Date: November 17, 2025
Status: ACCEPTED (Moderate Risk)
Decision By: Development Team
Package: js-yaml
Current Version: 3.14.2 (in Jest test dependencies)
Vulnerable Versions: < 4.1.1
Patched Version: 4.1.1
Advisory: GHSA-mh29-5h37-fv8m (GitHub Security Advisory ID)
Severity: MODERATE (CVSS 5.3/10)
Attack Vector: Prototype Pollution via the YAML merge key (<<)
CWE: CWE-1321 (Improperly Controlled Modification of Object Prototype Attributes)
Where js-yaml is Used:
- ✅ ESLint (devDependency) - Uses js-yaml 4.1.1 (PATCHED)
- ⚠️ Jest (devDependency) - Uses js-yaml 3.14.2 via @istanbuljs/load-nyc-config (VULNERABLE)
Production Impact: ZERO
- js-yaml is only used in devDependencies
- Jest test runner does NOT ship to production
- ESLint (which parses .eslintrc.yml) uses the patched version
To Exploit This Vulnerability, An Attacker Would Need To:
- Have access to backend test environment
- Inject malicious YAML into Jest's configuration
- Trigger prototype pollution during test execution
Realistic Threat Level: VERY LOW
- Tests run in isolated CI environment
- No user-supplied YAML is processed during testing
- Attack would only affect test runs, not production
Jest 29.7.0 depends on:
@jest/core@29.7.0
└── @jest/transform@29.7.0
    └── babel-plugin-istanbul@6.1.1
        └── @istanbuljs/load-nyc-config@1.1.0
            └── js-yaml@^3.13.1 ⬅️ Vulnerable dependency (resolves to 3.14.2)
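The chain above is what a dependency audit has to walk to decide whether a vulnerable copy can reach production. The script below is an added example, not code from this record, from Jest, ESLint or js-yaml: it walks an npm ls --json style tree, flags every js-yaml copy below the patched 4.1.1, and reports whether each finding sits under a devDependency, which is the distinction this decision rests on. The tree is constructed to mirror the chain recorded here; the ESLint version in it is a placeholder, not a value from this record.

```javascript
// Added example (not from the risk-acceptance record, Jest, ESLint or js-yaml):
// walk an `npm ls --json`-style dependency tree, flag each js-yaml below the
// patched version, and classify the result as dev-only or production-reaching.

const PACKAGE = 'js-yaml';
const PATCHED = '4.1.1'; // first fixed version per GHSA-mh29-5h37-fv8m

// Parse "3.14.2" or a range spec such as "^3.13.1" into [major, minor, patch].
function parseVersion(spec) {
  const m = /^[\^~>=<\s]*(\d+)\.(\d+)\.(\d+)/.exec(String(spec));
  if (!m) throw new Error(`unparseable version: ${spec}`);
  return m.slice(1, 4).map(Number);
}

// Numeric comparison so that 3.9.0 sorts below 3.14.2 (a lexical compare would not).
function isBelow(spec, target) {
  const a = parseVersion(spec);
  const b = parseVersion(target);
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i];
  }
  return false;
}

// Recursively collect every node named `pkg` whose version is below `patched`.
// `npm ls --json` marks devDependency subtrees with "dev": true; the flag is
// inherited here so a transitive dependency of a dev tool is reported as dev.
function findVulnerable(node, pkg, patched, chain = [], inheritedDev = false, out = []) {
  for (const [name, child] of Object.entries(node.dependencies || {})) {
    const dev = inheritedDev || child.dev === true;
    const here = [...chain, `${name}@${child.version}`];
    if (name === pkg && isBelow(child.version, patched)) {
      out.push({ version: child.version, chain: here.join(' > '), dev });
    }
    findVulnerable(child, pkg, patched, here, dev, out);
  }
  return out;
}

// Verdict for the risk review: clean, confined to devDependencies, or production-reaching.
function classify(findings) {
  if (findings.length === 0) return 'clean';
  return findings.every((f) => f.dev) ? 'dev-only' : 'production';
}

// Constructed tree mirroring the chain in the record; not real npm output.
const SAMPLE_TREE = {
  name: 'backend',
  version: '1.0.0',
  dependencies: {
    eslint: {
      version: '8.0.0', // placeholder version, not taken from the record
      dev: true,
      dependencies: { 'js-yaml': { version: '4.1.1', dev: true } },
    },
    jest: {
      version: '29.7.0',
      dev: true,
      dependencies: {
        '@jest/core': { version: '29.7.0', dev: true, dependencies: {
          '@jest/transform': { version: '29.7.0', dev: true, dependencies: {
            'babel-plugin-istanbul': { version: '6.1.1', dev: true, dependencies: {
              '@istanbuljs/load-nyc-config': { version: '1.1.0', dev: true, dependencies: {
                'js-yaml': { version: '3.14.2', dev: true },
              } },
            } },
          } },
        } },
      },
    },
  },
};

function audit(tree = SAMPLE_TREE) {
  const findings = findVulnerable(tree, PACKAGE, PATCHED);
  return { findings, verdict: classify(findings) };
}

// Stand-alone run: print each vulnerable chain and the overall verdict.
const result = audit();
for (const f of result.findings) {
  console.log(`${PACKAGE}@${f.version} (${f.dev ? 'dev' : 'prod'}): ${f.chain}`);
}
console.log('verdict:', result.verdict);
```

To run it against a real project, replace SAMPLE_TREE with the parsed output of `npm ls --all --json`; a verdict of "production" is the condition under which this acceptance would no longer hold.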
Attempted Solutions:
- ❌ Upgrade Jest to 30.x → Introduced localStorage errors in Node environment
- ❌ Use npm overrides to force js-yaml 4.1.1 → Broke Jest's environment initialization
- ❌ Wait for @istanbuljs/load-nyc-config update → No update planned (last release: 2020)
@istanbuljs/load-nyc-config@1.1.0 is unmaintained and locked to js-yaml ^3.13.1
- Last updated: February 2020
- No plans to update js-yaml dependency
- Jest team has not migrated away from this package
- Severity is MODERATE, not HIGH or CRITICAL
  - CVSS score: 5.3/10
  - Not a remote code execution or data breach
- Zero Production Impact
  - Jest is devDependency only
  - Does not ship to production
  - Vulnerability only exists in test environment
- ESLint Uses Patched Version
  - ESLint (which parses YAML config files) uses js-yaml 4.1.1 ✅
  - No risk from parsing .eslintrc.yml or other config files
  - Config file parsing (the main YAML use case) is secure
- No User Input
  - Backend tests don't process user-supplied YAML
  - Attack surface is negligible
- CI Tests Pass
  - GitHub Actions CI passes all backend tests
  - Confirms the localStorage failure is a local environment issue, not a code problem
- Upgrade Risks Outweigh Benefits
  - Jest 30 breaks test environment (localStorage errors)
  - Fixing a moderate devDependency vulnerability isn't worth breaking tests
- Isolated Test Environment
  - Tests run in GitHub Actions with restricted permissions
  - No external network access during tests (nock mocks all HTTP)
- No YAML Parsing in Production
  - Production code does not parse YAML files
  - Zero attack surface in production
We will revisit this decision when:
- Jest releases a version that doesn't depend on @istanbuljs/load-nyc-config
- @istanbuljs/load-nyc-config updates to js-yaml 4.1.1+
- The vulnerability is upgraded to HIGH or CRITICAL severity
- A viable workaround is discovered
Decision: ACCEPT THE RISK
Reasoning:
- Moderate severity (5.3/10 CVSS)
- Zero production impact (devDependency only)
- No realistic attack vector
- ESLint (production-adjacent) uses patched version
- Upgrade attempts break test infrastructure
Review Date: January 2026 or when Jest releases major version update
- Advisory: https://github.com/advisories/GHSA-mh29-5h37-fv8m
- CWE-1321: https://cwe.mitre.org/data/definitions/1321.html
- Jest Issue: Backend tests pass in CI but fail locally with localStorage error (environment-specific)
- @istanbuljs/load-nyc-config: https://www.npmjs.com/package/@istanbuljs/load-nyc-config (last update: 2020)
Last Updated: November 17, 2025
Next Review: January 2026
Status: ✅ Risk Accepted
🤖 Generated with Claude Code
Co-Authored-By: Claude noreply@anthropic.com