Skip to content

build(deps): bump js-yaml, @oclif/core and @oclif/test#1356

Closed
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/multi-9937cb1b82
Closed

build(deps): bump js-yaml, @oclif/core and @oclif/test#1356
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/multi-9937cb1b82

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 15, 2026

Copy link
Copy Markdown
Contributor

Bumps js-yaml to 4.2.0 and updates ancestor dependencies js-yaml, @oclif/core and @oclif/test. These dependencies need to be updated together.

Updates js-yaml from 4.1.1 to 4.2.0

Changelog

Sourced from js-yaml's changelog.

[4.2.0] - 2026-06-01

Added

  • Added docs/safety.md with notes about processing untrusted YAML.
  • Added maxDepth (100) loader option. Not a problem, but gives a better exception instead of RangeError on stack overflow.
  • Added maxMergeSeqLength (20) loader option. Not a problem after merge fix, but an additional restriction for safety.
  • Added sourcemaps to dist/ builds.

Changed

  • Stop resolving numbers with underscores as numeric scalars, #627.
  • Switched dev toolchains to Vite / neostandard.
  • Updated demo.
  • Reorganized tests.
  • dist/ files are no longer kept in the repository.

Fixed

  • Fix parsing of properties on the first implicit block mapping key, #62.
  • Fix trailing whitespace handling when folding flow scalar lines, #307.
  • Reject top-level block scalars without content indentation, #280.
  • Ensure numbers survive round-trip, #737.
  • Fix test coverage for issue #221.
  • Fix flow scalar trailing whitespace folding, #307.
  • Fix digits in YAML named tag handles.

Security

  • Fix potential DoS via quadratic complexity in merge - deduplicate repeated elements (makes sense for malformed files > 10K).

[3.14.2] - 2025-11-15

Security

  • Backported v4.1.1 fix to v3
Commits

Updates @oclif/core from 3.19.1 to 4.11.6

Release notes

Sourced from @​oclif/core's releases.

4.11.6

Bug Fixes

4.11.5

Bug Fixes

4.11.4

Bug Fixes

  • deps: bump semver from 7.8.0 to 7.8.1 (65e054c)

4.11.3

Bug Fixes

  • updating tinyglobby dependency [skip-validate-pr] (1dc29ff)

4.11.2

Bug Fixes

  • deps: bump semver from 7.7.4 to 7.8.0 (1471fe3)

4.11.1

Bug Fixes

  • deps: bump ip-address from 10.1.0 to 10.2.0 (e36a6d8)

4.11.0

Bug Fixes

Features

4.10.6

... (truncated)

Changelog

Sourced from @​oclif/core's changelog.

4.11.6 (2026-06-15)

Bug Fixes

4.11.5 (2026-06-15)

Bug Fixes

4.11.4 (2026-05-23)

Bug Fixes

  • deps: bump semver from 7.8.0 to 7.8.1 (65e054c)

4.11.3 (2026-05-15)

Bug Fixes

  • updating tinyglobby dependency [skip-validate-pr] (1dc29ff)

4.11.2 (2026-05-09)

Bug Fixes

  • deps: bump semver from 7.7.4 to 7.8.0 (1471fe3)

4.11.1 (2026-05-07)

... (truncated)

Commits
Install script changes

This version modifies prepare script that runs during installation. Review the package contents before updating.


Updates @oclif/test from 3.1.14 to 4.1.19

Release notes

Sourced from @​oclif/test's releases.

4.1.19

Bug Fixes

  • deps: bump esbuild from 0.28.0 to 0.28.1 (429ee9b)

4.1.18

Bug Fixes

  • deps: bump lodash from 4.17.23 to 4.18.1 (5d3a6f6)

4.1.17

Bug Fixes

  • deps: bump flatted from 3.3.2 to 3.4.2 (842792a)

4.1.16

Bug Fixes

  • deps: bump lodash from 4.17.21 to 4.17.23 (dab8924)

4.1.15

Bug Fixes

  • deps: bump js-yaml from 4.1.0 to 4.1.1 (f6eb102)

4.1.14

Bug Fixes

  • deps: bump debug from 4.4.1 to 4.4.3 (5d1ed0d)

4.1.13

Bug Fixes

  • deps: bump debug from 4.4.0 to 4.4.1 (fe3a4ca)

4.1.12

Bug Fixes

  • deps: bump ansis from 3.16.0 to 3.17.0 (3350a10)

4.1.11

Bug Fixes

  • deps: bump ansis from 3.14.0 to 3.16.0 (879720b)

4.1.10

Bug Fixes

  • deps: bump ansis from 3.10.0 to 3.14.0 (3187314)

... (truncated)

Changelog

Sourced from @​oclif/test's changelog.

