[Bug]: js-yaml medium vulnerability CVE-2025-64718

[leonidgainar]

Version

30.2.0

Steps to reproduce

1. Install a jest package
2. Run pnpm why js-yaml
3. You will see a dependency to js-yaml 3.14.2

Fixed version js-yaml@4.1.1

Expected behavior

Update js-yaml to 4.1.1 version everywhere where needed.

Actual behavior

GHSA-mh29-5h37-fv8m

Additional context

No response

Environment

System:
    OS: macOS 26.1
    CPU: (14) arm64 Apple M4 Pro
    Memory: 3.92 GB / 48.00 GB
    Shell: 5.9 - /bin/zsh
  Binaries:
    Node: 22.13.1 - /usr/local/bin/node
    npm: 10.9.2 - /usr/local/bin/npm
    pnpm: 10.14.0 - /usr/local/bin/pnpm
  npmPackages:
    jest: ^30.2.0 => 30.2.0

[hainenber]

This should be fixed in next major/minor version that cherry-picks/lands this commit.

js-yaml folks were generous to backport to v3.x so no breaking changes :D

[G-Rath]

You can resolve this by updating the dependency e.g. npm update js-yaml - Jest does not need to do anything for this, and in fact the referenced commit just updates the dependency in Jest's lockfile, so having a new version released won't change anything.

You need to explicitly have your package manager update the dependency within your project