Skip to content

Bump js-yaml #928

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
dependabot wants to merge 1 commit into from
Closed

Bump js-yaml #928

dependabot wants to merge 1 commit into from

Conversation

@dependabot
Copy link
Contributor

@dependabot dependabot bot commented on behalf of github Nov 17, 2025
edited
Loading

Bumps and js-yaml. These dependencies needed to be updated together.
Updates js-yaml from 4.1.0 to 4.1.1

Changelog

Sourced from js-yaml's changelog.

[4.1.1] - 2025-11-12

Security

  • Fix prototype pollution issue in yaml merge (<<) operator.
Commits

Updates js-yaml from 3.14.1 to 3.14.2

Changelog

Sourced from js-yaml's changelog.

[4.1.1] - 2025-11-12

Security

  • Fix prototype pollution issue in yaml merge (<<) operator.
Commits

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

@dependabot
Bump js-yaml
d2314a8 
Bumps  and [js-yaml](https://github.com/nodeca/js-yaml). These dependencies needed to be updated together.

Updates `js-yaml` from 4.1.0 to 4.1.1
- [Changelog](https://github.com/nodeca/js-yaml/blob/master/CHANGELOG.md)
- [Commits](nodeca/js-yaml@4.1.0...4.1.1)

Updates `js-yaml` from 3.14.1 to 3.14.2
- [Changelog](https://github.com/nodeca/js-yaml/blob/master/CHANGELOG.md)
- [Commits](nodeca/js-yaml@4.1.0...4.1.1)

---
updated-dependencies:
- dependency-name: js-yaml
  dependency-version: 4.1.1
  dependency-type: indirect
- dependency-name: js-yaml
  dependency-version: 3.14.2
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added dependencies javascript Pull requests that update Javascript code labels Nov 17, 2025
@dependabot dependabot bot added dependencies javascript Pull requests that update Javascript code labels Nov 17, 2025
@cx-ben-alvo
Copy link
Collaborator

cx-ben-alvo commented Nov 17, 2025

Logo
Checkmarx One – Scan Summary & Details6b980825-6187-4ffb-8de8-8da48dec82ed

New Issues (35)

Checkmarx found the following issues in this Pull Request

Severity Issue Source File / Package Checkmarx Insight
CRITICAL Cx6057d4e5-4760 Npm-coa-3.1.3
detailsDescription: This package was manually inspected by a security researcher and flagged as malicious ### About Classifying malicious packages is an internal proc...

ID: 0v6oLex64UbHxwXbxBSzguiOFY%2BlIAE%2BTpFWLAC%2F0kY%3D
Vulnerable Package
CRITICAL Cx657a3ff1-7b92 Npm-coa-3.1.3
detailsDescription: This package downloads a harmful file. File hash: ```7f986cd3c946f274cdec73f80b84855a77bc2a3c765d68897fbc42835629a5d5``` ### About Using a dynamic...

ID: wMaZ%2BIcBkzafqL158jDs2nXN90jaka1Ici0MSw6celM%3D
Vulnerable Package
CRITICAL Cxa079aba6-fc3c Npm-coa-3.1.3
detailsDescription: This package exfiltrates stored credentials and sensitive information ### About Data exfiltration may be done in numerous ways such as through HTT...

ID: t%2BEW5mZGwoFjYlRIAmjfkF8oKsYqs%2BYA%2FODR9yAoHUk%3D
Vulnerable Package
CRITICAL Cxb34b508c-969f Npm-coa-3.1.3
detailsDescription: This package exfiltrates computer and operating system information ### About Data exfiltration may be done in numerous ways such as through HTTP r...

ID: %2BUJ%2FfX5Zm%2B7fTwtRrQAuZ%2BnY8RgR85IZzxwoVhmYBTs%3D
Vulnerable Package
CRITICAL Cxb5dfb167-23a8 Npm-coa-3.1.3
detailsDescription: The npm package coa had versions published with malicious code. Users of affected versions (2.0.3 and above) should downgrade to 2.0.2 as soon as p...
Attack Vector: NETWORK
Attack Complexity: LOW

ID: fCP71vnzzVVyF0UbhblJLUOAYguB%2FV8D68pHrIZ%2FYW0%3D
Vulnerable Package
CRITICAL Cxbd621f75-d5df Npm-coa-3.1.3
detailsDescription: This package downloads a harmful file. File hash: ```ea131cc5ccf6aa6544d6cb29cdb78130feed061d2097c6903215be1499464c2e``` ### About Using a dynamic...

ID: yUhI36IberMi84EaTtFZAVGI4e6DTdeImfhsFtY3Cy4%3D
Vulnerable Package
CRITICAL Cxc2338b3a-b052 Npm-coa-3.1.3
detailsDescription: This package downloads a harmful file. File hash: ```2a3acdcd76575762b18c18c644a745125f55ce121f742d2aad962521bc7f25fd``` ### About Using a dynamic...

ID: VV179YGmz1OezS%2FeE3TAAIuIf0cNdxG9oSremKiaGVU%3D
Vulnerable Package
CRITICAL Cxc56b90ed-4804 Npm-coa-3.1.3
detailsDescription: This package executes a crypto mining software ### About Using a dynamic analysis environment (also known as a Sandbox) we can monitor filesystem ...

ID: q8oPHzGuyyjaD7%2FHzSJwefzs9xR5wbtysdymShlaWPE%3D
Vulnerable Package
HIGH CVE-2024-12905 Npm-tar-fs-1.16.3
detailsRecommended version: 1.16.6
Description: An Improper Link Resolution Before File Access ("Link Following") and Improper Limitation of a Pathname to a Restricted Directory ("Path Traversal"...
Attack Vector: NETWORK
Attack Complexity: LOW

ID: gPg3TLpRKrDrIV2s9oqPj%2FJVEqfdxHLGTKrB89UgNco%3D
Vulnerable Package
HIGH CVE-2024-12905 Npm-tar-fs-2.1.1
detailsRecommended version: 2.1.4
Description: An Improper Link Resolution Before File Access ("Link Following") and Improper Limitation of a Pathname to a Restricted Directory ("Path Traversal"...
Attack Vector: NETWORK
Attack Complexity: LOW

ID: IQimktxlP0ofekmSOO%2Fh6mJOn2QpqBMJhAC3tkaL7No%3D
Vulnerable Package
HIGH CVE-2024-21538 Npm-cross-spawn-6.0.5
detailsRecommended version: 6.0.6
Description: Versions of the package cross-spawn prior to 6.0.6 and 7.x prior to 7.0.5 are vulnerable to Regular Expression Denial of Service (ReDoS), due to im...
Attack Vector: NETWORK
Attack Complexity: LOW

ID: tsEAxHnMBt1srKQWGibI1v9RwfBn%2BMxz%2Baw11CUt8QA%3D
Vulnerable Package
HIGH CVE-2024-21538 Npm-cross-spawn-7.0.3
detailsRecommended version: 7.0.5
Description: Versions of the package cross-spawn prior to 6.0.6 and 7.x prior to 7.0.5 are vulnerable to Regular Expression Denial of Service (ReDoS), due to im...
Attack Vector: NETWORK
Attack Complexity: LOW

ID: YdTVdn1tOepOEYXee9FmwqYxJyO1AB2O0dELEwjEFU0%3D
Vulnerable Package
HIGH CVE-2025-48387 Npm-tar-fs-1.16.3
detailsRecommended version: 1.16.6
Description: The package tar-fs provides filesystem bindings for tar-stream. In versions prior to 1.16.5, 2.0.x prior to 2.1.3, and 3.0.x prior to 3.0.9, there ...
Attack Vector: NETWORK
Attack Complexity: LOW

ID: TujjzsZ9p%2BOKLI9tw2u5JTGMgQc1rAL4XtKwjM8HVKs%3D
Vulnerable Package
HIGH CVE-2025-48387 Npm-tar-fs-2.1.1
detailsRecommended version: 2.1.4
Description: The package tar-fs provides filesystem bindings for tar-stream. In versions prior to 1.16.5, 2.0.x prior to 2.1.3, and 3.0.x prior to 3.0.9, there ...
Attack Vector: NETWORK
Attack Complexity: LOW

ID: ZhCWjB9AlT3iUNo9SRQpxhlQnCMAu8%2Fn1AYZ1TVHGu8%3D
Vulnerable Package
HIGH CVE-2025-59343 Npm-tar-fs-2.1.1
detailsRecommended version: 2.1.4
Description: tar-fs provides filesystem bindings for tar-stream. Versions prior to 3.1.1, 2.1.4, and 1.16.6 are vulnerable to symlink validation bypass if the d...
Attack Vector: NETWORK
Attack Complexity: LOW

ID: 3mlXMD7cX7wvmzSh2Llvee4Q9Bfp%2BzDjaBTXtwGdGYA%3D
Vulnerable Package
HIGH CVE-2025-59343 Npm-tar-fs-1.16.3
detailsRecommended version: 1.16.6
Description: tar-fs provides filesystem bindings for tar-stream. Versions prior to 3.1.1, 2.1.4, and 1.16.6 are vulnerable to symlink validation bypass if the d...
Attack Vector: NETWORK
Attack Complexity: LOW

ID: %2Bjbuc%2BS0dFkO%2F0h125RhcPQUnZZZFVElDk9Iu6wXHMo%3D
Vulnerable Package
HIGH Cx687dda59-2e3a Npm-unzip-stream-0.3.1
detailsRecommended version: 0.3.2
Description: The unzip-stream allows Arbitrary File Write via artifact extraction. When using the "Extract()" method of unzip-stream, malicious zip files were a...
Attack Vector: NETWORK
Attack Complexity: LOW

ID: yIU3gJKIRpJPZ0E%2FSeNKMqeA722HNoVQdqDTYzS7jNs%3D
Vulnerable Package
HIGH Cxc7705965-e0f0 Npm-@babel/core-7.15.0
detailsRecommended version: 7.18.6
Description: The @babel/core package versions prior to 7.18.6 were discovered to contain a memory leak vulnerability.
Attack Vector: NETWORK
Attack Complexity: LOW

ID: PA2xv%2BtAPVmFgo6ghyn0vjER6J4z5IEAVzJoFGB5GRI%3D
Vulnerable Package
HIGH Cxdca8e59f-8bfe Npm-inflight-1.0.6
detailsDescription: In NPM `inflight` there is a Memory Leak because some resources are not freed correctly after being used. It appears to affect all versions, as the...
Attack Vector: NETWORK
Attack Complexity: LOW

ID: 20E%2FuFurmymB4coVdRE0Yq%2FMsa4l3sNwYDQqi6vNoqs%3D
Vulnerable Package
MEDIUM ALB Listening on HTTP /positive1.tf: 9
detailsAWS Application Load Balancer (alb) should not listen on HTTP
ID: yZXbrnwNo%2FZnfgvlzkJfobryAGE%3D
MEDIUM CVE-2023-0842 Npm-xml2js-0.4.23
detailsRecommended version: 0.5.0
Description: The xml2js in versions prior to 0.5.0 allows an external attacker to edit or add new properties to an object. This is possible because the applicat...
Attack Vector: NETWORK
Attack Complexity: LOW

ID: Vy1hvb6YZP66bOiAy%2FnpHnEecB94kucbb9%2BDg1PUPJw%3D
Vulnerable Package
MEDIUM CVE-2024-11831 Npm-serialize-javascript-6.0.0
detailsRecommended version: 6.0.2
Description: A flaw was found in npm-serialize-javascript. The vulnerability occurs because the serialize-javascript module does not properly sanitize certain i...
Attack Vector: NETWORK
Attack Complexity: LOW

ID: cbCn2q63LChBBD7ON9U81I05kzsv3JlO1HVJV0PZfwQ%3D
Vulnerable Package
MEDIUM CVE-2024-4067 Npm-micromatch-4.0.5
detailsRecommended version: 4.0.8
Description: The NPM package "micromatch" prior to 4.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in "micromatch....
Attack Vector: NETWORK
Attack Complexity: LOW

ID: SPtLgfgLM8mI8XucByL4VU%2FOu7G6evdxFr9gjKpJObM%3D
Vulnerable Package
MEDIUM CVE-2024-43788 Npm-webpack-5.90.1
detailsRecommended version: 5.94.0
Description: Webpack is a module bundler. Its main purpose is to bundle JavaScript files for usage in a browser, yet it is also capable of transforming, bundlin...
Attack Vector: NETWORK
Attack Complexity: LOW

ID: NxrwEQOYcxEzPz3QZjCq1fYr%2BV51I6hS%2B3py3RnXMn4%3D
Vulnerable Package
MEDIUM CVE-2024-55565 Npm-nanoid-3.3.3
detailsRecommended version: 3.3.8
Description: The package nanoid versions through 3.3.7 and 4.0.0 through 5.0.8 mishandle non-integer values.
Attack Vector: NETWORK
Attack Complexity: LOW

ID: L8wgWNvYZ5wDoZgP0niRccYMHhSvbTK7ep%2FnUMMbk7A%3D
Vulnerable Package
MEDIUM CVE-2025-54798 Npm-tmp-0.0.30
detailsRecommended version: 0.2.4
Description: tmp is a temporary file and directory creator for node.js. In versions prior to 0.2.4, tmp is vulnerable to an arbitrary temporary file "/" directo...
Attack Vector: NETWORK
Attack Complexity: LOW

