Skip to content

fix: patch js-yaml DoS (GHSA-h67p-54hq-rp68)#300

Open
sriramveeraghanta wants to merge 1 commit into
masterfrom
fix/js-yaml-dos-GHSA-h67p-54hq-rp68
Open

fix: patch js-yaml DoS (GHSA-h67p-54hq-rp68)#300
sriramveeraghanta wants to merge 1 commit into
masterfrom
fix/js-yaml-dos-GHSA-h67p-54hq-rp68

Conversation

@sriramveeraghanta

@sriramveeraghanta sriramveeraghanta commented Jul 15, 2026

Copy link
Copy Markdown
Member

Summary

Resolves the single open Dependabot alert — #32, GHSA-h67p-54hq-rp68 (medium): quadratic-complexity DoS in js-yaml via repeated aliases in merge-key handling.

js-yaml@3.14.2 reaches us transitively:

vitepress-plugin-llms → gray-matter@4.0.3 → js-yaml@3.14.2

Changes

  • pnpm-workspace.yaml — add override js-yaml: 3.15.0 (the official 3.x patch, npm's v3-legacy dist-tag and the advisory's first-patched version for the < 3.15.0 range). gray-matter requires js-yaml ^3.13.1, so 3.15.0 stays in range and is API-compatible (safeLoad/safeDump intact — it's a security backport, deps unchanged).
  • pnpm-workspace.yaml — remove the auditConfig.ignoreGhsas suppression for this advisory. Its comment claimed the 3.x line "cannot be patched" and the fix only landed in >= 4.2.0; that was outdated — 3.15.0 patches the 3.x line, so the alert is now genuinely fixed rather than muted.
  • pnpm-lock.yaml — regenerated (js-yaml 3.14.2 → 3.15.0, no other changes).

Verification

  • pnpm auditNo known vulnerabilities found
  • pnpm buildbuild complete (exercises js-yaml via build-time frontmatter parsing)
  • pnpm check:formatAll matched files use Prettier code style

Summary by CodeRabbit

  • Chores
    • Pinned js-yaml to version 3.15.0 to address a known security advisory.
    • Removed the corresponding audit exclusion so the vulnerability is no longer ignored.

Force js-yaml to 3.15.0 (the official 3.x patch for the quadratic-complexity
DoS in merge-key alias handling) via a pnpm override. It reaches us through
gray-matter@4.0.3 -> vitepress-plugin-llms; gray-matter requires js-yaml
^3.13.1, so 3.15.0 stays in range and is API-compatible.

Also drop the auditConfig.ignoreGhsas suppression for this advisory, which was
based on the now-outdated assumption that the 3.x line could not be patched.
@vercel

vercel Bot commented Jul 15, 2026

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
developer-docs Ready Ready Preview, Comment Jul 15, 2026 8:13pm

Request Review

@coderabbitai

coderabbitai Bot commented Jul 15, 2026

Copy link
Copy Markdown

Review Change Stack

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 4f9970e8-30c5-409a-affc-92576bccdba3

📥 Commits

Reviewing files that changed from the base of the PR and between 3d38671 and 1622ffe.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (1)
  • pnpm-workspace.yaml

📝 Walkthrough

Walkthrough

The workspace configuration pins js-yaml to version 3.15.0, removes the corresponding audit advisory ignore rule, and retains the vitepress peer dependency restriction.

Changes

Dependency audit configuration

Layer / File(s) Summary
Workspace security configuration
pnpm-workspace.yaml
Adds the js-yaml override, removes the matching GHSA-h67p-54hq-rp68 audit ignore entry, and retains the vitepress peer dependency restriction.

Estimated code review effort: 2 (Simple) | ~5 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly matches the main change: patching js-yaml to fix the GHSA-h67p-54hq-rp68 DoS vulnerability.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch fix/js-yaml-dos-GHSA-h67p-54hq-rp68

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant