Skip to content
This repository was archived by the owner on Nov 18, 2025. It is now read-only.

chore(deps): update dependency js-yaml to v4.1.1 [security] #2271

Open
renovate wants to merge 1 commit into
base: main
Choose a base branch
from
Open

chore(deps): update dependency js-yaml to v4.1.1 [security] #2271

renovate wants to merge 1 commit into from

Conversation

@renovate
Copy link
Contributor

@renovate renovate bot commented Nov 15, 2025
edited
Loading

This PR contains the following updates:

Package Change Age Confidence
js-yaml 4.1.0 -> 4.1.1 age confidence

GitHub Vulnerability Alerts

CVE-2025-64718

Impact

In js-yaml 4.1.0, 4.0.0, and 3.14.1 and below, it's possible for an attacker to modify the prototype of the result of a parsed yaml document via prototype pollution (__proto__). All users who parse untrusted yaml documents may be impacted.

Patches

Problem is patched in js-yaml 4.1.1 and 3.14.2.

Workarounds

You can protect against this kind of attack on the server by using node --disable-proto=delete or deno (in Deno, pollution protection is on by default).

References

https://cheatsheetseries.owasp.org/cheatsheets/Prototype_Pollution_Prevention_Cheat_Sheet.html

Release Notes

nodeca/js-yaml (js-yaml)

v4.1.1

Compare Source

Security
  • Fix prototype pollution issue in yaml merge (<<) operator.

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot added the dependencies Pull requests that update a dependency file label Nov 15, 2025
@renovate renovate bot enabled auto-merge (rebase) November 15, 2025 13:41
@renovate renovate bot changed the title chore(deps): update dependency js-yaml to v4.1.1 [security] chore(deps): update dependency js-yaml to v4.1.1 [security] - autoclosed Nov 17, 2025
@renovate renovate bot closed this Nov 17, 2025
auto-merge was automatically disabled November 17, 2025 02:39

Pull request was closed

@renovate renovate bot deleted the renovate/npm-js-yaml-vulnerability branch November 17, 2025 02:39
@renovate renovate bot changed the title chore(deps): update dependency js-yaml to v4.1.1 [security] - autoclosed chore(deps): update dependency js-yaml to v4.1.1 [security] Nov 18, 2025
@renovate renovate bot reopened this Nov 18, 2025
@renovate renovate bot force-pushed the renovate/npm-js-yaml-vulnerability branch 2 times, most recently from 3dfab9d to 2df6215 Compare November 18, 2025 02:57
@renovate renovate bot enabled auto-merge (rebase) November 18, 2025 11:14
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant