Skip to content

Bump js-yaml and react-scripts#12

Open
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/npm_and_yarn/multi-f2b0864048
Open

Bump js-yaml and react-scripts#12
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/npm_and_yarn/multi-f2b0864048

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 6, 2026

Copy link
Copy Markdown

Bumps js-yaml to 3.15.0 and updates ancestor dependency react-scripts. These dependencies need to be updated together.

Updates js-yaml from 3.10.0 to 3.15.0

Changelog

Sourced from js-yaml's changelog.

4.3.0, 3.15.0 - 2026-06-27

Security

  • Backported maxTotalMergeKeys option.

[5.2.0] - 2026-06-26

Added

  • Added maxTotalMergeKeys (10000) loader option to limit the total number of keys processed by YAML merge (<<) across one load() / loadAll() call.
  • Added maxAliases (-1) loader option to limit the number of YAML aliases per document.

Removed

  • maxMergeSeqLength replaced with maxTotalMergeKeys for limiting YAML merge processing.

Fixed

  • Round-trip of integers with exponential form (>= 1e21)

[5.1.0] - 2026-06-23

Added

  • Collection tags can finalize an incrementally populated carrier into a different result value.

Changed

  • [breaking] quoteStyle now selects the preferred quote style; use the restored forceQuotes option to force quoting non-key strings.

[5.0.0] - 2026-06-20

Added

  • Added named exports for schemas, tags, parser events and AST utilities.
  • Reworked JSON_SCHEMA and CORE_SCHEMA with spec-compliant scalar resolution rules, and added YAML11_SCHEMA.
  • Added realMapTag for lossless mappings with non-string and complex keys. Object-based mappings now reject complex keys instead of stringifying them.
  • Added dump() transform option for changing the generated AST before rendering.
  • Added dump() options seqInlineFirst, flowBracketPadding, flowSkipCommaSpace, flowSkipColonSpace, quoteFlowKeys, quoteStyle and tagBeforeAnchor.
  • Added formal data layers (events and AST) for modular data pipelines.
    • Added low-level parser (to events), presenter and visitor APIs.
  • Added the YAML Test Suite to the test set.

Changed

  • See the migration guide for upgrade notes.
  • Rewritten in TypeScript and reorganized the public API around flat named exports.

... (truncated)

Commits

Updates react-scripts from 1.0.13 to 5.0.1

Release notes

Sourced from react-scripts's releases.

v1.0.14

1.0.14 (September 26, 2017)

🐛 Bug Fix

  • react-dev-utils

    • #3098 Always reload the page on next compile after a runtime error. (@​Timer)
  • react-error-overlay

💅 Enhancement

  • react-dev-utils

📝 Documentation

🏠 Internal

... (truncated)

Changelog

Sourced from react-scripts's changelog.

2.0.3 and Newer Versions

Please refer to CHANGELOG-2.x.md for the 2.x range, and https://github.com/react/create-react-app/blob/main/CHANGELOG.md for the newer versions.

1.1.5 (August 24, 2018)

  • react-scripts

    • Update the webpack-dev-server dependency
  • react-dev-utils

    • #4866 Fix a Windows-only vulnerability (CVE-2018-6342) in the development server (@​acdlite)
    • Update the sockjs-client dependency

Committers: 1

Migrating from 1.1.4 to 1.1.5

Inside any created project that has not been ejected, run:

npm install --save --save-exact react-scripts@1.1.5

or

yarn add --exact react-scripts@1.1.5

1.1.4 (April 3, 2018)

🐛 Bug Fix

Committers: 1

Migrating from 1.1.3 to 1.1.4

Inside any created project that has not been ejected, run:

</tr></table> 

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by iansu, a new releaser for react-scripts since your current version.


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps [js-yaml](https://github.com/nodeca/js-yaml) to 3.15.0 and updates ancestor dependency [react-scripts](https://github.com/facebook/create-react-app/tree/HEAD/packages/react-scripts). These dependencies need to be updated together.


Updates `js-yaml` from 3.10.0 to 3.15.0
- [Changelog](https://github.com/nodeca/js-yaml/blob/master/CHANGELOG.md)
- [Commits](nodeca/js-yaml@3.10.0...3.15.0)

Updates `react-scripts` from 1.0.13 to 5.0.1
- [Release notes](https://github.com/facebook/create-react-app/releases)
- [Changelog](https://github.com/react/create-react-app/blob/main/CHANGELOG-1.x.md)
- [Commits](https://github.com/facebook/create-react-app/commits/react-scripts@5.0.1/packages/react-scripts)

---
updated-dependencies:
- dependency-name: js-yaml
  dependency-version: 3.15.0
  dependency-type: indirect
- dependency-name: react-scripts
  dependency-version: 5.0.1
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jul 6, 2026
Comment thread yarn.lock
range-parser "^1.2.1"
schema-utils "^4.0.0"

webpack-dev-server@^4.6.0:

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Medium severity vulnerability may affect your project—review required:
Line 8512 lists a dependency (webpack-dev-server) with a known Medium severity vulnerability.

ℹ️ Why this matters

Affected versions of webpack-dev-server are vulnerable to Exposed Dangerous Method or Function. webpack-dev-server serves bundled assets without rejecting cross-origin classic script requests. Because such <script src> requests bypass the same-origin policy, a malicious website visited by a developer running the dev server can load the application bundle cross-origin and, via prototype pollution of the webpack runtime, extract the application source code.

References: GHSA, CVE

To resolve this comment:
Check if you are using webpack dev server CLI setup.

  • If you're affected, upgrade this dependency to at least version 5.2.1 at yarn.lock.
  • If you're not affected, comment /fp we don't use this [condition]
💬 Ignore this finding

To ignore this, reply with:

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

You can view more details on this finding in the Semgrep AppSec Platform here.

Comment thread yarn.lock
range-parser "^1.2.1"
schema-utils "^4.0.0"

webpack-dev-server@^4.6.0:

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Medium severity vulnerability may affect your project—review required:
Line 8512 lists a dependency (webpack-dev-server) with a known Medium severity vulnerability.

ℹ️ Why this matters

Affected versions of webpack-dev-server are vulnerable to Origin Validation Error. webpack-dev-server improperly validates the WebSocket connection Origin header, unconditionally accepting any IP-address-based Origin. A malicious website can perform a cross-site WebSocket hijack against a running dev server and exfiltrate the developer source code carried in Hot Module Reloading (HMR) messages. The insecure origin check is the package default and is reached on every WebSocket connection, so any project running an affected version is vulnerable.

References: GHSA, CVE

To resolve this comment:
Check if you are using webpack dev server CLI setup and access untrusted web site with non-Chromium based browser.

  • If you're affected, upgrade this dependency to at least version 5.2.1 at yarn.lock.
  • If you're not affected, comment /fp we don't use this [condition]
💬 Ignore this finding

To ignore this, reply with:

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

You can view more details on this finding in the Semgrep AppSec Platform here.

@semgrep-code-auth0-samples

Copy link
Copy Markdown

Semgrep found 1 ssc-918a81a4-b70b-4c7a-8ce1-f999ac30e3dc finding:

Risk: Affected versions of bootstrap and bootstrap-sass are vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). Bootstrap's affix plugin passes its target option straight into the jQuery $() constructor, so a target/data-target value containing HTML is parsed as markup and can execute arbitrary JavaScript (DOM-based XSS).

Manual Review Advice: A vulnerability from this advisory is reachable if you are calling affix plugin via JavaScript

Fix: Upgrade this library to at least version 3.4.0 at react-redux-embedded-login/package-lock.json:5367.

