
[Bug]: js-yaml medium vulnerability CVE-2025-64718

Open leonidgainar opened this issue 1 month ago • 2 comments

Version

30.2.0

Steps to reproduce

  1. Install the jest package
  2. Run pnpm why js-yaml
  3. You will see a dependency on js-yaml 3.14.2

Fixed version: js-yaml@4.1.1

Expected behavior

Update js-yaml to version 4.1.1 everywhere it is needed.

Actual behavior

https://github.com/advisories/GHSA-mh29-5h37-fv8m

Additional context

No response

Environment

  System:
    OS: macOS 26.1
    CPU: (14) arm64 Apple M4 Pro
    Memory: 3.92 GB / 48.00 GB
    Shell: 5.9 - /bin/zsh
  Binaries:
    Node: 22.13.1 - /usr/local/bin/node
    npm: 10.9.2 - /usr/local/bin/npm
    pnpm: 10.14.0 - /usr/local/bin/pnpm
  npmPackages:
    jest: ^30.2.0 => 30.2.0

leonidgainar, Nov 18 '25 09:11

This should be fixed in the next major/minor version that cherry-picks/lands this commit.

js-yaml folks were generous to backport to v3.x so no breaking changes :D

hainenber, Nov 20 '25 14:11

You can resolve this by updating the dependency e.g. npm update js-yaml - Jest does not need to do anything for this, and in fact the referenced commit just updates the dependency in Jest's lockfile, so having a new version released won't change anything.

You need to explicitly have your package manager update the dependency within your project.

G-Rath, Nov 28 '25 19:11