
chore(deps): bump js-yaml to fix prototype pollution in merge #5709

Open

antonis wants to merge 1 commit into main from antonis/bump-js-yaml

Conversation

antonis (Contributor) commented Feb 24, 2026

Summary

  • Fixes prototype pollution via merge (<<) in both the 3.x and 4.x series
  • 3.x (3.14.1 → 3.14.2): uses parent-scoped resolutions for the four 3.x consumers (@istanbuljs/load-nyc-config, @yarnpkg/parsers, cosmiconfig, front-matter) to preserve 3.x API compatibility — js-yaml 4.x has breaking API changes (safeLoad removed)
  • 4.x (4.1.0 → 4.1.1): unscoped resolution covers all remaining consumers

Dependabot alerts

Test plan

  • yarn install resolves 3.x consumers to 3.14.2 and 4.x consumers to 4.1.1
  • yarn build passes
  • yarn test passes

🤖 Generated with Claude Code
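The test plan above says that after the bump, `yarn install` must resolve the four 3.x consumers to js-yaml 3.14.2 and the rest of the tree to 4.1.1. The script below, added here as an example and not taken from the PR or the repository, turns that expectation into a repeatable check over a yarn classic (v1) lockfile: it parses the lockfile text, flags any js-yaml entry that sits below the fixed version of its major line, and reports which js-yaml version each named consumer actually resolves to. The lockfile excerpt, the registry URL and the function names are constructed for the example, and the v1 lockfile format is an assumption about the project rather than something the PR states.

```javascript
// Added example, not code from the PR or from the project it targets: audit a
// yarn classic (v1) lockfile for js-yaml entries that predate the merge-key
// (<<) prototype-pollution fix the PR describes (3.x must be >= 3.14.2, 4.x
// >= 4.1.1). Assumes the yarn.lock v1 text format; the excerpt is constructed.

const FIXED_BY_MAJOR = { 3: "3.14.2", 4: "4.1.1" }; // minimums from the PR text
const THREE_X_CONSUMERS = ["@istanbuljs/load-nyc-config", "@yarnpkg/parsers", "cosmiconfig", "front-matter"];

// Constructed lockfile excerpt: one consumer still reaches a stale 3.14.1,
// another already gets 3.14.2, and the 4.x line sits at the fixed 4.1.1.
const SAMPLE_LOCK = `
"@istanbuljs/load-nyc-config@^1.0.0":
  version "1.1.0"
  dependencies:
    js-yaml "^3.13.1"

front-matter@^4.0.2:
  version "4.0.2"
  dependencies:
    js-yaml "^3.14.1"

js-yaml@^3.13.1:
  version "3.14.1"
  resolved "https://registry.example/js-yaml-3.14.1.tgz"

js-yaml@^3.14.1:
  version "3.14.2"

js-yaml@^4.1.0:
  version "4.1.1"
`;

// Parse yarn.lock v1 into [{ selectors, version, dependencies }]: headers sit at
// column 0 and end with ":", fields are indented two spaces, dependency lines four.
function parseYarnLockV1(text) {
  const entries = [];
  let current = null, inDeps = false;
  for (const raw of text.split("\n")) {
    if (!raw.trim() || raw.startsWith("#")) continue;
    if (!raw.startsWith(" ")) {
      const selectors = raw.replace(/:\s*$/, "").split(",").map((s) => s.trim().replace(/^"|"$/g, ""));
      current = { selectors, version: null, dependencies: {} };
      entries.push(current);
      inDeps = false;
      continue;
    }
    const line = raw.trim();
    if (inDeps && raw.startsWith("    ")) {
      const dep = line.match(/^"?([^"\s]+)"?\s+"?([^"]+)"?$/);
      if (dep) current.dependencies[dep[1]] = dep[2];
      continue;
    }
    inDeps = line === "dependencies:" || line === "optionalDependencies:";
    const ver = line.match(/^version "([^"]+)"$/);
    if (ver) current.version = ver[1];
  }
  return entries;
}

// "pkg@range" -> "pkg"; scoped names keep their leading "@".
const packageName = (selector) => selector.slice(0, selector.lastIndexOf("@"));

// Numeric compare of dotted versions; negative when a is older than b.
function compareVersions(a, b) {
  const [pa, pb] = [a, b].map((v) => v.split(".").map(Number));
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// js-yaml lock entries resolved below the fix for their major line, or on a major the PR does not cover.
function findStaleJsYaml(entries) {
  const stale = [];
  for (const e of entries) {
    if (!e.selectors.every((s) => packageName(s) === "js-yaml")) continue;
    const fixed = FIXED_BY_MAJOR[String(e.version).split(".")[0]];
    if (!fixed || compareVersions(e.version, fixed) < 0) {
      stale.push({ selectors: e.selectors, version: e.version, required: fixed || "uncovered major" });
    }
  }
  return stale;
}

// Version of depName that consumerName's lock entry resolves to, or null.
function resolveDependency(entries, consumerName, depName) {
  const consumer = entries.find((e) => e.selectors.some((s) => packageName(s) === consumerName));
  const range = consumer && consumer.dependencies[depName];
  if (!range) return null;
  const target = entries.find((e) => e.selectors.includes(`${depName}@${range}`));
  return target ? target.version : null;
}

// Report: stale js-yaml entries plus the js-yaml version each 3.x consumer actually gets.
function auditLock(text, consumers = THREE_X_CONSUMERS) {
  const entries = parseYarnLockV1(text);
  const perConsumer = Object.fromEntries(consumers.map((name) =>
    [name, resolveDependency(entries, name, "js-yaml") ?? "not in lockfile"]));
  return { stale: findStaleJsYaml(entries), perConsumer };
}

console.log(JSON.stringify(auditLock(SAMPLE_LOCK), null, 2));
```

Against a real checkout, read `yarn.lock` with `fs.readFileSync` and pass the text to `auditLock`; an empty `stale` array and every named consumer at `3.14.2` is the state the PR's test plan describes. Yarn Berry writes its lockfile as YAML with a different shape, so this v1 parser does not apply there.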

@antonis antonis added the ready-to-merge Triggers the full CI test suite label Feb 24, 2026
github-actions bot commented Feb 24, 2026

Semver Impact of This PR

None (no version bump detected)

📋 Changelog Preview

This is how your changes will appear in the changelog.
Entries from this PR are highlighted with a left border (blockquote style).


  • chore(deps): bump js-yaml to fix prototype pollution in merge by antonis in #5709
  • ci: Cancel in-progress CI jobs when a PR is closed or merged by antonis in #5725

🤖 This preview updates automatically when you update the PR.

github-actions bot commented

Android (legacy) Performance metrics 🚀

| | Plain | With Sentry | Diff |
|---|---|---|---|
| Startup time | 402.84 ms | 427.48 ms | 24.64 ms |
| Size | 43.75 MiB | 48.46 MiB | 4.71 MiB |

Baseline results on branch: main

Startup times

| Revision | Plain | With Sentry | Diff |
|---|---|---|---|
| df1f7df+dirty | 442.64 ms | 427.16 ms | -15.48 ms |
| a483f9f+dirty | 396.82 ms | 453.28 ms | 56.46 ms |
| a0b15d6 | 423.06 ms | 437.77 ms | 14.71 ms |
| 7091004+dirty | 416.11 ms | 423.90 ms | 7.79 ms |
| 5526494 | 440.84 ms | 448.36 ms | 7.52 ms |
| 8a4ce6f | 422.88 ms | 408.33 ms | -14.55 ms |
| 526494a+dirty | 422.80 ms | 438.90 ms | 16.10 ms |
| 60cd796+dirty | 445.84 ms | 492.45 ms | 46.61 ms |
| 3bd3f0d+dirty | 447.21 ms | 472.31 ms | 25.10 ms |
| 769e11c+dirty | 409.15 ms | 446.06 ms | 36.91 ms |

App size

| Revision | Plain | With Sentry | Diff |
|---|---|---|---|
| df1f7df+dirty | 43.75 MiB | 48.08 MiB | 4.33 MiB |
| a483f9f+dirty | 43.75 MiB | 48.41 MiB | 4.66 MiB |
| a0b15d6 | 17.75 MiB | 20.15 MiB | 2.41 MiB |
| 7091004+dirty | 43.75 MiB | 47.99 MiB | 4.23 MiB |
| 5526494 | 17.75 MiB | 19.68 MiB | 1.93 MiB |
| 8a4ce6f | 17.75 MiB | 19.68 MiB | 1.94 MiB |
| 526494a+dirty | 43.75 MiB | 47.99 MiB | 4.24 MiB |
| 60cd796+dirty | 43.75 MiB | 48.07 MiB | 4.32 MiB |
| 3bd3f0d+dirty | 17.75 MiB | 19.70 MiB | 1.95 MiB |
| 769e11c+dirty | 43.75 MiB | 48.41 MiB | 4.66 MiB |

github-actions bot commented

iOS (legacy) Performance metrics 🚀

| | Plain | With Sentry | Diff |
|---|---|---|---|
| Startup time | 1209.67 ms | 1212.80 ms | 3.13 ms |
| Size | 3.38 MiB | 4.78 MiB | 1.40 MiB |

Baseline results on branch: main

Startup times

| Revision | Plain | With Sentry | Diff |
|---|---|---|---|
| c08359e+dirty | 1235.25 ms | 1233.96 ms | -1.29 ms |
| 90e7cb3+dirty | 1206.61 ms | 1209.46 ms | 2.84 ms |
| 4e6d7d7+dirty | 1206.72 ms | 1214.19 ms | 7.47 ms |
| 4997892+dirty | 1217.98 ms | 1222.57 ms | 4.60 ms |
| 8e653ac+dirty | 1218.63 ms | 1223.88 ms | 5.24 ms |
| 6bd9054+dirty | 1212.20 ms | 1217.89 ms | 5.70 ms |
| d751a5d+dirty | 1215.57 ms | 1220.56 ms | 4.99 ms |
| 2f9fb30+dirty | 1189.51 ms | 1190.71 ms | 1.20 ms |
| 8334e91+dirty | 1205.45 ms | 1210.90 ms | 5.45 ms |
| f8d19f8+dirty | 1203.98 ms | 1209.74 ms | 5.77 ms |

App size

| Revision | Plain | With Sentry | Diff |
|---|---|---|---|
| c08359e+dirty | 2.63 MiB | 3.81 MiB | 1.18 MiB |
| 90e7cb3+dirty | 3.41 MiB | 4.58 MiB | 1.17 MiB |
| 4e6d7d7+dirty | 3.38 MiB | 4.60 MiB | 1.22 MiB |
| 4997892+dirty | 3.38 MiB | 4.60 MiB | 1.22 MiB |
| 8e653ac+dirty | 2.63 MiB | 4.01 MiB | 1.38 MiB |
| 6bd9054+dirty | 3.41 MiB | 4.67 MiB | 1.25 MiB |
| d751a5d+dirty | 2.63 MiB | 3.98 MiB | 1.34 MiB |
| 2f9fb30+dirty | 3.41 MiB | 4.59 MiB | 1.18 MiB |
| 8334e91+dirty | 3.38 MiB | 4.78 MiB | 1.40 MiB |
| f8d19f8+dirty | 3.44 MiB | 4.59 MiB | 1.15 MiB |

@antonis antonis marked this pull request as ready for review February 24, 2026 13:07
github-actions bot commented

iOS (new) Performance metrics 🚀

| | Plain | With Sentry | Diff |
|---|---|---|---|
| Startup time | 1222.98 ms | 1224.71 ms | 1.73 ms |
| Size | 3.38 MiB | 4.78 MiB | 1.40 MiB |

Baseline results on branch: main

Startup times

| Revision | Plain | With Sentry | Diff |
|---|---|---|---|
| c08359e+dirty | 1200.59 ms | 1211.81 ms | 11.22 ms |
| 90e7cb3+dirty | 1212.61 ms | 1213.80 ms | 1.19 ms |
| 4e6d7d7+dirty | 1204.87 ms | 1212.74 ms | 7.86 ms |
| 4997892+dirty | 1212.09 ms | 1212.46 ms | 0.37 ms |
| 8e653ac+dirty | 1215.46 ms | 1220.20 ms | 4.75 ms |
| 6bd9054+dirty | 1207.02 ms | 1199.27 ms | -7.76 ms |
| d751a5d+dirty | 1212.22 ms | 1217.94 ms | 5.71 ms |
| 2f9fb30+dirty | 1219.06 ms | 1223.38 ms | 4.32 ms |
| 8334e91+dirty | 1220.96 ms | 1224.70 ms | 3.74 ms |
| f8d19f8+dirty | 1212.06 ms | 1219.53 ms | 7.47 ms |

App size

| Revision | Plain | With Sentry | Diff |
|---|---|---|---|
| c08359e+dirty | 3.19 MiB | 4.38 MiB | 1.19 MiB |
| 90e7cb3+dirty | 3.41 MiB | 4.58 MiB | 1.17 MiB |
| 4e6d7d7+dirty | 3.38 MiB | 4.60 MiB | 1.22 MiB |
| 4997892+dirty | 3.38 MiB | 4.60 MiB | 1.22 MiB |
| 8e653ac+dirty | 3.19 MiB | 4.58 MiB | 1.39 MiB |
| 6bd9054+dirty | 3.41 MiB | 4.67 MiB | 1.25 MiB |
| d751a5d+dirty | 3.19 MiB | 4.54 MiB | 1.36 MiB |
| 2f9fb30+dirty | 3.41 MiB | 4.59 MiB | 1.18 MiB |
| 8334e91+dirty | 3.38 MiB | 4.78 MiB | 1.40 MiB |
| f8d19f8+dirty | 3.44 MiB | 4.59 MiB | 1.15 MiB |

github-actions bot commented

Android (new) Performance metrics 🚀

| | Plain | With Sentry | Diff |
|---|---|---|---|
| Startup time | 486.24 ms | 531.04 ms | 44.80 ms |
| Size | 43.94 MiB | 49.33 MiB | 5.39 MiB |

Baseline results on branch: main

Startup times

| Revision | Plain | With Sentry | Diff |
|---|---|---|---|
| df1f7df+dirty | 374.68 ms | 384.96 ms | 10.28 ms |
| a483f9f+dirty | 428.57 ms | 475.98 ms | 47.41 ms |
| 7091004+dirty | 377.76 ms | 402.11 ms | 24.35 ms |
| 5526494+dirty | 380.79 ms | 432.70 ms | 51.91 ms |
| 98f632c+dirty | 323.98 ms | 375.39 ms | 51.41 ms |
| 5c16cdc+dirty | 375.45 ms | 426.62 ms | 51.17 ms |
| 8ece263+dirty | 369.44 ms | 414.65 ms | 45.21 ms |
| a2bb688+dirty | 371.19 ms | 389.18 ms | 17.99 ms |
| 526494a+dirty | 361.10 ms | 410.84 ms | 49.74 ms |
| 60cd796+dirty | 410.56 ms | 439.00 ms | 28.44 ms |

App size

| Revision | Plain | With Sentry | Diff |
|---|---|---|---|
| df1f7df+dirty | 43.94 MiB | 48.91 MiB | 4.97 MiB |
| a483f9f+dirty | 43.94 MiB | 49.27 MiB | 5.33 MiB |
| 7091004+dirty | 43.94 MiB | 48.81 MiB | 4.88 MiB |
| 5526494+dirty | 7.15 MiB | 8.41 MiB | 1.26 MiB |
| 98f632c+dirty | 7.15 MiB | 8.42 MiB | 1.27 MiB |
| 5c16cdc+dirty | 7.15 MiB | 8.41 MiB | 1.26 MiB |
| 8ece263+dirty | 7.15 MiB | 8.41 MiB | 1.26 MiB |
| a2bb688+dirty | 7.15 MiB | 8.43 MiB | 1.28 MiB |
| 526494a+dirty | 43.94 MiB | 48.82 MiB | 4.88 MiB |
| 60cd796+dirty | 43.94 MiB | 48.90 MiB | 4.96 MiB |

@antonis antonis removed the ready-to-merge Triggers the full CI test suite label Feb 26, 2026
Fixes prototype pollution via merge (<<) in two series:
- 3.x: bumps 3.14.1 -> 3.14.2 via parent-scoped resolutions for the
  four 3.x consumers (@istanbuljs/load-nyc-config, @yarnpkg/parsers,
  cosmiconfig, front-matter), preserving 3.x API compatibility
- 4.x: bumps 4.1.0 -> 4.1.1 via unscoped resolution

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@antonis antonis force-pushed the antonis/bump-js-yaml branch from 71a886c to 0ad9569 February 26, 2026 13:10
github-actions bot commented

Fails
🚫 Pull request is not ready for merge, please add the "ready-to-merge" label to the pull request

Generated by 🚫 dangerJS against 0ad9569
