
Fix Dependabot alert #18: upgrade js-yaml to 4.2.0 via override #8

Merged
tidy-dev merged 1 commit into main from tidy-dev/fix-js-yaml-dependabot-alert-18 on Jun 18, 2026

Conversation

@tidy-dev

Collaborator

Summary

Resolves Dependabot alert #18 (CVE-2026-53550, medium severity, CVSS 5.3).

Vulnerability

js-yaml ≤ 4.1.1 is susceptible to a quadratic-complexity DoS via repeated alias merge keys (<<: [*a, *a, ...]), which can block the Node.js event loop with relatively small payloads.

Fix

Added an npm override for js-yaml ^4.2.0, which includes the fix. The vulnerable js-yaml 3.14.2 was a transitive dev dependency pulled in via @istanbuljs/load-nyc-config (used by Jest/Istanbul for coverage). Since the latest version of that package still pins ^3.13.1, an override is the appropriate fix.

Testing

All 42 existing tests pass with the upgraded dependency.

Add npm override for js-yaml ^4.2.0 to resolve CVE-2026-53550, a
quadratic-complexity DoS vulnerability in merge key handling.
The vulnerable js-yaml <=4.1.1 was a transitive dev dependency via
@istanbuljs/load-nyc-config.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
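The Fix section above relies on the override propagating into the lockfile, which the PR only shows indirectly through the package-lock.json diff. The following is an added example, not code from this PR or the repository, of the check a maintainer could keep in CI to make that explicit: it walks the "packages" map of a lockfileVersion 2/3 package-lock.json and reports every copy of the overridden package, nested copies included, still resolved below the required version, and confirms package.json declares the override at all. The lockfile fragments, package.json objects and function names are the example's own constructions.

```javascript
// Added example (not code from the PR or the repository): verify that an npm
// "overrides" entry actually propagated into package-lock.json, i.e. that no
// copy of the overridden package below the required version survives anywhere
// in the installed tree. All lockfile data below is constructed for illustration.

// Compare two "major.minor.patch" strings numerically; prerelease tags are
// ignored. Returns -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Walk the "packages" map of a lockfileVersion 2/3 lockfile and return every
// install path of `name` resolved below `minVersion`. Keys are full install
// paths, so nested copies (node_modules/x/node_modules/<name>) are covered;
// that is exactly where a stale copy of a transitive dependency hides.
function findOutdatedCopies(lock, name, minVersion) {
  const suffix = 'node_modules/' + name;
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path !== suffix && !path.endsWith('/' + suffix)) continue;
    if (compareVersions(entry.version, minVersion) < 0) {
      hits.push({ path, version: entry.version, dev: Boolean(entry.dev) });
    }
  }
  return hits;
}

// Confirm package.json declares the override for `name` with the expected range.
function hasOverride(pkgJson, name, expectedRange) {
  return Boolean(pkgJson.overrides) && pkgJson.overrides[name] === expectedRange;
}

// Combined verdict: override declared AND no outdated copy left in the lockfile.
function overrideEffective(pkgJson, lock, name, expectedRange, minVersion) {
  return hasOverride(pkgJson, name, expectedRange) &&
    findOutdatedCopies(lock, name, minVersion).length === 0;
}

// Constructed "before" state: js-yaml 3.x present only as a dev dependency of
// the coverage tooling, together with the packages js-yaml 3.x brings along.
const lockBefore = {
  lockfileVersion: 3,
  packages: {
    'node_modules/@istanbuljs/load-nyc-config': { version: '1.1.0', dev: true },
    'node_modules/js-yaml': { version: '3.14.2', dev: true },
    'node_modules/argparse': { version: '1.0.10', dev: true },
    'node_modules/esprima': { version: '4.0.1', dev: true },
  },
};
const pkgJsonBefore = { name: 'example', overrides: { undici: '^6.24.1' } };

// Constructed "after" state: lockfile regenerated with the override in place.
const lockAfter = {
  lockfileVersion: 3,
  packages: {
    'node_modules/@istanbuljs/load-nyc-config': { version: '1.1.0', dev: true },
    'node_modules/js-yaml': { version: '4.2.0', dev: true },
    'node_modules/argparse': { version: '2.0.1', dev: true },
  },
};
const pkgJsonAfter = {
  name: 'example',
  overrides: { undici: '^6.24.1', 'js-yaml': '^4.2.0' },
};

function auditBefore() {
  return overrideEffective(pkgJsonBefore, lockBefore, 'js-yaml', '^4.2.0', '4.2.0');
}
function auditAfter() {
  return overrideEffective(pkgJsonAfter, lockAfter, 'js-yaml', '^4.2.0', '4.2.0');
}

console.log('before:', findOutdatedCopies(lockBefore, 'js-yaml', '4.2.0'), auditBefore());
console.log('after:', findOutdatedCopies(lockAfter, 'js-yaml', '4.2.0'), auditAfter());
```

In a real repository the two objects would be read with `JSON.parse` from package.json and package-lock.json; the check is deliberately independent of `npm ls` so it can run on the committed lockfile alone, before any install.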
Copilot AI review requested due to automatic review settings June 18, 2026 11:19
@tidy-dev tidy-dev requested a review from a team as a code owner June 18, 2026 11:19
GitHub Advanced Security started work on behalf of tidy-dev June 18, 2026 11:19
GitHub Advanced Security finished work on behalf of tidy-dev June 18, 2026 11:20

Copilot AI left a comment


Pull request overview

Updates the repo’s Node.js dependency resolution to address Dependabot alert #18 by forcing a patched js-yaml version via npm overrides, and updates the lockfile accordingly.

Changes:

  • Add an npm overrides entry to force js-yaml to ^4.2.0.
  • Update package-lock.json to reflect js-yaml@4.2.0 and its new transitive dependency graph (e.g., argparse@2.0.1, removal of esprima/sprintf-js).
Summary per file:

  • package.json: Adds an override to force js-yaml@^4.2.0 for the security fix.
  • package-lock.json: Locks js-yaml@4.2.0 and updates transitive dependencies impacted by the override.

Copilot's findings


  • Files reviewed: 1/2 changed files
  • Comments generated: 1

Comment thread package.json
Comment on lines 29 to 33
"overrides": {
"undici": "^6.24.1",
"handlebars": "^4.7.9"
"handlebars": "^4.7.9",
"js-yaml": "^4.2.0"
},
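Review bot: this override moves a transitive dependency across a major version boundary (js-yaml 3.14.2 to 4.2.0) while its only named consumer, @istanbuljs/load-nyc-config, still declares ^3.13.1, so the 42 passing tests only prove compatibility if they exercised the coverage path where that package reads a YAML config; suggest one explicit `npx jest --coverage` run before relying on the override, and confirming with `npm ls js-yaml` that the regenerated lockfile carries no remaining 3.x copy. The trailing-comma change on the `"handlebars": "^4.7.9"` line is just the JSON needed to append the new entry and is fine.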
@tidy-dev tidy-dev merged commit 9eea0a5 into main Jun 18, 2026
5 checks passed
@tidy-dev tidy-dev deleted the tidy-dev/fix-js-yaml-dependabot-alert-18 branch June 18, 2026 11:32
3 participants