chore(deps): update devdependency js-yaml to v4.1.1 [security]#351
Open
renovate[bot] wants to merge 1 commit into
Open
chore(deps): update devdependency js-yaml to v4.1.1 [security]#351renovate[bot] wants to merge 1 commit into
renovate[bot] wants to merge 1 commit into
Conversation
renovate
Bot
force-pushed
the
renovate/npm-js-yaml-vulnerability
branch
from
November 18, 2025 23:43
827659c to
2586704
Compare
renovate
Bot
force-pushed
the
renovate/npm-js-yaml-vulnerability
branch
from
December 3, 2025 16:14
2586704 to
16867e0
Compare
renovate
Bot
force-pushed
the
renovate/npm-js-yaml-vulnerability
branch
from
December 31, 2025 18:02
16867e0 to
0e3f57f
Compare
renovate
Bot
force-pushed
the
renovate/npm-js-yaml-vulnerability
branch
from
January 8, 2026 20:44
0e3f57f to
189d645
Compare
renovate
Bot
force-pushed
the
renovate/npm-js-yaml-vulnerability
branch
2 times, most recently
from
January 23, 2026 20:54
2b6792d to
1e7ea42
Compare
renovate
Bot
force-pushed
the
renovate/npm-js-yaml-vulnerability
branch
from
February 2, 2026 16:05
1e7ea42 to
0100ccb
Compare
renovate
Bot
force-pushed
the
renovate/npm-js-yaml-vulnerability
branch
2 times, most recently
from
February 17, 2026 18:41
3d5f6e6 to
cafbb44
Compare
renovate
Bot
force-pushed
the
renovate/npm-js-yaml-vulnerability
branch
from
March 5, 2026 17:02
cafbb44 to
203c858
Compare
renovate
Bot
force-pushed
the
renovate/npm-js-yaml-vulnerability
branch
from
March 13, 2026 13:14
203c858 to
6d414f1
Compare
renovate
Bot
force-pushed
the
renovate/npm-js-yaml-vulnerability
branch
3 times, most recently
from
April 1, 2026 22:09
4cf3d35 to
bdf7f51
Compare
renovate
Bot
force-pushed
the
renovate/npm-js-yaml-vulnerability
branch
from
April 8, 2026 16:14
bdf7f51 to
ae61ccc
Compare
renovate
Bot
force-pushed
the
renovate/npm-js-yaml-vulnerability
branch
3 times, most recently
from
April 29, 2026 18:00
5561ee0 to
b81b09a
Compare
renovate
Bot
force-pushed
the
renovate/npm-js-yaml-vulnerability
branch
from
May 12, 2026 13:52
b81b09a to
e91c870
Compare
renovate
Bot
force-pushed
the
renovate/npm-js-yaml-vulnerability
branch
2 times, most recently
from
May 19, 2026 23:06
55a1bed to
d482210
Compare
renovate
Bot
force-pushed
the
renovate/npm-js-yaml-vulnerability
branch
2 times, most recently
from
June 2, 2026 00:31
3a4ec06 to
06dc43c
Compare
renovate
Bot
force-pushed
the
renovate/npm-js-yaml-vulnerability
branch
from
June 11, 2026 22:02
06dc43c to
7d9a747
Compare
renovate
Bot
force-pushed
the
renovate/npm-js-yaml-vulnerability
branch
from
July 12, 2026 14:51
7d9a747 to
9147ef7
Compare
renovate
Bot
force-pushed
the
renovate/npm-js-yaml-vulnerability
branch
from
July 16, 2026 18:54
9147ef7 to
7a8d4cb
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
4.1.0→4.1.1js-yaml has prototype pollution in merge (<<)
CVE-2025-64718 / GHSA-mh29-5h37-fv8m
More information
Details
Impact
In js-yaml 4.1.0, 4.0.0, and 3.14.1 and below, it's possible for an attacker to modify the prototype of the result of a parsed yaml document via prototype pollution (
__proto__). All users who parse untrusted yaml documents may be impacted.Patches
Problem is patched in js-yaml 4.1.1 and 3.14.2.
Workarounds
You can protect against this kind of attack on the server by using
node --disable-proto=deleteordeno(in Deno, pollution protection is on by default).References
https://cheatsheetseries.owasp.org/cheatsheets/Prototype_Pollution_Prevention_Cheat_Sheet.html
Severity
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:NReferences
This data is provided by the GitHub Advisory Database (CC-BY 4.0).
Release Notes
nodeca/js-yaml (js-yaml)
v4.1.1Compare Source
Security
Configuration
📅 Schedule: (UTC)
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.