chore: upgrade js-yaml to ^4.2.0 to address CVE-2026-53550

linear-code[bot] · linear-code[bot] · commit 2da06b445715 · 2026-06-17T23:08:54.000Z
Refresh the lockfile so all transitive js-yaml instances resolve to 4.2.0, which fixes the quadratic-complexity DoS in merge key handling. Generated with [Linear](https://linear.app/sourcebot/issue/SOU-1360/sourcebot-devsourcebot-cve-2026-53550-js-yaml-quadratic-complexity-dos#agent-session-b16750d8) Co-authored-by: linear-code[bot] <222613912+linear-code[bot]@users.noreply.github.com>
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -18,6 +18,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Upgraded `dompurify` to `^3.4.11`. [#1332](https://github.com/sourcebot-dev/sourcebot/pull/1332)
 - Upgraded `nodemailer` to `^8.0.9`. [#1331](https://github.com/sourcebot-dev/sourcebot/pull/1331)
 - Upgraded `nodemailer` to `^8.0.11`. [#1328](https://github.com/sourcebot-dev/sourcebot/pull/1328)
+- Upgraded `js-yaml` to `^4.2.0`. [#1335](https://github.com/sourcebot-dev/sourcebot/pull/1335)
 
 ## [5.0.3] - 2026-06-17
 
diff --git a/yarn.lock b/yarn.lock
@@ -16247,13 +16247,13 @@ __metadata:
   linkType: hard
 
 "js-yaml@npm:^4.1.1":
-  version: 4.1.1
-  resolution: "js-yaml@npm:4.1.1"
+  version: 4.2.0
+  resolution: "js-yaml@npm:4.2.0"
   dependencies:
     argparse: "npm:^2.0.1"
   bin:
     js-yaml: bin/js-yaml.js
-  checksum: 10c0/561c7d7088c40a9bb53cc75becbfb1df6ae49b34b5e6e5a81744b14ae8667ec564ad2527709d1a6e7d5e5fa6d483aa0f373a50ad98d42fde368ec4a190d4fae7
+  checksum: 10c0/1916456c118746603b067d74bbcbb0445d9a1d5e474ad4ae775e7b20525bed902e01d9d97dd0c81fcd8d4f596162309d0eb057f4aa38f3e9647f14075e9dea45
   languageName: node
   linkType: hard
 
