🚨 [security] Update js-yaml 3.14.1 → 4.1.1 (major)

[depfu]

---

🚨 Your current dependencies have known security vulnerabilities 🚨

This dependency update fixes known security vulnerabilities. Please see the details below and assess their impact carefully. We recommend to merge and deploy this as soon as possible!

---

Here is everything you need to know about this upgrade. Please take a good look at what changed and the test results before merging this pull request.

What changed?

✳️ js-yaml (3.14.1 → 4.1.1) · Repo · Changelog

Security Advisories 🚨

🚨 js-yaml has prototype pollution in merge (<<)

Impact

In js-yaml 4.1.0 and below, it's possible for an attacker to modify the prototype of the result of a parsed yaml document via prototype pollution (__proto__). All users who parse untrusted yaml documents may be impacted.

Patches

Problem is patched in js-yaml 4.1.1.

Workarounds

You can protect against this kind of attack on the server by using node --disable-proto=delete or deno (in Deno, pollution protection is on by default).

References

https://cheatsheetseries.owasp.org/cheatsheets/Prototype_Pollution_Prevention_Cheat_Sheet.html

Release Notes

4.1.1 (from changelog)

Security

• Fix prototype pollution issue in yaml merge (<<) operator.

4.1.0 (from changelog)

Added

• Types are now exported as yaml.types.XXX.
• Every type now has options property with original arguments kept as they were (see yaml.types.int.options as an example).

Changed

• Schema.extend() now keeps old type order in case of conflicts (e.g. Schema.extend([ a, b, c ]).extend([ b, a, d ]) is now ordered as abcd instead of cbad).

4.0.0 (from changelog)

Changed

• Check migration guide to see details for all breaking changes.
• Breaking: "unsafe" tags !!js/function, !!js/regexp, !!js/undefined are moved to js-yaml-js-types package.
• Breaking: removed safe* functions. Use load, loadAll, dump instead which are all now safe by default.
• yaml.DEFAULT_SAFE_SCHEMA and yaml.DEFAULT_FULL_SCHEMA are removed, use yaml.DEFAULT_SCHEMA instead.
• yaml.Schema.create(schema, tags) is removed, use schema.extend(tags) instead.
• !!binary now always mapped to Uint8Array on load.
• Reduced nesting of /lib folder.
• Parse numbers according to YAML 1.2 instead of YAML 1.1 (01234 is now decimal, 0o1234 is octal, 1:23 is parsed as string instead of base60).
• dump() no longer quotes :, [, ], (, ) except when necessary, #470, #557.
• Line and column in exceptions are now formatted as (X:Y) instead of at line X, column Y (also present in compact format), #332.
• Code snippet created in exceptions now contains multiple lines with line numbers.
• dump() now serializes undefined as null in collections and removes keys with undefined in mappings, #571.
• dump() with skipInvalid=true now serializes invalid items in collections as null.
• Custom tags starting with ! are now dumped as !tag instead of !<!tag>, #576.
• Custom tags starting with tag:yaml.org,2002: are now shorthanded using !!, #258.

Added

• Added .mjs (es modules) support.
• Added quotingType and forceQuotes options for dumper to configure string literal style, #290, #529.
• Added styles: { '!!null': 'empty' } option for dumper (serializes { foo: null } as "foo: "), #570.
• Added replacer option (similar to option in JSON.stringify), #339.
• Custom Tag can now handle all tags or multiple tags with the same prefix, #385.

Fixed

• Astral characters are no longer encoded by dump(), #587.
• "duplicate mapping key" exception now points at the correct column, #452.
• Extra commas in flow collections (e.g. [foo,,bar]) now throw an exception instead of producing null, #321.
• __proto__ key no longer overrides object prototype, #164.
• Removed bower.json.
• Tags are now url-decoded in load() and url-encoded in dump() (previously usage of custom non-ascii tags may have led to invalid YAML that can't be parsed).
• Anchors now work correctly with empty nodes, #301.
• Fix incorrect parsing of invalid block mapping syntax, #418.
• Throw an error if block sequence/mapping indent contains a tab, #80.

Does any of this look wrong? Please let us know.

Commits

See the full diff on Github. The new version differs by more commits than we can show here.

✳️ @​babel/plugin-transform-modules-commonjs (7.18.6 → 7.27.1) · Repo · Changelog

Release Notes

Too many releases to show here. View the full release notes.

