Copilot AI commented Jan 26, 2026

Updates js-yaml from 3.14.1 to 3.14.2 to fix GHSA-mh29-5h37-fv8m (MODERATE, CVSS 5.3) - prototype pollution in merge (<< operator).

Dependency path:

ts-jest → @jest/transform → babel-plugin-istanbul → @istanbuljs/load-nyc-config → js-yaml@3.14.1

Transitive dev dependency used by Jest for code coverage. Changes limited to package-lock.json (version, resolved URL, integrity hash).

Original prompt

This section details the original issue you should resolve

<issue_title>[Security] js-yaml security update ready for merge</issue_title>
<issue_description>## Security Update Summary

A MODERATE severity security vulnerability has been identified and fixed in js-yaml:

  • Package: js-yaml
  • Current Version: 3.14.1
  • Fixed Version: 3.14.2
  • Severity: MODERATE (CVSS 5.3)
  • CVE: GHSA-mh29-5h37-fv8m
  • Issue: Prototype pollution in merge (<< operator)

Verification Status

All checks passed:

  • Build successful (npm run build)
  • All 643 tests passing
  • Linting passed (existing warnings only)
  • No runtime dependencies affected
  • npm audit now shows 0 vulnerabilities

Changes Made

The fix has been committed to branch deps/security-update-20260125:

  • Commit: 5d50bfe
  • Files changed: 1 (package-lock.json)
  • Lines changed: 3 (version, URL, integrity hash)

Impact Analysis

This is a transitive dev dependency used by Jest for code coverage:

ts-jest → @jest/transform → babel-plugin-istanbul → @istanbuljs/load-nyc-config → js-yaml@3.14.1

While it only affects development/testing, fixing it improves the security posture of the codebase.

Action Required

Option 1: Create PR manually

```bash
git fetch origin deps/security-update-20260125
git checkout deps/security-update-20260125
gh pr create --base main --title "fix(deps): update js-yaml to 3.14.2 (CVE fix)" --body "Fixes GHSA-mh29-5h37-fv8m"
```

Option 2: Apply patch directly

```bash
npm audit fix --force
npm test  # Verify
git commit -am "fix(deps): update js-yaml to 3.14.2 (CVE fix)"
```

Additional Context

  • Release Date: js-yaml 3.14.2 was released November 14, 2025 (2 months old)
  • Advisory: GHSA-mh29-5h37-fv8m
  • Detailed Report: See workflow run 21333415629

Note: The dependency security monitor workflow attempted to create a PR automatically but lacks push permissions. This issue was created instead to track the manual merge.

AI generated by Dependency Security Monitor


Comments on the Issue (you are @copilot in this section)


Co-authored-by: Mossaka <5447827+Mossaka@users.noreply.github.com>
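The fix above is a one-line version bump of a nested copy of js-yaml in package-lock.json, the kind of transitive copy that is easy to overlook when reading the lockfile by hand. As an added example (not code from this PR, the repository, or the Dependency Security Monitor), the script below scans a lockfile's `packages` map (lockfileVersion 2 or 3) for every copy of a package below the fixed version and reports where it is nested; the lockfile fragment is constructed to mirror the @istanbuljs/load-nyc-config → js-yaml@3.14.1 chain named in the PR.

```javascript
// Added example, not from the PR: find every copy of a package in package-lock.json
// that is older than the fixed version. Handles the lockfileVersion 2/3 "packages"
// map only; the older lockfileVersion 1 "dependencies" tree is not walked.

function parseVersion(v) {
  // Drop a leading "v" and any prerelease/build suffix, keep numeric components.
  const core = v.replace(/^v/, '').split(/[-+]/)[0];
  return core.split('.').map((n) => parseInt(n, 10) || 0);
}

function isOlderThan(version, fixed) {
  const a = parseVersion(version);
  const b = parseVersion(fixed);
  for (let i = 0; i < Math.max(a.length, b.length); i++) {
    const x = a[i] || 0;
    const y = b[i] || 0;
    if (x !== y) return x < y;
  }
  return false; // equal versions are not older
}

function findVulnerableCopies(lock, pkgName, fixedVersion) {
  const hits = [];
  const packages = lock.packages || {};
  for (const [path, entry] of Object.entries(packages)) {
    // Keys look like "node_modules/<parent>/node_modules/<pkg>"; match the last segment only,
    // so "node_modules/foo-js-yaml" is not mistaken for "node_modules/js-yaml".
    if (path === '' || !path.endsWith('node_modules/' + pkgName)) continue;
    if (entry.version && isOlderThan(entry.version, fixedVersion)) {
      hits.push({ path, version: entry.version });
    }
  }
  return hits;
}

// Constructed lockfile fragment (not the project's real lockfile): the root has a current
// js-yaml, while @istanbuljs/load-nyc-config carries its own nested 3.x copy.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app' },
    'node_modules/js-yaml': { version: '4.1.0' },
    'node_modules/@istanbuljs/load-nyc-config': { version: '1.1.0', dependencies: { 'js-yaml': '^3.13.1' } },
    'node_modules/@istanbuljs/load-nyc-config/node_modules/js-yaml': { version: '3.14.1' },
  },
};

for (const hit of findVulnerableCopies(sampleLock, 'js-yaml', '3.14.2')) {
  console.log(`${hit.path}@${hit.version} is below the fixed version 3.14.2`);
}
```

Run it against a real lockfile by replacing `sampleLock` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; a clean result should agree with `npm audit` reporting no js-yaml findings.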
Copilot AI changed the title from "[WIP] Update js-yaml to version 3.14.2 for security fix" to "fix(deps): update js-yaml to 3.14.2 (CVE fix)" Jan 26, 2026
Copilot AI requested a review from Mossaka January 26, 2026 20:58
@Mossaka Mossaka marked this pull request as ready for review January 26, 2026 21:15
@github-actions

github-actions bot commented Jan 26, 2026

📰 VERDICT: Smoke Copilot has concluded. All systems operational. This is a developing story. 🎤

@github-actions

github-actions bot commented Jan 26, 2026

🎬 THE END. Smoke Claude MISSION: ACCOMPLISHED! The hero saves the day! ✨

@github-actions

✅ Coverage Check Passed

Overall Coverage

| Metric | Base | PR | Delta |
|---|---|---|---|
| Lines | 77.98% | 77.98% | ➡️ +0.00% |
| Statements | 78.05% | 78.05% | ➡️ +0.00% |
| Functions | 77.77% | 77.77% | ➡️ +0.00% |
| Branches | 71.70% | 71.70% | ➡️ +0.00% |

Coverage comparison generated by scripts/ci/compare-coverage.ts

@github-actions

Smoke Test Results ✅

Last 2 Merged PRs:

Test Results:

  • ✅ GitHub MCP (PR search)
  • ✅ Playwright (GitHub title verified)
  • ✅ File creation
  • ✅ Bash tool

Status: PASS

@Copilot @Mossaka

AI generated by Smoke Copilot

@github-actions

Smoke Test Results

Last 2 Merged PRs:

✅ GitHub MCP
✅ Playwright (page title: "GitHub · Change is constant...")
✅ File Writing
✅ Bash Tool

Status: PASS

AI generated by Smoke Claude

@Mossaka Mossaka merged commit 6b1b30f into main Jan 26, 2026
37 checks passed
@Mossaka Mossaka deleted the copilot/update-js-yaml-version branch January 26, 2026 23:06
Successfully merging this pull request may close these issues.

[Security] js-yaml security update ready for merge
