Description
@nx/js pulls in yaml@1.10.2 as a transitive dependency through the chain:
@nx/js → babel-plugin-macros@3.1.0 → cosmiconfig@7.1.0 → yaml@1.10.2
yaml@1.10.2 has a known vulnerability (see GHSA-48c2-rrv3-qjmp — stack overflow via deeply nested YAML collections). The fix is available in yaml@1.10.3.
Steps to Reproduce
- Create a project using @nx/js@22.6.1
- Run npm audit
- Observe yaml@1.10.2 flagged as vulnerable via the babel-plugin-macros → cosmiconfig chain
Expected Behavior
@nx/js should depend on (or pin) versions of transitive dependencies that do not have known vulnerabilities. Updating cosmiconfig or adding an override for yaml >=1.10.3 in @nx/js would resolve this.
Current Workaround
Consumers can override the resolution in their own package-lock.json to force yaml@1.10.3.
Environment
- Nx version: 22.6.1
- Node version: v22
- Package manager: npm