fix: patch js-yaml DoS (GHSA-h67p-54hq-rp68)#300
Open
sriramveeraghanta wants to merge 1 commit into
Open
Conversation
Force js-yaml to 3.15.0 (the official 3.x patch for the quadratic-complexity DoS in merge-key alias handling) via a pnpm override. It reaches us through gray-matter@4.0.3 -> vitepress-plugin-llms; gray-matter requires js-yaml ^3.13.1, so 3.15.0 stays in range and is API-compatible. Also drop the auditConfig.ignoreGhsas suppression for this advisory, which was based on the now-outdated assumption that the 3.x line could not be patched.
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
|
No actionable comments were generated in the recent review. 🎉 ℹ️ Recent review info⚙️ Run configurationConfiguration used: defaults Review profile: CHILL Plan: Pro Run ID: ⛔ Files ignored due to path filters (1)
📒 Files selected for processing (1)
📝 WalkthroughWalkthroughThe workspace configuration pins ChangesDependency audit configuration
Estimated code review effort: 2 (Simple) | ~5 minutes 🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Resolves the single open Dependabot alert — #32, GHSA-h67p-54hq-rp68 (medium): quadratic-complexity DoS in
js-yamlvia repeated aliases in merge-key handling.js-yaml@3.14.2reaches us transitively:Changes
pnpm-workspace.yaml— add overridejs-yaml: 3.15.0(the official 3.x patch, npm'sv3-legacydist-tag and the advisory's first-patched version for the< 3.15.0range).gray-matterrequiresjs-yaml ^3.13.1, so3.15.0stays in range and is API-compatible (safeLoad/safeDumpintact — it's a security backport, deps unchanged).pnpm-workspace.yaml— remove theauditConfig.ignoreGhsassuppression for this advisory. Its comment claimed the 3.x line "cannot be patched" and the fix only landed in>= 4.2.0; that was outdated —3.15.0patches the 3.x line, so the alert is now genuinely fixed rather than muted.pnpm-lock.yaml— regenerated (js-yaml 3.14.2 → 3.15.0, no other changes).Verification
pnpm audit→ No known vulnerabilities foundpnpm build→ build complete (exercises js-yaml via build-time frontmatter parsing)pnpm check:format→ All matched files use Prettier code styleSummary by CodeRabbit
js-yamlto version 3.15.0 to address a known security advisory.