Commit 108c847

chore: upgrade js-yaml to ^4.2.0 to address CVE-2026-53550 (#1335)
Refresh the lockfile so all transitive js-yaml instances resolve to 4.2.0, which fixes the quadratic-complexity DoS in merge key handling.

Generated with [Linear](https://linear.app/sourcebot/issue/SOU-1360/sourcebot-devsourcebot-cve-2026-53550-js-yaml-quadratic-complexity-dos#agent-session-b16750d8)

Co-authored-by: linear-code[bot] <222613912+linear-code[bot]@users.noreply.github.com>
Co-authored-by: Brendan Kellam <brendan@sourcebot.dev>
1 parent 2247c09 commit 108c847

2 files changed

Lines changed: 4 additions & 4 deletions

CHANGELOG.md

Lines changed: 1 addition & 1 deletion
@@ -16,8 +16,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
1616
- Upgraded `form-data` to `^4.0.6`. [#1316](https://github.com/sourcebot-dev/sourcebot/pull/1316)
1717
- Upgraded `hono` to `^4.12.25`. [#1322](https://github.com/sourcebot-dev/sourcebot/pull/1322)
1818
- Upgraded `dompurify` to `^3.4.11`. [#1332](https://github.com/sourcebot-dev/sourcebot/pull/1332)
19-
- Upgraded `nodemailer` to `^8.0.9`. [#1331](https://github.com/sourcebot-dev/sourcebot/pull/1331)
2019
- Upgraded `nodemailer` to `^8.0.11`. [#1328](https://github.com/sourcebot-dev/sourcebot/pull/1328)
20+
- Upgraded `js-yaml` to `^4.2.0`. [#1335](https://github.com/sourcebot-dev/sourcebot/pull/1335)
2121
- Upgraded `protobufjs` to `^7.6.4`. [#1336](https://github.com/sourcebot-dev/sourcebot/pull/1336)
2222
- Upgraded `tar` to `^7.5.16`. [#1338](https://github.com/sourcebot-dev/sourcebot/pull/1338)
2323
- Upgraded `esbuild` to `^0.28.1`. [#1342](https://github.com/sourcebot-dev/sourcebot/pull/1342)
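
Review bot: The `-` line at old line 19 drops the `nodemailer` `^8.0.9` entry (#1331), which is unrelated to the js-yaml upgrade and is not mentioned in the commit message. If this is an intentional cleanup because the `^8.0.11` entry (#1328) supersedes it, say so in the commit message or move it to its own commit; otherwise restore the line. The new js-yaml entry could also name CVE-2026-53550, since the changelog is where operators look to decide whether an upgrade is security-relevant.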

yarn.lock

Lines changed: 3 additions & 3 deletions
@@ -16135,13 +16135,13 @@ __metadata:
1613516135
linkType: hard
1613616136

1613716137
"js-yaml@npm:^4.1.1":
16138-
version: 4.1.1
16139-
resolution: "js-yaml@npm:4.1.1"
16138+
version: 4.2.0
16139+
resolution: "js-yaml@npm:4.2.0"
1614016140
dependencies:
1614116141
argparse: "npm:^2.0.1"
1614216142
bin:
1614316143
js-yaml: bin/js-yaml.js
16144-
checksum: 10c0/561c7d7088c40a9bb53cc75becbfb1df6ae49b34b5e6e5a81744b14ae8667ec564ad2527709d1a6e7d5e5fa6d483aa0f373a50ad98d42fde368ec4a190d4fae7
16144+
checksum: 10c0/1916456c118746603b067d74bbcbb0445d9a1d5e474ad4ae775e7b20525bed902e01d9d97dd0c81fcd8d4f596162309d0eb057f4aa38f3e9647f14075e9dea45
1614516145
languageName: node
1614616146
linkType: hard
1614716147
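
Review bot: The descriptor key stays `"js-yaml@npm:^4.1.1"` while only `version`, `resolution` and `checksum` change, so the declared range still admits 4.1.1 and nothing outside the lockfile enforces the fixed version. The commit title and the CHANGELOG entry both say `^4.2.0`, but with only CHANGELOG.md and yarn.lock changed, no manifest range was raised. Consider pinning the floor with a `resolutions` entry for `js-yaml` in package.json (or bumping the dependents that request `^4.1.1`), and confirm that no other js-yaml descriptor exists in the lockfile, since this hunk shows just the one.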
