Skip to content

fix(deps): bump transitive js-yaml to patched versions#82

Merged
BCook98 merged 2 commits into
mainfrom
fix/js-yaml-dos
Jul 10, 2026
Merged

fix(deps): bump transitive js-yaml to patched versions#82
BCook98 merged 2 commits into
mainfrom
fix/js-yaml-dos

Conversation

@BCook98

@BCook98 BCook98 commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

Resolves dependabot alert #2 — quadratic-complexity DoS in js-yaml merge-key handling, patched in 3.15.0.

Lockfile-only npm update js-yaml --package-lock-only within the existing semver ranges: 4.1.x → 4.3.0 and the 3.x copy under read-yaml-file (via @changesets/cli) → 3.15.0. npm audit now reports 0 vulnerabilities. Dev tooling only (changesets release scripts); no runtime impact.

🤖 Generated with Claude Code

BCook98 and others added 2 commits July 10, 2026 09:33
Resolves dependabot alert #2 (quadratic-complexity DoS in js-yaml
merge-key handling, patched in 3.15.0). Lockfile-only update within
existing semver ranges: 4.1.x -> 4.3.0 and 3.14.x -> 3.15.0 (via
read-yaml-file under @changesets/cli).

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
@BCook98
BCook98 merged commit 6876fb2 into main Jul 10, 2026
6 checks passed
@BCook98
BCook98 deleted the fix/js-yaml-dos branch July 10, 2026 01:27
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant