[reverted and added suppression] Bump js-yaml from 4.3.0 to 5.2.1#58
Conversation
Bumps [js-yaml](https://github.com/nodeca/js-yaml) from 4.3.0 to 5.2.1. - [Changelog](https://github.com/nodeca/js-yaml/blob/master/CHANGELOG.md) - [Commits](nodeca/js-yaml@4.3.0...5.2.1) --- updated-dependencies: - dependency-name: js-yaml dependency-version: 5.2.1 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>
|
@copilot Confirm compatibility with the proposed js-yaml update. Detail potential exposure and alternate mitigation if this is a security dependency that can't be updated. |
js-yaml v5 is not compatible with the current stack — reverted to v4.3.0. Why it breaks
js-yaml v5 is a major rewrite that removed the default export entirely (named exports only). The production build fails at the prerender phase with: Security exposureNo known vulnerabilities exist in js-yaml 4.3.0 — both Mitigationjs-yaml v4.x is safe to remain on. The path forward to v5 requires Astro and Starlight to update their own js-yaml imports to use named exports — that's an upstream change outside this project. Once |
js-yaml v5 removed its CommonJS default export. Astro and @astrojs/starlight still consume js-yaml as `import yaml from 'js-yaml'`, so bumping to v5 breaks the production build at prerender: "The requested module 'js-yaml' does not provide an export named 'default'" Add a targeted ignore rule so Dependabot stops proposing js-yaml major bumps on every schedule. Security-driven updates are unaffected and will still fire if a CVE lands against js-yaml 4.x. Remove this ignore once upstream Astro/Starlight switch to named imports from js-yaml.
|
I updated the dependabot config and rolled back the actual proposed update. See above from Copilot. |
Bumps js-yaml from 4.3.0 to 5.2.1.
Changelog
Sourced from js-yaml's changelog.
Commits
ac16b425.2.1 released4a864e5Deps bump39f3211!!omap: addMapsupport and remove quadratic complexityff17f1eChangelog update8ed15f1deps bump1a562dcFix changelog linkc28ed5e5.2.0 released125cd5aAddmaxAliasesoption3105455ReplacemaxMergeSeqLengthoption withmaxTotalMergeKeys(more robust)39d00d6numbers: Drop boxed numbers support, simplify .identify() checks, clarify rou...Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)