Skip to content

SRE-802: Bump js-yaml to patched versions (security)#81

Draft
claude[bot] wants to merge 1 commit into
mainfrom
claude/security-weekly-scan-2026-07-13
Draft

SRE-802: Bump js-yaml to patched versions (security)#81
claude[bot] wants to merge 1 commit into
mainfrom
claude/security-weekly-scan-2026-07-13

Conversation

@claude

@claude claude Bot commented Jul 13, 2026

Copy link
Copy Markdown
Contributor

Requested by Tim Diekmann · Slack thread

Summary

Resolves GHSA-h67p-54hq-rp68 (MODERATE) in js-yaml by moving both locked versions in package-lock.json to patched releases:

  • js-yaml 3.14.2 → 3.15.0 (top-level, via renovate's ^3.10.0 range)
  • js-yaml 4.1.1 → 4.3.0 (nested under read-yaml-file and write-yaml-file, via their ^4.0.0 ranges; 4.3.0 is at or above the fixed 4.2.0 release)

How

Ran a resolution-respecting npm update js-yaml — no package.json changes and no overrides were needed, as all existing semver ranges already admit the fixed versions. The diff is lockfile-only.

Verification

npm ci --dry-run --ignore-scripts completes cleanly against the updated lockfile (590 packages resolved, no consistency errors).

Related


Generated by Claude Code

@claude claude Bot assigned TimDiekmann and CiaranMn and unassigned TimDiekmann Jul 13, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants