Skip to content

Major package upgrade js-yaml#23

Open
melroy89 wants to merge 1 commit intoistanbuljs:masterfrom
melroy89:upgrade_js-yaml
Open

Major package upgrade js-yaml#23
melroy89 wants to merge 1 commit intoistanbuljs:masterfrom
melroy89:upgrade_js-yaml

Conversation

@melroy89
Copy link

@melroy89 melroy89 commented Nov 14, 2025
edited
Loading

Lets start with the obvious upgrade, the js-yaml security vulnerability (production dependency).

I tried running the test.. Gave error (I think I blame xo from the pretest step?):

npm test        

> @istanbuljs/load-nyc-config@1.1.0 pretest
> xo

TypeError: util.isDate is not a function
Occurred while linting /home/melroy/Documents/projects/load-nyc-config/index.js:3
...

But also tap won't run anymore...

./node_modules/tap/bin/run.js 
TypeError: Cannot read properties of undefined (reading 'getFileName')
    at module.exports (/home/melroy/Documents/projects/load-nyc-config/node_modules/tap/node_modules/caller-path/index.js:4:40)

Also you can use fs.readFileSync today, instead of wrapping it in promisify 😨 .

Fixes: #22

@eemeli eemeli mentioned this pull request Nov 15, 2025
Open
@melroy89
Copy link
Author

melroy89 commented Nov 17, 2025

I'm also fine if this other PR gets merged instead: #24 which fixes more issues present in this repo that I did mention above as well.

@GaneshBalajii
Copy link

GaneshBalajii commented Dec 11, 2025

I looking for this PR to merge, as there is security vulnerability raised in prod envs

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

js-yaml dependency below 4.1.1 has prototype pollution in merge

2 participants

@melroy89 @GaneshBalajii