From bb8b7987b0f1353defd2b63f327807ff1f5101c8 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Wed, 24 Jun 2026 06:22:25 +0000 Subject: [PATCH 1/2] Initial plan From 6d9e558fca73ac5039d034ce18aa5b35d3b89df4 Mon Sep 17 00:00:00 2001 From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com> Date: Wed, 24 Jun 2026 06:48:43 +0000 Subject: [PATCH 2/2] fix: replace transitive js-yaml 3.14.2 with compat shim backed by patched 4.2.0 (CVE-2026-53550) --- CHANGELOG.md | 4 ++ package-lock.json | 77 ++++++------------------------------ package.json | 5 ++- patches/js-yaml/index.cjs | 17 ++++++++ patches/js-yaml/package.json | 13 ++++++ 5 files changed, 51 insertions(+), 65 deletions(-) create mode 100644 patches/js-yaml/index.cjs create mode 100644 patches/js-yaml/package.json diff --git a/CHANGELOG.md b/CHANGELOG.md index 7afff02..12984da 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,9 @@ # Changelog +## 0.11.2 + +- Fix CVE-2026-53550 / GHSA-h67p-54hq-rp68: replace transitive `js-yaml@3.14.2` instances (from `@azure/openapi-markdown` and `front-matter`) with a compatibility shim backed by the patched `js-yaml@4.2.0` + ## 0.11.1 - Bump minimum Node.js version from 20 to 22 diff --git a/package-lock.json b/package-lock.json index 8d47cde..4fd4dd3 100644 --- a/package-lock.json +++ b/package-lock.json @@ -20,7 +20,7 @@ "@ts-common/string-map": "^1.1.1", "commonmark": "0.31.2", "glob": "^13.0.0", - "js-yaml": "^4.1.0", + "js-yaml": "file:./patches/js-yaml", "jsonpath-plus": "^10.0.0", "node-object-hash": "^3.1.1", "yargs": "^15.4.1" @@ -76,15 +76,6 @@ "@ts-common/iterator": "^0.3.0" } }, - "node_modules/@azure/openapi-markdown/node_modules/argparse": { - "version": "1.0.10", - "resolved": "https://registry.npmjs.org/argparse/-/argparse-1.0.10.tgz", - "integrity": "sha512-o5Roy6tNG4SL/FOkCAN6RzjiakZS25RLYFrcMttJqbdd8BWrnA+fGz57iN5Pb06pvBGvl5gQ0B48dJlslXvoTg==", - "license": "MIT", - "dependencies": { - "sprintf-js": "~1.0.2" - } - }, "node_modules/@azure/openapi-markdown/node_modules/commonmark": { "version": "0.28.1", "resolved": "https://registry.npmjs.org/commonmark/-/commonmark-0.28.1.tgz", @@ -109,19 +100,6 @@ "integrity": "sha512-f2LZMYl1Fzu7YSBKg+RoROelpOaNrcGmE9AZubeDfrCEia483oW4MI4VyFd5VNHIgQ/7qm1I0wUHK1eJnn2y2w==", "license": "BSD-2-Clause" }, - "node_modules/@azure/openapi-markdown/node_modules/js-yaml": { - "version": "3.14.2", - "resolved": "https://registry.npmjs.org/js-yaml/-/js-yaml-3.14.2.tgz", - "integrity": "sha512-PMSmkqxr106Xa156c2M265Z+FTrPl+oxd/rgOQy2tijQeK5TxQ43psO1ZCwhVOSdnn+RzkzlRz/eY4BgJBYVpg==", - "license": "MIT", - "dependencies": { - "argparse": "^1.0.7", - "esprima": "^4.0.0" - }, - "bin": { - "js-yaml": "bin/js-yaml.js" - } - }, "node_modules/@azure/openapi-markdown/node_modules/tslib": { "version": "1.14.1", "resolved": "https://registry.npmjs.org/tslib/-/tslib-1.14.1.tgz", @@ -1961,19 +1939,6 @@ "url": "https://opencollective.com/eslint" } }, - "node_modules/esprima": { - "version": "4.0.1", - "resolved": "https://registry.npmjs.org/esprima/-/esprima-4.0.1.tgz", - "integrity": "sha512-eGuFFw7Upda+g4p+QHvnW0RyTX/SVeJBDM/gCtMARO0cLuT2HcEKnTPvhjV6aGeqrCB/sbNop0Kszm0jsaWU4A==", - "license": "BSD-2-Clause", - "bin": { - "esparse": "bin/esparse.js", - "esvalidate": "bin/esvalidate.js" - }, - "engines": { - "node": ">=4" - } - }, "node_modules/esquery": { "version": "1.7.0", "resolved": "https://registry.npmjs.org/esquery/-/esquery-1.7.0.tgz", @@ -2155,28 +2120,6 @@ "js-yaml": "^3.13.1" } }, - "node_modules/front-matter/node_modules/argparse": { - "version": "1.0.10", - "resolved": "https://registry.npmjs.org/argparse/-/argparse-1.0.10.tgz", - "integrity": "sha512-o5Roy6tNG4SL/FOkCAN6RzjiakZS25RLYFrcMttJqbdd8BWrnA+fGz57iN5Pb06pvBGvl5gQ0B48dJlslXvoTg==", - "license": "MIT", - "dependencies": { - "sprintf-js": "~1.0.2" - } - }, - "node_modules/front-matter/node_modules/js-yaml": { - "version": "3.14.2", - "resolved": "https://registry.npmjs.org/js-yaml/-/js-yaml-3.14.2.tgz", - "integrity": "sha512-PMSmkqxr106Xa156c2M265Z+FTrPl+oxd/rgOQy2tijQeK5TxQ43psO1ZCwhVOSdnn+RzkzlRz/eY4BgJBYVpg==", - "license": "MIT", - "dependencies": { - "argparse": "^1.0.7", - "esprima": "^4.0.0" - }, - "bin": { - "js-yaml": "bin/js-yaml.js" - } - }, "node_modules/fsevents": { "version": "2.3.3", "resolved": "https://registry.npmjs.org/fsevents/-/fsevents-2.3.3.tgz", @@ -2464,6 +2407,11 @@ "license": "MIT" }, "node_modules/js-yaml": { + "resolved": "patches/js-yaml", + "link": true + }, + "node_modules/js-yaml-v4": { + "name": "js-yaml", "version": "4.2.0", "resolved": "https://registry.npmjs.org/js-yaml/-/js-yaml-4.2.0.tgz", "integrity": "sha512-ePWsvanv0DWuDRsW8dnt+R4jQ31SCRCQ7hhNcPXZPsoBZiemuZNYGf7adZdqX2D86j6rvKp3RpCxVTSb8WQlOw==", @@ -3344,12 +3292,6 @@ "node": ">=0.10.0" } }, - "node_modules/sprintf-js": { - "version": "1.0.3", - "resolved": "https://registry.npmjs.org/sprintf-js/-/sprintf-js-1.0.3.tgz", - "integrity": "sha512-D9cPgkvLlV3t3IzL0D0YLvGA9Ahk4PcvVwUbN0dSGr1aP0Nrt4AEnTUbuGvquEC0mA64Gqt1fzirlRs5ibXx8g==", - "license": "BSD-3-Clause" - }, "node_modules/stackback": { "version": "0.0.2", "resolved": "https://registry.npmjs.org/stackback/-/stackback-0.0.2.tgz", @@ -3896,6 +3838,13 @@ "funding": { "url": "https://github.com/sponsors/sindresorhus" } + }, + "patches/js-yaml": { + "version": "4.2.0", + "license": "MIT", + "dependencies": { + "js-yaml-v4": "npm:js-yaml@4.2.0" + } } } } diff --git a/package.json b/package.json index ee48026..bd70183 100644 --- a/package.json +++ b/package.json @@ -52,7 +52,7 @@ "@ts-common/string-map": "^1.1.1", "commonmark": "0.31.2", "glob": "^13.0.0", - "js-yaml": "^4.1.0", + "js-yaml": "file:./patches/js-yaml", "jsonpath-plus": "^10.0.0", "node-object-hash": "^3.1.1", "yargs": "^15.4.1" @@ -73,5 +73,8 @@ }, "engines": { "node": ">=22.0.0" + }, + "overrides": { + "js-yaml": "file:./patches/js-yaml" } } diff --git a/patches/js-yaml/index.cjs b/patches/js-yaml/index.cjs new file mode 100644 index 0000000..63fb6e0 --- /dev/null +++ b/patches/js-yaml/index.cjs @@ -0,0 +1,17 @@ +// Copyright (c) Microsoft Corporation. All rights reserved. +// Licensed under the MIT License. See LICENSE in the project root for license information. + +// Compatibility shim for js-yaml v3 API consumers (e.g. @azure/openapi-markdown, front-matter). +// These packages depend on `js-yaml ^3.x` and use the v3-only `safeLoad`/`safeDump` API names, +// which were removed in js-yaml v4. This shim delegates to js-yaml@4.2.0 (which fixes +// CVE-2026-53550 / GHSA-h67p-54hq-rp68) and re-adds the deprecated aliases so existing +// callers continue to work without modification. +'use strict' +const yaml = require('js-yaml-v4') + +module.exports = Object.assign({}, yaml, { + // v3 backward-compat aliases (safeLoad == load, safeDump == dump, etc. in v3) + safeLoad: yaml.load, + safeLoadAll: yaml.loadAll, + safeDump: yaml.dump, +}) diff --git a/patches/js-yaml/package.json b/patches/js-yaml/package.json new file mode 100644 index 0000000..b6c71a9 --- /dev/null +++ b/patches/js-yaml/package.json @@ -0,0 +1,13 @@ +{ + "name": "js-yaml", + "version": "4.2.0", + "description": "Compatibility shim: wraps js-yaml@4.2.0 with v3 API aliases (safeLoad/safeDump) to fix CVE-2026-53550 / GHSA-h67p-54hq-rp68 in transitive dependencies that require js-yaml@3.x", + "main": "./index.cjs", + "exports": { + ".": "./index.cjs" + }, + "license": "MIT", + "dependencies": { + "js-yaml-v4": "npm:js-yaml@4.2.0" + } +}