Commits

See the full diff on Github. The new version differs by 63 commits:

• v7.27.1
• Bumped picocolors to 1.1.1 (#17279)
• Rebuild Makefile.mjs (#17275)
• Allow `using of` as lexical declaration within for (#17254)
• fix invalid gulp watch usage (#17273)
• Update actions/checkout action to v4 (#17269)
• [babel 8] Remove unnecessary CJS ESM wrapper (#17261)
• Remove unused `regenerator-runtime` dep in `@babel/runtime` (#17263)
• [babel 8] Drop CJS support from `@babel/parser` (#17265)
• Update Yarn to 4.9.1 (#17266)
• Update fixture (#17264)
• Update fixture
• fix: do expressions should allow early exit (#17137)
• Include Babel 8 in coverage report (#17260)
• Ignore browser-only files in coverage reports (#17262)
• Update test262 (#17259)
• Fix: propagate argument evaluation errors through async promise chain (#17251)
• Tune plugin compat data (#17256)
• chore: bump compat-data sources (#17253)
• [Babel 8] perf: Improve traverse performance (#16965)
• Update error stack test (#17252)
• Update test262 (#17248)
• [Babel 8]: Remove record and tuple syntax support (#17242)
• Update `jest-light-runner` to v0.7.0 (#17245)
• Fix build script on Windows (#17244)
• fix `apply()`/`call()` annotated as pure (#17231)
• Reduce `interopRequireWildcard` size (#16538)
• Fill optional AST properties when both estree and typescript parser plugin are enabled (Part 3) (#17235)
• Create ChainExpression within TSInstantiationExpression (#17233)
• Stricter TSImportType options parsing (#17193)
• migrate babel-compat-data build script to mjs (#17236)
• Update test262 (#17234)
• Bump typescript-eslint to 8.29.1 (#17232)
• Disallow get/set in TSPropertySignature (#17230)
• Use `class` and add type definitions for `regenerator` (#17220)
• Fill optional AST properties when both estree and typescript parser plugin are enabled (Part 2) (#17226)
• Fill optional AST properties when both estree and typescript parser plugin are enabled (Part 1) (#17224)
• Update firefox bugfix compat data (#17228)
• Migrate `@babel/register` to cts (#16844)
• test: add basic typescript-eslint integration tests (#17219)
• Harden variable declarator validations (#17217)
• Reduce generated names size for the 10th-11th (#17221)
• fix: Objects and arrays with multiple references should not be evaluated (#17156)
• Reduce `regeneratorRuntime` size (#17213)
• build(deps): bump @babel/helpers from 7.24.4 to 7.27.0 (#17218)
• Enforce node protocol import (#17207)
• Use esm for makefile js (#17214)
• add require-esm babel-register test (#17206)
• Fix: support const type parameter in generator (#17216)
• Babel 8 cleanup (#17211)
• Run tests imported from regenerator (#17205)
• Use imported regenerator transform files (#17205)
• Re-convert regeneratorRuntime to helper format (#17205)
• Delete remaining original regenerator files (#17205)
• Move regenerator files to the relevant packages (#17205)
• Remove bundled regeneratorRuntime helper (#17205)
• Prepare LICENSE files for incorporating regenerator (#17205)
• Merge remote-tracking branch 'regenerator/main'
• Update test262 (#17208)
• Fix start of TSParameterProperty (#17080)
• [Babel 8] Bump nodejs requirements to `^20.19.0 || >= 22.12.0` (#17204)
• [babel 8] Deprecate uppercase builders (#17133)
• Add v7.27.0 to CHANGELOG.md [skip ci]

---

Depfu will automatically keep this PR conflict-free, as long as you don't add any commits to this branch yourself. You can also trigger a rebase manually by commenting with @depfu rebase.

All Depfu comment commands

@​depfu rebase

Rebases against your default branch and redoes this update

@​depfu recreate

Recreates this PR, overwriting any edits that you've made to it

@​depfu merge

Merges this PR once your tests are passing and conflicts are resolved

@​depfu cancel merge

Cancels automatic merging of this PR

@​depfu close

Closes this PR and deletes the branch

@​depfu reopen

Restores the branch and reopens this PR (if it's closed)

@​depfu pause

Ignores all future updates for this dependency and closes this PR

@​depfu pause [minor|major]

Ignores all future minor/major updates for this dependency and closes this PR

@​depfu resume

Future versions of this dependency will create PRs again (leaves this PR as is)