From 0ad95691721ed7003d05e737c81e74f4c8e5a2ca Mon Sep 17 00:00:00 2001 From: Antonis Lilis Date: Thu, 26 Feb 2026 14:10:36 +0100 Subject: [PATCH 1/3] chore(deps): bump js-yaml to fix prototype pollution in merge Fixes prototype pollution via merge (<<) in two series: - 3.x: bumps 3.14.1 -> 3.14.2 via parent-scoped resolutions for the four 3.x consumers (@istanbuljs/load-nyc-config, @yarnpkg/parsers, cosmiconfig, front-matter), preserving 3.x API compatibility - 4.x: bumps 4.1.0 -> 4.1.1 via unscoped resolution Co-Authored-By: Claude Sonnet 4.6
---
 package.json | 5 +++++ yarn.lock | 23 ++++++----------------- 2 files changed, 11 insertions(+), 17 deletions(-)
diff --git a/package.json b/package.json
index bd69d55849..ced8645189 100644
--- a/package.json
+++ b/package.json
@@ -60,8 +60,13 @@
 ],
 "resolutions": {
 "appium-chromedriver@npm:5.6.73/@xmldom/xmldom": "0.8.10",
+ "@istanbuljs/load-nyc-config@npm:1.1.0/js-yaml": "^3.14.2",
+ "@yarnpkg/parsers@npm:3.0.0-rc.46/js-yaml": "^3.14.2",
+ "cosmiconfig@npm:5.2.1/js-yaml": "^3.14.2",
+ "front-matter@npm:4.0.2/js-yaml": "^3.14.2",
 "fast-xml-parser": "^5.3.6",
 "form-data": "4.0.4",
+ "js-yaml": "^4.1.1",
 "qs": "^6.14.2",
 "lodash": "^4.17.23",
 "tar-fs": "^3.1.1",
diff --git a/yarn.lock b/yarn.lock
index d9063b15cf..25b60074f3 100644
--- a/yarn.lock
+++ b/yarn.lock
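Review bot: The four parent-scoped entries added to `resolutions` in package.json are keyed to exact parent versions (`cosmiconfig@npm:5.2.1/js-yaml` and the three beside it), so each one stops matching as soon as that parent is upgraded, and nothing in the hunk would signal that the override no longer applies. The unscoped `"js-yaml": "^4.1.1"` covers every consumer not listed here, so a 3.x-range consumer introduced later would presumably be moved onto the 4.x API instead of 3.14.2; the commit message says there are four such consumers today, which the diff alone cannot confirm. package.json cannot carry a comment, so I would keep the reason for these pins in the PR description and re-check the resolved versions with `yarn why js-yaml` whenever one of the four parents is bumped. The `resolutions` object continues past the end of the hunk.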
@@ -23507,26 +23507,15 @@ __metadata: languageName: node linkType: hard -"js-yaml@npm:4.1.0, js-yaml@npm:^4.1.0": - version: 4.1.0 - resolution: "js-yaml@npm:4.1.0" +"js-yaml@npm:^3.14.2": + version: 3.14.2 + resolution: "js-yaml@npm:3.14.2" dependencies: - argparse: "npm:^2.0.1" - bin: - js-yaml: bin/js-yaml.js - checksum: c7830dfd456c3ef2c6e355cc5a92e6700ceafa1d14bba54497b34a99f0376cecbb3e9ac14d3e5849b426d5a5140709a66237a8c991c675431271c4ce5504151a - languageName: node - linkType: hard - -"js-yaml@npm:^3.10.0, js-yaml@npm:^3.13.1": - version: 3.14.1 - resolution: "js-yaml@npm:3.14.1" - dependencies: - argparse: "npm:^1.0.7" - esprima: "npm:^4.0.0" + argparse: ^1.0.7 + esprima: ^4.0.0 bin: js-yaml: bin/js-yaml.js - checksum: bef146085f472d44dee30ec34e5cf36bf89164f5d585435a3d3da89e52622dff0b188a580e4ad091c3341889e14cb88cac6e4deb16dc5b1e9623bb0601fc255c + checksum: 626fc207734a3452d6ba84e1c8c226240e6d431426ed94d0ab043c50926d97c509629c08b1d636f5d27815833b7cfd225865631da9fb33cb957374490bf3e90b languageName: node linkType: hard
From 34c84591cd7cc84e06f0e0fb6d2759fdce58626a Mon Sep 17 00:00:00 2001 From: Antonis Lilis Date: Fri, 27 Feb 2026 13:11:02 +0100 Subject: [PATCH 2/3] Remove duplicate entry
---
 package.json | 1 - 1 file changed, 1 deletion(-)
diff --git a/package.json b/package.json
index 0c526a0411..8ba0b27755 100644
--- a/package.json
+++ b/package.json
@@ -65,7 +65,6 @@
 "cosmiconfig@npm:5.2.1/js-yaml": "^3.14.2",
 "front-matter@npm:4.0.2/js-yaml": "^3.14.2",
 "fast-xml-parser": "^5.3.6",
- "form-data": "4.0.4",
 "js-yaml": "^4.1.1",
 "axios": "^1.13.5",
 "fast-xml-parser": "^5.3.6",
From e4bd0e20e8c5de05632bdac8642b860af661738e Mon Sep 17 00:00:00 2001 From: Antonis Lilis Date: Fri, 27 Feb 2026 15:18:28 +0100 Subject: [PATCH 3/3] Remove duplicate entry
---
 package.json | 1 - 1 file changed, 1 deletion(-)
diff --git a/package.json b/package.json
index 8ba0b27755..284492ec75 100644
--- a/package.json
+++ b/package.json
@@ -64,7 +64,6 @@
 "@yarnpkg/parsers@npm:3.0.0-rc.46/js-yaml": "^3.14.2",
 "cosmiconfig@npm:5.2.1/js-yaml": "^3.14.2",
 "front-matter@npm:4.0.2/js-yaml": "^3.14.2",
- "fast-xml-parser": "^5.3.6",
 "js-yaml": "^4.1.1",
 "axios": "^1.13.5",
 "fast-xml-parser": "^5.3.6",