CVE-2026-49982 CVE-2026-53550 JS-YAML: Quadratic-complexity DoS in merge key handling via repeated aliases #1060
vharseko wants to merge 2 commits into
Conversation
js-yaml <= 4.1.1 is vulnerable to a quadratic-complexity DoS in merge key handling; the fix is only in 4.2.0.
- openam-ui-ria: raise the direct devDependency from ^3.14.2 to ^4.2.0; the existing $js-yaml overrides pull mocha/eslint/grunt to 4.2.0 too.
- openam-ui-api: add an overrides entry forcing the transitive js-yaml (via grunt) to ^4.2.0.
Both are dev-only tools that parse YAML config only; this project has no YAML config (eslint uses .eslintrc.js, no .mocharc.yml, Gruntfiles never call readYAML), so the v4 removal of safeLoad/safeDump is not reached. Verified js-yaml resolves to a single 4.2.0 and both Gruntfiles load. Resolves Dependabot alerts 262 and 257.
Bumping js-yaml to 4.2.0 (CVE-2026-49982 / CVE-2026-53550) and forcing it across the dependency tree via overrides breaks the eslint task: grunt-eslint 19.0.0 pulls eslint 3.8.1, whose config loader reads the extensionless src/test/.eslintrc through its legacy YAML loader, which calls the yaml.safeLoad() API removed in js-yaml 4. The npm build:production task then fails with "Function yaml.safeLoad is removed in js-yaml 4". Rename src/test/.eslintrc to src/test/.eslintrc.json (the content is already valid JSON) so eslint parses it via JSON.parse instead of the YAML loader. This keeps the full js-yaml 4.2.0 remediation in place while restoring the build.
maximthomas approved these changes Jun 26, 2026
Fixes the js-yaml quadratic-complexity DoS (CVE-2026-49982 / CVE-2026-53550 / GHSA-h67p-54hq-rp68), patched only in js-yaml 4.2.0 (advisory affects all versions ≤ 4.1.1, including the 3.x line). Closes Dependabot alerts 262 (openam-ui-ria) and 257 (openam-ui-api).

Changes
- js-yaml ^3.14.2 → ^4.2.0; the existing $js-yaml overrides carry mocha/eslint/grunt to 4.2.0 as well.
- overrides: { "js-yaml": "^4.2.0" }.
- src/test/.eslintrc → src/test/.eslintrc.json (build fix, see below).

Both lockfiles now resolve a single js-yaml@4.2.0 (no 3.x remaining).

The 3.x → 4.x bump and the removed safeLoad API
js-yaml 4 removed safeLoad/safeDump. One dev-time code path actually reached safeLoad: grunt-eslint@19.0.0 pulls eslint 3.8.1, whose config loader reads the extensionless src/test/.eslintrc through its legacy YAML loader (yaml.safeLoad). Forcing js-yaml to 4.2.0 there made npm run build:production fail across every CI job:

Fix: rename the config to src/test/.eslintrc.json (content is already valid JSON). eslint dispatches .json configs to JSON.parse instead of the YAML loader, so the removed API is never called — while js-yaml stays fully upgraded to 4.2.0 across the tree (no vulnerable 3.x left for scanners).

No other YAML code paths remain: the root eslint config is .eslintrc.js, there is no .mocharc.yml, and the Gruntfiles never call grunt.file.readYAML.

Verification
- npm ls js-yaml → single 4.2.0, deduped, in both modules.
- "yaml.safeLoad is removed" failure before the rename; after the rename grunt eslint completes with exit 0 (only pre-existing no-var/prefer-arrow-callback style warnings, which do not fail the build).
- require('js-yaml'), mocha --version, and grunt --help all load under 4.2.0 (exit 0).