chore(deps): update dependency js-yaml to v4.1.1 [security] - autoclosed by renovate[bot] · Pull Request #1769 · mx-space/kami

renovate · 2025-11-15T14:14:42Z

This PR contains the following updates:

Package	Change	Age	Confidence
js-yaml	`4.1.0` → `4.1.1`

GitHub Vulnerability Alerts

CVE-2025-64718

Impact

In js-yaml 4.1.0, 4.0.0, and 3.14.1 and below, it's possible for an attacker to modify the prototype of the result of a parsed yaml document via prototype pollution (__proto__). All users who parse untrusted yaml documents may be impacted.

Patches

Problem is patched in js-yaml 4.1.1 and 3.14.2.

Workarounds

You can protect against this kind of attack on the server by using node --disable-proto=delete or deno (in Deno, pollution protection is on by default).

References

https://cheatsheetseries.owasp.org/cheatsheets/Prototype_Pollution_Prevention_Cheat_Sheet.html

Release Notes

nodeca/js-yaml (js-yaml)

`v4.1.1`

Compare Source

Security

Fix prototype pollution issue in yaml merge (<<) operator.

Configuration

📅 Schedule: (UTC)

Branch creation
- ""
Automerge
- At any time (no schedule defined)

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

safedep · 2025-11-15T14:14:46Z

SafeDep Report Summary

Package Details

Package	Malware	Vulnerability	Risky License	Report
`js-yaml @ 4.1.1` _{pnpm-lock.yaml}				🔗

View complete scan results →

_{This report is generated by SafeDep Github App}

github-actions · 2026-04-05T13:37:15Z

📦 Next.js Bundle Analysis for mx-kami

This analysis was generated by the Next.js Bundle Analysis action. 🤖

This PR introduced no changes to the JavaScript bundle! 🙌

renovate bot added the dependencies Pull requests that update a dependency file label Nov 15, 2025

renovate bot force-pushed the renovate/npm-js-yaml-vulnerability branch from e9f4fda to ea96c4b Compare November 18, 2025 11:37

renovate bot force-pushed the renovate/npm-js-yaml-vulnerability branch from ea96c4b to cccf59e Compare December 3, 2025 19:25

renovate bot force-pushed the renovate/npm-js-yaml-vulnerability branch from cccf59e to a9dba0c Compare December 31, 2025 14:27

renovate bot force-pushed the renovate/npm-js-yaml-vulnerability branch from a9dba0c to 64ac97f Compare January 8, 2026 18:13

renovate bot force-pushed the renovate/npm-js-yaml-vulnerability branch from 64ac97f to 2a7e9bf Compare January 19, 2026 18:58

renovate bot force-pushed the renovate/npm-js-yaml-vulnerability branch from 2a7e9bf to d76559d Compare February 2, 2026 17:50

renovate bot force-pushed the renovate/npm-js-yaml-vulnerability branch 2 times, most recently from fa40fdd to 0ac0e19 Compare February 17, 2026 18:58

renovate bot force-pushed the renovate/npm-js-yaml-vulnerability branch from 0ac0e19 to a699d28 Compare March 5, 2026 18:17

renovate bot force-pushed the renovate/npm-js-yaml-vulnerability branch 3 times, most recently from ae101b0 to db04d59 Compare March 15, 2026 11:34

renovate bot changed the title ~~chore(deps): update dependency js-yaml to v4.1.1 [security]~~ chore(deps): update dependency js-yaml to v4.1.1 [security] - autoclosed Mar 27, 2026

renovate bot closed this Mar 27, 2026

renovate bot deleted the renovate/npm-js-yaml-vulnerability branch March 27, 2026 01:16

renovate bot changed the title ~~chore(deps): update dependency js-yaml to v4.1.1 [security] - autoclosed~~ chore(deps): update dependency js-yaml to v4.1.1 [security] Mar 30, 2026

renovate bot reopened this Mar 30, 2026

renovate bot force-pushed the renovate/npm-js-yaml-vulnerability branch 4 times, most recently from 394e761 to c46f0a1 Compare April 5, 2026 13:35

renovate bot force-pushed the renovate/npm-js-yaml-vulnerability branch 2 times, most recently from 9f3d2e3 to 85d61d9 Compare April 12, 2026 12:46

chore(deps): update dependency js-yaml to v4.1.1 [security]

87a3552

renovate bot force-pushed the renovate/npm-js-yaml-vulnerability branch from 85d61d9 to 87a3552 Compare April 12, 2026 12:53

renovate bot changed the title ~~chore(deps): update dependency js-yaml to v4.1.1 [security]~~ chore(deps): update dependency js-yaml to v4.1.1 [security] - autoclosed Apr 12, 2026

renovate bot closed this Apr 12, 2026

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

chore(deps): update dependency js-yaml to v4.1.1 [security] - autoclosed#1769

chore(deps): update dependency js-yaml to v4.1.1 [security] - autoclosed#1769
renovate[bot] wants to merge 1 commit intomasterfrom
renovate/npm-js-yaml-vulnerability

renovate bot commented Nov 15, 2025 •

edited by ttimochan

Loading

Uh oh!

safedep bot commented Nov 15, 2025 •

edited

Loading

Uh oh!

github-actions bot commented Apr 5, 2026 •

edited

Loading

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

Uh oh!

Conversation

renovate bot commented Nov 15, 2025 • edited by ttimochan Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

GitHub Vulnerability Alerts

CVE-2025-64718

Impact

Patches

Workarounds

References

Release Notes

v4.1.1

Security

Configuration

Uh oh!

safedep bot commented Nov 15, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

SafeDep Report Summary

Uh oh!

github-actions bot commented Apr 5, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

📦 Next.js Bundle Analysis for mx-kami

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

renovate bot commented Nov 15, 2025 •

edited by ttimochan

Loading

`v4.1.1`

safedep bot commented Nov 15, 2025 •

edited

Loading

github-actions bot commented Apr 5, 2026 •

edited

Loading