[pull] master from nodeca:master

.github/workflows/ci.yml

@@ -21,8 +21,9 @@ jobs:
       uses: actions/setup-node@v6
       with:
         node-version: lts/*
+        cache: npm
 
-    - run: npm i
+    - run: npm ci
 
     - name: Test
       run: npm test

CHANGELOG.md

@@ -5,10 +5,42 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+
+## [4.2.0] - 2026-06-01
+### Added
+- Added `docs/safety.md` with notes about processing untrusted YAML.
+- Added `maxDepth` (100) loader option. Not a problem, but gives a better
+  exception instead of RangeError on stack overflow.
+- Added `maxMergeSeqLength` (20) loader option. Not a problem after `merge` fix,
+  but an additional restriction for safety.
+- Added sourcemaps to `dist/` builds.
+
+### Changed
+- Stop resolving numbers with underscores as numeric scalars, #627.
+- Switched dev toolchains to Vite / neostandard.
+- Updated demo.
+- Reorganized tests.
+- `dist/` files are no longer kept in the repository.
+
+### Fixed
+- Fix parsing of properties on the first implicit block mapping key, #62.
+- Fix trailing whitespace handling when folding flow scalar lines, #307.
+- Reject top-level block scalars without content indentation, #280.
+- Ensure numbers survive round-trip, #737.
+- Fix test coverage for issue #221.
+- Fix flow scalar trailing whitespace folding, #307.
+- Fix digits in YAML named tag handles.
+
+### Security
+- Fix potential DoS via quadratic complexity in merge - deduplicate repeated
+  elements (makes sense for malformed files > 10K).
+
+
 ## [3.14.2] - 2025-11-15
 ### Security
 - Backported v4.1.1 fix to v3
 
+
 ## [4.1.1] - 2025-11-12
 ### Security
 - Fix prototype pollution issue in yaml merge (<<) operator.
@@ -550,6 +582,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - First public release
 
 
+[4.2.0]: https://github.com/nodeca/js-yaml/compare/4.1.1...4.2.0
 [4.1.1]: https://github.com/nodeca/js-yaml/compare/4.1.0...4.1.1
 [4.1.0]: https://github.com/nodeca/js-yaml/compare/4.0.0...4.1.0
 [4.0.0]: https://github.com/nodeca/js-yaml/compare/3.14.0...4.0.0

README.md

@@ -88,6 +88,10 @@ options:
     https://www.yaml.org/spec/1.2/spec.html#id2804923
   - `DEFAULT_SCHEMA` - all supported YAML types.
 - `json` _(default: false)_ - compatibility with JSON.parse behaviour. If true, then duplicate keys in a mapping will override values rather than throwing an error.
+- `maxDepth` _(default: 100)_ - limits nesting depth for collections (does not
+  take aliasees into account).
+- `maxMergeSeqLength` _(default: 20)_ - limits the number of items in merge
+  (`<<`) sequences.
 
 NOTE: This function **does not** understand multi-document sources, it throws
 exception on those.
@@ -226,22 +230,3 @@ moment of adding them.
 ``` javascript
 { "foo,bar": ["baz"], "[object Object]": ["baz", "baz"] }
 ```
-
-Also, reading of properties on implicit block mapping keys is not supported yet.
-So, the following YAML document cannot be loaded.
-
-``` yaml
-&anchor foo:
-  foo: bar
-  *anchor: duplicate key
-  baz: bat
-  *anchor: duplicate key
-```
-
-
-js-yaml for enterprise
-----------------------
-
-Available as part of the Tidelift Subscription
-
-The maintainers of js-yaml and thousands of other packages are working with Tidelift to deliver commercial support and maintenance for the open source dependencies you use to build your applications. Save time, reduce risk, and improve code health, while paying the maintainers of the exact dependencies you use. [Learn more.](https://tidelift.com/subscription/pkg/npm-js-yaml?utm_source=npm-js-yaml&utm_medium=referral&utm_campaign=enterprise&utm_term=repo)