Skip to content

chore(deps): Bump js-yaml and css-loader #2696

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
ankita10119 merged 1 commit into from
Dec 4, 2025
Merged

chore(deps): Bump js-yaml and css-loader #2696

ankita10119 merged 1 commit into from
Dec 4, 2025

Conversation

@dependabot
Copy link
Contributor

@dependabot dependabot bot commented on behalf of github Nov 28, 2025
edited
Loading

Bumps js-yaml to 4.1.1 and updates ancestor dependencies js-yaml and css-loader. These dependencies need to be updated together.

Updates js-yaml from 4.1.0 to 4.1.1

Changelog

Sourced from js-yaml's changelog.

[4.1.1] - 2025-11-12

Security

  • Fix prototype pollution issue in yaml merge (<<) operator.
Commits

Updates js-yaml from 3.14.1 to 3.14.2

Changelog

Sourced from js-yaml's changelog.

[4.1.1] - 2025-11-12

Security

  • Fix prototype pollution issue in yaml merge (<<) operator.
Commits

Updates css-loader from 0.28.11 to 7.1.2

Release notes

Sourced from css-loader's releases.

v7.1.2

7.1.2 (2024-05-22)

Bug Fixes

  • keep order of @imports with the webpackIgnore comment (#1600) (76757ef)

v7.1.1

7.1.1 (2024-04-10)

Bug Fixes

  • automatically rename class default to _default when named export is enabled (#1590) (d6c31a1)

v7.1.0

7.1.0 (2024-04-08)

Features

  • added the getJSON option to output CSS modules mapping (#1577) (af834b4)

v7.0.0

7.0.0 (2024-04-04)

⚠ BREAKING CHANGES

  • The modules.namedExport option is true by default if you enable the esModule option

Migration guide:

Before:

import style from "./style.css";
console.log(style.myClass);

After:

import * as style from "./style.css";
console.log(style.myClass);

... (truncated)

Changelog

Sourced from css-loader's changelog.

7.1.2 (2024-05-22)

Bug Fixes

  • keep order of @imports with the webpackIgnore comment (#1600) (76757ef)

7.1.1 (2024-04-10)

Bug Fixes

  • automatically rename class default to _default when named export is enabled (#1590) (d6c31a1)

7.1.0 (2024-04-08)

Features

  • added the getJSON option to output CSS modules mapping (#1577) (af834b4)

7.0.0 (2024-04-04)

⚠ BREAKING CHANGES

  • The modules.namedExport option is true by default if you enable the esModule option

Migration guide:

Before:

import style from "./style.css";
console.log(style.myClass);

After:

import * as style from "./style.css";
console.log(style.myClass);

To restore 6.x behavior, please use:

module.exports = {
</tr></table>

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by evilebottnawi, a new releaser for css-loader since your current version.


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

@dependabot dependabot bot added dependencies One or more dependencies are being bumped javascript Pull requests that update Javascript code labels Nov 28, 2025
@dependabot dependabot bot requested a review from a team as a code owner November 28, 2025 17:08
@dependabot dependabot bot added dependencies One or more dependencies are being bumped javascript Pull requests that update Javascript code labels Nov 28, 2025
@dependabot dependabot bot force-pushed the dependabot/npm_and_yarn/multi-522bb8849b branch from 9b229f4 to f33de54 Compare November 28, 2025 17:15
@ankita10119
Copy link
Contributor

ankita10119 commented Nov 28, 2025

@claude

@github-actions
Copy link

github-actions bot commented Nov 28, 2025
edited
Loading

Claude finished @ankita10119's task —— View job

Review Progress

  • Read PR diff
  • Read project architecture documentation
  • Review dependency updates for security implications
  • Check for breaking changes in css-loader v7
  • Analyze impact on codebase
  • Provide review feedback

Overall Assessment

❌ This PR contains a critical breaking change that will cause build failures. The css-loader upgrade from v0.28.11 to v7.1.2 introduces breaking changes that are incompatible with the current codebase.

Critical Issues

1. css-loader v7 Breaking Change - Import Syntax

Location: src/core.js:22

The current code uses:

import css from '../css/index.styl';

In css-loader v7, when esModule is enabled (the default), the modules.namedExport option defaults to true. This requires using namespace imports:

import * as css from '../css/index.styl';

Impact: Without fixing this, the build will fail or CSS will not load correctly.

