Skip to content

Bump js-yaml from 4.1.0 to 4.2.0 in the npm_and_yarn group across 1 directory#69

Open
dependabot[bot] wants to merge 3 commits into
mainfrom
dependabot/npm_and_yarn/npm_and_yarn-4e38a52fea
Open

Bump js-yaml from 4.1.0 to 4.2.0 in the npm_and_yarn group across 1 directory#69
dependabot[bot] wants to merge 3 commits into
mainfrom
dependabot/npm_and_yarn/npm_and_yarn-4e38a52fea

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 15, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

Bumps the npm_and_yarn group with 1 update in the / directory: js-yaml.

Updates js-yaml from 4.1.0 to 4.2.0

Changelog

Sourced from js-yaml's changelog.

[4.2.0] - 2026-06-01

Added

  • Added docs/safety.md with notes about processing untrusted YAML.
  • Added maxDepth (100) loader option. Not a problem, but gives a better exception instead of RangeError on stack overflow.
  • Added maxMergeSeqLength (20) loader option. Not a problem after merge fix, but an additional restriction for safety.
  • Added sourcemaps to dist/ builds.

Changed

  • Stop resolving numbers with underscores as numeric scalars, #627.
  • Switched dev toolchains to Vite / neostandard.
  • Updated demo.
  • Reorganized tests.
  • dist/ files are no longer kept in the repository.

Fixed

  • Fix parsing of properties on the first implicit block mapping key, #62.
  • Fix trailing whitespace handling when folding flow scalar lines, #307.
  • Reject top-level block scalars without content indentation, #280.
  • Ensure numbers survive round-trip, #737.
  • Fix test coverage for issue #221.
  • Fix flow scalar trailing whitespace folding, #307.
  • Fix digits in YAML named tag handles.

Security

  • Fix potential DoS via quadratic complexity in merge - deduplicate repeated elements (makes sense for malformed files > 10K).

[3.14.2] - 2025-11-15

Security

  • Backported v4.1.1 fix to v3

[4.1.1] - 2025-11-12

Security

  • Fix prototype pollution issue in yaml merge (<<) operator.
Commits

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jun 15, 2026
@dependabot dependabot Bot requested a review from a team as a code owner June 15, 2026 21:59
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jun 15, 2026
@francinelucca

francinelucca commented Jun 17, 2026

Copy link
Copy Markdown
Contributor

@dependabot recreate

@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/npm_and_yarn-4e38a52fea branch from d5d369a to a94ad58 Compare June 17, 2026 17:55
@francinelucca

francinelucca commented Jun 18, 2026

Copy link
Copy Markdown
Contributor

@dependabot recreate

@dependabot
Bump js-yaml in the npm_and_yarn group across 1 directory
0732c2c 
Bumps the npm_and_yarn group with 1 update in the / directory: [js-yaml](https://github.com/nodeca/js-yaml).


Updates `js-yaml` from 4.1.0 to 4.2.0
- [Changelog](https://github.com/nodeca/js-yaml/blob/master/CHANGELOG.md)
- [Commits](https://github.com/nodeca/js-yaml/commits)

---
updated-dependencies:
- dependency-name: js-yaml
  dependency-version: 4.2.0
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/npm_and_yarn-4e38a52fea branch from a94ad58 to 0732c2c Compare June 18, 2026 17:06
@francinelucca

francinelucca commented Jun 18, 2026

Copy link
Copy Markdown
Contributor

@copilot fix CI failiures

Copilot AI added 2 commits June 18, 2026 21:06
Add eslint.config.js (WIP - investigating CI failures)
110e4f4
Fix CI failures: downgrade ESLint to v8 and fix plugin resolution
39714f2 
ESLint v10 removed support for the legacy .eslintrc.* config format.
Downgrade ESLint to v8.57.1 (which natively supports .eslintrc.json)
and add --resolve-plugins-relative-to flag so ESLint can find the
@typescript-eslint packages that are nested inside eslint-plugin-github.

Copilot AI commented Jun 18, 2026

Copy link
Copy Markdown
Contributor

@copilot fix CI failiures

Fixed in the latest commit.

The root cause was that ESLint v10 (previously in package.json as ^10.4.0) removed support for the legacy .eslintrc.* config format entirely. There were two issues:

  1. ESLint v10 requires flat config (eslint.config.js)
  2. Even with v9, the @typescript-eslint packages bundled inside eslint-plugin-github weren't discoverable due to npm nesting

The fix downgrades ESLint to ^8.57.1 (which natively supports .eslintrc.json) and adds --resolve-plugins-relative-to ./node_modules/eslint-plugin-github to the lint script so ESLint can resolve the @typescript-eslint plugins that are nested as dependencies of eslint-plugin-github.

Copilot AI requested a review from francinelucca June 18, 2026 21:10
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@francinelucca francinelucca Awaiting requested review from francinelucca

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@francinelucca