fix(core): preserve comments in catalog YAML updates

[polygraph-snapshot-app]

Current Behavior

When nx migrate (or nx release version) bumps a package that's referenced via catalog: in pnpm-workspace.yaml or .yarnrc.yml, all comments, YAML anchors, and formatting in the file are wiped out. The catalog manager update path used @zkochan/js-yaml's load/dump, which parses YAML to plain JS objects and serializes back without preserving any non-data tokens.

Expected Behavior

User-authored comments, anchors, and formatting survive a catalog version bump. Only the targeted version entry changes; everything else in the file is byte-stable.

Implementation Details

updateCatalogVersions in both the nx and @nx/devkit catalog managers (pnpm + yarn variants) now uses the yaml package's Document API, which is designed for comment-preserving round-trips. The walk is alias-aware so configs using YAML anchors keep working, and null placeholders (catalog: with no value, optionally carrying comments) are seeded inline so empty skeletons can still be populated without dropping their comments.

yaml is added as a direct dependency of @nx/devkit (it was already a runtime dep of nx).

---

View session information ↗

[nx-cloud]

View your CI Pipeline Execution ↗ for commit 3c9d3a3

Command	Status	Duration	Result
nx affected --targets=lint,test,build,e2e,e2e-c...	✅ Succeeded	16m 39s	View ↗
nx run-many -t check-imports check-lock-files c...	✅ Succeeded	3s	View ↗
nx-cloud record -- pnpm nx-cloud conformance:check	✅ Succeeded	9s	View ↗
nx build workspace-plugin	✅ Succeeded	<1s	View ↗
nx-cloud record -- nx sync:check	✅ Succeeded	20s	View ↗
nx-cloud record -- nx format:check	✅ Succeeded	7s	View ↗

---

☁️ Nx Cloud last updated this comment at 2026-05-20 07:16:38 UTC

[netlify]

✅ Deploy Preview for nx-dev ready!

Name	Link
🔨 Latest commit	b51fc5b
🔍 Latest deploy log	https://app.netlify.com/projects/nx-dev/deploys/6a0d5abd2e930d00089a45ac
😎 Deploy Preview	https://deploy-preview-35733--nx-dev.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[netlify]

✅ Deploy Preview for nx-docs ready!

Name	Link
🔨 Latest commit	b51fc5b
🔍 Latest deploy log	https://app.netlify.com/projects/nx-docs/deploys/6a0d5abda551d400073bafa4
😎 Deploy Preview	https://deploy-preview-35733--nx-docs.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[nx-cloud]

Nx Cloud has identified a flaky task in your failed CI:

🔂 Since the failure was identified as flaky, we triggered a CI rerun by adding an empty commit to this branch.

View detailed reasoning in Nx Cloud ↗

_{🎓 Learn more about Self-Healing CI on nx.dev}

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	npm/​picocolors@​1.1.1
	npm/​tinyglobby@​0.2.15
	npm/​source-map-js@​1.2.1
	npm/​npm-run-path@​4.0.1
	npm/​clsx@​2.1.1
	npm/​deepmerge@​4.3.1
	npm/​import-fresh@​3.3.1
	npm/​js-tokens@​4.0.0
	npm/​ignore@​7.0.5
	npm/​string-width@​4.2.3
	npm/​cliui@​8.0.1
	npm/​classnames@​2.5.1
	npm/​convert-source-map@​2.0.0
	npm/​chalk@​4.1.2
	npm/​yargs@​17.7.2
	npm/​yargs-parser@​21.1.1
	npm/​tslib@​2.8.1
	npm/​globals@​17.5.0
	npm/​tsconfig-paths@​4.2.0
	npm/​eslint-config-prettier@​10.1.8
	npm/​semver@​7.7.4
	npm/​tar-stream@​2.2.0
	npm/​minimatch@​10.2.5
	npm/​picomatch@​4.0.4
	npm/​eslint-plugin-react-hooks@​7.1.1

View full report

[socket-security]

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Warn		Obfuscated code: npm entities is 91.0% likely obfuscated Confidence: 0.91 Location: Package overview From: pnpm-lock.yaml → npm/entities@4.5.0 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/entities@4.5.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: npm entities is 91.0% likely obfuscated Confidence: 0.91 Location: Package overview From: pnpm-lock.yaml → npm/entities@6.0.1 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/entities@6.0.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report