chore(deps): bump js-yaml from 4.1.1 to 4.2.0#43

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/js-yaml-4.2.0

Conversation

@dependabot dependabot Bot commented on behalf of github Jun 4, 2026

Bumps js-yaml from 4.1.1 to 4.2.0.

Changelog

Sourced from js-yaml's changelog.

[4.2.0] - 2026-06-01

Added

  • Added docs/safety.md with notes about processing untrusted YAML.
  • Added maxDepth (100) loader option. Not a problem, but gives a better exception instead of RangeError on stack overflow.
  • Added maxMergeSeqLength (20) loader option. Not a problem after merge fix, but an additional restriction for safety.
  • Added sourcemaps to dist/ builds.

Changed

  • Stop resolving numbers with underscores as numeric scalars, #627.
  • Switched dev toolchains to Vite / neostandard.
  • Updated demo.
  • Reorganized tests.
  • dist/ files are no longer kept in the repository.

Fixed

  • Fix parsing of properties on the first implicit block mapping key, #62.
  • Fix trailing whitespace handling when folding flow scalar lines, #307.
  • Reject top-level block scalars without content indentation, #280.
  • Ensure numbers survive round-trip, #737.
  • Fix test coverage for issue #221.
  • Fix flow scalar trailing whitespace folding, #307.
  • Fix digits in YAML named tag handles.

Security

  • Fix potential DoS via quadratic complexity in merge - deduplicate repeated elements (makes sense for malformed files > 10K).

[3.14.2] - 2025-11-15

Security

  • Backported v4.1.1 fix to v3
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Summary by CodeRabbit

  • Chores
    • Updated project dependencies to their latest compatible minor versions across the web and transpiler packages. These routine maintenance updates maintain complete backward compatibility while incorporating the latest improvements from external dependency providers. Updates strengthen the overall codebase and ensure sustained application stability and resilience.
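The merge-key DoS fix and the underscore-number change listed in the changelog above, as an added example that is not js-yaml's own code and does not need the library installed: it models merge handling with and without the 4.2.0 safeguards on already-parsed objects, and a YAML 1.2 core-schema integer resolver that leaves 1_000 as a string. The function names (applyMergeNaive, applyMergeSafe, resolveInt, demo) and the 1000-key fixture are this example's own; the maxMergeSeqLength default of 20 is the figure the changelog states.

```javascript
// Added example, not js-yaml's own code: it models two items from the 4.2.0
// changelog on already-parsed values, so it runs without the library installed.
//   1. Merge-key (<<) handling that skips repeated elements and caps the merge
//      sequence length (the changelog names a maxMergeSeqLength default of 20).
//   2. Integer resolution that no longer accepts "_" digit groups ("1_000").
// applyMergeNaive, applyMergeSafe, resolveInt and demo are this example's names.

const MAX_MERGE_SEQ_LENGTH = 20; // default named in the changelog

// Copy keys of `src` into `target` without overwriting existing keys: explicit
// keys beat merged ones, earlier merge sources beat later ones. Returns the
// number of key visits so the two strategies below can be compared.
function mergeInto(target, src) {
  let visits = 0;
  for (const key of Object.keys(src)) {
    visits += 1;
    if (!Object.prototype.hasOwnProperty.call(target, key)) target[key] = src[key];
  }
  return visits;
}

// Pre-fix shape: every element of `<<: [*a, *a, *a, ...]` is applied, so N
// aliases to an M-key mapping cost N*M visits.
function applyMergeNaive(target, sources) {
  let visits = 0;
  for (const src of sources) visits += mergeInto(target, src);
  return { target, visits };
}

// Post-fix shape: reject over-long sequences, and apply each distinct source
// once. Aliases resolve to the same object, so identity is the dedup key.
function applyMergeSafe(target, sources, { maxMergeSeqLength = MAX_MERGE_SEQ_LENGTH } = {}) {
  if (sources.length > maxMergeSeqLength) {
    throw new RangeError(`merge sequence has ${sources.length} elements, limit is ${maxMergeSeqLength}`);
  }
  const seen = new Set();
  let visits = 0;
  for (const src of sources) {
    if (src === null || typeof src !== 'object' || Array.isArray(src)) {
      throw new TypeError('merge sources must be mappings');
    }
    if (seen.has(src)) continue;
    seen.add(src);
    visits += mergeInto(target, src);
  }
  return { target, visits };
}

// YAML 1.2 core-schema integers: decimal, 0o octal, 0x hex, no "_" separators.
// Anything else is returned unchanged as a string, so "1_000" stays "1_000".
function resolveInt(scalar) {
  if (/^[-+]?(0|[1-9][0-9]*)$/.test(scalar)) return parseInt(scalar, 10);
  if (/^0o[0-7]+$/.test(scalar)) return parseInt(scalar.slice(2), 8);
  if (/^0x[0-9a-fA-F]+$/.test(scalar)) return parseInt(scalar, 16);
  return scalar;
}

// Constructed input with the shape a hostile document uses: one 1000-key
// mapping aliased 20 times in a single merge sequence.
function demo() {
  const base = {};
  for (let i = 0; i < 1000; i += 1) base[`k${i}`] = i;
  const sources = Array.from({ length: 20 }, () => base);
  const naive = applyMergeNaive({ own: true }, sources).visits; // 20 * 1000
  const safe = applyMergeSafe({ own: true }, sources).visits;   // 1000
  return { naive, safe };
}
```

The naive path scales with the number of aliases times the size of the aliased mapping, which is why a small file can cost a disproportionate amount of work; deduplicating by object identity removes the multiplier and the length cap bounds whatever is left. The resolver shows the other side of the "1_000" change: code that relied on js-yaml turning that scalar into 1000 now receives a string and needs to convert it explicitly.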

Bumps [js-yaml](https://github.com/nodeca/js-yaml) from 4.1.1 to 4.2.0.
- [Changelog](https://github.com/nodeca/js-yaml/blob/master/CHANGELOG.md)
- [Commits](https://github.com/nodeca/js-yaml/commits)

---
updated-dependencies:
- dependency-name: js-yaml
  dependency-version: 4.2.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jun 4, 2026
@dependabot dependabot Bot requested a review from a team June 4, 2026 09:24

coderabbitai Bot commented Jun 4, 2026

Walkthrough

This PR updates the js-yaml dependency from ^4.1.0 to ^4.2.0 across two package.json files: apps/web/package.json and packages/transpiler/package.json. No code logic changes; only dependency versions are modified.

Changes

Dependency Updates
  • js-yaml version bump (apps/web/package.json, packages/transpiler/package.json): the js-yaml dependency is updated from ^4.1.0 to ^4.2.0 in both the web and transpiler packages.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Poem

🐰 A nibble here, a bump just there,
From four-one-oh to four-two, fair.
Two packages dance in harmony,
js-yaml flows so free! 📦✨

🚥 Pre-merge checks: 5 passed
  • Description Check: Passed. Check skipped; CodeRabbit's high-level summary is enabled.
  • Title check: Passed. The title accurately describes the main change: bumping the js-yaml dependency from 4.1.1 to 4.2.0 across multiple packages, which is the sole purpose of this PR.
  • Docstring Coverage: Passed. No functions found in the changed files to evaluate docstring coverage; skipping docstring coverage check.
  • Linked Issues check: Passed. Check skipped because no linked issues were found for this pull request.
  • Out of Scope Changes check: Passed. Check skipped because no linked issues were found for this pull request.


@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

🧹 Nitpick comments (1)
packages/transpiler/package.json (1)

28-28: ⚡ Quick win

Add targeted regression tests for js-yaml 4.2.0 parsing behavior.

Since transpile depends on jsYaml.load(...), add tests for frontmatter cases affected by 4.2.0 (e.g., numeric scalars with underscores and merge-heavy YAML) to lock expected behavior before release.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@packages/transpiler/package.json` at line 28, Add regression tests covering
js-yaml 4.2.0 parsing edge cases used by our transpiler: create tests that call
the transpile entrypoint (or the function that parses frontmatter) and assert
the behavior of jsYaml.load(...) for numeric scalars with underscores and
merge-heavy YAML documents; include inputs with underscore-containing numbers
(e.g. "1_000") and YAML merge keys and assert the resulting JS values match our
expected semantics, so future upgrades surface regressions. Target the test
files under the transpiler package tests and reference the transpile function
(or the specific frontmatter parsing function that invokes jsYaml.load) and the
jsYaml.load call in your assertions. Ensure tests are deterministic and document
expected behavior in the test names.
ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro Plus

Run ID: d465effa-fba0-4863-a580-31976d38a50a

📥 Commits

Reviewing files that changed from the base of the PR and between 1fee58b and 4596faf.

⛔ Files ignored due to path filters (1)
  • pnpm-lock.yaml is excluded by !**/pnpm-lock.yaml
📒 Files selected for processing (2)
  • apps/web/package.json
  • packages/transpiler/package.json

Comment thread apps/web/package.json
"codemirror": "^6.0.2",
"idb": "^8.0.3",
"js-yaml": "^4.1.0",
"js-yaml": "^4.2.0",

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify resolved js-yaml versions across lockfiles/manifests
rg -n --glob '**/package.json' '"js-yaml"\s*:\s*"\^?4\.[0-9]+\.[0-9]+"' -C1
rg -n --glob '**/pnpm-lock.yaml' '^\s*js-yaml@' -A3 -B1

Repository: OpenDevFlow/md-latex

Length of output: 1340


🏁 Script executed:

#!/bin/bash
set -euo pipefail

# Inspect pnpm workspace config and common pnpm config for lockfile handling
ls -la
fd -t f "pnpm-workspace.yaml" -a . || true
rg -n --hidden --no-ignore-vcs "lockfile-dir" . || true
rg -n --hidden --no-ignore-vcs "pnpm-lock\.yaml" . || true

# Check root package manager scripts that might run pnpm from repo root vs from apps/web
fd -t f "package.json" . | head -n 50
rg -n '"(pnpm|corepack|npm)\s+(i|install|ci)"' package.json apps/web/package.json pnpm-workspace.yaml 2>/dev/null || true

# Inspect apps/web package.json for any install hints
if [ -f apps/web/package.json ]; then
  cat -n apps/web/package.json | sed -n '1,120p'
fi

# Inspect apps/web lockfile version/resolution context quickly
if [ -f apps/web/pnpm-lock.yaml ]; then
  rg -n "js-yaml@4\.1\.1:" apps/web/pnpm-lock.yaml -n -C2 || true
fi

Repository: OpenDevFlow/md-latex

Length of output: 3415


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "=== pnpm-workspace.yaml ==="
cat pnpm-workspace.yaml

echo "=== .npmrc files (lockfile-dir / settings) ==="
fd -t f -a .npmrc -H . || true
fd -t f -a "*.npmrc" . || true
rg -n --hidden --no-ignore-vcs "lockfile-dir" .npmrc . || true
rg -n --hidden --no-ignore-vcs "(store-dir|lockfile-dir|package-manager|pnpm-lock)" .npmrc package.json . || true

echo "=== Look for pnpm install/ci commands referencing apps/web lockfile ==="
rg -n --hidden --no-ignore-vcs "pnpm\s+(i|install|ci)\b|--lockfile-dir|pnpm-lock\.yaml" .github apps package.json pnpm-workspace.yaml turbo.json README.md || true

echo "=== Check if apps/web has its own scripts invoking pnpm from inside apps/web ==="
cat -n apps/web/package.json | sed -n '1,120p'

Repository: OpenDevFlow/md-latex

Length of output: 2786


🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "=== .github/workflows/test.yml ==="
cat .github/workflows/test.yml | sed -n '1,120p'

echo "=== .github/workflows/deploy.yml ==="
cat .github/workflows/deploy.yml | sed -n '1,120p'

echo "=== .github/workflows/code-quality.yml ==="
cat .github/workflows/code-quality.yml | sed -n '1,120p'

echo "=== apps/web/README.md ==="
cat -n apps/web/README.md | sed -n '1,120p'

echo "=== README.md install instructions (root) ==="
cat -n README.md | sed -n '40,90p'

Repository: OpenDevFlow/md-latex

Length of output: 8748


Stale apps/web/pnpm-lock.yaml (CI likely unaffected due to root lockfile)

  • apps/web/package.json requests js-yaml ^4.2.0, but apps/web/pnpm-lock.yaml still pins js-yaml@4.1.1.
  • GitHub Actions runs pnpm install --frozen-lockfile from the repo root, where pnpm-lock.yaml already resolves js-yaml@4.2.0, so the bump should apply in CI.
  • Regenerate apps/web/pnpm-lock.yaml (or remove it and rely on the root lockfile) to avoid standalone apps/web installs resolving js-yaml@4.1.1.
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@apps/web/package.json` at line 24, The web app's package.json requests
js-yaml ^4.2.0 but the app's pnpm-lock.yaml still pins js-yaml@4.1.1; regenerate
or remove the app-specific lockfile so the lock matches the declared dependency.
Update the web app's pnpm-lock.yaml by running a fresh install (pnpm install)
from the app workspace or delete the app-level pnpm-lock.yaml to rely on the
root pnpm-lock.yaml, then commit the regenerated lockfile so js-yaml resolves to
4.2.0 in standalone installs; ensure the package.json dependency entry
("js-yaml": "^4.2.0") and the app lockfile are consistent.
