / 2 skipped (新 CodeMirror dist を物理差し替えて実行)
- mermaid 11.16 は release notes 上 additive のみ (cynefin-beta 等の新
  diagram type 追加)。electron-e2e の mermaid-rendering は CI で最終確認

Refs #263, #269
@ymnao

ymnao commented Jul 2, 2026

Copy link
Copy Markdown
Owner

@dependabot close

@ymnao

ymnao commented Jul 2, 2026

Copy link
Copy Markdown
Owner

PR #274 に含めて merged (5.2.0)。

@ymnao ymnao closed this Jul 2, 2026
@dependabot @github

dependabot Bot commented on behalf of github Jul 2, 2026

Copy link
Copy Markdown
Contributor Author

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version. You can also ignore all major, minor, or patch releases for a dependency by adding an ignore condition with the desired update_types to your config file.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.

@dependabot dependabot Bot deleted the dependabot/npm_and_yarn/js-yaml-5.2.0 branch July 2, 2026 02:50
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant