From 999ad9da2032a8ed24fc26b0c2447bf2fdc81a13 Mon Sep 17 00:00:00 2001
From: fro-bot <80104189+fro-bot@users.noreply.github.com>
Date: Thu, 26 Mar 2026 05:23:25 +0000
Subject: [PATCH] fix(security): update yaml override to >=2.8.3

Addresses CVE-2026-33532 (GHSA-48c2-rrv3-qjmp)
- yaml package vulnerable to Stack Overflow via deeply nested YAML collections
- yaml is a transitive dependency via eslint-plugin-json-schema-validator
- Override forces resolution to patched version >=2.8.3
---
 package.json | 3 ++-
 pnpm-lock.yaml | 9 +++++----
 2 files changed, 7 insertions(+), 5 deletions(-)

diff --git a/package.json b/package.json
index af80aa99b..67157c760 100644
--- a/package.json
+++ b/package.json
@@ -46,7 +46,8 @@
 "ajv@8": "8.18.0",
 "flatted": ">=3.4.2",
 "minimatch": ">=10.2.3",
- "undici": ">=7.24.0"
+ "undici": ">=7.24.0",
+ "yaml": ">=2.8.3"
 }
 }
 }
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index 96f992c1d..d88f26e0a 100644
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -9,6 +9,7 @@ overrides:
 flatted: '>=3.4.2'
 minimatch: '>=10.2.3'
 undici: '>=7.24.0'
+ yaml: '>=2.8.3'
 importers:
@@ -1411,8 +1412,8 @@ packages:
 resolution: {integrity: sha512-h0uDm97wvT2bokfwwTmY6kJ1hp6YDFL0nRHwNKz8s/VD1FH/vvZjAKoMUE+un0eaYBSG7/c6h+lJTP+31tjgTw==}
 engines: {node: ^20.19.0 || ^22.13.0 || >=24}
- yaml@2.8.2:
- resolution: {integrity: sha512-mplynKqc1C2hTVYxd0PU2xQAc22TI1vShAYGksCCfxbn/dFwnHTNi1bvYsBTkhdUNtGIf5xNOg938rrSSYvS9A==}
+ yaml@2.8.3:
+ resolution: {integrity: sha512-AvbaCLOO2Otw/lW5bmh9d/WEdcDFdQp2Z2ZUH3pX9U2ihyUY0nvLv7J6TrWowklRGPYbB/IuIMfYgxaCPg5Bpg==}
 engines: {node: '>= 14.6'}
 hasBin: true
@@ -3000,9 +3001,9 @@ snapshots:
 yaml-eslint-parser@2.0.0:
 dependencies:
 eslint-visitor-keys: 5.0.1
- yaml: 2.8.2
+ yaml: 2.8.3
- yaml@2.8.2: {}
+ yaml@2.8.3: {}
 yocto-queue@0.1.0: {}