fix(deps): Bump js-yaml to 3.14.2 and 4.1.1#19216

Merged
chargome merged 2 commits into develop from fix/bump-js-yaml on Feb 7, 2026

Conversation

@chargome (Member) commented Feb 6, 2026

Addresses CVE-2025-64718 (GHSA-mh29-5h37-fv8m), a medium severity prototype pollution via `__proto__` in YAML merge (`<<`) when parsing untrusted documents.

Addresses CVE-2025-64718 (GHSA-mh29-5h37-fv8m), a medium severity
prototype pollution via __proto__ in YAML merge (<<) when parsing
untrusted documents.

Co-Authored-By: Claude <[email protected]>
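Why the bump matters, as an added illustration in plain JavaScript that is neither this PR's code nor js-yaml's: a toy resolver for the YAML merge key (`<<`) in the plain-assignment form the advisory describes, beside a hardened form that stores keys with `Object.defineProperty`. The parsed-document input is constructed here; `resolveMapping`, `assignUnsafe`, `assignSafe` and `isPrototypeIntact` are names chosen for this example.

```javascript
// Added illustration, not code from the Sentry PR or from js-yaml.
// A YAML parser resolves `<<` by copying the merged mapping's keys into the
// containing mapping. With plain assignment, a key literally named __proto__
// hits the inherited accessor and swaps the object's prototype.
const MERGE_KEY = '<<';

// Unsafe: plain assignment invokes the __proto__ setter.
function assignUnsafe(target, key, value) {
  target[key] = value;
}

// Hardened: defineProperty creates an own data property and never runs the
// inherited accessor, so the prototype chain stays untouched.
function assignSafe(target, key, value) {
  Object.defineProperty(target, key, {
    value, enumerable: true, writable: true, configurable: true,
  });
}

// pairs: [key, value] entries of one mapping, as a parser would emit them.
// The value of `<<` is one mapping or a list of mappings.
function resolveMapping(pairs, assign) {
  const result = {};
  for (const [key, value] of pairs) {
    if (key !== MERGE_KEY) { assign(result, key, value); continue; }
    const sources = Array.isArray(value) ? value : [value];
    for (const src of sources) {
      for (const k of Object.keys(src)) {
        // YAML merge semantics: keys already present in the mapping win.
        if (!Object.prototype.hasOwnProperty.call(result, k)) assign(result, k, src[k]);
      }
    }
  }
  return result;
}

// Regression-style check: the resolved mapping must still be a plain object.
function isPrototypeIntact(obj) {
  return Object.getPrototypeOf(obj) === Object.prototype;
}

// Constructed untrusted document. JSON.parse yields an own property named
// __proto__, which is what a parser produces for a mapping key of that name.
const untrustedDoc = [
  [MERGE_KEY, JSON.parse('{"__proto__": {"isAdmin": true}}')],
  ['name', 'guest'],
];

console.log('unsafe intact:', isPrototypeIntact(resolveMapping(untrustedDoc, assignUnsafe)));
console.log('safe intact:  ', isPrototypeIntact(resolveMapping(untrustedDoc, assignSafe)));
```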
@chargome chargome self-assigned this Feb 6, 2026
@chargome chargome requested a review from andreiborza February 6, 2026 16:07
@chargome chargome enabled auto-merge (squash) February 6, 2026 16:09
@chargome chargome requested a review from RulaKhaled February 6, 2026 16:09

@cursor cursor bot left a comment


Cursor Bugbot has reviewed your changes and found 1 potential issue.

Bugbot Autofix is OFF. To automatically fix reported issues with Cloud Agents, enable Autofix in the Cursor dashboard.

@github-actions bot (Contributor) commented Feb 6, 2026

Codecov Results 📊


Generated by Codecov Action

@github-actions bot (Contributor) commented Feb 6, 2026

node-overhead report 🧳

Note: This is a synthetic benchmark with a minimal express app and does not necessarily reflect the real-world performance impact in an application.

| Scenario | Requests/s | % of Baseline | Prev. Requests/s | Change % |
|---|---|---|---|---|
| GET Baseline | 8,660 | - | 9,178 | -6% |
| GET With Sentry | 1,620 | 19% | 1,725 | -6% |
| GET With Sentry (error only) | 6,023 | 70% | 6,156 | -2% |
| POST Baseline | 1,164 | - | 1,217 | -4% |
| POST With Sentry | 581 | 50% | 609 | -5% |
| POST With Sentry (error only) | 1,052 | 90% | 1,068 | -1% |
| MYSQL Baseline | 3,231 | - | 3,347 | -3% |
| MYSQL With Sentry | 356 | 11% | 485 | -27% |
| MYSQL With Sentry (error only) | 2,585 | 80% | 2,735 | -5% |


Split the js-yaml@4.1.0 exact specifier (from lerna) into its own
lockfile entry so it stays at 4.1.0, while js-yaml@^4.1.0 resolves
to the patched 4.1.1.

Co-Authored-By: Claude <[email protected]>
@chargome chargome merged commit 7bf099a into develop Feb 7, 2026
218 checks passed
@chargome chargome deleted the fix/bump-js-yaml branch February 7, 2026 07:39