Skip to content

Bump js-yaml from 4.1.1 to 4.3.0#1565

Merged
github-actions[bot] merged 1 commit into
masterfrom
dependabot/npm_and_yarn/js-yaml-4.2.0
Jun 28, 2026
Merged

Bump js-yaml from 4.1.1 to 4.3.0#1565
github-actions[bot] merged 1 commit into
masterfrom
dependabot/npm_and_yarn/js-yaml-4.2.0

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 21, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

Bumps js-yaml from 4.1.1 to 4.3.0.

Changelog

Sourced from js-yaml's changelog.

4.3.0 - 2026-06-27

Added

  • [backport] Added maxTotalMergeKeys (10000) loader option to limit the total number of keys processed by YAML merge (<<) across one load() / loadAll() call.

Fixed

  • Restore umd builds back to es5.

Removed

  • [backport] maxMergeSeqLength replaced with maxTotalMergeKeys for limiting YAML merge processing.

[4.2.0] - 2026-06-01

Added

  • Added docs/safety.md with notes about processing untrusted YAML.
  • Added maxDepth (100) loader option. Not a problem, but gives a better exception instead of RangeError on stack overflow.
  • Added maxMergeSeqLength (20) loader option. Not a problem after merge fix, but an additional restriction for safety.
  • Added sourcemaps to dist/ builds.

Changed

  • Stop resolving numbers with underscores as numeric scalars, #627.
  • Switched dev toolchains to Vite / neostandard.
  • Updated demo.
  • Reorganized tests.
  • dist/ files are no longer kept in the repository.

Fixed

  • Fix parsing of properties on the first implicit block mapping key, #62.
  • Fix trailing whitespace handling when folding flow scalar lines, #307.
  • Reject top-level block scalars without content indentation, #280.
  • Ensure numbers survive round-trip, #737.
  • Fix test coverage for issue #221.
  • Fix flow scalar trailing whitespace folding, #307.
  • Fix digits in YAML named tag handles.

Security

  • Fix potential DoS via quadratic complexity in merge - deduplicate repeated elements (makes sense for malformed files > 10K).

[3.14.2] - 2025-11-15

Security

  • Backported v4.1.1 fix to v3
Commits
  • 33d05b5 4.3.0 released
  • 663bfab Drop demo publish, to not override new v5 one.
  • 1cb8c7b Add v4-legacy tag for publish
  • 02f27af Restore umd builds back to es5
  • 8be84ed Fix es5 compatibility
  • 59423c6 Replace maxMergeSeqLength option with maxTotalMergeKeys (more robust). Ba...
  • 6842ef6 doc polish
  • 590dbab 4.2.0 released
  • f944dc5 Add package.json funding field
  • f692719 Changelog update
  • Additional commits viewable in compare view

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code labels Jun 21, 2026
@github-actions github-actions Bot enabled auto-merge June 21, 2026 17:34
@dependabot
Bump js-yaml from 4.1.1 to 4.3.0
42a2cc4 
Bumps [js-yaml](https://github.com/nodeca/js-yaml) from 4.1.1 to 4.3.0.
- [Changelog](https://github.com/nodeca/js-yaml/blob/4.3.0/CHANGELOG.md)
- [Commits](nodeca/js-yaml@4.1.1...4.3.0)

---
updated-dependencies:
- dependency-name: js-yaml
  dependency-version: 4.2.0
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot changed the title Bump js-yaml from 4.1.1 to 4.2.0 Bump js-yaml from 4.1.1 to 4.3.0 Jun 28, 2026
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/js-yaml-4.2.0 branch from a35764d to 42a2cc4 Compare June 28, 2026 17:36
@github-actions github-actions Bot merged commit 7877d58 into master Jun 28, 2026
3 checks passed
@github-actions github-actions Bot deleted the dependabot/npm_and_yarn/js-yaml-4.2.0 branch June 28, 2026 17:38
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@github-actions github-actions[bot] github-actions[bot] approved these changes

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants