
chore(deps): bump js-yaml to 4.2.0 and nodemailer to 8.0.9#5067

Merged: waleedlatif1 merged 1 commit into staging from deps/bump-js-yaml-nodemailer on Jun 15, 2026

Conversation

@waleedlatif1

Collaborator

Summary

  • Bump js-yaml 4.1.1 → 4.2.0 in apps/sim
  • Bump nodemailer 8.0.7 → 8.0.9 in apps/sim
  • Regenerated bun.lock; both resolve cleanly at the top level (unrelated transitive pins of js-yaml/nodemailer in other packages are untouched)

Backwards compatibility

  • nodemailer 8.0.9 — patch-level security/bug fixes only (strict TLS for OAuth2/Ethereal, SMTP stream-leak fixes, jsonTransport access-bypass + List-* CRLF-injection advisories). No API changes. Our usage is the standard createTransport/sendMail surface (SMTP, SES, SMTP send route).
  • js-yaml 4.2.0 — load() API unchanged. Two edge-case behavioral changes, both safety hardening: new default maxDepth (100) / maxMergeSeqLength (20) loader limits, and underscored numbers (1_000) now parse as strings. Both load() callsites (yaml-parser.ts, json-yaml-chunker.ts) wrap parsing in try/catch and surface errors gracefully.
  • @types/js-yaml and @types/nodemailer unchanged; typecheck clean on all affected files.

Type of Change

  • Chore / dependency bump

Testing

  • bun install resolves cleanly
  • tsc --noEmit shows no errors in affected files

Checklist

  • Code follows project style guidelines
  • Self-reviewed my changes
  • Tests added/updated and passing
  • No new warnings introduced
  • I confirm that I have read and agree to the terms outlined in the Contributor License Agreement (CLA)

@vercel

vercel Bot commented Jun 15, 2026


The latest updates on your projects. Learn more about Vercel for GitHub.

Project: docs
Deployment: Ready
Actions: Preview, Comment
Updated (UTC): Jun 15, 2026 8:10pm

@cursor

cursor Bot commented Jun 15, 2026


PR Summary

Low Risk
Dependency-only bump with patch/minor security hardening; email and YAML call sites are unchanged, though js-yaml’s new parsing limits could affect edge-case YAML inputs.

Overview
Bumps direct dependencies in apps/sim: js-yaml 4.1.1 → 4.2.0 and nodemailer 8.0.7 → 8.0.9, with bun.lock updated so the app resolves those versions at the top level.

There are no application code changes—only manifest and lockfile. js-yaml still backs YAML parsing in file/chunker paths; nodemailer still powers SMTP tooling and mail providers (SMTP/SES). Transitive packages may keep older pinned js-yaml entries in the lockfile.

nodemailer is a patch bump (security/bug fixes on the existing transport/sendMail API). js-yaml adds loader safety defaults (maxDepth, maxMergeSeqLength) and treats underscored numeric literals as strings—worth a quick sanity check on unusually deep or oddly formatted YAML inputs.

Reviewed by Cursor Bugbot for commit 64dedef.

@greptile-apps

greptile-apps Bot commented Jun 15, 2026

Contributor

Greptile Summary

Routine dependency maintenance bumping js-yaml from 4.1.1 to 4.2.0 and nodemailer from 8.0.7 to 8.0.9 in apps/sim, with the lock file correctly pinning the old js-yaml@4.1.1 for the handful of transitive consumers that still require it.

  • nodemailer 8.0.9 is a pure security/bug-fix patch (strict TLS, SMTP stream-leak, CRLF-injection fixes) with no API changes to the createTransport/sendMail surface used in this app.
  • js-yaml 4.2.0 introduces two safety-hardening behavioral changes: a new default maxDepth: 100 / maxMergeSeqLength: 20 (guarded by existing try/catch at both callsites) and a silent type change where underscored numeric literals like 1_000 now parse as strings instead of numbers — the latter is not surfaced by error handling and could silently affect downstream consumers of parsed YAML data.

Confidence Score: 4/5

Safe to merge; changes are limited to two well-understood dependency bumps with no API surface changes.

The nodemailer bump is straightforward. The js-yaml bump introduces a silent type change for underscored numeric literals that is not caught by the existing error-handling, so any YAML files in user data that rely on that syntax would silently change behavior without a visible failure.

The two js-yaml callsites — apps/sim/lib/file-parsers/yaml-parser.ts and apps/sim/lib/chunkers/json-yaml-chunker.ts — are worth verifying against representative YAML fixtures to confirm no user data uses underscore-separated numbers.

Important Files Changed

  • apps/sim/package.json: Bumps js-yaml 4.1.1→4.2.0 and nodemailer 8.0.7→8.0.9; both are well-scoped upgrades with no API surface changes.
  • bun.lock: Lock file correctly promotes js-yaml and nodemailer at the top level while adding explicit js-yaml@4.1.1 overrides for the packages that still require the older version (@apidevtools/json-schema-ref-parser, fumadocs-core, fumadocs-mdx, fumadocs-openapi, json-schema-to-typescript).

Sequence Diagram

sequenceDiagram
    participant Caller
    participant yaml_parser as yaml-parser.ts
    participant chunker as json-yaml-chunker.ts
    participant jsyaml as js-yaml@4.2.0

    Caller->>yaml_parser: parseYAML(filePath)
    yaml_parser->>jsyaml: yaml.load(content)
    Note over jsyaml: New: maxDepth=100, maxMergeSeqLength=20<br/>New: underscored numbers → string (silent)
    jsyaml-->>yaml_parser: parsed object (or throws YAMLException)
    alt Parse succeeds
        yaml_parser-->>Caller: FileParseResult (JSON string)
    else Parse throws (depth/merge limits)
        yaml_parser-->>Caller: throws "Invalid YAML: ..."
    end

    Caller->>chunker: JsonYamlChunker.chunk(content)
    chunker->>jsyaml: yaml.load(content)
    jsyaml-->>chunker: parsed object (or throws)
    alt Parse succeeds
        chunker-->>Caller: Chunk[]
    else Parse throws
        chunker-->>Caller: falls back to chunkAsText()
    end

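Both bot reviews above recommend checking representative YAML fixtures for the two js-yaml 4.2.0 changes (underscored numerals loading as strings, and the new maxDepth / maxMergeSeqLength limits). The following is an added example of such a fixture check; it is not code from this PR or from the sim code base. All function names, the regexes and the sample YAML are constructed here, the limits are the defaults the PR cites, and the depth count is an approximation rather than a reproduction of js-yaml's internal counting. It deliberately does not import js-yaml, so it runs offline over raw text and over an already-parsed value.

```javascript
// Added example (not from the PR or the sim project): pre-flight checks for
// the js-yaml 4.2.0 behaviour changes discussed in this PR. Run it over the
// YAML fixtures a callsite is expected to handle before the bump ships.

// A plain (unquoted) scalar that looks like 1_000, either as a mapping value
// ("key: 1_000") or a sequence item ("- 1_000"). Under js-yaml 4.2.0 such a
// literal loads as the string "1_000" rather than the number 1000, and no
// exception is raised, so a try/catch around load() will not notice it.
const UNDERSCORED_NUMBER =
  /^(?:\s*-\s+|\s*[^#\s][^:#]*:\s+)([+-]?\d[\d_]*_[\d_]*)\s*(?:#.*)?$/;

// A merge key followed by a flow sequence of aliases: "<<: [*a, *b, ...]".
const MERGE_SEQUENCE = /^\s*(?:-\s+)?<<:\s*\[([^\]]*)\]/;

const DEFAULT_MAX_DEPTH = 100;            // js-yaml 4.2.0 default, as cited in the PR
const DEFAULT_MAX_MERGE_SEQ_LENGTH = 20;  // js-yaml 4.2.0 default, as cited in the PR

// Returns [{ line, literal }] for every underscored numeric literal found.
function findUnderscoredNumbers(yamlText) {
  const hits = [];
  yamlText.split(/\r?\n/).forEach((line, index) => {
    const match = UNDERSCORED_NUMBER.exec(line);
    if (match) hits.push({ line: index + 1, literal: match[1] });
  });
  return hits;
}

// Returns [{ line, entries }] for merge sequences with more than `limit` aliases.
function findLongMergeSequences(yamlText, limit = DEFAULT_MAX_MERGE_SEQ_LENGTH) {
  const hits = [];
  yamlText.split(/\r?\n/).forEach((line, index) => {
    const match = MERGE_SEQUENCE.exec(line);
    if (!match) return;
    const entries = match[1].split(',').filter((s) => s.trim() !== '').length;
    if (entries > limit) hits.push({ line: index + 1, entries });
  });
  return hits;
}

// Nesting depth of a parsed document: scalars are 0, an empty map or array is 1,
// {a: {b: 1}} is 2. Arrays and objects each count as one level. This is an
// estimate; js-yaml's own depth accounting is not reproduced here.
function nestingDepth(value) {
  if (value === null || typeof value !== 'object') return 0;
  let deepest = 0;
  for (const child of Object.values(value)) {
    deepest = Math.max(deepest, nestingDepth(child));
  }
  return deepest + 1;
}

// One call per fixture file. `parsed` is optional: pass the object obtained from
// yaml.load() under the old version to also flag documents that would now
// exceed maxDepth. Returns a list of human-readable warnings (empty if clean).
function preflight(yamlText, parsed, limits = {}) {
  const maxDepth = limits.maxDepth !== undefined ? limits.maxDepth : DEFAULT_MAX_DEPTH;
  const maxMergeSeqLength = limits.maxMergeSeqLength !== undefined
    ? limits.maxMergeSeqLength
    : DEFAULT_MAX_MERGE_SEQ_LENGTH;
  const warnings = [];
  for (const hit of findUnderscoredNumbers(yamlText)) {
    warnings.push(`line ${hit.line}: "${hit.literal}" now loads as a string, not a number`);
  }
  for (const hit of findLongMergeSequences(yamlText, maxMergeSeqLength)) {
    warnings.push(`line ${hit.line}: merge sequence has ${hit.entries} entries (limit ${maxMergeSeqLength}); load() will throw`);
  }
  if (parsed !== undefined) {
    const depth = nestingDepth(parsed);
    if (depth > maxDepth) {
      warnings.push(`document nesting depth ${depth} exceeds maxDepth ${maxDepth}; load() will throw`);
    }
  }
  return warnings;
}

// Constructed fixture (not project data): two underscored literals, one merge
// sequence of 21 aliases, and one harmless key that merely contains an underscore.
const SAMPLE_YAML = [
  'name: demo',
  'replicas: 1_000',
  'timeout_ms: 5000',
  'ports:',
  '  - 80',
  '  - 10_000',
  'base: &base',
  '  level: 1',
  'merged:',
  '  <<: [' + Array(21).fill('*base').join(', ') + ']',
].join('\n');

// Constructed stand-in for a parsed document nested `levels` deep.
function deeplyNested(levels) {
  let value = 1;
  for (let i = 0; i < levels; i += 1) value = { child: value };
  return value;
}

for (const warning of preflight(SAMPLE_YAML, deeplyNested(101))) console.log(warning);
```

The text scans are deliberately line-based and conservative: quoted scalars are skipped because they already load as strings, and anything flagged is a candidate for manual review rather than a confirmed change. The depth check is the one that needs the pre-bump parsed object, since the raw text alone does not say how js-yaml will nest it.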

@waleedlatif1 waleedlatif1 merged commit 318cb5e into staging Jun 15, 2026
15 checks passed
@waleedlatif1 waleedlatif1 deleted the deps/bump-js-yaml-nodemailer branch June 15, 2026 20:13