What
Dependabot reports 2 open medium-severity alerts on the default branch, both the js-yaml quadratic-complexity DoS in merge-key handling advisory:
State
Already fixed on develop: package.json overrides pin js-yaml to ~3.15.0 / ^4.2.0 and the lockfile resolves every instance to 3.15.0 / 4.3.0 (verified 2026-07-14). main still resolves 3.14.2 (runtime) and 4.1.1 (dev), which is what dependabot scans.
Action
Severity is moderate and the vector is YAML parsing of crafted input; no urgent out-of-band release needed.
What
Dependabot reports 2 open medium-severity alerts on the default branch, both the js-yaml quadratic-complexity DoS in merge-key handling advisory:
< 3.15.0(runtime, viagray-matter)>= 4.0.0, <= 4.1.1(dev)State
Already fixed on
develop:package.jsonoverrides pinjs-yamlto~3.15.0/^4.2.0and the lockfile resolves every instance to 3.15.0 / 4.3.0 (verified 2026-07-14).mainstill resolves 3.14.2 (runtime) and 4.1.1 (dev), which is what dependabot scans.Action
Severity is moderate and the vector is YAML parsing of crafted input; no urgent out-of-band release needed.