Skip to content

chore: upgrade js-yaml to ^4.2.0 to address CVE-2026-53550#1335

Merged
brendan-kellam merged 2 commits into
mainfrom
linear/sou-1360-sourcebot-devsourcebot-cve-2026-53550-js-yaml-quadratic-fc63
Jun 17, 2026
Merged

chore: upgrade js-yaml to ^4.2.0 to address CVE-2026-53550#1335
brendan-kellam merged 2 commits into
mainfrom
linear/sou-1360-sourcebot-devsourcebot-cve-2026-53550-js-yaml-quadratic-fc63

Conversation

@linear-code

@linear-code linear-code Bot commented Jun 17, 2026

Copy link
Copy Markdown
Contributor

Fixes SOU-1360

Refreshes the lockfile so all transitive js-yaml instances resolve to 4.2.0, addressing CVE-2026-53550 (quadratic-complexity DoS in merge key handling via repeated aliases).

js-yaml is only a transitive dependency (via json-schema-to-typescript, @apidevtools/json-schema-ref-parser, and @eslint/eslintrc), all requested through ^4.1.1 ranges that already admit 4.2.0. No package.json change or resolutions override is needed — yarn up -R js-yaml bumps the lock to the patched version. Verified with yarn why js-yaml that every instance now resolves to 4.2.0.

@linear-code
chore: upgrade js-yaml to ^4.2.0 to address CVE-2026-53550
2da06b4 
Refresh the lockfile so all transitive js-yaml instances resolve to
4.2.0, which fixes the quadratic-complexity DoS in merge key handling.

Generated with [Linear](https://linear.app/sourcebot/issue/SOU-1360/sourcebot-devsourcebot-cve-2026-53550-js-yaml-quadratic-complexity-dos#agent-session-b16750d8)

Co-authored-by: linear-code[bot] <222613912+linear-code[bot]@users.noreply.github.com>
@github-actions

github-actions Bot commented Jun 17, 2026
edited
Loading

Copy link
Copy Markdown
Contributor

License Audit

⚠️ Status: PASS

Metric Count
Total packages 2129
Resolved (non-standard) 20
Unresolved 0
Strong copyleft 0
Weak copyleft 39

Weak Copyleft Packages (informational)

