
Conversation

@aditi-s3

@aditi-s3 aditi-s3 commented Dec 5, 2025

Title: Address vulnerability issue with js-yaml

Description

Instead of updating to 3.14.2, updated to the latest stable version, 4.1.1.

Checklist

  • My code follows the project's coding standards.
  • I have run linters/formatters and fixed any issues.
  • There are no merge conflicts.
  • I have performed a self-review of my code.
  • All new and existing tests pass locally.
  • I have added license headers to all files.
  • (If applicable) I have added unit tests for my changes.
  • (If applicable) I have updated the sample app for integration testing.
  • (If applicable) I have updated any relevant documentation.

Generative AI usage

  • GAI was not used (or, no additional notation is required)
  • Coder created a draft manually that was non-substantively modified by GAI (e.g., refactoring was performed by GAI on manually written code)
  • GAI was used to create a draft that was subsequently customized or modified
  • Code was generated entirely by GAI

@aditi-s3 aditi-s3 requested a review from a team as a code owner December 5, 2025 22:27
@aditi-s3 aditi-s3 requested review from Copilot and removed request for a team December 5, 2025 22:28

@chatgpt-codex-connector chatgpt-codex-connector bot left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.



Copilot AI left a comment


Pull request overview

This PR addresses a security vulnerability in js-yaml by upgrading all instances from vulnerable versions (3.14.1 and 4.1.0) to the stable version 4.1.1. The update uses Yarn's resolutions field to force consistent versioning across all transitive dependencies in the monorepo workspace.

Key Changes

  • Added resolutions field in root package.json to pin js-yaml to version 4.1.1
  • Updated yarn.lock to reflect the dependency resolution, removing vulnerable js-yaml versions and their outdated dependencies (argparse ^1.0.7, sprintf-js)
  • Consolidated all js-yaml references to use a single pinned version with the updated dependency tree (argparse ^2.0.1)

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated no comments.

File: package.json
Description: Added resolutions field to force js-yaml version 4.1.1 across all workspace packages

File: yarn.lock
Description: Updated dependency tree removing vulnerable js-yaml versions (3.14.1, 4.1.0) and legacy dependencies, consolidating to pinned version 4.1.1 with updated argparse dependency

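The Copilot summary above describes the mechanism (a Yarn `resolutions` entry in the root package.json plus a regenerated yarn.lock) but not how to confirm it actually took effect. The following is an added example, not code from this PR or from the project: a dependency-free Node script that parses a Yarn v1 lockfile, lists every js-yaml entry still resolved below 4.1.1, and checks that the root manifest's resolutions field pins the package. The lockfile and package.json texts are constructed to mirror the before/after state the review describes; the function names and the sample file contents are assumptions, not the repository's real files.

```javascript
// Added example (not from the PR): verify a Yarn v1 "resolutions" pin such as
// js-yaml -> 4.1.1 against the lockfile it is supposed to have rewritten.
// All inputs below are constructed samples, not the project's actual files.

// Parse "MAJOR.MINOR.PATCH" (prerelease/build suffixes are ignored here).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Returns -1, 0 or 1 like a comparator; enough for a "below minimum" check.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Yarn v1 lockfile: an entry starts with an unindented header of one or more
// comma-separated "name@range" specifiers ending in ":", followed by indented
// fields. Collect every entry whose specifiers name pkgName.
function lockEntries(lockText, pkgName) {
  const entries = [];
  let current = null;
  for (const line of lockText.split('\n')) {
    if (/^\S/.test(line) && !line.startsWith('#') && line.trim().endsWith(':')) {
      const specs = line.trim().slice(0, -1).split(',')
        .map(s => s.trim().replace(/^"|"$/g, ''));
      // lastIndexOf keeps scoped names ("@scope/pkg@^1.0.0") intact.
      const names = specs.map(s => s.slice(0, s.lastIndexOf('@')));
      current = names.includes(pkgName) ? { specs, version: null } : null;
      if (current) entries.push(current);
      continue;
    }
    if (current) {
      const m = /^\s+version\s+"([^"]+)"/.exec(line);
      if (m) current.version = m[1];
    }
  }
  return entries;
}

// Entries of pkgName that resolved to a version older than minVersion.
function findVulnerableEntries(lockText, pkgName, minVersion) {
  return lockEntries(lockText, pkgName)
    .filter(e => e.version && compareVersions(e.version, minVersion) < 0);
}

// Yarn v1 applies a bare package name in "resolutions" to every nested copy,
// which is the form the PR review describes.
function resolutionPins(packageJsonText, pkgName, pinnedVersion) {
  const resolutions = JSON.parse(packageJsonText).resolutions || {};
  return resolutions[pkgName] === pinnedVersion;
}

// Constructed "before" state: the two vulnerable lines the review names, with
// their legacy argparse 1.x / sprintf-js subtree.
const LOCK_BEFORE = `# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1


argparse@^1.0.7:
  version "1.0.10"
  dependencies:
    sprintf-js "~1.0.2"

argparse@^2.0.1:
  version "2.0.1"

js-yaml@^3.13.1, js-yaml@^3.14.1:
  version "3.14.1"
  dependencies:
    argparse "^1.0.7"
    esprima "^4.0.0"

js-yaml@^4.1.0:
  version "4.1.0"
  dependencies:
    argparse "^2.0.1"
`;

// Constructed "after" state: every range collapsed onto the single pinned entry.
const LOCK_AFTER = `# yarn lockfile v1

argparse@^2.0.1:
  version "2.0.1"

js-yaml@4.1.1, js-yaml@^3.13.1, js-yaml@^3.14.1, js-yaml@^4.1.0:
  version "4.1.1"
  dependencies:
    argparse "^2.0.1"
`;

const PACKAGE_JSON_BEFORE = JSON.stringify({ name: 'monorepo-root', private: true, workspaces: ['packages/*'] });
const PACKAGE_JSON_AFTER = JSON.stringify({ name: 'monorepo-root', private: true, workspaces: ['packages/*'],
  resolutions: { 'js-yaml': '4.1.1' } });

if (typeof require !== 'undefined' && require.main === module) {
  for (const [label, lock, manifest] of [['before', LOCK_BEFORE, PACKAGE_JSON_BEFORE],
                                          ['after', LOCK_AFTER, PACKAGE_JSON_AFTER]]) {
    const bad = findVulnerableEntries(lock, 'js-yaml', '4.1.1').map(e => e.version);
    console.log(`${label}: pinned=${resolutionPins(manifest, 'js-yaml', '4.1.1')} ` +
                `below-minimum=${bad.length ? bad.join(',') : 'none'}`);
  }
}
```

Run against real files with `fs.readFileSync('yarn.lock', 'utf8')` in place of the constructed strings. One caveat the lockfile check cannot catch: moving the 3.14.x consumers onto 4.1.1 is a major-version jump, and js-yaml 4 removed `safeLoad`/`safeDump` (plain `load`/`dump` became the safe defaults), so any workspace package still calling `yaml.safeLoad` will pass this audit and then throw at runtime. That is exactly why the "all existing tests pass" box in the checklist matters for a resolutions-based fix.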

@aditi-s3 aditi-s3 changed the title from "Chore/update js yaml vuln fix" to "NO-TICKET: chore(update): js-yaml vulnerability fix" Dec 5, 2025
@aditi-s3 aditi-s3 requested a review from mbudinsky December 5, 2025 23:13
@mbudinsky mbudinsky merged commit 25eb921 into feature/next-gen Dec 5, 2025
14 of 16 checks passed
@github-actions github-actions bot locked and limited conversation to collaborators Dec 5, 2025
@mbudinsky mbudinsky deleted the chore/update-js-yaml-vuln-fix branch December 5, 2025 23:19