fix(ui): update dependency js-yaml to v4.2.0 [security]

[renovate]

This PR contains the following updates:

Package	Type	Update	Change	OpenSSF
js-yaml	dependencies	minor	4.1.1 → 4.2.0

---

JS-YAML: Quadratic-complexity DoS in merge key handling via repeated aliases

CVE-2026-53550 / GHSA-h67p-54hq-rp68

More information

Details

Summary

A crafted YAML document can trigger algorithmic CPU exhaustion in js-yaml merge-key processing (<<) by repeating the same alias many times in a merge sequence.
This causes quadratic parse-time behavior relative to input size and can block a Node.js worker/event loop for seconds with a relatively small payload (tens of KB), resulting in denial of service.

Details

The issue is in merge handling inside lib/loader.js:

• storeMappingPair(...) iterates every element of a merge sequence when key tag is tag:yaml.org,2002:merge.
• For each element, it calls mergeMappings(...).
• mergeMappings(...) computes Object.keys(source) and performs _hasOwnProperty.call(destination, key) checks for each key.

When input is of the form:

a: &a {k0:0, k1:0, ..., kK:0}
b: {<<: [*a, *a, *a, ... repeated M times ...]}
all *a entries refer to the same anchored object. After the first merge, subsequent merges are semantically no-ops, but the parser still reprocesses all keys each time.
Resulting work is O(K * M), while input size is O(K + M), giving quadratic scaling as payload grows.
Relevant code path:
lib/loader.js in storeMappingPair(...) merge branch (keyTag === 'tag:yaml.org,2002:merge')
lib/loader.js mergeMappings(...)

Root cause

File: lib/loader.js
Function: storeMappingPair(state, _result, overridableKeys, keyTag, keyNode,
valueNode, startLine, startLineStart, startPos)
Lines: ~359-366

if (keyTag === 'tag:yaml.org,2002:merge') {
  if (Array.isArray(valueNode)) {
    for (index = 0, quantity = valueNode.length; index < quantity; index += 1) {
      mergeMappings(state, _result, valueNode[index], overridableKeys);
    }
  } else {
    mergeMappings(state, _result, valueNode, overridableKeys);
  }
}

When the merge value is a sequence (YAML 1.1 <<: [ *a, *a, ... ]), each element
is handed to mergeMappings() without deduplication. mergeMappings() then does

sourceKeys = Object.keys(source);
for (index = 0; index < sourceKeys.length; index += 1) {
  key = sourceKeys[index];
  if (!_hasOwnProperty.call(destination, key)) {
    setProperty(destination, key, source[key]);
    overridableKeys[key] = true;
  }
}

Every alias reference in the sequence resolves (by design) to the SAME object
via state.anchorMap. After the first merge, every subsequent merge of that same
reference is a pure no-op semantically, but still performs:

• one Object.keys(source) call (O(K))
• K _hasOwnProperty.call checks on the destination

Total: M * K hasOwnProperty checks + M Object.keys allocations, while the final
object and all observable side effects are identical to a single merge.

YAML semantics for <<: are idempotent and commutative over duplicate sources,
so collapsing duplicates preserves behavior exactly; this isn't a spec trade-off.

PoC

Environment:
js-yaml version: 4.1.1
Node.js: v24.5.0
Platform: arm64 macOS (reproduced consistently)
Reproduction script:
Create many keys in one anchored map (&a).
Merge that same alias repeatedly via <<: [*a, *a, ...].
Measure parse time and compare with control payload using single merge (<<: *a).
Observed repeated runs (same machine):
K=M=1000, input 9,909 bytes: ~33–36 ms
K=M=2000, input 20,909 bytes: ~121–123 ms
K=M=4000, input 42,909 bytes: ~524–537 ms
K=M=6000, input 64,909 bytes: ~1,608–1,829 ms
K=M=8000, input 86,909 bytes: ~3,395–3,565 ms
Control (single merge, similar key counts):
K=2000: ~1–2 ms
K=4000: ~3 ms
K=8000: ~5 ms
Also verified: repeated-merge output equals single-merge output (same key count and same JSON), confirming excess time is redundant computation.

Impact

This is a denial-of-service vulnerability (CPU exhaustion / algorithmic complexity).
Any service parsing untrusted YAML with js-yaml can be impacted, including API backends, CI tools, config processors, and automation services. An attacker can submit crafted YAML to significantly increase CPU time and reduce availability.

Suggested fix:

Dedupe the merge source list by reference before invoking mergeMappings. Any of
the following are minimal and preserve YAML 1.1 merge semantics:

dedupe in storeMappingPair:

if (keyTag === 'tag:yaml.org,2002:merge') {
  if (Array.isArray(valueNode)) {
    var seen = new Set();
    for (index = 0, quantity = valueNode.length; index < quantity; index += 1) {
      var src = valueNode[index];
      if (seen.has(src)) continue;   // idempotent; skip redundant alias
      seen.add(src);
      mergeMappings(state, _result, src, overridableKeys);
    }
  } else {
    mergeMappings(state, _result, valueNode, overridableKeys);
  }
}

Severity

• CVSS Score: 5.3 / 10 (Medium)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

References

• https://github.com/nodeca/js-yaml/security/advisories/GHSA-h67p-54hq-rp68
• https://github.com/advisories/GHSA-h67p-54hq-rp68

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

nodeca/js-yaml (js-yaml)

v4.2.0

Compare Source

Added

• Added docs/safety.md with notes about processing untrusted YAML.
• Added maxDepth (100) loader option. Not a problem, but gives a better
  exception instead of RangeError on stack overflow.
• Added maxMergeSeqLength (20) loader option. Not a problem after merge fix,
  but an additional restriction for safety.
• Added sourcemaps to dist/ builds.

