Fix js-yaml merge-key DoS (GHSA-h67p-54hq-rp68) #2
Merged
…-rp68) The changesets dev toolchain pulled js-yaml 3.14.2 transitively through read-yaml-file@1.1.0 (the only consumer of the 3.x line), which is in the advisory's vulnerable range (<= 4.1.1). Add pnpm overrides: read-yaml-file ^2.1.0 (uses js-yaml ^4.x and the load() API, API-compatible with @manypkg/get-packages) plus js-yaml ^4.2.0 to pin the patched release. Only js-yaml 4.2.0 now resolves; build, check, and changeset status all pass. Dev-only dependency — never shipped in dist/.
What

Closes the open Dependabot alert (#1): js-yaml quadratic-complexity DoS in merge-key handling via repeated aliases — GHSA-h67p-54hq-rp68, medium, vulnerable <= 4.1.1, patched 4.2.0.

Root cause

The vulnerable `js-yaml@3.14.2` was pulled in transitively by the changesets release toolchain: `read-yaml-file@1.1.0` pins `js-yaml@^3` and calls `yaml.safeLoad()`, an API removed in js-yaml 4.x — so a plain `js-yaml: ^4.2.0` override would break it at runtime. There is no patched 3.x release; the fix only exists in 4.2.0.

Fix

Add a pnpm `overrides` block:

- `read-yaml-file: ^2.1.0` — the 2.x line depends on `js-yaml@^4.0.0` and uses the renamed `load()` API. Its public surface (default callable export + `.sync`) is identical to 1.x, so `@manypkg/get-packages` keeps working unchanged.
- `js-yaml: ^4.2.0` — pins the patched release explicitly.

`read-yaml-file@1.1.0` was the only consumer of js-yaml 3.x, so 3.14.2 is removed from the tree entirely — only `js-yaml@4.2.0` resolves now.

This is a dev-only dependency (changesets, used at release time). It is never part of the published package, which ships `dist/` only.

Verification

- `pnpm why js-yaml` → only `4.2.0` remains; `js-yaml@3.14.2` gone.
- `pnpm run check` (biome + tsc + vitest) → all pass (14/14 tests).
- `pnpm run build` → bundle unchanged (library never depended on js-yaml).
- `pnpm changeset status` → reads the package graph through the new `read-yaml-file@2.1.0` path successfully.
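As an added check (not code from the PR or the project), the script below scans a pnpm-lock.yaml for js-yaml versions still inside the advisory's range, which is the assertion the `pnpm why js-yaml` step above makes by hand. The lockfile excerpts are constructed, and the key formats assumed are those of pnpm lockfile v6 (`/js-yaml@3.14.2:`) and v9 (`js-yaml@3.14.2:`).

```javascript
// Added example (not from the PR): flag js-yaml versions in a pnpm-lock.yaml
// that fall inside the GHSA-h67p-54hq-rp68 range (<= 4.1.1, patched 4.2.0).
// Assumes "packages:" keys like "/js-yaml@3.14.2:" (v6) or "js-yaml@3.14.2:"
// (v9, optional "(peer)" suffix); nested "js-yaml: x.y.z" lines are skipped.
const VULNERABLE_MAX = [4, 1, 1];

// Numeric compare of [major, minor, patch] triples; negative when a < b.
function compareSemver(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] - b[i];
  }
  return 0;
}

// Every distinct js-yaml version resolved in the lockfile text, sorted.
function jsYamlVersions(lockfileText) {
  const re = /^\s*\/?js-yaml@(\d+\.\d+\.\d+)(?:\([^)]*\))*:\s*$/gm;
  const found = new Set();
  for (const m of lockfileText.matchAll(re)) found.add(m[1]);
  return [...found].sort((x, y) =>
    compareSemver(x.split('.').map(Number), y.split('.').map(Number)));
}

// Subset of resolved versions still in the vulnerable range.
function vulnerableJsYamlVersions(lockfileText) {
  return jsYamlVersions(lockfileText).filter(
    (v) => compareSemver(v.split('.').map(Number), VULNERABLE_MAX) <= 0);
}

// Constructed lockfile excerpts: before and after the pnpm overrides.
const LOCK_BEFORE = `
packages:
  /js-yaml@3.14.2:
    resolution: {integrity: sha512-CONSTRUCTED}
  /read-yaml-file@1.1.0:
    dependencies:
      js-yaml: 3.14.2
  /js-yaml@4.1.1:
    resolution: {integrity: sha512-CONSTRUCTED}
`;
const LOCK_AFTER = `
packages:
  js-yaml@4.2.0:
    resolution: {integrity: sha512-CONSTRUCTED}
  read-yaml-file@2.1.0:
    dependencies:
      js-yaml: 4.2.0
`;
console.log('before override:', vulnerableJsYamlVersions(LOCK_BEFORE));
console.log('after override: ', vulnerableJsYamlVersions(LOCK_AFTER));
```

Point it at a real lockfile with `fs.readFileSync('pnpm-lock.yaml', 'utf8')` and fail the CI step when the vulnerable list is non-empty.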