Skip to content

security(deps): bump js-yaml — 2 moderate dependabot alerts (quadratic-complexity DoS in merge-key handling) #1127

Description

@agents-squads

Alerts

Dependabot alerts #36 and #37 (both moderate, package-lock.json):

Alert js-yaml range Patched Scope
#37 < 3.15.0 3.15.0 runtime
#36 >= 4.0.0, <= 4.1.1 4.2.0 development

Advisory: JS-YAML quadratic-complexity DoS in merge-key (<<) handling via repeated aliases.

Fix

Both are (likely transitive) lockfile entries — check npm ls js-yaml for the dependents, then bump via npm audit fix or lockfile override so the 3.x consumer gets >= 3.15.0 and the 4.x consumer gets >= 4.2.0. No API changes expected within those ranges.

Acceptance

  • npm ls js-yaml shows only patched versions
  • npm run build + tests pass
  • Both dependabot alerts auto-resolve after merge

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions