From b105eddb5ea6e0b4a6fa3238f0de49ca9e5b64db Mon Sep 17 00:00:00 2001
From: John Carmack
Date: Wed, 17 Jun 2026 15:52:44 -0500
Subject: [PATCH] Bump transitive js-yaml to 4.2.0 to fix merge-key DoS (GHSA-h67p-54hq-rp68)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The changesets dev toolchain pulled js-yaml 3.14.2 transitively through read-yaml-file@1.1.0 (the only consumer of the 3.x line), which is in the advisory's vulnerable range (<= 4.1.1). Add pnpm overrides: read-yaml-file ^2.1.0 (uses js-yaml ^4.x and the load() API, API-compatible with @manypkg/get-packages) plus js-yaml ^4.2.0 to pin the patched release. Only js-yaml 4.2.0 now resolves; build, check, and changeset status all pass. Dev-only dependency — never shipped in dist/.
---
 package.json | 6 ++++++
 pnpm-lock.yaml | 50 +++++++++++++++-----------------------------------
 2 files changed, 21 insertions(+), 35 deletions(-)

diff --git a/package.json b/package.json
index bbe4522..a176605 100644
--- a/package.json
+++ b/package.json
@@ -76,5 +76,11 @@
 "typescript": "~6.0.3",
 "vite": "^8.0.16",
 "vitest": "^4.1.9"
+ },
+ "pnpm": {
+ "overrides": {
+ "js-yaml": "^4.2.0",
+ "read-yaml-file": "^2.1.0"
+ }
 }
 }
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index 2486d61..1b06c4e 100644
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -4,6 +4,10 @@ settings: autoInstallPeers: true excludeLinksFromLockfile: false +overrides: + js-yaml: ^4.2.0 + read-yaml-file: ^2.1.0 + importers: .:
@@ -748,11 +752,6 @@ packages: es-module-lexer@2.1.0: resolution: {integrity: sha512-n27zTYMjYu1aj4MjCWzSP7G9r75utsaoc8m61weK+W8JMBGGQybd43GstCXZ3WNmSFtGT9wi59qQTW6mhTR5LQ==} - esprima@4.0.1: - resolution: {integrity: sha512-eGuFFw7Upda+g4p+QHvnW0RyTX/SVeJBDM/gCtMARO0cLuT2HcEKnTPvhjV6aGeqrCB/sbNop0Kszm0jsaWU4A==} - engines: {node: '>=4'} - hasBin: true - estree-walker@3.0.3: resolution: {integrity: sha512-7RUKfXgSMMkzt6ZuXmqapOurLGPPfgj6l9uRZ7lRGolvk0y2yocc35LdcxKC5PQZdn2DMqioAQ2NoWcrTKmm6g==}
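Review bot: The `pnpm.overrides` block added at the end of package.json applies to every package in the graph, not only `read-yaml-file`, and js-yaml 4.x dropped the 3.x `safeLoad`/`safeDump` API, so any future transitive dependency still written against 3.x would be forced onto 4.x and fail at call time rather than at install. That global floor is the right posture for GHSA-h67p-54hq-rp68, but the reason for it is invisible from package.json, which cannot carry a comment. Consider recording it in the repo's contributor notes or the changeset as something like `pnpm.overrides pins js-yaml >=4.2.0 (GHSA-h67p-54hq-rp68) via read-yaml-file 2.x; drop once the @manypkg package that declares read-yaml-file 1.x moves to 2.x upstream`, so the override is revisited instead of becoming permanent. It is also worth stating there that the separate `js-yaml` override is what keeps the floor if a later `read-yaml-file` release loosened its own range.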
@@ -905,10 +904,6 @@ packages: isexe@2.0.0: resolution: {integrity: sha512-RHxMLp9lnKHGHRng9QFhRCMbYAcVpn69smSGcq3f36xjgVVWThj4qqLbTLlq7Ssj8B+fIQ1EuCEGI2lKsyQeIw==} - js-yaml@3.14.2: - resolution: {integrity: sha512-PMSmkqxr106Xa156c2M265Z+FTrPl+oxd/rgOQy2tijQeK5TxQ43psO1ZCwhVOSdnn+RzkzlRz/eY4BgJBYVpg==} - hasBin: true - js-yaml@4.2.0: resolution: {integrity: sha512-ePWsvanv0DWuDRsW8dnt+R4jQ31SCRCQ7hhNcPXZPsoBZiemuZNYGf7adZdqX2D86j6rvKp3RpCxVTSb8WQlOw==} hasBin: true
@@ -1116,10 +1111,6 @@ packages: resolution: {integrity: sha512-QP88BAKvMam/3NxH6vj2o21R6MjxZUAd6nlwAS/pnGvN9IVLocLHxGYIzFhg6fUQ+5th6P4dv4eW9jX3DSIj7A==} engines: {node: '>=12'} - pify@4.0.1: - resolution: {integrity: sha512-uB80kBFb/tfd68bVleG9T5GGsGPjJrLAUpR5PZIrhBnIaRTQRjqdJSsIKkOP6OAIFbj7GOrcudc5pNjZ+geV2g==} - engines: {node: '>=6'} - postcss@8.5.15: resolution: {integrity: sha512-FfR8sjd4em2T6fb3I2MwAJU7HWVMr9zba+enmQeeWFfCbm+UOC/0X4DS8XtpUTMwWMGbjKYP7xjfNekzyGmB3A==} engines: {node: ^10 || ^12 || >=14}
@@ -1141,9 +1132,9 @@ packages: queue-microtask@1.2.3: resolution: {integrity: sha512-NuaNSa6flKT5JaSYQzJok04JzTL1CA6aGhv5rfLW3PgqA+M2ChpZQnAC8h8i4ZFkBS8X5RqkDBHA7r4hej3K9A==} - read-yaml-file@1.1.0: - resolution: {integrity: sha512-VIMnQi/Z4HT2Fxuwg5KrY174U1VdUIASQVWXXyqtNRtxSr9IYkn1rsI6Tb6HsrHCmB7gVpNwX6JxPTHcH6IoTA==} - engines: {node: '>=6'} + read-yaml-file@2.1.0: + resolution: {integrity: sha512-UkRNRIwnhG+y7hpqnycCL/xbTk7+ia9VuVTC0S+zVbwd65DI9eUpRMfsWIGrCWxTU/mi+JW8cHQCrv+zfCbEPQ==} + engines: {node: '>=10.13'} readable-stream@2.3.8: resolution: {integrity: sha512-8p0AUk4XODgIewSi0l8Epjs+EVnWiK7NoDIEGU0HhE7+ZyY8D1IMY7odu5lRrFXGg71L15KG8QrPmum45RTtdA==}
@@ -1226,9 +1217,9 @@ packages: resolution: {integrity: sha512-Y38VPSHcqkFrCpFnQ9vuSXmquuv5oXOKpGeT6aGrr3o3Gc9AlVa6JBfUSOCnbxGGZF+/0ooI7KrPuUSztUdU5A==} engines: {node: '>=8'} - strip-bom@3.0.0: - resolution: {integrity: sha512-vavAMRXOgBVNF6nyEEmL3DBK19iRpDcoIwW+swQ+CbGiu7lju6t+JklA1MHweoWtadgt4ISVUsXLyDq34ddcwA==} - engines: {node: '>=4'} + strip-bom@4.0.0: + resolution: {integrity: sha512-3xurFv5tEgii33Zi8Jtp55wEIILR9eh34FAW00PZf+JnSsTmV/ioewSgQl97JHvgjoRGwPShsWm+IdrxB35d0w==} + engines: {node: '>=8'} strnum@2.4.0: resolution: {integrity: sha512-sHrVyWWdq28RbhjuJdZsA1SnGRJV6NiXbk6AXBxDOsgAcA+lmpUZCYjOdLBxkXMwis6RRe7dlZt4VlIWFVzkmg==}
@@ -1972,7 +1963,7 @@ snapshots: '@manypkg/find-root': 1.1.0 fs-extra: 8.1.0 globby: 11.1.0 - read-yaml-file: 1.1.0 + read-yaml-file: 2.1.0 '@mapbox/martini@0.2.0': {}
@@ -2341,8 +2332,6 @@ snapshots: es-module-lexer@2.1.0: {} - esprima@4.0.1: {} - estree-walker@3.0.3: dependencies: '@types/estree': 1.0.9
@@ -2472,11 +2461,6 @@ snapshots: isexe@2.0.0: {} - js-yaml@3.14.2: - dependencies: - argparse: 1.0.10 - esprima: 4.0.1 - js-yaml@4.2.0: dependencies: argparse: 2.0.1
@@ -2634,8 +2618,6 @@ snapshots: picomatch@4.0.4: {} - pify@4.0.1: {} - postcss@8.5.15: dependencies: nanoid: 3.3.12
@@ -2652,12 +2634,10 @@ snapshots: queue-microtask@1.2.3: {} - read-yaml-file@1.1.0: + read-yaml-file@2.1.0: dependencies: - graceful-fs: 4.2.11 - js-yaml: 3.14.2 - pify: 4.0.1 - strip-bom: 3.0.0 + js-yaml: 4.2.0 + strip-bom: 4.0.0 readable-stream@2.3.8: dependencies:
@@ -2745,7 +2725,7 @@ snapshots: dependencies: ansi-regex: 5.0.1 - strip-bom@3.0.0: {} + strip-bom@4.0.0: {} strnum@2.4.0: dependencies: