chore(deps): bump js-yaml from 4.1.1 to 4.3.0#40
Conversation
Bumps [js-yaml](https://github.com/nodeca/js-yaml) from 4.1.1 to 4.3.0. - [Changelog](https://github.com/nodeca/js-yaml/blob/4.3.0/CHANGELOG.md) - [Commits](nodeca/js-yaml@4.1.1...4.3.0) --- updated-dependencies: - dependency-name: js-yaml dependency-version: 4.3.0 dependency-type: indirect ... Signed-off-by: dependabot[bot] <support@github.com>
There was a problem hiding this comment.
Scope
Lockfile-only Dependabot bump: yarn.lock resolves transitive js-yaml from 4.1.1 to 4.3.0 (no manifest edits). Worth merging for upstream YAML-parser hardening—merge-key DoS limits (maxTotalMergeKeys), depth guards, and parsing fixes in the 4.2.x–4.3.0 line—without touching application source in this repo.
Upstream: unknown (author to confirm)
CI
Checks are still pending; branch protection will gate merge.
Regression risk
Patch/minor semver within js-yaml v4 for a dev-toolchain transitive; behavioral changes are limited to stricter YAML parsing and safety defaults, so regression risk is low for @lifeomic/typescript-config.
Residual risks / follow-ups
None — because the sole change is a lockfile refresh for a transitive dev dependency, securitySensitivePaths is empty, and no functional code or deploy config is touched.
Note: Review generated using Cursor model
composer-2.5.
This review was generated by review-bot.
Bumps js-yaml from 4.1.1 to 4.3.0.
Changelog
Sourced from js-yaml's changelog.
Commits
33d05b54.3.0 released663bfabDrop demo publish, to not override new v5 one.1cb8c7bAdd v4-legacy tag for publish02f27afRestore umd builds back to es58be84edFix es5 compatibility59423c6ReplacemaxMergeSeqLengthoption withmaxTotalMergeKeys(more robust). Ba...6842ef6doc polish590dbab4.2.0 releasedf944dc5Add package.json funding fieldf692719Changelog updateDependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)You can disable automated security fix PRs for this repo from the Security Alerts page.