Package Version License
@img/sharp-libvips-darwin-arm64 1.0.4 LGPL-3.0-or-later
@img/sharp-libvips-darwin-arm64 1.2.4 LGPL-3.0-or-later
@img/sharp-libvips-darwin-x64 1.0.4 LGPL-3.0-or-later
@img/sharp-libvips-darwin-x64 1.2.4 LGPL-3.0-or-later
@img/sharp-libvips-linux-arm 1.0.5 LGPL-3.0-or-later
@img/sharp-libvips-linux-arm 1.2.4 LGPL-3.0-or-later
@img/sharp-libvips-linux-arm64 1.0.4 LGPL-3.0-or-later
@img/sharp-libvips-linux-arm64 1.2.4 LGPL-3.0-or-later
@img/sharp-libvips-linux-ppc64 1.2.4 LGPL-3.0-or-later
@img/sharp-libvips-linux-riscv64 1.2.4 LGPL-3.0-or-later
@img/sharp-libvips-linux-s390x 1.0.4 LGPL-3.0-or-later
@img/sharp-libvips-linux-s390x 1.2.4 LGPL-3.0-or-later
@img/sharp-libvips-linux-x64 1.0.4 LGPL-3.0-or-later
@img/sharp-libvips-linux-x64 1.2.4 LGPL-3.0-or-later
@img/sharp-libvips-linuxmusl-arm64 1.0.4 LGPL-3.0-or-later
@img/sharp-libvips-linuxmusl-arm64 1.2.4 LGPL-3.0-or-later
@img/sharp-libvips-linuxmusl-x64 1.0.4 LGPL-3.0-or-later
@img/sharp-libvips-linuxmusl-x64 1.2.4 LGPL-3.0-or-later
@img/sharp-wasm32 0.33.5 Apache-2.0 AND LGPL-3.0-or-later AND MIT
@img/sharp-wasm32 0.34.5 Apache-2.0 AND LGPL-3.0-or-later AND MIT
@img/sharp-win32-arm64 0.34.5 Apache-2.0 AND LGPL-3.0-or-later
@img/sharp-win32-ia32 0.33.5 Apache-2.0 AND LGPL-3.0-or-later
@img/sharp-win32-ia32 0.34.5 Apache-2.0 AND LGPL-3.0-or-later
@img/sharp-win32-x64 0.33.5 Apache-2.0 AND LGPL-3.0-or-later
@img/sharp-win32-x64 0.34.5 Apache-2.0 AND LGPL-3.0-or-later
axe-core 4.10.3 MPL-2.0
dompurify 3.4.11 (MPL-2.0 OR Apache-2.0)
lightningcss 1.32.0 MPL-2.0
lightningcss-android-arm64 1.32.0 MPL-2.0
lightningcss-darwin-arm64 1.32.0 MPL-2.0
lightningcss-darwin-x64 1.32.0 MPL-2.0
lightningcss-freebsd-x64 1.32.0 MPL-2.0
lightningcss-linux-arm-gnueabihf 1.32.0 MPL-2.0
lightningcss-linux-arm64-gnu 1.32.0 MPL-2.0
lightningcss-linux-arm64-musl 1.32.0 MPL-2.0
lightningcss-linux-x64-gnu 1.32.0 MPL-2.0
lightningcss-linux-x64-musl 1.32.0 MPL-2.0
lightningcss-win32-arm64-msvc 1.32.0 MPL-2.0
lightningcss-win32-x64-msvc 1.32.0 MPL-2.0
Resolved Packages (20)
Package Version Original Resolved Source
@react-grab/cli 0.1.23 UNKNOWN MIT package LICENSE file (MIT License text)
@react-grab/cli 0.1.29 UNKNOWN MIT package LICENSE file (MIT License text)
@react-grab/mcp 0.1.29 UNKNOWN MIT package LICENSE file (MIT License text)
@sentry/cli 2.58.5 FSL-1.1-MIT FSL-1.1-MIT self-declared in package.json; LICENSE file (Functional Source License 1.1, MIT Future)
@sentry/cli-darwin 2.58.5 FSL-1.1-MIT FSL-1.1-MIT self-declared FSL-1.1-MIT (same release as @sentry/cli 2.58.5)
@sentry/cli-linux-arm 2.58.5 FSL-1.1-MIT FSL-1.1-MIT self-declared FSL-1.1-MIT (same release as @sentry/cli 2.58.5)
@sentry/cli-linux-arm64 2.58.5 FSL-1.1-MIT FSL-1.1-MIT self-declared FSL-1.1-MIT (same release as @sentry/cli 2.58.5)
@sentry/cli-linux-i686 2.58.5 FSL-1.1-MIT FSL-1.1-MIT self-declared FSL-1.1-MIT (same release as @sentry/cli 2.58.5)
@sentry/cli-linux-x64 2.58.5 FSL-1.1-MIT FSL-1.1-MIT self-declared in package.json; LICENSE file (Functional Source License 1.1, MIT Future)
@sentry/cli-win32-arm64 2.58.5 FSL-1.1-MIT FSL-1.1-MIT self-declared FSL-1.1-MIT (same release as @sentry/cli 2.58.5)
@sentry/cli-win32-i686 2.58.5 FSL-1.1-MIT FSL-1.1-MIT self-declared FSL-1.1-MIT (same release as @sentry/cli 2.58.5)
@sentry/cli-win32-x64 2.58.5 FSL-1.1-MIT FSL-1.1-MIT self-declared FSL-1.1-MIT (same release as @sentry/cli 2.58.5)
codemirror-lang-elixir 4.0.0 UNKNOWN Apache-2.0 package LICENSE file (Apache License 2.0 text)
element-source 0.0.3 UNKNOWN MIT package LICENSE file (MIT License text)
lezer-elixir 1.1.2 UNKNOWN Apache-2.0 package LICENSE file (Apache License 2.0 text)
map-stream 0.1.0 UNKNOWN MIT package LICENCE file (MIT License text)
memorystream 0.3.1 UNKNOWN MIT package LICENSE file (MIT) and package.json licenses[].type
pause-stream 0.0.11 ["MIT","Apache2"] (MIT OR Apache-2.0) extracted from object ["MIT","Apache2"]; confirmed by LICENSE file (Dual Licensed MIT and Apache 2)
posthog-js 1.369.0 SEE LICENSE IN LICENSE Apache-2.0 package LICENSE file (Apache License 2.0 text)
valid-url 1.0.9 UNKNOWN MIT package LICENSE file (MIT License text)

@brendan-kellam brendan-kellam marked this pull request as ready for review June 17, 2026 23:55
@brendan-kellam brendan-kellam merged commit 108c847 into main Jun 17, 2026
8 checks passed
@brendan-kellam brendan-kellam deleted the linear/sou-1360-sourcebot-devsourcebot-cve-2026-53550-js-yaml-quadratic-fc63 branch June 17, 2026 23:55
@github-actions github-actions Bot mentioned this pull request Jun 17, 2026
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@brendan-kellam