
Conversation

@marcalexiei (Contributor)

Closes #1762

Followup of #1764 (comment)

For now, I'd prefer to update the dependency instead to avoid some unexpected weird breaks.

changeset-bot bot commented Nov 17, 2025

🦋 Changeset detected

Latest commit: 896cc50

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 5 packages
Name Type
@changesets/parse Patch
@changesets/cli Patch
@changesets/read Patch
@changesets/get-release-plan Patch
@changesets/release-utils Patch


codecov bot commented Nov 17, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 81.09%. Comparing base (60512b5) to head (896cc50).
⚠️ Report is 5 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #1772      +/-   ##
==========================================
+ Coverage   81.05%   81.09%   +0.04%     
==========================================
  Files          54       54              
  Lines        2264     2264              
  Branches      684      684              
==========================================
+ Hits         1835     1836       +1     
+ Misses        424      423       -1     
  Partials        5        5              


tk-o added a commit to namehash/ensnode that referenced this pull request Nov 18, 2025
This is a temporary fix, the permanent one will be to update  after [this PR](changesets/changesets#1772) is released.
@Andarist Andarist merged commit 4c5a207 into changesets:main Nov 19, 2025
6 checks passed
@github-actions github-actions bot mentioned this pull request Nov 19, 2025
@marcalexiei marcalexiei deleted the feat/update-js-yaml branch November 19, 2025 12:26

unional commented Dec 3, 2025

@Andarist FYI this doesn't fully fix the issue.

Also need to update read-yaml-file to v2.


read-yaml-file@1.1.0 still depends on js-yaml@3

🦋  error Error: Function yaml.safeLoad is removed in js-yaml 4. Use yaml.load instead, which is now safe by default.
🦋  error     at Object.safeLoad (/.../node_modules/.pnpm/js-yaml@4.1.1/node_modules/js-yaml/index.js:10:11)
🦋  error     at parse (/.../node_modules/.pnpm/read-yaml-file@1.1.0/node_modules/read-yaml-file/index.js:8:28)
🦋  error     at /.../node_modules/.pnpm/read-yaml-file@1.1.0/node_modules/read-yaml-file/index.js:10:71

@marcalexiei (Contributor, Author)

read-yaml-file is a dependency of @manypkg/get-packages.
I'll try to update to v2.
v3 doesn't provide CJS files so this might be a problem since main branch is still relying on jest@29.


unional commented Dec 3, 2025

To share, I confirm overriding read-yaml-file to v2 does fix the issue.

So if there is still problem due to @manypkg/get-packages after the additional fix, there is a workaround.
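
As an added example (not the changesets project's code and not something posted in this thread), the following Node script does the check unional's stack trace calls for: it scans a pnpm lockfile for packages whose resolved js-yaml is still a 3.x release, which are exactly the packages that either keep the old line on a clean install or hit the removed `safeLoad` once js-yaml is forced to 4 by an override, and it builds the `read-yaml-file` override unional reports as a working workaround. The lockfile text is a constructed sample in the pnpm-lock.yaml v9 layout; apart from read-yaml-file@1.1.0 and js-yaml@4.1.1, which appear in the trace above, every version number and integrity string in it is illustrative, and `@example/consumer` is a made-up package. The parser assumes the indentation pnpm emits for the `snapshots:` section and nothing else.

```javascript
// Constructed sample in pnpm-lock.yaml v9 layout, modelling the thread above:
// read-yaml-file@1.1.0 still resolves js-yaml 3.x while another consumer has
// moved to 4.x. Versions other than those named in the thread and the
// integrity strings are illustrative, not copied from a real lockfile.
const SAMPLE_LOCKFILE = `lockfileVersion: '9.0'

packages:

  js-yaml@3.14.1:
    resolution: {integrity: sha512-constructed}

  read-yaml-file@1.1.0:
    resolution: {integrity: sha512-constructed}

  '@example/consumer@1.0.0':
    resolution: {integrity: sha512-constructed}

snapshots:

  js-yaml@3.14.1:
    dependencies:
      argparse: 1.0.10
      esprima: 4.0.1

  js-yaml@4.1.1:
    dependencies:
      argparse: 2.0.1

  read-yaml-file@1.1.0:
    dependencies:
      graceful-fs: 4.2.11
      js-yaml: 3.14.1
      pify: 4.0.1
      strip-bom: 3.0.0

  '@example/consumer@1.0.0':
    dependencies:
      js-yaml: 4.1.1
    transitivePeerDependencies:
      - supports-color
`;

const unquote = (s) => s.replace(/^'|'$/g, '');

// Parse the `snapshots:` section into { 'name@version': { depName: version } }.
// Only the indentation levels pnpm uses for that section are interpreted:
// 2 = package key, 4 = field name, 6 = dependency entry.
function parseSnapshots(lockfile) {
  const lines = lockfile.split('\n');
  const start = lines.indexOf('snapshots:');
  const snapshots = {};
  if (start === -1) return snapshots;
  let current = null;
  let inDeps = false;
  for (const line of lines.slice(start + 1)) {
    if (line.trim() === '') continue;
    if (!line.startsWith(' ')) break; // reached the next top-level section
    const indent = line.length - line.trimStart().length;
    const text = line.trim();
    if (indent === 2 && text.endsWith(':')) {
      current = unquote(text.slice(0, -1));
      snapshots[current] = {};
      inDeps = false;
    } else if (indent === 4 && current !== null) {
      inDeps = text === 'dependencies:' || text === 'optionalDependencies:';
    } else if (indent === 6 && inDeps) {
      const sep = text.indexOf(': ');
      if (sep === -1) continue; // list items such as `- name` are not deps
      // Peer suffixes look like `4.1.1(foo@1.0.0)`; keep only the bare version.
      snapshots[current][unquote(text.slice(0, sep))] = text.slice(sep + 2).split('(')[0];
    }
  }
  return snapshots;
}

// Packages whose resolved js-yaml is still a 3.x release: on a clean install
// they keep the old line, and if js-yaml is forced to 4 via an override they
// fail with the removed `safeLoad` error shown in the thread.
function findJsYaml3Dependents(lockfile) {
  return Object.entries(parseSnapshots(lockfile))
    .filter(([, deps]) => deps['js-yaml'] !== undefined && deps['js-yaml'].startsWith('3.'))
    .map(([pkg, deps]) => ({ package: pkg, jsYaml: deps['js-yaml'] }))
    .sort((a, b) => a.package.localeCompare(b.package));
}

// The workaround reported above, expressed as a pnpm override: returns a copy
// of the package.json object with read-yaml-file pinned to the given range.
function withReadYamlFileOverride(pkgJson, range = '^2') {
  const overrides = { ...((pkgJson.pnpm || {}).overrides || {}), 'read-yaml-file': range };
  return { ...pkgJson, pnpm: { ...(pkgJson.pnpm || {}), overrides } };
}

console.log(findJsYaml3Dependents(SAMPLE_LOCKFILE));
// → [ { package: 'read-yaml-file@1.1.0', jsYaml: '3.14.1' } ]
```

Run it against a real `pnpm-lock.yaml` by replacing `SAMPLE_LOCKFILE` with `fs.readFileSync('pnpm-lock.yaml', 'utf8')`; an empty result means no package in the tree still resolves js-yaml 3.x, so an override forcing js-yaml 4 will not trip the `safeLoad` error. The override helper only covers the `pnpm.overrides` field; npm and yarn use `overrides` and `resolutions` respectively.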

@marcalexiei (Contributor, Author)

To be clear I was speaking about upgrading @manypkg/get-packages not read-yaml-file 😅

@bluwy (Contributor) commented Dec 3, 2025

On mobile, but there's an issue/pr about upgrading the get-packages dependency that you should search for first. I think we can't upgrade it in this major due to its breaking change.

@marcalexiei (Contributor, Author)

there's an issue/pr about upgrading the get-packages dependency that you should search for first

I tackled an hour and I was able to get CI green using @manypkg/get-packages@2.
I've opened #1795, if you have time you can take a look!



Development

Successfully merging this pull request may close these issues.

Security Advisory: js-yaml Prototype Pollution (CVE) used via @changesets/* Dependencies

4 participants