Skip to content

chore(deps): bump js-yaml from 4.1.1 to 4.3.0#242

Merged
lawreka merged 1 commit into
mainfrom
dependabot/npm_and_yarn/js-yaml-4.3.0
Jul 1, 2026
Merged

chore(deps): bump js-yaml from 4.1.1 to 4.3.0#242
lawreka merged 1 commit into
mainfrom
dependabot/npm_and_yarn/js-yaml-4.3.0

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 28, 2026

Copy link
Copy Markdown
Contributor

Bumps js-yaml from 4.1.1 to 4.3.0.

Changelog

Sourced from js-yaml's changelog.

4.3.0, 3.15.0 - 2026-06-27

Security

  • Backported maxTotalMergeKeys option.

[5.2.0] - 2026-06-26

Added

  • Added maxTotalMergeKeys (10000) loader option to limit the total number of keys processed by YAML merge (<<) across one load() / loadAll() call.
  • Added maxAliases (-1) loader option to limit the number of YAML aliases per document.

Removed

  • maxMergeSeqLength replaced with maxTotalMergeKeys for limiting YAML merge processing.

Fixed

  • Round-trip of integers with exponential form (>= 1e21)

[5.1.0] - 2026-06-23

Added

  • Collection tags can finalize an incrementally populated carrier into a different result value.

Changed

  • [breaking] quoteStyle now selects the preferred quote style; use the restored forceQuotes option to force quoting non-key strings.

[5.0.0] - 2026-06-20

Added

  • Added named exports for schemas, tags, parser events and AST utilities.
  • Reworked JSON_SCHEMA and CORE_SCHEMA with spec-compliant scalar resolution rules, and added YAML11_SCHEMA.
  • Added realMapTag for lossless mappings with non-string and complex keys. Object-based mappings now reject complex keys instead of stringifying them.
  • Added dump() transform option for changing the generated AST before rendering.
  • Added dump() options seqInlineFirst, flowBracketPadding, flowSkipCommaSpace, flowSkipColonSpace, quoteFlowKeys, quoteStyle and tagBeforeAnchor.
  • Added formal data layers (events and AST) for modular data pipelines.
    • Added low-level parser (to events), presenter and visitor APIs.
  • Added the YAML Test Suite to the test set.

Changed

  • See the migration guide for upgrade notes.
  • Rewritten in TypeScript and reorganized the public API around flat named exports.

... (truncated)

Commits
  • 33d05b5 4.3.0 released
  • 663bfab Drop demo publish, to not override new v5 one.
  • 1cb8c7b Add v4-legacy tag for publish
  • 02f27af Restore umd builds back to es5
  • 8be84ed Fix es5 compatibility
  • 59423c6 Replace maxMergeSeqLength option with maxTotalMergeKeys (more robust). Ba...
  • 6842ef6 doc polish
  • 590dbab 4.2.0 released
  • f944dc5 Add package.json funding field
  • f692719 Changelog update
  • Additional commits viewable in compare view


Note

Low Risk
Lockfile-only dependency bump with a targeted YAML-loader security hardening; no application source changes, with limited runtime exposure via ESLint config parsing.

Overview
Updates js-yaml from 4.1.1 to 4.3.0 in pnpm-lock.yaml, including the @eslint/eslintrc dependency that uses it to parse ESLint config YAML.

4.3.0 backports maxTotalMergeKeys to cap YAML merge (<<) processing during load() / loadAll(), addressing merge-related abuse. The lockfile diff also reflects routine transitive version shifts (e.g. Babel packages, acorn, brace-expansion) from the resolved tree.

Reviewed by Cursor Bugbot for commit 81ce99a. Bugbot is set up for automated code reviews on this repo. Configure here.

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jun 28, 2026
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/js-yaml-4.3.0 branch from dbe159d to 7f0ea99 Compare July 1, 2026 18:19
Bumps [js-yaml](https://github.com/nodeca/js-yaml) from 4.1.1 to 4.3.0.
- [Changelog](https://github.com/nodeca/js-yaml/blob/master/CHANGELOG.md)
- [Commits](nodeca/js-yaml@4.1.1...4.3.0)

---
updated-dependencies:
- dependency-name: js-yaml
  dependency-version: 4.3.0
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/js-yaml-4.3.0 branch from 7f0ea99 to 81ce99a Compare July 1, 2026 18:25
@lawreka lawreka self-requested a review July 1, 2026 18:27
@lawreka lawreka merged commit 0a4681f into main Jul 1, 2026
3 checks passed
@lawreka lawreka deleted the dependabot/npm_and_yarn/js-yaml-4.3.0 branch July 1, 2026 18:27
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant