react-native-windows icon indicating copy to clipboard operation
react-native-windows copied to clipboard
verified publisher icon microsoft

[0.81][0.80][0.79]Component Governance critical alert Upgrade js-yaml from 4.1.0 to 4.1.1

Open HariniMalothu17 opened this issue 1 month ago • 0 comments

Impact In js-yaml 4.1.0, 4.0.0, and 3.14.1 and below, it's possible for an attacker to modify the prototype of the result of a parsed yaml document via prototype pollution (proto). All users who parse untrusted yaml documents may be impacted.

Patches Problem is patched in js-yaml 4.1.1 and 3.14.2.

Workarounds You can protect against this kind of attack on the server by using node --disable-proto=delete or deno (in Deno, pollution protection is on by default). Recommendation Upgrade js-yaml from 4.1.0 to 4.1.1 to fix the vulnerability.

HariniMalothu17 avatar Dec 08 '25 09:12 HariniMalothu17