security(skeleton): add js-yaml 4.1.1 override for standalone installs

lcharette · Copilot · lcharette · commit 592b29153e6b · 2026-05-27T22:57:50.000-04:00
Add npm `overrides` to packages/skeleton/package.json so that users who install skeleton as a standalone project (outside the monorepo) also get js-yaml@4.1.1 instead of the vulnerable 4.1.0 pinned by @modyfi/vite-plugin-yaml (GHSA-mh29-5h37-fv8m). Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -8,6 +8,11 @@ and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.
 > [!TIP]
 > This file contains the changelog of the Skeleton itself. You should replace it with your own Changelog!
 
+## [Unreleased]
+
+### Security
+- Force `js-yaml` to `4.1.1` via npm `overrides` to fix prototype pollution vulnerability in merge (`<<`) operator ([GHSA-mh29-5h37-fv8m](https://github.com/advisories/GHSA-mh29-5h37-fv8m)) introduced transitively via `@modyfi/vite-plugin-yaml`.
+
 ## [6.0.0-rc.3] - 2026-05-16
 
 ### Fixed
diff --git a/package.json b/package.json
@@ -63,5 +63,10 @@
         "lint": "eslint app/assets/ --fix",
         "format": "prettier --write app/assets/",
         "format-dry-run": "prettier --check app/assets/"
+    },
+    "overrides": {
+        "@modyfi/vite-plugin-yaml": {
+            "js-yaml": "4.1.1"
+        }
     }
 }

Original file line number	Diff line number	Diff line change
`@@ -63,5 +63,10 @@`
`63`	`63`	`"lint": "eslint app/assets/ --fix",`
`64`	`64`	`"format": "prettier --write app/assets/",`
`65`	`65`	`"format-dry-run": "prettier --check app/assets/"`
	`66`	`+ },`
	`67`	`+ "overrides": {`
	`68`	`+ "@modyfi/vite-plugin-yaml": {`
	`69`	`+ "js-yaml": "4.1.1"`
	`70`	`+ }`
`66`	`71`	`}`
`67`	`72`	`}`