
fix(deps): [release-2.8] bump yaml to ^2.8.3 (SNYK-JS-YAML-15765520)#2416

Merged
malinskibeniamin merged 1 commit into release-2.8 from chore/fix-yaml-snyk-release-2.8 on Apr 22, 2026

Conversation

@malinskibeniamin
Contributor

Summary

Follow-up to PRs #2413 and #2414. Fixes SNYK-JS-YAML-15765520 (yaml Uncontrolled Recursion, medium) on release-2.8.

Why direct-bump, not .snyk dismissal: unlike the undici / remix-run / hono / lodash findings already dismissed on this branch, yaml is reachable: frontend/src has 5+ direct `import ... from 'yaml'` statements (rp-connect pipeline parsing, MCP server config, yaml label sync). The vulnerable parser is exercised, so the advisory is actionable.

Before → After

| Version | Paths before | Paths after |
|---|---|---|
| `yaml@2.7.0` (direct) | 1 | 0 |
| `yaml@2.6.1` (via vitest chain) | 1 | 0 |
| `yaml@1.10.2` (via `@emotion/css > babel-plugin-macros > cosmiconfig`) | 3 | 0 |
| `yaml@2.8.3` (fix) | | all 5 paths |

Changes

  • `frontend/package.json`: direct dep `yaml: ^2.7.0 → ^2.8.3`
  • `frontend/package.json`: override + resolutions `yaml: ^2.8.3` to force the transitive 2.6.1 and 1.10.2 chains to the fixed version
  • `frontend/bun.lock` + `frontend/yarn.lock`: regenerated via `bun install && bun install --yarn`

Verification

  • `snyk test --org=console-8j9 --severity-threshold=low` — 0 yaml findings post-fix (was 5)
  • `bun run type:check` — clean
  • `bun run build` — clean

Master

Master already resolves yaml to 2.8.3 (override present + lockfile aggregates all semver ranges to that version), so no master PR is required.

cc @redpanda-data/ux-console

yaml is reachable in frontend/src (rp-connect pipeline parsing, MCP
config, yaml-label-sync — 5+ direct imports), so this is a direct-dep
fix rather than a .snyk dismissal.

Before:
  - yaml@2.7.0 (direct — vulnerable)
  - yaml@2.6.1 (via vitest/ast-v8-to-istanbul chain — vulnerable)
  - yaml@1.10.2 ×3 (via @emotion/css > babel-plugin-macros > cosmiconfig
    — vulnerable even though dev/build-only)

After: all 5 resolve to yaml@2.8.3 via the single overrides/resolutions
entry. Snyk scan confirms 0 yaml findings post-fix.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
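A lockfile check in the spirit of the verification step above, added here as an example and not part of the PR or the project: it walks a yarn v1 `yarn.lock` (the format `bun install --yarn` writes), finds every resolved entry for a package, and reports those still below the fixed version, so an override that silently failed to collapse a transitive chain shows up before `snyk test` runs. The lockfile text and the function names are constructed for illustration and mirror the before/after states listed above.

```javascript
// Added example (not the PR's own code): scan a yarn v1 lockfile for every
// resolved version of a package and flag entries below the fixed version.
// Lockfile text below is constructed to mirror the "before"/"after" states.

const VULN_LOCK = `# yarn lockfile v1

cosmiconfig@^7.0.0:
  version "7.1.0"
  dependencies:
    yaml "^1.10.0"

yaml@^1.10.0:
  version "1.10.2"

yaml@^2.4.5:
  version "2.6.1"

yaml@^2.7.0:
  version "2.7.0"
`;

// After the override/resolutions entry, every range aggregates to one entry.
const FIXED_LOCK = `# yarn lockfile v1

yaml@^1.10.0, yaml@^2.4.5, yaml@^2.7.0, yaml@^2.8.3:
  version "2.8.3"
`;

function compareVersions(a, b) {
  // Numeric major.minor.patch comparison; pre-release tags are ignored.
  const parse = (v) => v.split('-')[0].split('.').map(Number);
  const [pa, pb] = [parse(a), parse(b)];
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) - (pb[i] || 0);
  }
  return 0;
}

function findOutdatedResolutions(lockText, pkg, fixedVersion) {
  // Each lockfile entry starts at column 0; its header lists the range specs.
  const outdated = [];
  for (const entry of lockText.split(/\n(?=\S)/)) {
    const header = entry.split('\n')[0].replace(/:$/, '');
    if (!header.startsWith(`${pkg}@`) && !header.startsWith(`"${pkg}@`)) continue;
    const version = entry.match(/^\s+version "([^"]+)"/m)?.[1];
    if (version && compareVersions(version, fixedVersion) < 0) {
      outdated.push({ specs: header.split(',').map((s) => s.trim().replace(/"/g, '')), version });
    }
  }
  return outdated;
}
```

The returned list is per lockfile entry (three here), not per dependency path (five in the PR table), because one entry can serve several importers.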
malinskibeniamin added the security and dependencies labels on Apr 22, 2026
malinskibeniamin self-assigned this on Apr 22, 2026
malinskibeniamin merged commit 51c28c2 into release-2.8 on Apr 22, 2026
9 checks passed
malinskibeniamin deleted the chore/fix-yaml-snyk-release-2.8 branch on April 22, 2026 16:47