
Update js-yaml to 4.1.1 (security fix)#164

Draft
brynary wants to merge 1 commit into main from security/update-js-yaml

Conversation

@brynary
Member

@brynary brynary commented Nov 29, 2025

Summary

Updates js-yaml from 4.1.0 to 4.1.1 to patch a security vulnerability.

Security Details

  • CVE: CVE-2025-64718
  • GHSA: GHSA-mh29-5h37-fv8m
  • Severity: Moderate (CVSS 5.3)
  • Vulnerability: Prototype pollution via the YAML merge operator
  • Dependency Path: eslint -> @eslint/eslintrc -> js-yaml

Changes

  • Updated js-yaml version in .qlty/configs/package-lock.json

Test Plan

  • Verify CI passes
  • Confirm no breaking changes to linting configuration

🤖 Generated with Claude Code

Patches CVE-2025-64718 (GHSA-mh29-5h37-fv8m), a prototype pollution
vulnerability via the YAML merge operator.

- Severity: Moderate (CVSS 5.3)
- js-yaml is a transitive dependency of @eslint/eslintrc used by eslint

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
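A practitioner pulling this fix usually wants to confirm that no copy of js-yaml in the lockfile is still below 4.1.1, including copies nested under other packages such as @eslint/eslintrc. The following is an added example, not code from this PR or the qlty project; it assumes an npm lockfileVersion 2 or 3 layout (a "packages" map keyed by install path) and uses a constructed sample lockfile.

```javascript
// Added example, not code from the PR: audit a package-lock.json for js-yaml
// copies older than the fixed 4.1.1 release. Assumes lockfileVersion 2 or 3,
// where "packages" maps "node_modules/..." install paths to {version}.
const PACKAGE = "js-yaml";
const FIXED_VERSION = "4.1.1";

// Numeric dotted-version compare: negative if a < b, 0 if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// List every js-yaml entry (hoisted or nested under another package) with its
// install path and whether it is at or above the fixed version.
function auditLock(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (!path.endsWith("node_modules/" + PACKAGE)) continue;
    findings.push({
      path,
      version: meta.version,
      fixed: compareVersions(meta.version, FIXED_VERSION) >= 0,
    });
  }
  return findings;
}

// Constructed sample lockfile: the hoisted copy is already 4.1.1, but a nested
// copy under @eslint/eslintrc (the dependency path named in the PR) is still 4.1.0.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "sample-project" },
    "node_modules/js-yaml": { version: "4.1.1" },
    "node_modules/@eslint/eslintrc": { version: "0.0.0-sample" },
    "node_modules/@eslint/eslintrc/node_modules/js-yaml": { version: "4.1.0" },
  },
};

for (const f of auditLock(SAMPLE_LOCK)) {
  console.log(`${f.fixed ? "ok        " : "VULNERABLE"} ${f.path}@${f.version}`);
}
```

Pre-release suffixes are not handled by the comparison, and a lockfileVersion 1 file nests entries under "dependencies" instead of "packages", so it is not covered by this check.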
Copilot AI review requested due to automatic review settings November 29, 2025 03:27
@qltysh
Contributor

qltysh Bot commented Nov 29, 2025

Diff Coverage: Not applicable. There was no coverage data reported for the files in this diff.

Total Coverage: This PR will not change total coverage.


Contributor

Copilot AI left a comment


Copilot wasn't able to review any files in this pull request.

Files not reviewed (1)
  • .qlty/configs/package-lock.json: Language not supported




2 participants