Changed

• Stop resolving numbers with underscores as numeric scalars, #​627.
• Switched dev toolchains to Vite / neostandard.
• Updated demo.
• Reorganized tests.
• dist/ files are no longer kept in the repository.

Fixed

• Fix parsing of properties on the first implicit block mapping key, #​62.
• Fix trailing whitespace handling when folding flow scalar lines, #​307.
• Reject top-level block scalars without content indentation, #​280.
• Ensure numbers survive round-trip, #​737.
• Fix test coverage for issue #​221.
• Fix flow scalar trailing whitespace folding, #​307.
• Fix digits in YAML named tag handles.

Security

• Fix potential DoS via quadratic complexity in merge - deduplicate repeated
  elements (makes sense for malformed files > 10K).

---

Configuration

📅 Schedule: (in timezone Europe/Madrid)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: ui/pnpm-lock.yaml

<--- Last few GCs --->

[960:0x1ff36000]   120950 ms: Mark-Compact (reduce) 1496.8 (1500.7) -> 1496.8 (1499.7) MB, pooled: 0 MB, 1000.27 / 0.00 ms  (+ 389.6 ms in 20 steps since start of marking, biggest step 19.7 ms, walltime since start of marking 1422 ms) (average mu = 0.334,[960:0x1ff36000]   123470 ms: Mark-Compact (reduce) 1497.8 (1499.7) -> 1497.8 (1500.7) MB, pooled: 0 MB, 1684.13 / 0.00 ms  (+ 273.1 ms in 14 steps since start of marking, biggest step 20.2 ms, walltime since start of marking 1984 ms) (average mu = 0.273,
FATAL ERROR: Reached heap limit Allocation failed - JavaScript heap out of memory
----- Native stack trace -----

 1: 0x72dece node::OOMErrorHandler(char const*, v8::OOMDetails const&) [/opt/containerbase/tools/node/24.13.0/bin/node]
 2: 0xba1b20  [/opt/containerbase/tools/node/24.13.0/bin/node]
 3: 0xba1c0f  [/opt/containerbase/tools/node/24.13.0/bin/node]
 4: 0xe3a745  [/opt/containerbase/tools/node/24.13.0/bin/node]
 5: 0xe4b8cc  [/opt/containerbase/tools/node/24.13.0/bin/node]
 6: 0xe21513  [/opt/containerbase/tools/node/24.13.0/bin/node]
 7: 0xdf67c4  [/opt/containerbase/tools/node/24.13.0/bin/node]
 8: 0xde1978  [/opt/containerbase/tools/node/24.13.0/bin/node]
 9: 0xfade20  [/opt/containerbase/tools/node/24.13.0/bin/node]
10: 0xfb3b47  [/opt/containerbase/tools/node/24.13.0/bin/node]
11: 0xfb497b  [/opt/containerbase/tools/node/24.13.0/bin/node]
12: 0xfb3d58  [/opt/containerbase/tools/node/24.13.0/bin/node]
13: 0xfb3a5a  [/opt/containerbase/tools/node/24.13.0/bin/node]
14: 0xfb3a5a  [/opt/containerbase/tools/node/24.13.0/bin/node]
15: 0xfb4f5a  [/opt/containerbase/tools/node/24.13.0/bin/node]
16: 0xfb51e5  [/opt/containerbase/tools/node/24.13.0/bin/node]
17: 0xc2a22b  [/opt/containerbase/tools/node/24.13.0/bin/node]
18: 0x19f6576  [/opt/containerbase/tools/node/24.13.0/bin/node]
/usr/local/bin/node: line 18:   960 Aborted                 /opt/containerbase/tools/node/24.13.0/bin/node "$@"

[coderabbitai]

📝 Walkthrough

Walkthrough

js-yaml is bumped from 4.1.1 to 4.2.0 in ui/package.json. A corresponding minimumReleaseAgeExclude entry for js-yaml@4.2.0 is added to ui/pnpm-workspace.yaml to exempt that specific version from the workspace's minimum release age rule.

Changes

js-yaml 4.2.0 dependency update

Layer / File(s)	Summary
Version bump and release age exemption ui/package.json, ui/pnpm-workspace.yaml	js-yaml updated from 4.1.1 to 4.2.0 in package.json; pnpm-workspace.yaml gains a minimumReleaseAgeExclude entry scoped to js-yaml@4.2.0 to bypass the release age guard for this version.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Description check	⚠️ Warning	The PR description is missing several required checklist items from the template, particularly package-health evidence and UI testing documentation required for npm dependency updates.	Add package-health analysis covering maintenance, popularity, known vulnerabilities, license, and release age for js-yaml 4.2.0. Include screenshots/video evidence of UI functionality testing across mobile, tablet, and desktop breakpoints. Add or reference CHANGELOG.md entry in ui/CHANGELOG.md if applicable.

✅ Passed checks (4 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately and concisely summarizes the main change: updating js-yaml to v4.2.0 for a security fix, which directly aligns with the changeset.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch renovate/npm-js-yaml-vulnerability

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

✅ Conflict Markers Resolved

All conflict markers have been successfully resolved in this pull request.

[github-actions]

⚠️ Changes detected in the following folders without a corresponding update to the CHANGELOG.md:

• ui

Please add an entry to the corresponding CHANGELOG.md file to maintain a clear history of changes.