4.1.19 (2026-06-13)

Bug Fixes

  • deps: bump esbuild from 0.28.0 to 0.28.1 (429ee9b)

4.1.18 (2026-04-05)

Bug Fixes

  • deps: bump lodash from 4.17.23 to 4.18.1 (5d3a6f6)

4.1.17 (2026-03-21)

Bug Fixes

  • deps: bump flatted from 3.3.2 to 3.4.2 (842792a)

4.1.16 (2026-01-22)

Bug Fixes

  • deps: bump lodash from 4.17.21 to 4.17.23 (dab8924)

4.1.15 (2025-11-15)

Bug Fixes

  • deps: bump js-yaml from 4.1.0 to 4.1.1 (f6eb102)

4.1.14 (2025-09-14)

Bug Fixes

... (truncated)

Commits
  • 59daaf0 chore(release): 4.1.19 [skip ci]
  • e87e558 Merge pull request #896 from oclif/dependabot-npm_and_yarn-esbuild-0.28.1
  • 429ee9b fix(deps): bump esbuild from 0.28.0 to 0.28.1
  • 3056c26 Merge pull request #894 from oclif/dependabot-npm_and_yarn-tsx-4.22.4
  • a32decb Merge pull request #895 from oclif/dependabot-npm_and_yarn-eslint-config-ocli...
  • 98ee0d4 chore(dev-deps): bump eslint-config-oclif from 6.0.166 to 6.0.167
  • 9e47802 chore(dev-deps): bump tsx from 4.22.3 to 4.22.4
  • a0b1f9b Merge pull request #893 from oclif/dependabot-npm_and_yarn-eslint-config-ocli...
  • 14d6342 chore(dev-deps): bump eslint-config-oclif from 6.0.165 to 6.0.166
  • 290e22c Merge pull request #890 from oclif/dependabot-npm_and_yarn-tsx-4.22.3
  • Additional commits viewable in compare view
Install script changes

This version modifies prepare script that runs during installation. Review the package contents before updating.


@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jun 15, 2026
@github-actions
github-actions Bot enabled auto-merge (squash) June 15, 2026 20:02
@dependabot
dependabot Bot force-pushed the dependabot/npm_and_yarn/multi-9937cb1b82 branch 2 times, most recently from 8633947 to 704d230 Compare June 15, 2026 20:12
Bumps [js-yaml](https://github.com/nodeca/js-yaml) to 4.2.0 and updates ancestor dependencies [js-yaml](https://github.com/nodeca/js-yaml), [@oclif/core](https://github.com/oclif/core) and [@oclif/test](https://github.com/oclif/test). These dependencies need to be updated together.


Updates `js-yaml` from 4.1.1 to 4.2.0
- [Changelog](https://github.com/nodeca/js-yaml/blob/master/CHANGELOG.md)
- [Commits](https://github.com/nodeca/js-yaml/commits)

Updates `@oclif/core` from 3.19.1 to 4.11.6
- [Release notes](https://github.com/oclif/core/releases)
- [Changelog](https://github.com/oclif/core/blob/main/CHANGELOG.md)
- [Commits](oclif/core@3.19.1...4.11.6)

Updates `@oclif/test` from 3.1.14 to 4.1.19
- [Release notes](https://github.com/oclif/test/releases)
- [Changelog](https://github.com/oclif/test/blob/main/CHANGELOG.md)
- [Commits](oclif/test@3.1.14...4.1.19)

---
updated-dependencies:
- dependency-name: "@oclif/core"
  dependency-version: 4.11.5
  dependency-type: direct:production
- dependency-name: "@oclif/test"
  dependency-version: 4.1.19
  dependency-type: direct:development
- dependency-name: js-yaml
  dependency-version: 4.2.0
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot
dependabot Bot force-pushed the dependabot/npm_and_yarn/multi-9937cb1b82 branch from 704d230 to 15cafeb Compare June 17, 2026 15:07
@dependabot @github

dependabot Bot commented on behalf of github Jul 8, 2026

Copy link
Copy Markdown
Contributor Author

Superseded by #1361.

@dependabot dependabot Bot closed this Jul 8, 2026
auto-merge was automatically disabled July 8, 2026 17:36

Pull request was closed

@dependabot
dependabot Bot deleted the dependabot/npm_and_yarn/multi-9937cb1b82 branch July 8, 2026 17:36
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants