
Conversation

@s0nny78
Contributor

@s0nny78 s0nny78 commented Jan 14, 2026

Updates js-yaml to >=4.1.1 to fix a prototype pollution vulnerability (CVE-2025-64718).


Note

Addresses security by pinning js-yaml to ^4.1.1 via resolutions and updates related lockfile entries.

  • Add "resolutions": { "js-yaml": "^4.1.1" } in package.json (prototype pollution fix)
  • Update yarn.lock: js-yaml@4.1.1, argparse@2.x, remove esprima references, refresh checksums
  • Simplify package.json bin from object to string pointing to ./dist/index.js

Written by Cursor Bugbot for commit 7d464ba.

@linear

linear bot commented Jan 14, 2026

@changeset-bot

changeset-bot bot commented Jan 14, 2026

⚠️ No Changeset found

Latest commit: 7d464ba

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types


@s0nny78 s0nny78 marked this pull request as ready for review January 15, 2026 12:21
@cursor cursor bot left a comment

Comment @cursor review or bugbot run to trigger another review on this PR

"node": ">=14.0.0"
},
"resolutions": {
"js-yaml": "^4.1.1"
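Review bot: the unscoped "js-yaml" key in this resolutions block forces every js-yaml edge in the tree onto ^4.1.1, including consumers that declare a 3.x range, which is a major-version jump for them rather than a patch. Yarn 1 selective resolutions also accept path-scoped keys, so a 3.x consumer can be held on the 3.x patch line instead, for example "**/read-yaml-file/js-yaml": "^3.14.2", with one scoped key per consumer in place of the blanket key. Whichever shape is chosen, run yarn why js-yaml after install and confirm which version each dependent actually resolves to; also note that resolutions is a Yarn field and npm ignores it (npm uses overrides), so anyone installing with npm gets no pin at all.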

js-yaml 4.x resolution may break 3.x-dependent packages

Medium Severity

The resolutions field forces all js-yaml dependencies to use ^4.1.1, but packages @changesets/parse and read-yaml-file in the dependency tree require js-yaml 3.x and likely use APIs that were removed in 4.x (e.g., safeLoad() was renamed to load()). This could cause runtime errors when using @changesets/cli. The CVE is also fixed in js-yaml 3.14.2, which would be API-compatible with these packages.

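To see what the blanket pin does to the rest of the tree before merging, here is an added JavaScript example (not code from this PR or the repository) that reads a yarn.lock v1 file, flags js-yaml entries below the fixed floors named in this thread (4.1.1 on the 4.x line, 3.14.2 on the 3.x line), lists the dependents whose declared js-yaml range cannot be satisfied by ^4.1.1, and drafts per-consumer Yarn 1 resolutions keys instead of the blanket one. The embedded lockfile excerpt is constructed for the example: the versions, the ranges and the some-tool package are invented, and only caret, tilde and exact ranges are understood. To run it against a real lockfile, pass fs.readFileSync("yarn.lock", "utf8") to auditJsYaml instead of SAMPLE_LOCK.

```javascript
// Added example, not the PR's code: audit a yarn.lock (v1 format) for js-yaml
// and predict what a blanket "resolutions": { "js-yaml": "^4.1.1" } would do.

// Lowest fixed release on each major line, as named in the PR thread.
const FIXED_FLOOR = { 3: "3.14.2", 4: "4.1.1" };

// Constructed lockfile excerpt. The versions, the ranges and the "some-tool"
// package are invented for this example; this is not the repository's yarn.lock.
const SAMPLE_LOCK = `
"@changesets/parse@^0.3.16":
  version "0.3.16"
  dependencies:
    js-yaml "^3.13.1"

js-yaml@^3.13.1, js-yaml@^3.6.1:
  version "3.14.1"
  dependencies:
    argparse "^1.0.7"
    esprima "^4.0.0"

js-yaml@^4.1.0:
  version "4.1.0"
  dependencies:
    argparse "^2.0.1"

read-yaml-file@^1.1.0:
  version "1.1.0"
  dependencies:
    js-yaml "^3.6.1"

some-tool@^2.0.0:
  version "2.0.0"
  dependencies:
    js-yaml "^4.1.0"
`;

const parseVersion = (v) => v.split(".").map(Number);

function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  return 0;
}

// [lower, upperExclusive] for caret, tilde and exact ranges; null for anything else.
function rangeBounds(range) {
  const m = range.match(/^([\^~]?)(\d+)\.(\d+)\.(\d+)$/);
  if (!m) return null;
  const [, op, maj, min, pat] = m;
  const lower = `${maj}.${min}.${pat}`;
  if (op === "^" && Number(maj) > 0) return [lower, `${Number(maj) + 1}.0.0`];
  if (op === "~" || op === "^") return [lower, `${maj}.${Number(min) + 1}.0`]; // ~x.y.z and ^0.y.z
  return [lower, `${maj}.${min}.${Number(pat) + 1}`];                           // exact
}

// Two ranges overlap iff each lower bound lies below the other's exclusive upper bound.
function rangesOverlap(a, b) {
  const ra = rangeBounds(a), rb = rangeBounds(b);
  if (!ra || !rb) return null; // unknown syntax: cannot tell
  return compareVersions(ra[0], rb[1]) < 0 && compareVersions(rb[0], ra[1]) < 0;
}

// Minimal yarn.lock v1 reader: unindented "spec, spec:" headers, two-space
// fields, and a "dependencies:" block of four-space `name "range"` lines.
function parseYarnLock(text) {
  const entries = [];
  let cur = null, inDeps = false;
  for (const raw of text.split("\n")) {
    if (!raw.trim() || raw.startsWith("#")) continue;
    if (!raw.startsWith(" ")) {
      const specs = raw.replace(/:$/, "").split(",").map((s) => s.trim().replace(/^"|"$/g, ""));
      const name = specs[0].slice(0, specs[0].lastIndexOf("@")); // keeps scoped names intact
      cur = { name, specs, version: null, deps: {} };
      entries.push(cur);
      inDeps = false;
      continue;
    }
    const line = raw.trim();
    if (inDeps && raw.startsWith("    ")) {
      const m = line.match(/^"?([^"\s]+)"? "([^"]+)"$/);
      if (m) cur.deps[m[1]] = m[2];
    } else if (line === "dependencies:") {
      inDeps = true;
    } else {
      inDeps = false;
      const m = line.match(/^version "([^"]+)"$/);
      if (m) cur.version = m[1];
    }
  }
  return entries;
}

function auditJsYaml(lockText, pin = "^4.1.1") {
  const resolved = [], dependents = [];
  for (const e of parseYarnLock(lockText)) {
    if (e.name === "js-yaml" && e.version) {
      const floor = FIXED_FLOOR[parseVersion(e.version)[0]]; // fixed release for that major
      resolved.push({ specs: e.specs, version: e.version,
                      vulnerable: floor ? compareVersions(e.version, floor) < 0 : null });
    }
    if (e.deps["js-yaml"]) {
      const range = e.deps["js-yaml"];
      dependents.push({ name: e.name, range, breaksUnderPin: rangesOverlap(range, pin) === false });
    }
  }
  return { resolved, dependents };
}

// One path-scoped key per consumer (Yarn 1 selective resolutions accept "**/pkg/dep"
// patterns) keeps each dependent on the fixed release of the major it already declares.
function suggestResolutions(dependents) {
  const out = {};
  for (const d of dependents) {
    const bounds = rangeBounds(d.range);
    const floor = bounds && FIXED_FLOOR[parseVersion(bounds[0])[0]];
    if (floor) out[`**/${d.name}/js-yaml`] = `^${floor}`;
  }
  return out;
}

if (typeof require !== "undefined" && require.main === module) {
  const report = auditJsYaml(SAMPLE_LOCK);
  console.log(JSON.stringify(report, null, 2));
  console.log(JSON.stringify({ resolutions: suggestResolutions(report.dependents) }, null, 2));
}
```

Emitting only per-consumer keys sidesteps the question of which of two overlapping resolution patterns Yarn applies when a blanket key and a scoped key both match. The root package's own js-yaml range is not in the lockfile and is set directly in package.json, so it does not appear in the suggestions.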

@s0nny78 s0nny78 requested a review from timgent January 15, 2026 12:52
@s0nny78
Contributor Author

s0nny78 commented Jan 26, 2026

Hey @timgent - Could you please review this PR when you get a chance? Let me know if you have any questions. Thanks!

