From d04772f8d49089dc87da5d79734d2f13b2556e2a Mon Sep 17 00:00:00 2001
From: Wojciech Stachowski
Date: Wed, 26 Nov 2025 11:42:20 +0100
Subject: [PATCH 1/2] Update js-yaml version due to CVE 2025-64718

---
 package.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/package.json b/package.json
index 86533cb..f3335d2 100644
--- a/package.json
+++ b/package.json
@@ -17,7 +17,7 @@
 "watch": "jbuild watch"
 },
 "dependencies": {
- "js-yaml": "4.0.x",
+ "js-yaml": "4.1.x",
 "ports": "1.1.x",
 "underscore": "1.12.x"
 },
From c72d876f647ab5a57bd626b1525a394c56fb601a Mon Sep 17 00:00:00 2001
From: Wojciech Stachowski
Date: Wed, 26 Nov 2025 11:49:07 +0100
Subject: [PATCH 2/2] Bump readme for 1.2.5

---
 README.md | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/README.md b/README.md
index 0632376..fc53458 100644
--- a/README.md
+++ b/README.md
@@ -325,6 +325,12 @@ When you visit the site, you'll see the output of various cfenv calls.
 changes
 ================================================================================

+**1.2.5** - 2025/11/26
+
+- upgrade js-yaml to avoid vulnerability - [pr #55][]
+
+[pr #55]: https://github.com/cloudfoundry-community/node-cfenv/pull/55
+
 **1.2.4** - 2021/04/03

 - upgrade most dependencies, but not CoffeeScript, since the latest
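Review bot: The new range `"js-yaml": "4.1.x"` in the `dependencies` hunk of package.json sets no floor at the patched release, so it still matches the first 4.1 release. If the fix for the CVE named in the subject shipped in a later 4.1 patch release, an install resolved from an existing lockfile or cache can satisfy the range with an unpatched build. Stating the floor makes the intent explicit, for example `"js-yaml": "~4.1.<first-patched-patch>"` (placeholder; take the number from the js-yaml advisory). The patch touches no lockfile, so it is worth confirming what consumers actually resolve, e.g. with `npm ls js-yaml`.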