chore(deps): update tutorial validation dependencies#100
Conversation
There was a problem hiding this comment.
Code Review
This pull request updates several dependencies in package.json and package-lock.json, including cheerio, js-yaml, and marked. The reviewer identified a potential issue with upgrading js-yaml to v5.x, as it introduces a breaking change where yaml.load() throws an exception on empty or whitespace-only sources, which could crash the validation script. Reverting js-yaml to ^4.1.0 or adding a guard is recommended.
Important
The consumer version of Gemini Code Assist on GitHub is being sunset. Starting June 18, 2026, new organization installations will be blocked, and all code review activity will officially cease on July 17, 2026.
For more details on the timeline and next steps, please review the Help Documentation.
| "fs": "^0.0.1-security", | ||
| "js-yaml": "^4.1.0", | ||
| "marked": "^17.0.1", | ||
| "js-yaml": "^5.2.1", |
There was a problem hiding this comment.
Upgrading js-yaml to v5.x introduces a breaking change where yaml.load() throws a YAMLException when parsing empty or whitespace-only sources (whereas v4.x safely returned undefined or null).
In utils/extract_frontmatter_from_tutorial.js, the extractFrontmatterFromContent function passes the extracted frontmatter match directly to yaml.load(match[1]). If a markdown file contains empty frontmatter (e.g., --- followed immediately by ---), match[1] will be an empty string "". Under js-yaml v5.x, this will throw an exception and crash the validation script (test-markdown-frontmatter.js).
To prevent this, either revert to js-yaml ^4.1.0 or update utils/extract_frontmatter_from_tutorial.js to guard against empty/whitespace-only frontmatter before calling yaml.load().
| "js-yaml": "^5.2.1", | |
| "js-yaml": "^4.1.0", |
Summary
Updates direct npm dependencies used by the tutorial validation tooling:
cheeriofrom^1.1.2to^1.2.0js-yamlfrom^4.1.0to^5.2.1markedfrom^17.0.1to^18.0.5package-lock.jsonwith npm using the existing package managerLinked Hermes Kanban task:
t_fa1387daUpdated dependencies
cheerio^1.1.2^1.2.0js-yaml^4.1.0^5.2.1marked^17.0.1^18.0.5Skipped / constraint-limited dependencies
chalk4.1.25.6.2chalk@5is ESM-only (type: module) while the validation scripts currently use CommonJSrequire('chalk').fs0.0.1-security0.0.1-securitypath0.12.70.12.7Validation
Commands run locally on Node
v22.23.1and npm10.9.8:Outcomes:
npm installcompleted; 38 packages audited; 0 vulnerabilities reported by npm audit.npm cicompleted successfully.npm run test:frontmattercompleted withTest Completed: SUCCESS.npm testecho "Error: no test specified" && exit 1; repository CI usesnpm run test:frontmatterdirectly.Risk notes
cheerioandmarkedboth require modern Node versions; the repository workflow already runs Node 22.markedis a major-version update. The existingrequire('marked')usage was validated bynpm run test:frontmatterafter the update.chalk@5was intentionally not updated because it would require an ESM migration in the current CommonJS test script.Rollback
Revert this PR to restore the previous
package.jsonandpackage-lock.jsondependency versions.