Summary
The npm overrides entry for js-yaml is pinned to 4.1.1, which is affected by GHSA-h4hr-7fg3-h35w (Quadratic-complexity DoS via merge-key repeated aliases). The patched version is 4.2.0.
Proposed Changes
- Bump overrides["js-yaml"] from 4.1.1 to 4.2.0 in package.json
- Update package-lock.json accordingly
Validation
- node_modules/js-yaml resolves to 4.2.0 after install
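Checking only the top-level node_modules/js-yaml can miss nested copies that a dependency pins separately, so the validation step is worth extending to every entry in the regenerated lockfile. The script below is an added example, not part of this PR or the project; it assumes a lockfileVersion 2 or 3 package-lock.json (top-level "packages" map) and uses a constructed sample lockfile in place of reading the real file.

```javascript
// Added example (not from the PR): confirm that an npm override reached every
// copy of a package recorded in package-lock.json, not just the root one.
// Assumes a lockfileVersion 2/3 lockfile with a top-level "packages" map.

// Parse "MAJOR.MINOR.PATCH" into numbers; any pre-release suffix is ignored.
function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Comparator: negative if a < b, zero if equal, positive if a > b.
function compareSemver(a, b) {
  const pa = parseSemver(a);
  const pb = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] - pb[i];
  }
  return 0;
}

// Return every lockfile entry whose path is exactly ".../node_modules/<name>"
// (root or nested) and whose version is missing or below minVersion.
function findUnpatched(lock, name, minVersion) {
  const packages = lock.packages || {};
  const unpatched = [];
  for (const [path, entry] of Object.entries(packages)) {
    if (!path.endsWith(`node_modules/${name}`)) continue;
    if (!entry.version || compareSemver(entry.version, minVersion) < 0) {
      unpatched.push({ path, version: entry.version });
    }
  }
  return unpatched;
}

// Constructed sample lockfile (not a real one): the root copy is patched, but a
// nested copy under a hypothetical "some-linter" package is still on 4.1.1,
// which is what an override that was not regenerated into the lockfile looks like.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    'node_modules/js-yaml': { version: '4.2.0' },
    'node_modules/some-linter/node_modules/js-yaml': { version: '4.1.1' },
    'node_modules/js-yaml-loader': { version: '1.0.0' }, // different package, ignored
  },
};

const unpatched = findUnpatched(SAMPLE_LOCK, 'js-yaml', '4.2.0');
console.log(unpatched.length ? unpatched : 'all js-yaml copies are >= 4.2.0');
```

To run it against the real lockfile, pass `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` to findUnpatched instead of SAMPLE_LOCK.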