From 520a13aa59f9878948f440d9ffb52e070b6727a2 Mon Sep 17 00:00:00 2001
From: Mykhailo Chalyi
Date: Wed, 24 Jun 2026 09:22:33 +0000
Subject: [PATCH] fix(js): bump js-yaml to >=4.2.0 to resolve GHSA-h67p-54hq-rp68
Dependabot alert #53 (medium): js-yaml <= 4.1.1 has a quadratic-complexity DoS in YAML merge-key handling via repeated aliases. The only consumer in the JS package tree was supertap@3.0.1 (transitive via ava), which pulled js-yaml 3.14.2. Force js-yaml >=4.2.0 via a pnpm override. supertap@3.0.1 still calls the v3-only `yaml.safeDump`, removed in v4, so it is patched (via pnpm patchedDependencies) to use `yaml.dump`, which is safe by default in v4 and has the same signature for this usage. Verified supertap's TAP error-diagnostic path still emits a valid YAML block under js-yaml 4.2.0, and `pnpm install --frozen-lockfile` is consistent.
---
 crates/bashkit-js/package.json | 8 +++-
 .../bashkit-js/patches/supertap@3.0.1.patch | 13 ++++++
 crates/bashkit-js/pnpm-lock.yaml | 40 +++++--------------
 3 files changed, 28 insertions(+), 33 deletions(-)
 create mode 100644 crates/bashkit-js/patches/supertap@3.0.1.patch
diff --git a/crates/bashkit-js/package.json b/crates/bashkit-js/package.json
index 50e7fbf6e..18ae736ed 100644
--- a/crates/bashkit-js/package.json
+++ b/crates/bashkit-js/package.json
@@ -118,11 +118,15 @@
 },
 "pnpm": {
 "overrides": {
- "esbuild": ">=0.28.1"
+ "esbuild": ">=0.28.1",
+ "js-yaml": ">=4.2.0"
 },
 "onlyBuiltDependencies": [
 "esbuild"
- ]
+ ],
+ "patchedDependencies": {
+ "supertap@3.0.1": "patches/supertap@3.0.1.patch"
+ }
 },
 "ava": {
 "files": [
diff --git a/crates/bashkit-js/patches/supertap@3.0.1.patch b/crates/bashkit-js/patches/supertap@3.0.1.patch
new file mode 100644
index 000000000..33a19f87a
--- /dev/null
+++ b/crates/bashkit-js/patches/supertap@3.0.1.patch
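Review bot: The `js-yaml` override in the `overrides` block is open-ended (`">=4.2.0"`) while the patch that keeps the tree working is keyed to exactly `supertap@3.0.1`, so the two halves of this fix can drift apart: a future `js-yaml` major could change the `dump` API, and an `ava` update that bumps `supertap` would drop the patch and reintroduce the `yaml.safeDump` call, which fails only on the TAP error-diagnostic path, i.e. the first time a test actually fails. Consider bounding the override, `"js-yaml": ">=4.2.0 <5"`, and adding an automated check for the patched path (a smoke test that calls supertap's exported `test` with an `Error` in its options and asserts the ` ---`/` ...` YAML block is emitted), since the commit message records only a manual verification. Whether `pnpm install --frozen-lockfile` fails when a `patchedDependencies` key no longer matches any installed version depends on the pnpm version and its unused-patch handling, so that should be confirmed rather than assumed. From the description the vulnerable code is the loader's merge-key handling, and the only consumer here calls `dump`, so the override resolves the alert by version rather than by changing a reachable parse path; that is worth stating in the PR for the next person triaging an alert on this package. The same coupling is visible in the lockfile's new `patchedDependencies` block and the `supertap@3.0.1(patch_hash=…)` snapshot entries further down.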
@@ -0,0 +1,13 @@
+diff --git a/dist/index.js b/dist/index.js
+index ab236cc5173801c1efc330642ec112339786b779..aaa1355319147bba2f33049185c41967b074fa9e 100644
+--- a/dist/index.js
++++ b/dist/index.js
+@@ -43,7 +43,7 @@ export const test = (title, options) => {
+ ];
+ if (error) {
+ const object = error instanceof Error ? serializeErrorForTap(error) : error;
+- output.push([' ---', indentString(yaml.safeDump(object).trim(), 4), ' ...'].join('\n'));
++ output.push([' ---', indentString(yaml.dump(object).trim(), 4), ' ...'].join('\n'));
+ }
+ return output.filter(Boolean).join('\n');
+ };
diff --git a/crates/bashkit-js/pnpm-lock.yaml b/crates/bashkit-js/pnpm-lock.yaml
index a3ce834a0..56a40939c 100644
--- a/crates/bashkit-js/pnpm-lock.yaml
+++ b/crates/bashkit-js/pnpm-lock.yaml
@@ -6,6 +6,12 @@ settings:
 overrides:
 esbuild: '>=0.28.1'
+ js-yaml: '>=4.2.0'
+
+patchedDependencies:
+ supertap@3.0.1:
+ hash: fb62acff1ae3d1587268fef569b79684229eeb16c6a833a14b115a253cc00112
+ path: patches/supertap@3.0.1.patch
 importers:
@@ -897,9 +903,6 @@ packages:
 resolution: {integrity: sha512-4Dj6M28JB+oAH8kFkTLUo+a2jwOFkuqb3yucU0CANcRRUbxS0cP0nZYCGjcc3BNXwRIsUVmDGgzawme7zvJHvg==}
 engines: {node: '>=12'}
- argparse@1.0.10:
- resolution: {integrity: sha512-o5Roy6tNG4SL/FOkCAN6RzjiakZS25RLYFrcMttJqbdd8BWrnA+fGz57iN5Pb06pvBGvl5gQ0B48dJlslXvoTg==}
-
 argparse@2.0.1:
 resolution: {integrity: sha512-8+9WqebbFzpX9OR+Wa6O29asIogeRMzcGtAINdpMHHyAg10f05aSFVBbcEqGf/PXw1EjAZ+q2/bEBg3DvurK3Q==}
@@ -1098,11 +1101,6 @@ packages:
 resolution: {integrity: sha512-/veY75JbMK4j1yjvuUxuVsiS/hr/4iHs9FTT6cgTexxdE0Ly/glccBAkloH/DofkjRbZU3bnoj38mOmhkZ0lHw==}
 engines: {node: '>=12'}
- esprima@4.0.1:
- resolution: {integrity: sha512-eGuFFw7Upda+g4p+QHvnW0RyTX/SVeJBDM/gCtMARO0cLuT2HcEKnTPvhjV6aGeqrCB/sbNop0Kszm0jsaWU4A==}
- engines: {node: '>=4'}
- hasBin: true
-
 estree-walker@2.0.2:
 resolution: {integrity: sha512-Rfkk/Mp/DL7JVje3u18FxFujQlTNR2q6QfMSMB7AvCBx91NGj/ba3kCfza0f6dVDbw7YlRf/nDrn7pQrCCyQ/w==}
@@ -1255,10 +1253,6 @@ packages:
 js-tiktoken@1.0.21:
 resolution: {integrity: sha512-biOj/6M5qdgx5TKjDnFT1ymSpM5tbd3ylwDtrQvFQSu0Z7bBYko2dF+W/aUkXUPuk6IVpRxk/3Q2sHOzGlS36g==}
- js-yaml@3.14.2:
- resolution: {integrity: sha512-PMSmkqxr106Xa156c2M265Z+FTrPl+oxd/rgOQy2tijQeK5TxQ43psO1ZCwhVOSdnn+RzkzlRz/eY4BgJBYVpg==}
- hasBin: true
-
 js-yaml@4.2.0:
 resolution: {integrity: sha512-ePWsvanv0DWuDRsW8dnt+R4jQ31SCRCQ7hhNcPXZPsoBZiemuZNYGf7adZdqX2D86j6rvKp3RpCxVTSb8WQlOw==}
 hasBin: true
@@ -1487,9 +1481,6 @@ packages:
 resolution: {integrity: sha512-FC+lgizVPfie0kkhqUScwRu1O/lF6NOgJmlCgK+/LYxDCTk8sGelYaHDhFcDN+Sn3Cv+3VSa4Byeo+IMCzpMgQ==}
 engines: {node: '>=12'}
- sprintf-js@1.0.3:
- resolution: {integrity: sha512-D9cPgkvLlV3t3IzL0D0YLvGA9Ahk4PcvVwUbN0dSGr1aP0Nrt4AEnTUbuGvquEC0mA64Gqt1fzirlRs5ibXx8g==}
-
 stack-utils@2.0.6:
 resolution: {integrity: sha512-XlkWvfIm6RmsWtNJx+uqtKLS8eqFbxUg0ZzLXqY0caEy9l7hruX8IpiDnjsLavoBgqCCR71TqWO8MaXYheJ3RQ==}
 engines: {node: '>=10'}
@@ -2305,10 +2296,6 @@ snapshots:
 ansi-styles@6.2.3: {}
- argparse@1.0.10:
- dependencies:
- sprintf-js: 1.0.3
-
 argparse@2.0.1: {}
 array-find-index@1.0.2: {}
@@ -2357,7 +2344,7 @@ snapshots:
 resolve-cwd: 3.0.0
 stack-utils: 2.0.6
 strip-ansi: 7.2.0
- supertap: 3.0.1
+ supertap: 3.0.1(patch_hash=fb62acff1ae3d1587268fef569b79684229eeb16c6a833a14b115a253cc00112)
 temp-dir: 3.0.0
 write-file-atomic: 6.0.0
 yargs: 17.7.2
@@ -2521,8 +2508,6 @@ snapshots:
 escape-string-regexp@5.0.0: {}
- esprima@4.0.1: {}
-
 estree-walker@2.0.2: {}
 esutils@2.0.3: {}
@@ -2656,11 +2641,6 @@ snapshots:
 dependencies:
 base64-js: 1.5.1
- js-yaml@3.14.2:
- dependencies:
- argparse: 1.0.10
- esprima: 4.0.1
-
 js-yaml@4.2.0:
 dependencies:
 argparse: 2.0.1
@@ -2823,8 +2803,6 @@ snapshots:
 ansi-styles: 6.2.3
 is-fullwidth-code-point: 4.0.0
- sprintf-js@1.0.3: {}
-
 stack-utils@2.0.6:
 dependencies:
 escape-string-regexp: 2.0.0
@@ -2855,10 +2833,10 @@ snapshots:
 dependencies:
 ansi-regex: 6.2.2
- supertap@3.0.1:
+ supertap@3.0.1(patch_hash=fb62acff1ae3d1587268fef569b79684229eeb16c6a833a14b115a253cc00112):
 dependencies:
 indent-string: 5.0.0
- js-yaml: 3.14.2
+ js-yaml: 4.2.0
 serialize-error: 7.0.1
 strip-ansi: 7.2.0