chore(deps): bump js-yaml from 3.14.1 to 3.15.0#401
Bumps [js-yaml](https://github.com/nodeca/js-yaml) from 3.14.1 to 3.15.0.
- [Changelog](https://github.com/nodeca/js-yaml/blob/master/CHANGELOG.md)
- [Commits](nodeca/js-yaml@3.14.1...3.15.0)

---
updated-dependencies:
- dependency-name: js-yaml
  dependency-version: 3.15.0
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
Upstream: nodeca/js-yaml#731 (security backport via 3.14.1→3.15.0 compare)
Scope
Lockfile-only transitive bump of js-yaml from 3.14.1 to 3.15.0 in yarn.lock, backporting maxTotalMergeKeys to mitigate YAML merge (<<) abuse/prototype-pollution risk in tooling that parses untrusted YAML (eslint, istanbul, etc.). Worth merging for the security hygiene win with no application source changes.
CI
Checks are still pending; branch protection will gate merge—no code-level concerns identified in the lockfile diff.
Regression risk
Patch-level semver within the v3 line; risk is low, though any YAML loader behavior change in dev/CI tooling should surface in existing tests once CI completes.
Residual risks / follow-ups
None — because the sole changed path is yarn.lock, the bump is an indirect security patch on a well-scoped minor release, and no securitySensitivePaths or application code are touched.
Note: Review generated using Cursor model composer-2.5.
This review was generated by review-bot.
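An added illustration of the two mitigations the review comment and the commit list name (a cap on the total number of merged keys, and a merge step that cannot reach the target object's prototype), written for this page and not taken from js-yaml. The page does not show how nodeca/js-yaml#731 is fixed, so the resolver below is a toy: the function names (naiveMerge, hardenedMerge, demo*), the state object and the hostile input are all hypothetical and constructed here; only the option name maxTotalMergeKeys and its default of 10000 come from the commit list above.

```javascript
'use strict';
// Added example for this PR page; not js-yaml's source. A toy resolver
// for the YAML merge key ("<<") showing two hardening checks: a budget on
// the total number of keys merged per document, and a copy step that can
// never invoke the target's "__proto__" setter. The option name
// maxTotalMergeKeys and the default 10000 are from the commit list; the
// function and state names are hypothetical.

const DEFAULT_MAX_TOTAL_MERGE_KEYS = 10000;

const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Contrast case: plain assignment. An *own* key literally named "__proto__"
// in parsed input is routed to the inherited setter, so `target` is
// re-parented onto attacker data instead of gaining a key of that name.
function naiveMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (!hasOwn(target, key)) target[key] = source[key]; // existing keys win
  }
  return target;
}

// Hardened merge. `state.totalMergeKeys` is shared by every "<<" in one
// document so many small merges cannot add up past the budget; it counts
// every key visited, since the visit is the work an attacker amplifies.
function hardenedMerge(target, source, state, options = {}) {
  const limit = options.maxTotalMergeKeys ?? DEFAULT_MAX_TOTAL_MERGE_KEYS;
  const sources = Array.isArray(source) ? source : [source];
  for (const src of sources) {
    if (src === null || typeof src !== 'object' || Array.isArray(src)) {
      throw new TypeError('merge key value must be a mapping or a sequence of mappings');
    }
    for (const key of Object.keys(src)) {
      state.totalMergeKeys += 1;
      if (state.totalMergeKeys > limit) {
        throw new RangeError('too many merged keys in document (limit ' + limit + ')');
      }
      if (hasOwn(target, key)) continue; // existing keys win
      // defineProperty always creates an own data property, even when the
      // name is "__proto__", so the prototype setter is bypassed.
      Object.defineProperty(target, key, {
        value: src[key], enumerable: true, writable: true, configurable: true,
      });
    }
  }
  return target;
}

// Constructed hostile input. JSON.parse is used on purpose: an object
// literal with a "__proto__:" key would set the prototype at creation time,
// whereas parsed untrusted data yields an own key with that name, which is
// the shape a loader hands to its merge step.
function hostileSource() {
  return JSON.parse('{"__proto__": {"polluted": true}, "name": "x"}');
}

// With the naive merge, `polluted` is reachable through the prototype chain
// and no own "__proto__" key exists on the result.
function demoNaive() {
  const t = naiveMerge({}, hostileSource());
  return t.polluted === true && !hasOwn(t, '__proto__');
}

// With the hardened merge, the hostile key becomes an inert own property.
function demoHardened() {
  const t = hardenedMerge({}, hostileSource(), { totalMergeKeys: 0 });
  return t.polluted === undefined && hasOwn(t, '__proto__') && t.name === 'x';
}

// Budget check: three merges of the same 50-key mapping against a limit of
// 120 keys. The first two succeed (100 keys visited); the third trips the
// limit on its 21st key, so the counter reads 121 when the error is thrown.
function demoBudget() {
  const state = { totalMergeKeys: 0 };
  const big = {};
  for (let i = 0; i < 50; i++) big['k' + i] = i;
  const target = {};
  try {
    for (let i = 0; i < 3; i++) {
      hardenedMerge(target, big, state, { maxTotalMergeKeys: 120 });
    }
    return -1; // not reached
  } catch (e) {
    return e instanceof RangeError ? state.totalMergeKeys : -2;
  }
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('naive merge re-parented target:', demoNaive());
  console.log('hardened merge kept key inert:', demoHardened());
  console.log('keys visited when budget tripped:', demoBudget());
}
```

Run it with node. The budget counter is incremented for every key a merge visits, whether or not the key is copied, because repeated `<<` merges against a large mapping cost the loader a visit per key regardless of how many end up in the result; a limit that only counted copied keys would be trivially bypassed by merging the same mapping many times.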
Bumps js-yaml from 3.14.1 to 3.15.0.
Changelog
Sourced from js-yaml's changelog.
... (truncated)
Commits
- c34b6c4 3.15.0 released
- 21e13d3 dist rebuild
- 4165c62 Add v3-legacy tag for publish
- d8ff750 Add package lock
- 24f13e7 Added maxTotalMergeKeys (10000) loader option (v5 backport)
- 9963d36 3.14.2 released
- 10d3c8e dist rebuild
- 5278870 fix prototype pollution in merge (<<) (#731)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- @dependabot rebase will rebase this PR
- @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
- @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
- @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

You can disable automated security fix PRs for this repo from the Security Alerts page.