Upgrade js-yaml to version 3.14.2, 4.1.1 or later

Open xingfudeshi opened this issue 2 weeks ago • 0 comments

Check Ahead

  • [x] I have searched the issues of this repository and believe that this is not a duplicate.

  • [x] I am willing to try to implement this feature myself.

Why you need it?

In js-yaml 4.1.0, 4.0.0, and 3.14.1 and below, it's possible for an attacker to modify the prototype of the result of a parsed yaml document via prototype pollution (__proto__). All users who parse untrusted yaml documents may be impacted.

How it could be?

No response

Other related information

No response

xingfudeshi, Dec 11 '25 01:12
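
To find which installed copies of js-yaml fall in the ranges named in the issue above, a lockfile can be checked directly. The following is an added example, not code from the issue or from the Seata project; it assumes an npm package-lock.json with a "packages" map (lockfileVersion 2 or 3), and the sample lockfile and the tool-a/tool-b/tool-c package names are constructed.

```javascript
// Added example (not from the issue or the Seata project): flag js-yaml copies
// in a package-lock.json "packages" map that fall in the ranges the issue names.
const FIXED = { 3: [3, 14, 2], 4: [4, 1, 1] }; // fixed releases from the issue title

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1).map(Number);
}

function lessThan(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i];
  }
  return false;
}

// Affected per the issue: 3.14.1 and below, plus 4.0.0 and 4.1.0.
function isAffected(version) {
  const v = parseVersion(version);
  if (v[0] <= 3) return lessThan(v, FIXED[3]);
  if (v[0] === 4) return lessThan(v, FIXED[4]);
  return false; // anything later than the 4.x fix
}

function findAffectedJsYaml(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    // Nested copies appear as "node_modules/<parent>/node_modules/js-yaml".
    if (!path.endsWith("node_modules/js-yaml") || !meta.version) continue;
    if (isAffected(meta.version)) hits.push({ path, version: meta.version });
  }
  return hits;
}

// Constructed sample lockfile; package names and layout are hypothetical.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-console" },
    "node_modules/js-yaml": { version: "4.1.1" },
    "node_modules/tool-a/node_modules/js-yaml": { version: "4.1.0" },
    "node_modules/tool-b/node_modules/js-yaml": { version: "3.14.1" },
    "node_modules/tool-c/node_modules/js-yaml": { version: "3.14.2" },
  },
};
console.log(findAffectedJsYaml(SAMPLE_LOCK));
```

Transitive copies nested under other packages are the ones a top-level upgrade alone does not replace, which is why the check walks every path in the map.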