Reference(s): GHSA-ph58-4vrj-w6hr, CVE-2018-20677

Semgrep found 1 ssc-484bb776-a960-4899-8ddd-675885fe6a95 finding:

Risk: Affected versions of webpack-dev-server are vulnerable to Exposed Dangerous Method or Function. webpack-dev-server serves bundled assets without rejecting cross-origin classic script requests. Because such <script src> requests bypass the same-origin policy, a malicious website visited by a developer running the dev server can load the application bundle cross-origin and, via prototype pollution of the webpack runtime, extract the application source code.

Manual Review Advice: A vulnerability from this advisory is reachable if you are using webpack dev server CLI setup

Fix: Upgrade this library to at least version 5.2.1 at react-redux-embedded-login/package-lock.json:17348.

Reference(s): GHSA-4v9v-hfq4-rm2v, CVE-2025-30359

Semgrep found 1 ssc-013ecbde-4597-4af3-bcc3-06920828d5cc finding:

Risk: Affected versions of webpack-dev-server are vulnerable to Origin Validation Error. webpack-dev-server improperly validates the WebSocket connection Origin header, unconditionally accepting any IP-address-based Origin. A malicious website can perform a cross-site WebSocket hijack against a running dev server and exfiltrate the developer source code carried in Hot Module Reloading (HMR) messages. The insecure origin check is the package default and is reached on every WebSocket connection, so any project running an affected version is vulnerable.

Manual Review Advice: A vulnerability from this advisory is reachable if you are using webpack dev server CLI setup and access untrusted web site with non-Chromium based browser

Fix: Upgrade this library to at least version 5.2.1 at react-redux-embedded-login/package-lock.json:17348.

Reference(s): GHSA-9jgg-88mc-972h, CVE-2025-30360

Semgrep found 1 ssc-9f75fd94-e484-4842-ba51-a6da2e792bae finding:

Risk: Affected versions of bootstrap are vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). Bootstrap's collapse plugin passes the data-parent HTML attribute value to jQuery's $() constructor without sanitization, allowing an attacker who can influence that attribute to inject and execute arbitrary JavaScript in a victim's browser (XSS).

Fix: Upgrade this library to at least version 3.4.0 at react-redux-embedded-login/package-lock.json:5367.

Reference(s): GHSA-3wqf-4x89-9g79, CVE-2018-14040

Semgrep found 1 ssc-11b5542a-cf1c-4aac-809a-ed44a7e0a895 finding:

Risk: Affected versions of bootstrap and bootstrap-sass are vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting'). Bootstrap's JavaScript plugins (Alert, Carousel, Collapse, Dropdown, Modal, Tab) pass the data-target attribute value directly to jQuery's $() constructor without sanitization. Because jQuery parses HTML strings as live DOM nodes, an attacker who can control a data-target (or href) attribute on a Bootstrap trigger element can inject arbitrary HTML and execute JavaScript in the victim's browser, leading to session hijacking or sensitive data exposure.

Fix: Upgrade this library to at least version 3.4.0 at react-redux-embedded-login/package-lock.json:5367.

Reference(s): GHSA-4p24-vmcr-4gqj, CVE-2016-10735

Semgrep found 1 ssc-4759c514-b537-20ef-d52f-ebb0a5c388fa finding:

Risk: Affected versions of axios are vulnerable to Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') / Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') / Server-Side Request Forgery (SSRF). Axios can be used as a gadget for header injection: if another dependency enables prototype pollution, polluted properties can be merged into Axios request headers and written without CRLF sanitization, allowing request smuggling/SSRF that can reach internal services such as AWS IMDSv2 and potentially lead to credential theft or broader compromise.

Fix: Upgrade this library to at least version 0.31.0 at react-redux-embedded-login/package-lock.json:4952.

Reference(s): GHSA-fvcv-3m26-pcqx, CVE-2026-40175

Semgrep found 1 ssc-5ea2c631-7cef-a4e0-e641-d179af079827 finding:

Risk: Affected versions of axios are vulnerable to Server-Side Request Forgery (SSRF) / Unintended Proxy or Intermediary ('Confused Deputy'). Axios does not normalize hostnames before applying NO_PROXY, so requests to loopback or internal hosts such as localhost. or [::1] can be sent through a configured proxy instead of bypassing it. If an attacker can influence request URLs, they may force local/internal Axios traffic through an attacker-controlled proxy, undermining SSRF protections and exposing sensitive responses.

