Skip to content
Draft
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 4 additions & 0 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
@@ -1,5 +1,9 @@
# Changelog

## 0.11.2

- Fix CVE-2026-53550 / GHSA-h67p-54hq-rp68: replace transitive `js-yaml@3.14.2` instances (from `@azure/openapi-markdown` and `front-matter`) with a compatibility shim backed by the patched `js-yaml@4.2.0`

## 0.11.1

- Bump minimum Node.js version from 20 to 22
Expand Down
77 changes: 13 additions & 64 deletions package-lock.json

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

5 changes: 4 additions & 1 deletion package.json
Original file line number Diff line number Diff line change
Expand Up @@ -52,7 +52,7 @@
"@ts-common/string-map": "^1.1.1",
"commonmark": "0.31.2",
"glob": "^13.0.0",
"js-yaml": "^4.1.0",
"js-yaml": "file:./patches/js-yaml",
"jsonpath-plus": "^10.0.0",
"node-object-hash": "^3.1.1",
"yargs": "^15.4.1"
Expand All @@ -73,5 +73,8 @@
},
"engines": {
"node": ">=22.0.0"
},
"overrides": {
"js-yaml": "file:./patches/js-yaml"
}
}
17 changes: 17 additions & 0 deletions patches/js-yaml/index.cjs
Original file line number Diff line number Diff line change
@@ -0,0 +1,17 @@
// Copyright (c) Microsoft Corporation. All rights reserved.
// Licensed under the MIT License. See LICENSE in the project root for license information.

// Compatibility shim for js-yaml v3 API consumers (e.g. @azure/openapi-markdown, front-matter).
// These packages depend on `js-yaml ^3.x` and use the v3-only `safeLoad`/`safeDump` API names,
// which were removed in js-yaml v4. This shim delegates to js-yaml@4.2.0 (which fixes
// CVE-2026-53550 / GHSA-h67p-54hq-rp68) and re-adds the deprecated aliases so existing
// callers continue to work without modification.
'use strict'
const yaml = require('js-yaml-v4')

module.exports = Object.assign({}, yaml, {
// v3 backward-compat aliases (safeLoad == load, safeDump == dump, etc. in v3)
safeLoad: yaml.load,
safeLoadAll: yaml.loadAll,
safeDump: yaml.dump,
})
13 changes: 13 additions & 0 deletions patches/js-yaml/package.json
Original file line number Diff line number Diff line change
@@ -0,0 +1,13 @@
{
"name": "js-yaml",
"version": "4.2.0",
"description": "Compatibility shim: wraps js-yaml@4.2.0 with v3 API aliases (safeLoad/safeDump) to fix CVE-2026-53550 / GHSA-h67p-54hq-rp68 in transitive dependencies that require js-yaml@3.x",
"main": "./index.cjs",
"exports": {
".": "./index.cjs"
},
"license": "MIT",
"dependencies": {
"js-yaml-v4": "npm:js-yaml@4.2.0"
}
}