Skip to content

Bump yaml from 2.5.0 to 2.8.3#56231

Closed
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/yaml-2.8.3
Closed

Bump yaml from 2.5.0 to 2.8.3#56231
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/yaml-2.8.3

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Mar 26, 2026
edited
Loading

Copy link
Copy Markdown

Bumps yaml from 2.5.0 to 2.8.3.

Release notes

Sourced from yaml's releases.

v2.8.3

  • Add trailingComma ToString option for multiline flow formatting (#670)
  • Catch stack overflow during node composition (1e84ebb)

v2.8.2

  • Serialize -0 as -0 (#638)
  • Do not double newlines for empty map values (#642)

v2.8.1

  • Preserve empty block literals (#634)

v2.8.0

  • Add node cache for faster alias resolution (#612)
  • Re-introduce compatibility with Node.js 14.6 (#614)
  • Add --merge option to CLI tool (#611)
  • Improve error for tag resolution error on null value (#616)
  • Allow empty string as plain scalar representation, for failsafe schema (#616)
  • docs: include cli example (#617)

v2.7.1

  • Do not allow seq with single-line collection value on same line with map key (#603)
  • Improve warning & avoid TypeError on bad YAML 1.1 nodes (#610)

v2.7.0

The library is now available on JSR as @​eemeli/yaml and on deno.land/x as yaml. In addition to Node.js and browsers, it should work in Deno, Bun, and Cloudflare Workers.

  • Use .ts extension in all relative imports (#591)
  • Ignore newline after block seq indicator as space before value (#590)
  • Require Node.js 14.18 or later (was 14.6) (#598)

v2.6.1

  • Do not strip :00 seconds from !!timestamp values (#578, with thanks to @​qraynaud)
  • Tighten regexp for JSON !!bool (#587, with thanks to @​vra5107)
  • Default to literal block scalar if folded would overflow (#585)

v2.6.0

  • Use a proper tag for !!merge << keys (#580)
  • Add stringKeys parse option (#581)
  • Stringify a Document as a Document (#576)
  • Add sponsorship by Manifest

v2.5.1

  • Include range in flow sequence pair maps (#573)
Commits
  • ce14587 2.8.3
  • 1e84ebb fix: Catch stack overflow during node composition
  • 6b24090 ci: Include Prettier check in lint action
  • 9424dee chore: Refresh lockfile
  • d1aca82 Add trailingComma ToString option for multiline flow formatting (#670)
  • 4321509 ci: Drop the branch filter from GitHub PR actions
  • 47207d0 chore: Update docs-slate
  • 5212fae chore: Update docs-slate
  • 086fa6b 2.8.2
  • 95f01e9 chore: Add funding to package.json
  • Additional commits viewable in compare view

Dependabot compatibility score

You can trigger a rebase of this PR by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

Note
Automatic rebases have been disabled on this pull request as it has been open for over 30 days.

@dependabot
Bump yaml from 2.5.0 to 2.8.3
bb23706 
Bumps [yaml](https://github.com/eemeli/yaml) from 2.5.0 to 2.8.3.
- [Release notes](https://github.com/eemeli/yaml/releases)
- [Commits](eemeli/yaml@v2.5.0...v2.8.3)

---
updated-dependencies:
- dependency-name: yaml
  dependency-version: 2.8.3
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file JavaScript labels Mar 26, 2026
@meta-cla meta-cla Bot added the CLA Signed This label is managed by the Facebook bot. Authors need to sign the CLA before a PR can be reviewed. label Mar 26, 2026
@github-actions

github-actions Bot commented Mar 26, 2026

Copy link
Copy Markdown

Warning

Missing Test Plan

Please add a "## Test Plan" section to your PR description. A Test Plan lets us know how these changes were tested.

Caution

Missing Changelog

Please add a Changelog to your PR description. See Changelog format

@github-actions

github-actions Bot commented Apr 29, 2026

Copy link
Copy Markdown

Warning

JavaScript API change detected

This PR commits an update to ReactNativeApi.d.ts, indicating a change to React Native's public JavaScript API.

  • Please include a clear changelog message.
  • This change will be subject to additional review.

This change was flagged as: POTENTIALLY_BREAKING

@meta-codesync meta-codesync Bot mentioned this pull request Jun 4, 2026
Closed
cortinico added a commit to cortinico/react-native that referenced this pull request Jun 4, 2026
@cortinico @facebook-github-bot
Fix security vulnerabilities in transitive dependencies
d326414 
Summary:
Add yarn resolutions and update lockfiles to fix security vulnerabilities in five transitive dependencies:

- `xmldom/xmldom` 0.8.10 → 0.8.13 (CVE-2026-41672, XML injection)
- `fast-xml-parser` 4.5.4 → 4.5.6 (CVE-2026-33349, CVE-2026-33036, entity expansion bypass)
- `yaml` 2.5.0/2.8.1 → 2.9.0 (CVE-2026-33532, stack overflow via deep nesting)
- `fast-uri` 3.0.6 → 3.1.2 (CVE-2026-6322, host confusion; CVE-2026-6321, path traversal)
- `addressable` 2.8.5/2.8.7 → 2.9.0 (CVE-2026-35611, ReDoS)

All bumps are within semver range of their parent constraints and are patch or minor version updates.