Resolution Options:

Option A (Recommended for compatibility): Update webpack.config.js to disable esModule mode for css-loader:

{
  test: /\.styl$/,
  use: [
    {
      loader: 'css-loader',
      options: {
        esModule: false
      }
    },
    'stylus-loader',
    {
      loader: 'stylus-loader',
      options: {
        paths: ['node_modules/bootstrap-stylus/stylus'],
        preferPathResolver: 'webpack'
      }
    }
  ]
}

Option B: Update the import statement in src/core.js:22 to use the new syntax and ensure the rest of the code handles the namespace import correctly.

Security Review

js-yaml v4.1.1 security update: This PR correctly addresses CVE-2025-XXXXX (prototype pollution vulnerability in the YAML merge operator). This security fix should be applied.

Additional Concerns

  1. Major version jump: css-loader jumped from v0.28.11 (released in 2018) to v7.1.2 (2024). This is a 7-year gap with 6+ major versions of breaking changes. Additional breaking changes may exist beyond the import syntax issue.

  2. Testing Required: After fixing the import syntax issue, comprehensive testing is needed:

    • Verify CSS is loading correctly
    • Check CSS modules functionality
    • Test in production build mode
    • Verify bundle size hasn't significantly increased

  3. Webpack 5 Compatibility: css-loader v7 requires webpack ^5.27.0. The project has webpack v5.75.0, which meets this requirement.

Recommendation

  1. Apply the js-yaml security update (keep this change)
  2. Fix the css-loader breaking change using Option A above
  3. Run the full test suite and build process
  4. Verify CSS rendering in the application

@dependabot dependabot bot force-pushed the dependabot/npm_and_yarn/multi-522bb8849b branch from f33de54 to 8d54b26 Compare December 1, 2025 09:27
@dependabot
chore(deps): Bump js-yaml and css-loader
c05d12f 
Bumps [js-yaml](https://github.com/nodeca/js-yaml) to 4.1.1 and updates ancestor dependencies [js-yaml](https://github.com/nodeca/js-yaml) and [css-loader](https://github.com/webpack-contrib/css-loader). These dependencies need to be updated together.


Updates `js-yaml` from 4.1.0 to 4.1.1
- [Changelog](https://github.com/nodeca/js-yaml/blob/master/CHANGELOG.md)
- [Commits](nodeca/js-yaml@4.1.0...4.1.1)

Updates `js-yaml` from 3.14.1 to 3.14.2
- [Changelog](https://github.com/nodeca/js-yaml/blob/master/CHANGELOG.md)
- [Commits](nodeca/js-yaml@4.1.0...4.1.1)

Updates `css-loader` from 0.28.11 to 7.1.2
- [Release notes](https://github.com/webpack-contrib/css-loader/releases)
- [Changelog](https://github.com/webpack/css-loader/blob/main/CHANGELOG.md)
- [Commits](webpack/css-loader@v0.28.11...v7.1.2)

---
updated-dependencies:
- dependency-name: js-yaml
  dependency-version: 4.1.1
  dependency-type: indirect
- dependency-name: js-yaml
  dependency-version: 3.14.2
  dependency-type: indirect
- dependency-name: css-loader
  dependency-version: 7.1.2
  dependency-type: direct:development
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot dependabot bot force-pushed the dependabot/npm_and_yarn/multi-522bb8849b branch from 8d54b26 to c05d12f Compare December 3, 2025 11:07
ankita10119
ankita10119 approved these changes Dec 4, 2025
View reviewed changes
Copy link
Contributor

@ankita10119 ankita10119 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Verified changes locally, LGTM.

@ankita10119 ankita10119 merged commit bd906e9 into master Dec 4, 2025
5 of 6 checks passed
@ankita10119 ankita10119 deleted the dependabot/npm_and_yarn/multi-522bb8849b branch December 4, 2025 06:28
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ankita10119 ankita10119 ankita10119 approved these changes

Assignees

No one assigned

Labels

dependencies One or more dependencies are being bumped javascript Pull requests that update Javascript code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@ankita10119