ID: 0wI2yPQm3D2zLgX09EHkzqV04IKRc0bB7Hjpu9kVUuc%3D
Vulnerable Package
MEDIUM CVE-2025-54798 Npm-tmp-0.2.1
detailsRecommended version: 0.2.4
Description: tmp is a temporary file and directory creator for node.js. In versions prior to 0.2.4, tmp is vulnerable to an arbitrary temporary file "/" directo...
Attack Vector: NETWORK
Attack Complexity: LOW

ID: fxOskprBcHHFuP8wLR7HAk1VaLIlP%2BHrQnM0%2Bq8wfFE%3D
Vulnerable Package
MEDIUM ELBv2 LB Access Log Disabled /positive1.tf: 15
detailsELBv2 LBs should have access log enabled to capture detailed information about requests sent to your load balancer.
ID: T6F6kPHYKPFyDpB87WgOa6ulhic%3D
LOW APT-GET Missing Flags To Avoid Manual Input /Dockerfile: 5
detailsCheck if apt-get calls use flags to avoid user manual input.
ID: PP9WHiBQsCBajZJkTBnbeQ%2FWmoo%3D
LOW CVE-2025-5889 Npm-brace-expansion-1.1.11
detailsRecommended version: 1.1.12
Description: A vulnerability was found in juliangruber brace-expansion. It has been rated as problematic. Affected by this issue is the function "expand" of the...
Attack Vector: NETWORK
Attack Complexity: HIGH

ID: D5lyPAeX4iPHWuKa3v7IrCOi6sRhBTCMjqY1fgsQKEE%3D
Vulnerable Package
LOW CVE-2025-5889 Npm-brace-expansion-2.0.1
detailsRecommended version: 2.0.2
Description: A vulnerability was found in juliangruber brace-expansion. It has been rated as problematic. Affected by this issue is the function "expand" of the...
Attack Vector: NETWORK
Attack Complexity: HIGH

ID: JpvUiTpeawTsr%2FKVyIP6434oj9hnluDJJ0oMQ0AA5MM%3D
Vulnerable Package
LOW Cx8bc4df28-fcf5 Npm-debug-4.3.4
detailsRecommended version: 4.4.0
Description: In NPM "debug" versions prior to 4.4.0, the "enable" function accepts a regular expression from user input without escaping it. Arbitrary regular e...
Attack Vector: NETWORK
Attack Complexity: HIGH

ID: %2B8DoDhY3iNcrwira633ZEOcTgvry59r9u98yo5mjpMA%3D
Vulnerable Package
LOW Healthcheck Instruction Missing /Dockerfile: 1
detailsEnsure that HEALTHCHECK is being used. The HEALTHCHECK instruction tells Docker how to test a container to check that it is still working
ID: GFv7YpwPyFMEfyTpNssycczyYxE%3D
LOW IAM Access Analyzer Not Enabled /positive1.tf: 15
detailsIAM Access Analyzer should be enabled and configured to continuously monitor resource permissions
ID: 1MGxcg6vKIu%2FLuepwD32VKiKgnI%3D
LOW Shield Advanced Not In Use /positive1.tf: 15
detailsAWS Shield Advanced should be used for Amazon Route 53 hosted zone, AWS Global Accelerator accelerator, Elastic IP Address, Elastic Load Balancing,...
ID: uksw0A3tt%2BuOK%2Bie011Hp%2FcD5Dk%3D

Use @Checkmarx to reach out to us for assistance.

Just send a PR comment with @Checkmarx followed by a natural language request.

Examples: @Checkmarx how are you able to help me? @Checkmarx rescan this PR

@cx-rahul-pidde cx-rahul-pidde self-assigned this Nov 20, 2025
@dependabot @github
Copy link
Contributor Author

dependabot bot commented on behalf of github Nov 21, 2025

Superseded by #930.

@dependabot dependabot bot closed this Nov 21, 2025
auto-merge was automatically disabled November 21, 2025 03:02

Pull request was closed

@dependabot dependabot bot deleted the dependabot/npm_and_yarn/multi-75e6bc5210 branch November 21, 2025 03:02
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@cx-pedro-lopes cx-pedro-lopes cx-pedro-lopes approved these changes

@cx-anurag-dalke cx-anurag-dalke Awaiting requested review from cx-anurag-dalke cx-anurag-dalke is a code owner

Assignees

@cx-rahul-pidde cx-rahul-pidde

Labels

dependencies javascript Pull requests that update Javascript code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@cx-ben-alvo @cx-pedro-lopes @cx-rahul-pidde