- Fixes react#56364
- Fixes react#56365
- Fixes react#56570
- Fixes react#56393
- Fixes react#56231
- Fixes react#56741

Changelog:
[General][Security] - Fix security vulnerabilities in `xmldom/xmldom`, `fast-xml-parser`, `yaml`, `fast-uri`, and `addressable` transitive dependencies

Differential Revision: D107405946
cortinico added a commit to cortinico/react-native that referenced this pull request Jun 4, 2026
@cortinico @meta-codesync
Fix security vulnerabilities in transitive dependencies (react#57066)
e850124 
Summary:
Pull Request resolved: react#57066

Add yarn resolutions and update lockfiles to fix security vulnerabilities in five transitive dependencies:

- `xmldom/xmldom` 0.8.10 → 0.8.13 (CVE-2026-41672, XML injection)
- `fast-xml-parser` 4.5.4 → 4.5.6 (CVE-2026-33349, CVE-2026-33036, entity expansion bypass)
- `yaml` 2.5.0/2.8.1 → 2.9.0 (CVE-2026-33532, stack overflow via deep nesting)
- `fast-uri` 3.0.6 → 3.1.2 (CVE-2026-6322, host confusion; CVE-2026-6321, path traversal)
- `addressable` 2.8.5/2.8.7 → 2.9.0 (CVE-2026-35611, ReDoS)

All bumps are within semver range of their parent constraints and are patch or minor version updates.

- Fixes react#56364
- Fixes react#56365
- Fixes react#56570
- Fixes react#56393
- Fixes react#56231
- Fixes react#56741

Changelog:
[General][Security] - Fix security vulnerabilities in `xmldom/xmldom`, `fast-xml-parser`, `yaml`, `fast-uri`, and `addressable` transitive dependencies

Differential Revision: D107405946
cortinico added a commit to cortinico/react-native that referenced this pull request Jun 4, 2026
@cortinico @meta-codesync
Fix security vulnerabilities in transitive dependencies (react#57066)
6f74489 
Summary:
Pull Request resolved: react#57066

Add yarn resolutions and update lockfiles to fix security vulnerabilities in five transitive dependencies:

- `xmldom/xmldom` 0.8.10 → 0.8.13 (CVE-2026-41672, XML injection)
- `fast-xml-parser` 4.5.4 → 4.5.6 (CVE-2026-33349, CVE-2026-33036, entity expansion bypass)
- `yaml` 2.5.0/2.8.1 → 2.9.0 (CVE-2026-33532, stack overflow via deep nesting)
- `fast-uri` 3.0.6 → 3.1.2 (CVE-2026-6322, host confusion; CVE-2026-6321, path traversal)
- `addressable` 2.8.5/2.8.7 → 2.9.0 (CVE-2026-35611, ReDoS)

All bumps are within semver range of their parent constraints and are patch or minor version updates.

- Fixes react#56364
- Fixes react#56365
- Fixes react#56570
- Fixes react#56393
- Fixes react#56231
- Fixes react#56741

Changelog:
[General][Security] - Fix security vulnerabilities in `xmldom/xmldom`, `fast-xml-parser`, `yaml`, `fast-uri`, and `addressable` transitive dependencies

Differential Revision: D107405946
@meta-codesync meta-codesync Bot closed this in 284035b Jun 4, 2026
@dependabot @github

dependabot Bot commented on behalf of github Jun 4, 2026

Copy link
Copy Markdown
Author

OK, I won't notify you again about this release, but will get in touch when a new version is available. If you'd rather skip all updates until the next major or minor version, let me know by commenting @dependabot ignore this major version or @dependabot ignore this minor version.

If you change your mind, just re-open this PR and I'll resolve any conflicts on it.

@dependabot dependabot Bot deleted the dependabot/npm_and_yarn/yaml-2.8.3 branch June 4, 2026 15:47
@facebook-github-tools facebook-github-tools Bot added the Merged This PR has been merged. label Jun 4, 2026
@meta-codesync

meta-codesync Bot commented Jun 4, 2026

Copy link
Copy Markdown

This pull request has been merged in 284035b.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

CLA Signed This label is managed by the Facebook bot. Authors need to sign the CLA before a PR can be reviewed. dependencies Pull requests that update a dependency file JavaScript Merged This PR has been merged.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

0 participants