Alerts
Dependabot alerts #36 and #37 (both moderate, package-lock.json):
| Alert |
js-yaml range |
Patched |
Scope |
| #37 |
< 3.15.0 |
3.15.0 |
runtime |
| #36 |
>= 4.0.0, <= 4.1.1 |
4.2.0 |
development |
Advisory: JS-YAML quadratic-complexity DoS in merge-key (<<) handling via repeated aliases.
Fix
Both are (likely transitive) lockfile entries — check npm ls js-yaml for the dependents, then bump via npm audit fix or lockfile override so the 3.x consumer gets >= 3.15.0 and the 4.x consumer gets >= 4.2.0. No API changes expected within those ranges.
Acceptance
npm ls js-yaml shows only patched versions
npm run build + tests pass
- Both dependabot alerts auto-resolve after merge
Alerts
Dependabot alerts #36 and #37 (both moderate, package-lock.json):
Advisory: JS-YAML quadratic-complexity DoS in merge-key (
<<) handling via repeated aliases.Fix
Both are (likely transitive) lockfile entries — check
npm ls js-yamlfor the dependents, then bump vianpm audit fixor lockfile override so the 3.x consumer gets >= 3.15.0 and the 4.x consumer gets >= 4.2.0. No API changes expected within those ranges.Acceptance
npm ls js-yamlshows only patched versionsnpm run build+ tests pass