
chore(deps): bump js-yaml from 4.1.0 to 4.2.0 in /libs/data-mapper-v2 #9331

Open

dependabot[bot] wants to merge 1 commit into main from dependabot/npm_and_yarn/libs/data-mapper-v2/js-yaml-4.2.0

Conversation

@dependabot dependabot Bot commented on behalf of github Jun 30, 2026


Bumps js-yaml from 4.1.0 to 4.2.0.

Changelog

Sourced from js-yaml's changelog.

[4.2.0] - 2026-06-01

Added

  • Added docs/safety.md with notes about processing untrusted YAML.
  • Added maxDepth (100) loader option. Not a problem, but gives a better exception instead of RangeError on stack overflow.
  • Added a loader option limiting merge sequence length. Not a problem after merge fix, but an additional restriction for safety.
  • Added sourcemaps to dist/ builds.

Changed

  • Stop resolving numbers with underscores as numeric scalars, #627.
  • Switched dev toolchains to Vite / neostandard.
  • Updated demo.
  • Reorganized tests.
  • dist/ files are no longer kept in the repository.

Fixed

  • Fix parsing of properties on the first implicit block mapping key, #62.
  • Fix trailing whitespace handling when folding flow scalar lines, #307.
  • Reject top-level block scalars without content indentation, #280.
  • Ensure numbers survive round-trip, #737.
  • Fix test coverage for issue #221.
  • Fix flow scalar trailing whitespace folding, #307.
  • Fix digits in YAML named tag handles.

Security

  • Fix potential DoS via quadratic complexity in merge - deduplicate repeated elements (makes sense for malformed files > 10K).

[3.14.2] - 2025-11-15

Security

  • Backported v4.1.1 fix to v3

[4.1.1] - 2025-11-12

Security

  • Fix prototype pollution issue in yaml merge (<<) operator.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.
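The two Security entries in the quoted changelog (prototype pollution through the `<<` merge operator, fixed in 4.1.1, and quadratic-time merging of repeated elements, fixed in 4.2.0) describe a mechanism worth seeing in miniature. What follows is an added example written for this page; it is not js-yaml's code and not code from this repository. It models merge-key resolution over already-parsed mapping objects, with the unsafe form (plain property assignment, where a key named `__proto__` rewrites the result's prototype) beside a hardened form (own-property definition, identity deduplication of merge sources, and a cap on their count that stands in for the merge-sequence-length option the changelog mentions). The `ownKey` helper, the function names and the `maxSources` parameter are assumptions of the example; how js-yaml itself represents a literal `__proto__` key is not shown on this page and is assumed here to be an own enumerable property.

```javascript
// Added example, not js-yaml's implementation: a minimal model of YAML
// merge-key (<<) resolution showing the two hardening points named in the
// 4.1.1 / 4.2.0 changelog entries quoted above.

// Helper (assumption of this example): store a key as an own, enumerable data
// property, which is the representation assumed here for a parsed mapping whose
// literal key is "__proto__".
function ownKey(obj, key, value) {
  Object.defineProperty(obj, key, { value, enumerable: true, configurable: true, writable: true });
  return obj;
}

// Vulnerable merge: copies every own key of each source onto destination with
// plain assignment. When key === "__proto__", `destination[key] = ...` does not
// create a property; it invokes the inherited __proto__ setter and replaces the
// prototype of destination with the attacker-supplied object.
function mergeUnsafe(destination, sources) {
  for (const source of sources) {
    for (const key of Object.keys(source)) {
      if (!Object.prototype.hasOwnProperty.call(destination, key)) {
        destination[key] = source[key];
      }
    }
  }
  return destination;
}

// Hardened merge: sources are deduplicated by identity (the same alias repeated
// many times in a merge sequence is processed once, which keeps the repeated
// element case linear), their count is capped, and every key is written as an
// own data property, so "__proto__" becomes an ordinary key instead of a
// prototype write. `maxSources` is an illustrative limit, not js-yaml's option name.
function mergeSafe(destination, sources, maxSources = 1000) {
  const unique = Array.from(new Set(sources));
  if (unique.length > maxSources) {
    throw new RangeError(`merge sequence has ${unique.length} distinct elements; limit is ${maxSources}`);
  }
  for (const source of unique) {
    for (const key of Object.keys(source)) {
      if (!Object.prototype.hasOwnProperty.call(destination, key)) {
        ownKey(destination, key, source[key]);
      }
    }
  }
  return destination;
}

// Constructed input: the parsed form of a merge source whose only key is the
// literal "__proto__", mapped to an object the attacker controls.
function demo() {
  const hostile = ownKey({}, '__proto__', { isAdmin: true });
  const unsafeResult = mergeUnsafe({ name: 'alice' }, [hostile]);
  const safeResult = mergeSafe({ name: 'alice' }, [hostile, hostile, hostile]);
  return {
    // Unsafe: isAdmin is reachable through the prototype chain, not as an own key.
    unsafeIsAdmin: unsafeResult.isAdmin === true,
    unsafeHasOwnIsAdmin: Object.prototype.hasOwnProperty.call(unsafeResult, 'isAdmin'),
    // Safe: the prototype is untouched; "__proto__" is just an own key holding data.
    safeIsAdmin: safeResult.isAdmin === true,
    safeHasOwnProto: Object.prototype.hasOwnProperty.call(safeResult, '__proto__'),
    safeProtoIsObjectProto: Object.getPrototypeOf(safeResult) === Object.prototype,
  };
}

console.log(demo());
```

The regression check a practitioner wants after this bump is the same pair of assertions run against the real library rather than this model: load a document that reaches the merge path with a `__proto__` key and confirm that the result's prototype is still `Object.prototype` and that nothing resolves on it that is not an own property.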

Bumps [js-yaml](https://github.com/nodeca/js-yaml) from 4.1.0 to 4.2.0.
- [Changelog](https://github.com/nodeca/js-yaml/blob/master/CHANGELOG.md)
- [Commits](nodeca/js-yaml@4.1.0...4.2.0)

---
updated-dependencies:
- dependency-name: js-yaml
  dependency-version: 4.2.0
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
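The commit metadata above records the bump as `direct:production` for the `/libs/data-mapper-v2` workspace only. In a monorepo, other workspaces and transitive dependencies can resolve their own js-yaml copies, and this PR does not touch those. The following added example (not part of the PR and not repository tooling) walks the `packages` map of an npm lockfile and reports every js-yaml copy below the fixed releases listed in the quoted changelog: 4.1.1 on the 4.x line and 3.14.2 on the 3.x line. The embedded lockfile excerpt is constructed for illustration; its paths and versions are invented.

```javascript
// Added example, not the repository's tooling: audit an npm lockfile for
// js-yaml copies that predate the security releases quoted in the changelog.

// Fixed releases per major line, taken from the changelog entries above.
// Majors without an entry (e.g. 2.x) are reported as unfixed.
const FIXED = { 3: [3, 14, 2], 4: [4, 1, 1] };

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

function isFixed(version) {
  const parsed = parseVersion(version);
  const floor = FIXED[parsed[0]];
  return floor !== undefined && compareVersions(parsed, floor) >= 0;
}

// Accepts the parsed JSON of an npm lockfile (lockfileVersion 2 or 3), whose
// "packages" map is keyed by install path, e.g. "node_modules/js-yaml" or
// "libs/data-mapper-v2/node_modules/js-yaml". Returns one finding per
// unfixed copy so that nested duplicates are not hidden by the hoisted one.
function findUnfixedJsYaml(lockfile) {
  const findings = [];
  for (const [path, entry] of Object.entries(lockfile.packages || {})) {
    if (!/(^|\/)node_modules\/js-yaml$/.test(path)) continue;
    if (!entry.version) continue;
    if (!isFixed(entry.version)) {
      findings.push({ path, version: entry.version });
    }
  }
  return findings;
}

// Constructed lockfile excerpt (paths and versions invented for illustration).
const SAMPLE_LOCKFILE = {
  lockfileVersion: 3,
  packages: {
    'libs/data-mapper-v2/node_modules/js-yaml': { version: '4.2.0' },
    'node_modules/js-yaml': { version: '4.1.0' },
    'node_modules/some-tool/node_modules/js-yaml': { version: '3.14.1' },
    'node_modules/other-tool/node_modules/js-yaml': { version: '3.14.2' },
  },
};

console.log(findUnfixedJsYaml(SAMPLE_LOCKFILE));
```

To run it against a real file, replace `SAMPLE_LOCKFILE` with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`; `npm ls js-yaml --all` shows the same picture from the installed tree.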
dependabot[bot] added the labels dependencies (Pull requests that update a dependency file) and javascript (Pull requests that update javascript code) on Jun 30, 2026
Copilot AI review requested due to automatic review settings June 30, 2026 14:05

Copilot AI left a comment


Copilot can't review bot-authored pull requests automatically. A user with Copilot access can request a review manually.

github-actions Bot commented Jun 30, 2026


🤖 AI PR Validation Report

PR Review Results

Thank you for your submission! Here's detailed feedback on your PR title and body compliance:

PR Title

  • Current: chore(deps): bump js-yaml from 4.1.0 to 4.2.0 in /libs/data-mapper-v2
  • Issue: None — the title is specific, descriptive, and clearly identifies the dependency and scope.
  • Recommendation: No change needed.

Commit Type

  • Properly selected as a dependency update / maintenance change (chore).
  • Only one commit type is implied by the title/body, which is appropriate.

⚠️ Risk Level

  • The PR body does not show a selected risk checkbox, but the dependency bump itself is low risk and the label set does not include a risk:low/risk:medium/risk:high label to validate against.
  • Recommendation: Add exactly one risk label in the form risk:low, risk:medium, or risk:high, and ensure the body selection matches it.

What & Why

  • Current: Dependabot-generated dependency bump description is present.
  • Issue: This section is brief, but acceptable for a dependency update.
  • Recommendation: If you want to make it stronger, add a short note like: Update js-yaml to pick up security fixes and parser improvements.

⚠️ Impact of Change

  • This is a small dependency-only change; the impact section is optional here, but if included it should explicitly mention scope.
  • Recommendation:
    • Users: No direct user-facing behavior changes expected; internal YAML parsing dependency updated.
    • Developers: Maintainers should be aware of the dependency version change in /libs/data-mapper-v2.
    • System: Low system impact; no architecture or API changes.

Test Plan

  • The PR is a dependency-only change and the diff contains no code/test files, so no tests are required for pass/fail here.
  • The lack of unit/E2E additions is acceptable for this type of change.

Contributors

  • No contributors listed, which is fine for an automated Dependabot PR.

Screenshots/Videos

  • Not applicable for this non-visual dependency update.

Summary Table

Section             Status  Recommendation
Title                       No change needed.
Commit Type                 chore is appropriate for a dependency bump.
Risk Level          ⚠️      Add a risk:* label and ensure it matches the body selection.
What & Why                  Optional: mention security/parser improvements.
Impact of Change    ⚠️      Clarify this is an internal dependency update only.
Test Plan                   No tests required for a dependency-only change.
Contributors                Fine to leave blank for Dependabot.
Screenshots/Videos          Not applicable.

Overall: this PR passes review. The advised risk level is low, which is consistent with the change.


Last updated: Tue, 30 Jun 2026 14:05:44 GMT

@github-actions


🤖 AI PR Validation Report

PR Review Results

Thank you for your submission! Here's detailed feedback on your PR title and body compliance:

PR Title

  • Current: chore(deps): bump js-yaml from 4.1.0 to 4.2.0 in /libs/data-mapper-v2
  • Issue: No issue found — the title is clear, specific, and accurately describes the dependency update.
  • Recommendation: No change needed.

Commit Type

  • Properly selected (chore) for a dependency bump.
  • Note: Only one commit type is implied by the title/body, which is correct.

Risk Level

  • The PR body is missing a checked risk level, but this dependency bump should be treated as Low risk based on the diff.
  • Recommendation: Check exactly one risk level and ensure it matches the scope: Low - Minor changes, limited scope.

What & Why

  • Current: (Present in Dependabot-generated description; the dependency bump context is clear from the body.)
  • Issue: No material issue found.
  • Recommendation: Optional, but if you want to improve clarity, briefly mention why the version bump is needed (for example: security fix / maintenance update).

⚠️ Impact of Change

  • The impact section is not filled out, but for a small dependency update this is acceptable if kept brief.
  • Recommendation:
    • Users: No direct user-facing changes expected.
    • Developers: js-yaml is updated in libs/data-mapper-v2; no API changes are expected from this PR body.
    • System: Low-risk maintenance update; no performance or architecture impact expected.

Test Plan

  • No unit tests or E2E tests are present in the diff, and the PR body does not provide an adequate explanation for why automated tests are not applicable.
  • Recommendation: Mark one of the following based on reality:
    • Unit tests added/updated if tests were included elsewhere,
    • E2E tests added/updated if applicable,
    • or Manual testing completed with a short explanation such as: "Dependency-only update; no functional code changes, automated tests not required."

⚠️ Contributors

  • No contributors listed.
  • Recommendation: Optional; add contributors if anyone besides Dependabot contributed implementation or review context.

⚠️ Screenshots/Videos

  • Not applicable for this dependency-only change.
  • Recommendation: No screenshots needed.

Summary Table

Section             Status  Recommendation
Title                       No update needed
Commit Type                 Keep chore selected
Risk Level                  Select exactly one risk level; Low fits this change
What & Why                  Optional: mention the security/maintenance reason
Impact of Change    ⚠️      Optional brief impact notes
Test Plan                   Add a test explanation or mark manual testing if applicable
Contributors        ⚠️      Optional
Screenshots/Videos  ⚠️      Not needed for this PR

This PR does not pass as submitted because the required Risk Level selection is missing and the Test Plan lacks an adequate explanation for the absence of automated tests. The advised risk level is low, which is aligned with the dependency-only diff and not higher than the likely intent of the change. Please update the PR body accordingly and resubmit.


Last updated: Tue, 30 Jun 2026 14:05:43 GMT

@github-actions


📊 Coverage check completed. See workflow run for details.
