
Conversation

@pmuellr pmuellr commented Dec 2, 2025

resolves #54

This allows js-yaml 4.1.1 to be used, to avoid CVE-2025-64718.

Review comment on lines +20 to 22:

    "js-yaml": "4.1.x",
    "ports": "1.1.x",
    "underscore": "1.12.x"

Would be great to have more flexibility:

Suggested change (current lines, then the proposed replacement):

    "js-yaml": "4.1.x",
    "ports": "1.1.x",
    "underscore": "1.12.x"

    "js-yaml": "^4.1.1",
    "ports": "^1.1.0",
    "underscore": "^1.13.7"

ports hasn't been updated in 12 years, underscore@1.12.1 is 5 years old

At least for underscore something can be done, 1.13.7 is 16 months old, in 2 months it will also start triggering security warnings, but at least it will be easier to justify them.
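The two range forms in the suggestion above resolve differently, and the difference matters for the CVE this PR is about: "4.1.x" means ">=4.1.0 <4.2.0", so it still admits 4.1.0 and relies on the lockfile or on latest-at-install to land on 4.1.1, whereas "^4.1.1" means ">=4.1.1 <5.0.0", which makes 4.1.1 the floor and also admits future 4.x minors. The block below is an added example written for this page, not code from the PR or from the js-yaml, ports or underscore projects. It implements just the npm semantics for the "MAJOR.MINOR.x" and "^MAJOR.MINOR.PATCH" forms and runs them against a constructed candidate list; the candidate versions are illustrative and are not a claim about what any registry publishes.

```javascript
// Added example: minimal resolver for the two npm range forms used in the
// review suggestion ("MAJOR.MINOR.x" and "^MAJOR.MINOR.PATCH"). Not from the
// PR or from any of the projects named on the page.

// Parse a plain "MAJOR.MINOR.PATCH" version into a numeric triple.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`not a plain MAJOR.MINOR.PATCH version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Lexicographic comparison of two parsed versions: -1, 0 or 1.
function compare(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// Translate a range into an inclusive lower bound and an exclusive upper bound.
function rangeBounds(range) {
  let m = /^(\d+)\.(\d+)\.x$/.exec(range.trim());
  if (m) {
    const major = Number(m[1]);
    const minor = Number(m[2]);
    // "4.1.x" is >=4.1.0 <4.2.0: every patch of that minor, including .0
    return { low: [major, minor, 0], high: [major, minor + 1, 0] };
  }
  m = /^\^(\d+)\.(\d+)\.(\d+)$/.exec(range.trim());
  if (m) {
    const [major, minor, patch] = m.slice(1, 4).map(Number);
    // Caret: allow changes that do not touch the left-most non-zero component.
    let high;
    if (major > 0) high = [major + 1, 0, 0];
    else if (minor > 0) high = [0, minor + 1, 0];
    else high = [0, 0, patch + 1];
    return { low: [major, minor, patch], high };
  }
  throw new Error(`unsupported range form: ${range}`);
}

// True when the concrete version lies inside the range.
function satisfies(range, version) {
  const v = parseVersion(version);
  const { low, high } = rangeBounds(range);
  return compare(v, low) >= 0 && compare(v, high) < 0;
}

// Every candidate the range admits, ascending.
function admitted(range, candidates) {
  return candidates
    .filter((c) => satisfies(range, c))
    .sort((a, b) => compare(parseVersion(a), parseVersion(b)));
}

// The lowest version the range can resolve to, i.e. the floor it enforces.
function floor(range, candidates) {
  const a = admitted(range, candidates);
  return a.length ? a[0] : null;
}

// Constructed candidate list for js-yaml (illustrative only, not a registry query).
const JS_YAML_CANDIDATES = ["4.0.0", "4.1.0", "4.1.1", "4.2.0", "5.0.0"];

for (const range of ["4.1.x", "^4.1.1"]) {
  console.log(
    range,
    "admits", admitted(range, JS_YAML_CANDIDATES).join(", "),
    "; floor", floor(range, JS_YAML_CANDIDATES)
  );
}
```

Run with node: "4.1.x" admits 4.1.0 and 4.1.1 with floor 4.1.0, so a stale lockfile can keep the pre-fix version while the manifest looks updated; "^4.1.1" admits 4.1.1 and 4.2.0 with floor 4.1.1, which is the only version the page names as avoiding the CVE. Whichever range is chosen, the version that actually ships is the one in the lockfile, so the lockfile entry is what to check.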

@rafael-nogueras commented:

Can this please be merged ASAP? We need this fix to address that CVE. Thanks!

@pmuellr (Member, Author) commented Dec 4, 2025

I'll eventually get to this, but it's on my back burner - I have no skin in this game.

We'll have to find a new maintainer if there end up being frequent dependency updates ... because I have no time to deal with this.

Presumably anyone willing to help maintain this would need to become a member of this org.


Linked issue (may be closed by merging this pull request): CVE 2025-64718 Update js-yaml to 4.1.1

4 participants