Manual Review Advice: A vulnerability from this advisory is reachable if you have NO_PROXY configured in your environment

Fix: Upgrade this library to at least version 0.31.0 at react-redux-embedded-login/package-lock.json:4952.

Reference(s): GHSA-3p68-rc4w-qgx5, CVE-2025-62718

Semgrep found 1 ssc-b1111744-f54b-4966-b3a9-9dfcb0019bac finding:

Risk: Affected versions of axios are vulnerable to Inefficient Regular Expression Complexity / Uncontrolled Resource Consumption. axios is vulnerable to a regular expression denial of service (ReDoS). The internal cookies.read() helper in lib/helpers/cookies.js builds a regular expression by concatenating the cookie name directly into the pattern without escaping regex metacharacters. When the cookie name flowing into the XSRF cookie read (e.g. via xsrfCookieName) contains a catastrophic-backtracking payload, evaluating the regex against document.cookie can freeze the JavaScript event loop, causing a denial of service in the browser tab or in Node.js/SSR applications. The affected code path is reached during ordinary axios request processing, so any importer of an affected version is exposed. Upgrade to a patched version (0.32.0 or 1.16.0), or set xsrfCookieName: null to disable XSRF cookie reading.

Manual Review Advice: A vulnerability from this advisory is reachable if you are using axios in browser with untrusted xsrfCookieName value

Fix: Upgrade this library to at least version 0.32.0 at react-redux-embedded-login/package-lock.json:4952.

Reference(s): GHSA-hfxv-24rg-xrqf

Semgrep found 1 ssc-ae0261cf-6ee1-4026-8199-9d51d98e7718 finding:

Risk: Affected versions of ua-parser-js are vulnerable to Uncontrolled Resource Consumption. UAParser.js uses a vulnerable regular expression to parse User-Agent headers. A malicious header can trigger catastrophic backtracking in the regex, resulting in prolonged processing times and potential denial of service.

Manual Review Advice: A vulnerability from this advisory is reachable if you are using ua-parser-js via npx cli

Fix: Upgrade this library to at least version 0.7.24 at react-redux-embedded-login/package-lock.json:16942.

Reference(s): GHSA-78cj-fxph-m83p, CVE-2021-27292

Semgrep found 1 ssc-00f64d4f-00eb-4fb4-845e-f30d8f6ed59e finding:

Risk: Affected versions of ua-parser-js are vulnerable to Uncontrolled Resource Consumption. A specially crafted user agent string can trigger catastrophic backtracking in the regex designed for Redmi Phones and Mi Pad Tablets. This may result in a Regular Expression Denial of Service, causing resource exhaustion when ua-parser-js attempts to parse the malicious input.

Manual Review Advice: A vulnerability from this advisory is reachable if you are using ua-parser-js via npx cli

Fix: Upgrade this library to at least version 0.7.22 at react-redux-embedded-login/package-lock.json:16942.

Reference(s): GHSA-662x-fhqg-9p8v, CVE-2020-7733

Semgrep found 1 ssc-dbb9eafa-1a18-4071-96d8-a06789849c96 finding:

Risk: Affected versions of ua-parser-js are vulnerable to Uncontrolled Resource Consumption. UAParser.js is vulnerable to Regular Expression Denial of Service (ReDoS) attacks. Maliciously crafted user agent strings can trigger inefficient regex patterns, leading to excessive backtracking and high CPU consumption, which may ultimately cause service degradation or a denial of service.

Manual Review Advice: A vulnerability from this advisory is reachable if you are using ua-parser-js via npx cli

Fix: Upgrade this library to at least version 0.7.23 at react-redux-embedded-login/package-lock.json:16942.

Reference(s): GHSA-394c-5j6w-4xmx, CVE-2020-7793

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants