Skip to content

fix(package.json): pin js-yaml >=3.15.0 to resolve moderate vuln (#92)#93

Merged
luojiyin1987 merged 1 commit into
masterfrom
chore/fix-js-yaml-vuln
Jul 10, 2026
Merged

fix(package.json): pin js-yaml >=3.15.0 to resolve moderate vuln (#92)#93
luojiyin1987 merged 1 commit into
masterfrom
chore/fix-js-yaml-vuln

Conversation

@luojiyin1987

Copy link
Copy Markdown
Contributor

关联

Closes #92

问题

`npm audit` 在 devDependencies 传递链 `@istanbuljs/load-nyc-config -> js-yaml@<3.15.0` 检出 1 个 moderate 漏洞(GHSA-h67p-54hq-rp68,merge key 二次复杂度 DoS)。该依赖位于测试/覆盖率工具链,不进入生产 CLI。

修复

在 `package.json` 增加 npm `overrides` 将 `js-yaml` 固定到 `^3.15.0`:

  • `npm audit fix` 已把磁盘上的解析版本从 `3.14.2` 升到 `3.15.0`;
  • 选 `overrides` 而非仅依赖 lockfile:本仓库 `package-lock.json` 被 gitignore,lockfile 改动无法入库,override 写入受版本管理的 `package.json`,对全新 `npm install` 也持久生效;
  • 未使用 `npm audit fix --force`,避免无审查的破坏性主版本升级。

验证

  • `npm audit` → `found 0 vulnerabilities`
  • `npm test` → 11 suites / 106 tests 全过
  • `npm run lint` → 通过

提交拆分(单关注点)

@luojiyin1987 luojiyin1987 force-pushed the chore/fix-js-yaml-vuln branch from ab7a647 to 22c5059 Compare July 10, 2026 10:47
@luojiyin1987 luojiyin1987 merged commit 71d1707 into master Jul 10, 2026
5 checks passed
@luojiyin1987 luojiyin1987 deleted the chore/fix-js-yaml-vuln branch July 10, 2026 10:48
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

[chore] 升级传递依赖 js-yaml 至 >=3.15.0 消除 moderate 漏洞

1 participant