Bump js-yaml from 3.14.1 to 3.14.2 #1099
Bumps [js-yaml](https://github.com/nodeca/js-yaml) from 3.14.1 to 3.14.2.
- [Changelog](https://github.com/nodeca/js-yaml/blob/master/CHANGELOG.md)
- [Commits](nodeca/js-yaml@3.14.1...3.14.2)

---
updated-dependencies:
- dependency-name: js-yaml
  dependency-version: 3.14.2
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>

@dependabot rebase
alexcos20
left a comment
AI automated code review (Gemini 3).
Overall risk: low
Summary:
This pull request is a Dependabot automated update to bump the js-yaml package versions in package-lock.json. Specifically, it updates js-yaml from 3.14.1 to 3.14.2 and from 4.1.0 to 4.1.1. These are patch version updates, indicating minor bug fixes or non-breaking improvements. The update also reflects changes in transitive dependencies, such as the removal of string_decoder entries.
Comments:
• [INFO][other] This PR updates js-yaml to patch versions 3.14.2 and 4.1.1. Patch versions typically contain bug fixes and are generally safe to merge. The changes are confined to the package-lock.json file, which is expected for a dependency update. Please ensure CI passes and consider a quick npm install locally to verify dependency resolution if possible.
• [INFO][other] Noticed the removal of the string_decoder dependency block. This is likely a natural resolution change due to the js-yaml update or an updated npm/yarn version resolving transitive dependencies more efficiently. It doesn't appear to be an issue.
Looks like js-yaml is up-to-date now, so this is no longer needed.
alexcos20
left a comment
AI automated code review (Gemini 3).
Overall risk: low
Summary:
Dependabot PR to bump js-yaml from 3.14.1 to 3.14.2 and 4.1.0 to 4.1.1. Both updates address critical security vulnerabilities (CVE-2020-14399 and CVE-2021-2479 respectively). The changes are confined to package-lock.json and include a minor cleanup of a string_decoder entry, which is a common artifact of dependency resolution. This is a crucial security update.
Comments:
• [INFO][security] This PR updates js-yaml to 3.14.2 and 4.1.1. The update to 3.14.2 addresses a critical remote code execution vulnerability (CVE-2020-14399) in js-yaml versions prior to 3.14.2. The update to 4.1.1 also addresses a security issue (CVE-2021-2479). This is a vital security patch and should be merged promptly.
• [INFO][other] The removal of the string_decoder dependency under rdfxml-streaming-parser/node_modules (and at root level) is likely a consequence of npm's dependency resolution and deduplication logic, as the updated js-yaml versions or other updated dependencies no longer require this specific nested version, or a higher-level version satisfies the requirement. This is generally a safe and positive cleanup.
alexcos20
left a comment
AI automated code review (Gemini 3).
Overall risk: low
Summary:
This pull request, initiated by Dependabot, updates the js-yaml package across different dependency trees within package-lock.json.
Specifically:
- `node_modules/@istanbuljs/load-nyc-config/node_modules/js-yaml` is updated from 3.14.1 to 3.14.2.
- The top-level `node_modules/js-yaml` is updated from 4.1.0 to 4.1.1.
- Corresponding `resolved` URLs and `integrity` hashes are updated.
- Some `string_decoder` entries under `rdfxml-streaming-parser` and `node_modules` are removed, likely due to dependency resolution changes or optimizations by npm/yarn.
The update to js-yaml 3.14.2 primarily addresses a security vulnerability (CVE-2021-3918 - regular expression denial of service). The update to js-yaml 4.1.1 includes a bug fix for a regression in flow style when using the dump method.
This is a beneficial dependency update that improves the security and stability of the project's dependencies without introducing any direct code changes.
Comments:
• [INFO][security] This update includes a patch for js-yaml version 3.x (to 3.14.2), which addresses a security vulnerability (CVE-2021-3918, a regular expression denial of service). This is a good and important update to pull in.
The js-yaml 4.x update (to 4.1.1) also includes a bug fix for a regression in flow style. It's great to keep dependencies up-to-date, especially for security and stability improvements.
• [INFO][other] The removal of the rdfxml-streaming-parser/node_modules/string_decoder and string_decoder entries in node_modules is likely a result of improved dependency resolution or deduplication by the package manager, now that js-yaml and its sub-dependencies have been updated. This is generally a benign change indicating a cleaner dependency tree. Ensure CI still passes to confirm no unexpected issues arise from these changes.
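The reviews above point out that js-yaml appears more than once in package-lock.json (a nested 3.x copy under @istanbuljs/load-nyc-config and a top-level 4.x copy), so a bump only helps if every copy moves. As an added example that is not code from this PR or the project, the script below walks a lockfileVersion 2/3 `packages` map and reports each js-yaml copy that is still below the release this PR targets for its major line (3.14.2 for 3.x, 4.1.1 for 4.x); the `auditJsYaml` helper and the lockfile fragment are constructed for illustration.

```javascript
// Added example, not code from the PR or the project: audit every copy of
// js-yaml recorded in a package-lock.json (lockfileVersion 2/3 "packages" map)
// against the fixed releases this PR moves to. Assumption: the minimum per
// major line is 3.14.2 for 3.x and 4.1.1 for 4.x, as stated in the reviews.
const MIN_FIXED = { 3: '3.14.2', 4: '4.1.1' };

// Parse "MAJOR.MINOR.PATCH" into numbers; prerelease/build suffixes are ignored.
function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

function cmpSemver(a, b) {
  const [x, y] = [parseSemver(a), parseSemver(b)];
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] - y[i];
  return 0;
}

// Walk the lockfile: nested copies live at paths like
// "node_modules/<parent>/node_modules/js-yaml", so match on the path suffix
// rather than on the package name alone. Returns one finding per copy.
function auditJsYaml(lock, minimums = MIN_FIXED, name = 'js-yaml') {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!path.endsWith(`node_modules/${name}`)) continue;
    const min = minimums[parseSemver(meta.version)[0]];
    let status = 'unknown-major';
    if (min !== undefined) status = cmpSemver(meta.version, min) >= 0 ? 'ok' : 'outdated';
    findings.push({ path, version: meta.version, minimum: min, status });
  }
  return findings;
}

// Constructed lockfile fragment mirroring the paths named in the review above:
// the nested 3.x copy is still at 3.14.1 here, the top-level 4.x copy is fixed.
const SAMPLE_LOCK = {
  lockfileVersion: 2,
  packages: {
    '': { name: 'example-app', version: '0.0.0' },
    'node_modules/@istanbuljs/load-nyc-config/node_modules/js-yaml': { version: '3.14.1' },
    'node_modules/js-yaml': { version: '4.1.1' },
  },
};

for (const f of auditJsYaml(SAMPLE_LOCK)) {
  console.log(`${f.status.padEnd(13)} ${f.version.padEnd(8)} ${f.path}`);
}
```

Run it against the real lockfile by replacing `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; any `outdated` row means a nested copy was missed by the bump.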
Bumps js-yaml from 3.14.1 to 3.14.2.
Changelog
Sourced from js-yaml's changelog.
... (truncated)
Commits
- 9963d36 3.14.2 released
- 10d3c8e dist rebuild
- 5278870 fix prototype pollution in merge (<<) (#731)

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

You can disable automated security fix PRs for this repo from the Security Alerts page.