
fix(deps): bump js-yaml to patched 4.2.0/4.3.0 for DoS advisory (supersedes #10843) #10873

Open

mrveiss wants to merge 2 commits into Dev_new_gui from issue-jsyaml-sec


Conversation

mrveiss (Owner) commented Jul 2, 2026

Thinking Path

Dependabot #10843 (js-yaml DoS advisory) opened against main — security updates bypass dependabot.yml's target-branch, so the deployed branch Dev_new_gui stays unpatched. Retarget + @dependabot rebase just reverts base to main. Dev_new_gui's lockfiles are at the identical baseline as #10843's base, so the npm-validated hunks apply cleanly here.

What Changed

  • autobot-frontend/package-lock.json: js-yaml 4.1.1 → 4.2.0 (+ @redocly/openapi-core 1.34.15 → 1.34.17, which pins js-yaml exactly).
  • autobot-infrastructure/.../mcp-task-manager-server/package-lock.json: js-yaml 4.1.1 → 4.3.0.
  • Lockfile-only; both js-yaml usages are transitive + dev/build-time. Dropped an unrelated license: ISC→GPL-3.0-only metadata flip from the Dependabot diff to keep this security-focused.

Verification

  • Advisory: js-yaml >=4.0.0,<=4.1.1 MODERATE quadratic-complexity DoS in merge-key handling → patched 4.2.0. Confirmed via GH securityVulnerabilities API.
  • Both lockfiles parse as valid JSON; zero js-yaml-4.1.1.tgz refs remain.
  • Hunks are byte-identical to Dependabot's npm output (integrity hashes match registry).

Model Used

Opus 4.8 (1M context)

Supersedes #10843 (closed as mis-targeted at main).

…rsedes #10843)

js-yaml >=4.0.0,<=4.1.1 has a MODERATE quadratic-complexity DoS in merge-key
handling (GHSA, patched in 4.2.0). Dependabot's security scan opened #10843
against main (security updates bypass dependabot.yml target-branch), leaving
the deployed branch Dev_new_gui unpatched. This applies the same npm-validated
lockfile changes directly on Dev_new_gui:

- autobot-frontend: js-yaml 4.1.1 -> 4.2.0 (+ @redocly/openapi-core 1.34.15 ->
  1.34.17, which pins js-yaml exactly at 4.2.0)
- mcp-task-manager-server: js-yaml 4.1.1 -> 4.3.0

Both transitive/dev-only (build-time). Lockfile-only; no package.json changes.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
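The checks listed under Verification (advisory range, valid-JSON lockfiles, no leftover js-yaml-4.1.1.tgz references), as an added Node.js example that is not part of this PR or its repository; the lockfile it audits is constructed to resemble the frontend case, and the walk handles both the v1 "dependencies" tree and the v2/v3 "packages" map, which goes beyond the single lockfile shape the PR touches:

```javascript
// Added example, not code from this PR: reproduce the "Verification" checks
// in Node with no dependencies. The lockfile below is constructed.
const SAMPLE_LOCK = JSON.stringify({
  name: "autobot-frontend", lockfileVersion: 3,
  packages: {
    "": { name: "autobot-frontend" },
    "node_modules/js-yaml": { version: "4.1.1", dev: true,
      resolved: "https://registry.npmjs.org/js-yaml/-/js-yaml-4.1.1.tgz" },
    "node_modules/@redocly/openapi-core/node_modules/js-yaml": { version: "4.2.0", dev: true,
      resolved: "https://registry.npmjs.org/js-yaml/-/js-yaml-4.2.0.tgz" },
  },
});

// "4.1.1" -> [4, 1, 1]; any prerelease suffix is dropped before comparing.
function parseSemver(v) { return v.split("-")[0].split(".").map(Number); }
function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}
// Advisory range quoted in the PR: js-yaml >=4.0.0,<=4.1.1 (patched in 4.2.0).
function isVulnerableJsYaml(version) {
  const v = parseSemver(version);
  return cmp(v, [4, 0, 0]) >= 0 && cmp(v, [4, 1, 1]) <= 0;
}

// Every js-yaml entry from v2/v3 "packages" (flat map) or the v1 "dependencies" tree.
function findJsYaml(lock) {
  const hits = [];
  for (const [path, pkg] of Object.entries(lock.packages || {}))
    if (path.endsWith("node_modules/js-yaml")) hits.push({ path, version: pkg.version, dev: !!pkg.dev });
  const walk = (deps, prefix) => {
    for (const [name, dep] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === "js-yaml") hits.push({ path, version: dep.version, dev: !!dep.dev });
      walk(dep.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, "");
  return hits;
}

// Returns entries still inside the advisory range plus a count of leftover
// js-yaml-4.1.1.tgz tarball references (the PR's "zero refs remain" check).
// A JSON.parse failure is itself a finding: the lockfile is not valid JSON.
function auditLock(text) {
  const vulnerable = findJsYaml(JSON.parse(text)).filter(h => isVulnerableJsYaml(h.version));
  const tgzRefs = (text.match(/js-yaml-4\.1\.1\.tgz/g) || []).length;
  return { vulnerable, tgzRefs };
}
```

Run `auditLock` over the real lockfile text (for example `fs.readFileSync("package-lock.json", "utf8")`) and treat a non-empty `vulnerable` list or a non-zero `tgzRefs` as a failed check.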
github-actions bot (Contributor) commented Jul 2, 2026

✅ SSOT Configuration Compliance: Passing

🎉 No hardcoded values detected that have SSOT config equivalents!
