chore(deps): bump js-yaml from 4.1.1 to 4.2.0#144
Bumps [js-yaml](https://github.com/nodeca/js-yaml) from 4.1.1 to 4.2.0.
- [Changelog](https://github.com/nodeca/js-yaml/blob/master/CHANGELOG.md)
- [Commits](nodeca/js-yaml@4.1.1...4.2.0)

---
updated-dependencies:
- dependency-name: js-yaml
  dependency-version: 4.2.0
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Scope — Updates direct production dependency js-yaml from 4.1.1 to 4.2.0 in package.json and yarn.lock, refreshing transitive resolutions. Worth merging for upstream security hardening (merge-key DoS mitigation, loader depth/merge limits) and parsing fixes that benefit YAML load/dump paths in meta-schema.ts and cli.ts.
CI — Checks are still pending; branch protection will gate merge—no code-level blockers identified in the dependency diff.
Regression risk — Low for a semver-minor bump within v4; the main behavior change (underscores no longer parsed as numeric scalars) is unlikely to affect typical one-schema YAML definitions.
Upstream: nodeca/js-yaml (4.1.1→4.2.0 release; see compare link in PR body)
Residual risks / follow-ups
None — because the diff is manifest/lockfile-only, stays within the declared ^4.x range, and existing yaml-focused tests (meta-schema.test.ts, cli.test.ts) should cover load/dump behavior once CI completes.
Note: Review generated using Cursor model composer-2.5.
This review was generated by review-bot.
Bumps js-yaml from 4.1.1 to 4.2.0.
Changelog
Sourced from js-yaml's changelog.
Commits
- 590dbab 4.2.0 released
- f944dc5 Add package.json funding field
- f692719 Changelog update
- 9971a06 Fix digits in YAML named tag handles
- 464a5b8 Fix flow scalar trailing whitespace folding, close #307
- 1fda4f7 Tests for #567, #565
- 031ad07 Stop resolving numbers with underscores as numeric scalars, #627
- e46d223 CI config update
- 9023fee Add lockfile
- 990e6f4 Docs update

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

You can disable automated security fix PRs for this repo from the Security Alerts page.