
@dependabot dependabot bot commented on behalf of github Dec 19, 2025

Bumps the npm_and_yarn group with 2 updates in the / directory: @babel/runtime and js-yaml.

Updates @babel/runtime from 7.25.7 to 7.28.4

Release notes

Sourced from @​babel/runtime's releases.

v7.28.4 (2025-09-05)

Thanks @​gwillen and @​mrginglymus for your first PRs!

🏠 Internal

Committers: 5

v7.28.3 (2025-08-14)

👓 Spec Compliance

  • babel-helper-create-class-features-plugin, babel-plugin-proposal-decorators, babel-plugin-transform-class-static-block, babel-preset-env

🐛 Bug Fix

💅 Polish

  • babel-plugin-transform-regenerator, babel-plugin-transform-runtime

📝 Documentation

🏠 Internal

🔬 Output optimization

  • babel-plugin-proposal-destructuring-private, babel-plugin-proposal-do-expressions

Committers: 5

... (truncated)

Changelog

Sourced from @​babel/runtime's changelog.

v7.28.4 (2025-09-05)

🏠 Internal

v7.28.3 (2025-08-14)

👓 Spec Compliance

  • babel-helper-create-class-features-plugin, babel-plugin-proposal-decorators, babel-plugin-transform-class-static-block, babel-preset-env

🐛 Bug Fix

💅 Polish

  • babel-plugin-transform-regenerator, babel-plugin-transform-runtime

📝 Documentation

🏠 Internal

🔬 Output optimization

  • babel-plugin-proposal-destructuring-private, babel-plugin-proposal-do-expressions

v7.28.2 (2025-07-24)

🐛 Bug Fix

  • babel-types
  • babel-helpers, babel-plugin-transform-async-generator-functions, babel-plugin-transform-regenerator, babel-preset-env, babel-runtime-corejs3

v7.28.1 (2025-07-12)

🐛 Bug Fix

  • babel-plugin-transform-async-generator-functions, babel-plugin-transform-regenerator

📝 Documentation

... (truncated)

Commits

Updates js-yaml from 4.1.0 to 4.1.1

Changelog

Sourced from js-yaml's changelog.

[4.1.1] - 2025-11-12

Security

  • Fix prototype pollution issue in yaml merge (<<) operator.

Commits

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
You can disable automated security fix PRs for this repo from the Security Alerts page.

…dates

Bumps the npm_and_yarn group with 2 updates in the / directory: [@babel/runtime](https://github.com/babel/babel/tree/HEAD/packages/babel-runtime) and [js-yaml](https://github.com/nodeca/js-yaml).


Updates `@babel/runtime` from 7.25.7 to 7.28.4
- [Release notes](https://github.com/babel/babel/releases)
- [Changelog](https://github.com/babel/babel/blob/main/CHANGELOG.md)
- [Commits](https://github.com/babel/babel/commits/v7.28.4/packages/babel-runtime)

Updates `js-yaml` from 4.1.0 to 4.1.1
- [Changelog](https://github.com/nodeca/js-yaml/blob/master/CHANGELOG.md)
- [Commits](nodeca/js-yaml@4.1.0...4.1.1)

---
updated-dependencies:
- dependency-name: "@babel/runtime"
  dependency-version: 7.28.4
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: js-yaml
  dependency-version: 4.1.1
  dependency-type: indirect
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Dec 19, 2025
@dcalhoun
Member

@claude

@dcalhoun dcalhoun self-assigned this Dec 19, 2025
claude bot commented Dec 19, 2025

Claude finished @dcalhoun's task in 1m 16s


Code Review for Dependency Updates

Tasks

  • Read package-lock.json changes
  • Check CI status
  • Review security implications
  • Review compatibility and breaking changes
  • Provide comprehensive review feedback

Review Summary

This Dependabot PR updates two npm dependencies with important improvements. The changes look good overall, with one critical security fix included.

1. Security Review ✅

js-yaml (4.1.0 → 4.1.1) - CRITICAL SECURITY FIX

  • Fixed: Prototype pollution vulnerability in YAML merge (<<) operator
  • Impact: This is a security patch that addresses a potential prototype pollution attack vector
  • Recommendation: This update should be merged promptly to address the security vulnerability

@babel/runtime (7.25.7 → 7.28.4) - No known security issues

  • Internal improvements and optimizations

2. Code Quality & Compatibility ✅

@babel/runtime changes:

  • Reduced bundle size: Removed regenerator-runtime dependency (now internalized)
  • Better optimization: Multiple improvements to regenerator/async generator output
  • Non-breaking: All changes are backward compatible (minor version bump)
  • The removal of regenerator-runtime as an external dependency is actually an improvement - Babel now internalizes this more efficiently

js-yaml changes:

  • Patch version: Only bug/security fixes, no breaking changes
  • Minimal impact: Only one security fix included

3. Performance Considerations ✅

The @babel/runtime update includes several performance optimizations:

  • Smaller bundle size (removed external regenerator-runtime dependency)
  • Optimized do-expression output
  • More efficient handling of async generators and yield statements

4. Testing Status ⚠️

Note: No CI runs are currently showing for this PR. This could mean:

  • CI hasn't been triggered yet
  • CI is configured to skip Dependabot PRs
  • CI is still queued

Recommendation: Ensure tests pass before merging, especially:

  • Unit tests (npm run test:unit)
  • Build process (npm run build)
  • Linting (npm run lint:js)

5. Documentation ✅

No documentation updates needed - these are dependency updates only.

Overall Recommendation: APPROVE & MERGE

Reasons to merge:

  1. Critical security fix in js-yaml for prototype pollution
  2. Performance improvements in @babel/runtime
  3. No breaking changes
  4. Reduced bundle size
  5. Both are well-maintained, high-quality packages

Before merging:

  • ✅ Changes are minimal and focused (only package-lock.json)
  • ⚠️ Verify CI tests pass (none showing currently)
  • ✅ Dependencies are from trusted sources (Babel team, js-yaml maintainers)

Additional Notes

The diff shows clean changes:

  • @babel/runtime: 7.25.7 → 7.28.4 (removes regenerator-runtime dependency)
  • js-yaml: 4.1.0 → 4.1.1 (security fix)
  • regenerator-runtime package removed entirely (no longer needed)

No action items for the codebase - this is a straightforward dependency update.
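The js-yaml 4.1.1 changelog entry and the review's security section both point at prototype pollution through the YAML merge (<<) operator. As an added example that is neither js-yaml's code nor part of this PR's diff, here is a hardened merge-key resolver together with a post-load check that Object.prototype stayed clean; it works on constructed trees that mimic parser output after anchors are resolved, and the names `resolveMergeKeys`, `mergeInto` and `prototypeIsClean` are assumptions, not js-yaml's API.

```javascript
// Added example, not js-yaml's code or this PR's diff: a hardened resolver for
// YAML merge keys ("<<") plus a post-load check that Object.prototype is clean.
const MERGE_KEY = "<<";
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Shallow merge with YAML semantics: keys already in `target` win, the merged
// mapping only supplies defaults. Keys reaching the prototype chain are refused.
function mergeInto(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) throw new Error(`refusing to merge key "${key}"`);
    if (!hasOwn(target, key)) target[key] = source[key];
  }
  return target;
}

// Walk a parsed tree (anchors already resolved) and expand every "<<" into its
// containing mapping; the merge value may be one mapping or a list of mappings.
function resolveMergeKeys(node) {
  if (Array.isArray(node)) return node.map(resolveMergeKeys);
  if (node === null || typeof node !== "object") return node;
  const out = {};
  for (const key of Object.keys(node)) {
    if (key === MERGE_KEY) continue;
    if (FORBIDDEN_KEYS.has(key)) throw new Error(`refusing to set key "${key}"`);
    out[key] = resolveMergeKeys(node[key]);
  }
  if (!hasOwn(node, MERGE_KEY)) return out;
  for (const src of [].concat(node[MERGE_KEY])) {
    if (src === null || typeof src !== "object" || Array.isArray(src)) throw new Error("merge value must be a mapping");
    mergeInto(out, resolveMergeKeys(src));
  }
  return out;
}

// Post-load check for untrusted YAML: a polluted Object.prototype shows up as
// enumerable keys on every plain object.
function prototypeIsClean() {
  return Object.keys(Object.prototype).length === 0;
}

// Constructed inputs: the tree a parser yields for `base: &base {retries: 3, timeout: 30}`
// and `service: {<<: *base, timeout: 5}`, and a hostile tree whose merge source carries
// an own "__proto__" key (JSON.parse creates it as an own property, as a YAML key would).
const BENIGN_TREE = {
  base: { retries: 3, timeout: 30 },
  service: { "<<": { retries: 3, timeout: 30 }, timeout: 5 },
};
const HOSTILE_TREE = JSON.parse('{"service": {"<<": {"__proto__": {"polluted": true}}}}');
```

Running `resolveMergeKeys` over `HOSTILE_TREE` throws instead of writing through `__proto__`, and `prototypeIsClean()` is the assertion a test suite can keep after every `yaml.load` of untrusted input.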


@dcalhoun dcalhoun merged commit 5fae0db into trunk Dec 19, 2025
9 checks passed
@dcalhoun dcalhoun deleted the dependabot/npm_and_yarn/npm_and_yarn-4d0e4dd316 branch December 19, 2025 13:45