Commit 983ce7b
chore(deps): update dependency js-yaml to v4.1.1 [security] (#143)
This PR contains the following updates:
| Package | Change | Age | Confidence |
|---|---|---|---|
| [js-yaml](https://redirect.github.com/nodeca/js-yaml) | [`4.1.0` -> `4.1.1`](https://renovatebot.com/diffs/npm/js-yaml/4.1.0/4.1.1) | [age badge](https://docs.renovatebot.com/merge-confidence/) | [confidence badge](https://docs.renovatebot.com/merge-confidence/) |
### GitHub Vulnerability Alerts
#### [CVE-2025-64718](https://redirect.github.com/nodeca/js-yaml/security/advisories/GHSA-mh29-5h37-fv8m)
### Impact
In js-yaml 4.1.0 and below, it's possible for an attacker to modify the
prototype of the result of a parsed yaml document via prototype
pollution (`__proto__`). All users who parse untrusted yaml documents
may be impacted.
### Patches
Problem is patched in js-yaml 4.1.1.
### Workarounds
You can protect against this kind of attack on the server by using `node
--disable-proto=delete` or `deno` (in Deno, pollution protection is on
by default).
### References
https://cheatsheetseries.owasp.org/cheatsheets/Prototype_Pollution_Prevention_Cheat_Sheet.html
---
### Release Notes
<details>
<summary>nodeca/js-yaml (js-yaml)</summary>
### [`v4.1.1`](https://redirect.github.com/nodeca/js-yaml/blob/HEAD/CHANGELOG.md#411---2025-11-12)
[Compare Source](https://redirect.github.com/nodeca/js-yaml/compare/4.1.0...4.1.1)
##### Security
- Fix prototype pollution issue in yaml merge (<<) operator.
</details>
---
### Configuration
📅 **Schedule**: Branch creation - "" in timezone UTC, Automerge - At any time (no schedule defined).
🚦 **Automerge**: Enabled.
♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update again.
---
- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box
---
This PR has been generated by [Renovate Bot](https://redirect.github.com/renovatebot/renovate).
1 file changed: +4741 / -7520 lines changed