Skip to content

build(deps-dev): patch js-yaml and @babel/core advisories#188

Closed
adrianschmidt wants to merge 1 commit into
jgroth:mainfrom
Lundalogik:fix/dependabot-js-yaml-babel-upstream
Closed

build(deps-dev): patch js-yaml and @babel/core advisories#188
adrianschmidt wants to merge 1 commit into
jgroth:mainfrom
Lundalogik:fix/dependabot-js-yaml-babel-upstream

Conversation

@adrianschmidt

Copy link
Copy Markdown
Collaborator

What

Patches two security advisories in dev-only transitive dependencies via scoped overrides in package.json:

Advisory Severity Resolution
@babel/core — arbitrary file read via sourceMappingURL low Fully fixed7.29.7
js-yaml — quadratic-complexity DoS in merge-key handling (GHSA-h67p-54hq-rp68) moderate js-yaml@4 copies (eslint, @eslint/eslintrc, puppeteer) → 4.3.0

Why overrides instead of npm audit fix

npm audit fix pulled in dozens of unrelated cross-platform sass-embedded/rollup optional binaries and bumped unrelated packages. The scoped overrides keep the change limited to the affected packages and pin the safe versions so a future install can't regress them.

Known residual: js-yaml@3.14.2

One js-yaml@3.14.2 copy remains and cannot be fixed here. It is required as ^3 by @istanbuljs/load-nyc-config (jest coverage tooling); the fix only exists in js-yaml@4.2.0, a breaking major bump. npm's only offered remedy is downgrading jest to 25.0.0 (major, breaking).

Practical risk is negligible: that copy only parses the local .nycrc config during coverage runs, which is not attacker-controlled.

Note: this branch is maintained on the Lundalogik/kompendium fork. A separate ws advisory also exists on main here but is intentionally left out to keep this PR atomic to the js-yaml / @babel/core fixes.

Scope

Dev dependencies only — no change to shipped runtime code.

🤖 Generated with Claude Code

Add scoped overrides to resolve two security advisories in dev-only
transitive dependencies:

- @babel/core -> ^7.29.6 (arbitrary file read via sourceMappingURL,
  low): fully resolved.
- js-yaml@^4 -> ^4.2.0 (quadratic-complexity DoS in merge-key handling,
  GHSA-h67p-54hq-rp68, moderate): resolves the eslint, @eslint/eslintrc
  and puppeteer copies.

The remaining js-yaml@3.14.2 is required as ^3 by
@istanbuljs/load-nyc-config (jest coverage tooling). It cannot move to
4.x without a major jest downgrade, and only parses the local .nycrc
config (not attacker-controlled), so that copy is left in place.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@coderabbitai

coderabbitai Bot commented Jun 29, 2026

Copy link
Copy Markdown
Contributor

Important

Review skipped

Draft detected.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 76f82fe2-91c2-4726-9b43-3078441ec690

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

  • 🔍 Trigger review
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@adrianschmidt adrianschmidt deleted the fix/dependabot-js-yaml-babel-upstream branch June 29, 2026 15:00
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant