Hi maintainers 👋
Summary
A recently-flagged security advisory affects the js-yaml dependency used transitively within several @changesets/* packages. All js-yaml versions below 4.1.0 are affected:
Prototype pollution in merge
The dependency chain (via @changesets/cli@2.29.7) looks like this:
@changesets/cli@2.29.7
|-- @changesets/read@0.6.5
|   |-- @changesets/parse@0.4.1
|       |-- js-yaml@3.14.1
|-- @manypkg/get-packages@1.1.3
    |-- read-yaml-file@1.1.0
        |-- js-yaml@3.14.1 (deduped)
Attempted Mitigation
I've attempted to override js-yaml in our project to the patched version (4.1.1):
…but this results in runtime failures when executing changeset version:
Error Output
npx changeset version
🦋 error Error: could not parse changeset - invalid frontmatter: ---
🦋 error at Object.parseChangesetFile [as default] (.../node_modules/@changesets/parse/dist/changesets-parse.cjs.js:35:11)
🦋 error at .../node_modules/@changesets/read/dist/changesets-read.cjs.js:148:71
🦋 error at async Promise.all (index 0)
🦋 error at async Object.getChangesets [as default] (.../node_modules/@changesets/read/dist/changesets-read.cjs.js:152:48)
🦋 error at async version (.../node_modules/@changesets/cli/dist/changesets-cli.cjs.js:1155:34)
🦋 error at async run (.../node_modules/@changesets/cli/dist/changesets-cli.cjs.js:1339:11)
It appears that @changesets/parse depends on YAML parsing behaviour that changed in js-yaml@4.x, making the override incompatible.
Environment
- @changesets/cli: 2.29.7
- Node.js: 22.19.0
Request
Would it be possible to update the relevant @changesets/* packages to use js-yaml@^4.1.1, or otherwise confirm whether upgrading is feasible?
Given this is a security advisory (prototype pollution in merge), having a path to a secure version would be very helpful for downstream consumers.
Thanks for maintaining this project 😄