Skip to content

security: resolve js-yaml DoS advisories (dependabot #36/#37) — fix on develop, pending release #1128

Description

@kokevidaurre

What

Dependabot reports 2 open medium-severity alerts on the default branch, both the js-yaml quadratic-complexity DoS in merge-key handling advisory:

State

Already fixed on develop: package.json overrides pin js-yaml to ~3.15.0 / ^4.2.0 and the lockfile resolves every instance to 3.15.0 / 4.3.0 (verified 2026-07-14). main still resolves 3.14.2 (runtime) and 4.1.1 (dev), which is what dependabot scans.

Action

Severity is moderate and the vector is YAML parsing of crafted input; no urgent out-of-band release needed.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions