build(deps-dev): bump js-yaml from 4.1.1 to 4.3.0 #889

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/npm_and_yarn/js-yaml-4.3.0

Conversation

dependabot Bot commented on behalf of github Jun 30, 2026

Contributor

Bumps js-yaml from 4.1.1 to 4.3.0.

Changelog

Sourced from js-yaml's changelog.

4.3.0, 3.15.0 - 2026-06-27

Security

  • Backported maxTotalMergeKeys option.

[5.2.0] - 2026-06-26

Added

  • Added maxTotalMergeKeys (10000) loader option to limit the total number of keys processed by YAML merge (<<) across one load() / loadAll() call.
  • Added maxAliases (-1) loader option to limit the number of YAML aliases per document.

Removed

  • maxMergeSeqLength replaced with maxTotalMergeKeys for limiting YAML merge processing.

Fixed

  • Round-trip of integers with exponential form (>= 1e21)

[5.1.0] - 2026-06-23

Added

  • Collection tags can finalize an incrementally populated carrier into a different result value.

Changed

  • [breaking] quoteStyle now selects the preferred quote style; use the restored forceQuotes option to force quoting non-key strings.

[5.0.0] - 2026-06-20

Added

  • Added named exports for schemas, tags, parser events and AST utilities.
  • Reworked JSON_SCHEMA and CORE_SCHEMA with spec-compliant scalar resolution rules, and added YAML11_SCHEMA.
  • Added realMapTag for lossless mappings with non-string and complex keys. Object-based mappings now reject complex keys instead of stringifying them.
  • Added dump() transform option for changing the generated AST before rendering.
  • Added dump() options seqInlineFirst, flowBracketPadding, flowSkipCommaSpace, flowSkipColonSpace, quoteFlowKeys, quoteStyle and tagBeforeAnchor.
  • Added formal data layers (events and AST) for modular data pipelines.
    • Added low-level parser (to events), presenter and visitor APIs.
  • Added the YAML Test Suite to the test set.

Changed

  • See the migration guide for upgrade notes.
  • Rewritten in TypeScript and reorganized the public API around flat named exports.

... (truncated)

Commits
  • 33d05b5 4.3.0 released
  • 663bfab Drop demo publish, to not override new v5 one.
  • 1cb8c7b Add v4-legacy tag for publish
  • 02f27af Restore umd builds back to es5
  • 8be84ed Fix es5 compatibility
  • 59423c6 Replace maxMergeSeqLength option with maxTotalMergeKeys (more robust). Ba...
  • 6842ef6 doc polish
  • 590dbab 4.2.0 released
  • f944dc5 Add package.json funding field
  • f692719 Changelog update
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps [js-yaml](https://github.com/nodeca/js-yaml) from 4.1.1 to 4.3.0.
- [Changelog](https://github.com/nodeca/js-yaml/blob/master/CHANGELOG.md)
- [Commits](nodeca/js-yaml@4.1.1...4.3.0)

---
updated-dependencies:
- dependency-name: js-yaml
  dependency-version: 4.3.0
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot Bot added the labels dependencies (Pull requests that update a dependency file) and javascript (Pull requests that update javascript code) on Jun 30, 2026

@davidicus davidicus left a comment

Contributor

@dependabot squash and merge

netlify Bot commented Jun 30, 2026

Deploy Preview for phillips-seldon ready!

  • Latest commit: 3db6606
  • Latest deploy log: https://app.netlify.com/projects/phillips-seldon/deploys/6a440254beccdd0009f360b1
  • Deploy Preview: https://deploy-preview-889--phillips-seldon.netlify.app

To edit notification comments on pull requests, go to your Netlify project configuration.

chromatic-com Bot commented Jun 30, 2026

Important

Testing in progress…

🟢 UI Tests: 464 tests unchanged
UI Review: Comparing 232 stories…
Storybook Publish: 232 stories published

chromatic-com Bot commented Jun 30, 2026

Tip

All tests passed and all changes approved!

🟢 UI Tests: 464 tests unchanged
🟢 UI Review: 232 stories published -- no changes
Storybook Publish: 232 stories published

github-actions Bot commented

Contributor

Dependency Upgrade Risk Assessment: js-yaml 4.1.1 → 4.3.0

Risk Rating: 🟢 LOW


What is js-yaml?

js-yaml is a JavaScript YAML parser and serializer. It converts YAML text into JavaScript objects (and vice versa), and is widely used in the Node.js ecosystem as a dependency of build tools, linters, and config parsers — including tools like ESLint, Storybook, and semantic-release.

How it's used in this codebase

js-yaml is not a direct dependency of the seldon package — it does not appear in package.json. It is a transitive dev dependency, pulled in by one or more build/toolchain packages (likely ESLint, Storybook, markdownlint-cli, or semantic-release, all of which parse YAML internally). It is not shipped in the production component library bundle and has no impact on consumers of @phillips/seldon.

What changed between 4.1.1 and 4.3.0

4.2.0:

  • Added maxDepth loader option (default: 100) to prevent stack overflows on deeply nested YAML — additive, backward-compatible
  • Behavior change: Numbers written with underscores (e.g. 1_000) no longer resolve as numeric scalars — this is a parsing behavior change, though it only affects YAML files that use underscore-separated numbers, which is uncommon in typical tooling configs
  • Security fix: addressed quadratic complexity in YAML merge (<<) operations
  • Various parser correctness improvements (block mapping keys, flow scalar whitespace, number round-trips)

4.3.0:

  • Backported maxTotalMergeKeys option from v5 — limits total keys processed by YAML merge across a single load() call; purely additive

Why LOW risk

  1. Dev-only, transitive dependency. It is never included in the published component library. Any regression would be limited to breaking the local build toolchain, not production consumers.
  2. Same major version (v4). No API-level breaking changes were introduced between 4.1.1 and 4.3.0.
  3. Dependabot compatibility score. GitHub's Dependabot compatibility score for this specific bump is shown in the PR body, reflecting a high confidence in compatibility.
  4. Nature of changes. The changes are primarily security hardening and parser correctness fixes, with one minor parsing behavior change (underscore numbers in YAML scalars) that is unlikely to affect any config files used in this repo.
  5. Limited blast radius. Even if a regression occurs, it would surface immediately during npm run build, npm run lint, or npm run test — not silently.

Regression Tests

Before merging, please confirm the following:

  • Run the full build: npm run build completes without errors and the dist/ output is generated correctly
  • Run the linter: npm run lint passes (ESLint + Stylelint + markdownlint) with no new warnings or errors
  • Run the test suite: npm run test:all passes (unit and Storybook tests)
  • Run Storybook build: npm run build:storybook completes without errors (Storybook uses its own YAML processing internally)
  • Run the type check: tsc --noEmit passes with no new TypeScript errors
  • Verify CI passes — all PR checks (lint, typecheck, unit tests, Chromatic) are green after this bump

These cover every pipeline that could be broken by a YAML-parsing regression in a dev dependency.


Generated by Claude Code
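The changelog entries above (maxDepth in 4.2.0, maxTotalMergeKeys backported in 4.3.0, maxAliases in the 5.x line) all bound how much structure the loader will expand from one document. The following is an added example, not code from this PR, the seldon repository or the js-yaml project: a dependency-free pre-parse gate that counts the same features (nesting depth, merge keys, aliases, anchors) with a line scanner before a document from an untrusted source is handed to js-yaml's load(). The function names, the constructed sample config and the maxAliases value of 1000 are assumptions of this example; the maxDepth and maxTotalMergeKeys thresholds reuse the defaults the changelog names. It is a heuristic scanner, not a YAML parser, so its counts are an upper bound rather than an exact model of the loader.

```javascript
// Added example (not from the PR or js-yaml): a pre-parse gate that bounds the
// structural features the 4.2.0/4.3.0 loader options exist to limit, so an
// oversized document is rejected before load() ever sees it.

const DEFAULT_LIMITS = Object.freeze({
  maxDepth: 100,            // same value as the js-yaml 4.2.0 maxDepth default in the changelog
  maxTotalMergeKeys: 10000, // same value as the js-yaml 4.3.0 maxTotalMergeKeys default
  maxAliases: 1000,         // assumed local policy; the changelog lists maxAliases only for 5.2.0 (-1 = unlimited)
});

// Blank out quoted scalars and drop trailing comments so '*', '<<' and brackets
// inside strings or comments are not counted as structure.
function stripQuotesAndComments(line) {
  const noQuotes = line.replace(/"(?:[^"\\]|\\.)*"|'(?:[^']|'')*'/g, '""');
  const hash = noQuotes.search(/(^|\s)#/);
  return hash === -1 ? noQuotes : noQuotes.slice(0, hash);
}

// Scan one YAML document and count nesting depth, merge keys, aliases and anchors.
// Returns the counts plus a list of limit violations (empty when the document passes).
function assessYaml(text, limits = DEFAULT_LIMITS) {
  const indentStack = []; // indentation of each open block level
  let flowDepth = 0;      // unclosed [ and { (flow collections may span lines)
  let maxDepth = 0;
  let mergeKeys = 0;
  let aliases = 0;
  let anchors = 0;

  for (const raw of text.split(/\r?\n/)) {
    const line = stripQuotesAndComments(raw);
    const trimmed = line.trim();
    if (trimmed === '' || trimmed === '---' || trimmed === '...') continue;

    // Block nesting from indentation: deeper indent opens a level, shallower closes.
    const indent = line.match(/^ */)[0].length;
    while (indentStack.length && indent < indentStack[indentStack.length - 1]) indentStack.pop();
    if (!indentStack.length || indent > indentStack[indentStack.length - 1]) indentStack.push(indent);

    // Flow nesting from brackets, tracking the peak reached inside the line.
    for (const ch of line) {
      if (ch === '[' || ch === '{') flowDepth += 1;
      else if (ch === ']' || ch === '}') flowDepth = Math.max(0, flowDepth - 1);
      maxDepth = Math.max(maxDepth, indentStack.length + flowDepth);
    }
    maxDepth = Math.max(maxDepth, indentStack.length + flowDepth);

    mergeKeys += (line.match(/(?:^|[\s{,])<<\s*:/g) || []).length;
    aliases += (line.match(/(?:^|[\s,[{:])\*[^\s,\]}]+/g) || []).length;
    anchors += (line.match(/(?:^|[\s,[{:])&[^\s,\]}]+/g) || []).length;
  }

  const violations = [];
  if (maxDepth > limits.maxDepth) violations.push(`nesting depth ${maxDepth} exceeds maxDepth ${limits.maxDepth}`);
  if (mergeKeys > limits.maxTotalMergeKeys) violations.push(`${mergeKeys} merge keys exceed maxTotalMergeKeys ${limits.maxTotalMergeKeys}`);
  if (limits.maxAliases >= 0 && aliases > limits.maxAliases) violations.push(`${aliases} aliases exceed maxAliases ${limits.maxAliases}`);
  return { maxDepth, mergeKeys, aliases, anchors, violations };
}

// Constructed sample config (not from the repository) exercising anchors, merge
// keys, aliases, a flow collection, and a '#' inside quotes that is not a comment.
const SAMPLE_CONFIG = `
defaults: &defaults
  timeout: 30   # seconds
  retries: 3
queue: &primary jobs
services:
  api:
    <<: *defaults
    url: "http://example.invalid/api#fragment"
  worker:
    <<: *defaults
    queues: [*primary, {name: batch, priority: 1}]
`;

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(assessYaml(SAMPLE_CONFIG), null, 2));
  // Tight limits show the same document being rejected by the gate.
  console.log(assessYaml(SAMPLE_CONFIG, { maxDepth: 3, maxTotalMergeKeys: 1, maxAliases: 2 }).violations);
}
```

The gate complements rather than replaces the loader options: on 4.3.0 the options the changelog names (maxDepth, maxTotalMergeKeys) should still be passed to load() for YAML that comes from outside the repository, and the scanner only gives an early, cheap rejection. Before relying on the assessment's "likely ESLint, Storybook, ..." guess about where js-yaml comes from, `npm ls js-yaml` in the repository lists every package that resolves it and the version each one gets, which is the check that confirms the transitive, dev-only claim.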

Labels: dependencies, dependency-upgrade-risk:low, javascript