fix(security): update yaml override to >=2.8.3#3022

Merged
marcusrbrown merged 1 commit into main from security/yaml-2.8.3-override
Mar 26, 2026
Conversation

Owner

@fro-bot fro-bot commented Mar 26, 2026

Summary

Addresses CVE-2026-33532 (GHSA-48c2-rrv3-qjmp) - yaml package is vulnerable to Stack Overflow via deeply nested YAML collections.

Changes

  • Added `yaml: >=2.8.3` to pnpm overrides in package.json

Security Advisory Details

  • Vulnerability: Stack Overflow via deeply nested YAML collections
  • Affected versions: >= 2.0.0, < 2.8.3
  • Fixed in: 2.8.3
  • Severity: Medium

Dependency Chain

`yaml` is a transitive dependency:

  • `@fro-bot/.github`
    • `@bfra.me/eslint-config`
      • `eslint-plugin-json-schema-validator` / `eslint-plugin-yml`
        • `yaml-eslint-parser` → `yaml`

Testing

  • `pnpm check-format` passes
  • `pnpm check-types` passes
  • `pnpm lint` passes

Addresses CVE-2026-33532 (GHSA-48c2-rrv3-qjmp)
- yaml package vulnerable to Stack Overflow via deeply nested YAML collections
- yaml is a transitive dependency via eslint-plugin-json-schema-validator
- Override forces resolution to patched version >=2.8.3
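Added example, not part of this PR or the repository: a dependency-free check that scans pnpm-lock.yaml text for every resolved `yaml` package and reports any version still inside the advisory's affected range (>= 2.0.0, < 2.8.3), which is how to confirm the override actually took effect. It assumes the lockfile v9 layout where packages appear as `yaml@<version>:` keys; the lockfile snippet and its versions are constructed for illustration.

```javascript
// Added example (not from the PR): confirm no resolved `yaml` in a pnpm lockfile
// falls in the range affected by CVE-2026-33532 (>= 2.0.0, < 2.8.3).
const AFFECTED_FROM = '2.0.0'; // first affected version, per the advisory
const FIXED_IN = '2.8.3';      // patched version, per the advisory

// Numeric comparison of dotted release versions (prerelease tags not needed here).
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// A version is vulnerable when it lies in [AFFECTED_FROM, FIXED_IN).
function isVulnerable(version) {
  return compareVersions(version, AFFECTED_FROM) >= 0 &&
         compareVersions(version, FIXED_IN) < 0;
}

// Collect each distinct `yaml@<version>` package key (assumed lockfile v9 layout).
// Keys may carry a peer suffix such as `yaml@2.8.3(foo@1.0.0):`, hence [^:\n]*.
function resolvedYamlVersions(lockfileText) {
  const versions = new Set();
  for (const m of lockfileText.matchAll(/^\s*yaml@(\d+\.\d+\.\d+)[^:\n]*:/gm)) {
    versions.add(m[1]);
  }
  return [...versions].sort(compareVersions);
}

// Returns the vulnerable versions found; an empty array means the override held.
function auditLockfile(lockfileText) {
  return resolvedYamlVersions(lockfileText).filter(isVulnerable);
}

// Constructed sample lockfile: a stale resolution left beside the patched one.
// Versions other than yaml's and the integrity hashes are placeholders.
const SAMPLE_LOCKFILE = `
packages:
  yaml-eslint-parser@0.0.0-placeholder:
    resolution: {integrity: sha512-PLACEHOLDER}
  yaml@2.8.2:
    resolution: {integrity: sha512-PLACEHOLDER}
  yaml@2.8.3:
    resolution: {integrity: sha512-PLACEHOLDER}
`;

console.log('vulnerable yaml versions:', auditLockfile(SAMPLE_LOCKFILE));
```

In a real repository, pass the contents of pnpm-lock.yaml instead of the sample; a non-empty result after `pnpm install` means the override did not reach every resolution path.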
@marcusrbrown marcusrbrown merged commit 0dd47fa into main Mar 26, 2026
6 checks passed
@marcusrbrown marcusrbrown deleted the security/yaml-2.8.3-override branch March 26, 2026 07:59