Skip to content

chore: bump js-yaml from 4.3.0 to 5.0.0#817

Merged
danieltruong merged 1 commit into
developfrom
dependabot/npm_and_yarn/js-yaml-4.2.0
Jul 2, 2026
Merged

chore: bump js-yaml from 4.3.0 to 5.0.0#817
danieltruong merged 1 commit into
developfrom
dependabot/npm_and_yarn/js-yaml-4.2.0

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 15, 2026

Copy link
Copy Markdown
Contributor

Bumps js-yaml from 4.3.0 to 5.0.0.

Changelog

Sourced from js-yaml's changelog.

4.3.0, 3.15.0 - 2026-06-27

Security

  • Backported maxTotalMergeKeys option.

[5.2.0] - 2026-06-26

Added

  • Added maxTotalMergeKeys (10000) loader option to limit the total number of keys processed by YAML merge (<<) across one load() / loadAll() call.
  • Added maxAliases (-1) loader option to limit the number of YAML aliases per document.

Removed

  • maxMergeSeqLength replaced with maxTotalMergeKeys for limiting YAML merge processing.

Fixed

  • Round-trip of integers with exponential form (>= 1e21)

[5.1.0] - 2026-06-23

Added

  • Collection tags can finalize an incrementally populated carrier into a different result value.

Changed

  • [breaking] quoteStyle now selects the preferred quote style; use the restored forceQuotes option to force quoting non-key strings.

[5.0.0] - 2026-06-20

Added

  • Added named exports for schemas, tags, parser events and AST utilities.
  • Reworked JSON_SCHEMA and CORE_SCHEMA with spec-compliant scalar resolution rules, and added YAML11_SCHEMA.
  • Added realMapTag for lossless mappings with non-string and complex keys. Object-based mappings now reject complex keys instead of stringifying them.
  • Added dump() transform option for changing the generated AST before rendering.
  • Added dump() options seqInlineFirst, flowBracketPadding, flowSkipCommaSpace, flowSkipColonSpace, quoteFlowKeys, quoteStyle and tagBeforeAnchor.
  • Added formal data layers (events and AST) for modular data pipelines.
    • Added low-level parser (to events), presenter and visitor APIs.
  • Added the YAML Test Suite to the test set.

Changed

  • See the migration guide for upgrade notes.
  • Rewritten in TypeScript and reorganized the public API around flat named exports.

... (truncated)

Commits
  • 75148bc 5.0.0 released
  • 704b25d Quote document markers followed by whitespace
  • 42dea28 Support complex !!pairs keys with realMapTag
  • 6cf374e Fix dumping strings that collide with YAML markers
  • 65b8d94 Clarify !!omap/!!pairs support
  • 33e3640 Move tagname helpers to common/ and remove unused exports
  • 4dd582b Cleanup export types
  • 39b3792 Add types export
  • 0cd01e9 docs: update for v5
  • c5a61a4 Fix presenter coverage
  • Additional commits viewable in compare view

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jun 15, 2026
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jun 15, 2026
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/js-yaml-4.2.0 branch from 1b77637 to 63d31d4 Compare June 19, 2026 17:44
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/js-yaml-4.2.0 branch 7 times, most recently from cc0fc3b to 2d8c465 Compare July 2, 2026 17:07
danieltruong added a commit that referenced this pull request Jul 2, 2026
Bumps actions/checkout to v7.0.0, github/codeql-action to v4.36.3,
js-yaml to v4.3.0, and tar to v7.5.19 to address security vulnerabilities
and close Dependabot pull requests #817, #818, #819, #820, and #821.
Bumps [js-yaml](https://github.com/nodeca/js-yaml) from 4.3.0 to 5.0.0.
- [Changelog](https://github.com/nodeca/js-yaml/blob/master/CHANGELOG.md)
- [Commits](nodeca/js-yaml@4.3.0...5.0.0)

---
updated-dependencies:
- dependency-name: js-yaml
  dependency-version: 4.2.0
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot changed the title chore: bump js-yaml from 4.1.1 to 4.2.0 chore: bump js-yaml from 4.3.0 to 5.0.0 Jul 2, 2026
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/js-yaml-4.2.0 branch from 2d8c465 to 8e3471a Compare July 2, 2026 17:11
@danieltruong danieltruong merged commit 15570c2 into develop Jul 2, 2026
4 checks passed
@danieltruong danieltruong deleted the dependabot/npm_and_yarn/js-yaml-4.2.0 branch July 2, 2026 17:13
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant