Skip to content

📦 Bump js-yaml from 4.1.1 to 4.3.0 in /.ado/scripts#340

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/dot-ado/scripts/js-yaml-4.3.0
Open

📦 Bump js-yaml from 4.1.1 to 4.3.0 in /.ado/scripts#340
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/dot-ado/scripts/js-yaml-4.3.0

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 28, 2026

Copy link
Copy Markdown

Bumps js-yaml from 4.1.1 to 4.3.0.

Changelog

Sourced from js-yaml's changelog.

4.3.0 - 2026-06-27

Added

  • [backport] Added maxTotalMergeKeys (10000) loader option to limit the total number of keys processed by YAML merge (<<) across one load() / loadAll() call.

Fixed

  • Restore umd builds back to es5.

Removed

  • [backport] maxMergeSeqLength replaced with maxTotalMergeKeys for limiting YAML merge processing.

[4.2.0] - 2026-06-01

Added

  • Added docs/safety.md with notes about processing untrusted YAML.
  • Added maxDepth (100) loader option. Not a problem, but gives a better exception instead of RangeError on stack overflow.
  • Added maxMergeSeqLength (20) loader option. Not a problem after merge fix, but an additional restriction for safety.
  • Added sourcemaps to dist/ builds.

Changed

  • Stop resolving numbers with underscores as numeric scalars, #627.
  • Switched dev toolchains to Vite / neostandard.
  • Updated demo.
  • Reorganized tests.
  • dist/ files are no longer kept in the repository.

Fixed

  • Fix parsing of properties on the first implicit block mapping key, #62.
  • Fix trailing whitespace handling when folding flow scalar lines, #307.
  • Reject top-level block scalars without content indentation, #280.
  • Ensure numbers survive round-trip, #737.
  • Fix test coverage for issue #221.
  • Fix flow scalar trailing whitespace folding, #307.
  • Fix digits in YAML named tag handles.

Security

  • Fix potential DoS via quadratic complexity in merge - deduplicate repeated elements (makes sense for malformed files > 10K).

[3.14.2] - 2025-11-15

Security

  • Backported v4.1.1 fix to v3
Commits
  • 33d05b5 4.3.0 released
  • 663bfab Drop demo publish, to not override new v5 one.
  • 1cb8c7b Add v4-legacy tag for publish
  • 02f27af Restore umd builds back to es5
  • 8be84ed Fix es5 compatibility
  • 59423c6 Replace maxMergeSeqLength option with maxTotalMergeKeys (more robust). Ba...
  • 6842ef6 doc polish
  • 590dbab 4.2.0 released
  • f944dc5 Add package.json funding field
  • f692719 Changelog update
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.
###### Microsoft Reviewers: [Open in CodeFlow](https://microsoft.github.io/open-pr/?codeflow=https://github.com//pull/340)
Bumps [js-yaml](https://github.com/nodeca/js-yaml) from 4.1.1 to 4.3.0.
- [Changelog](https://github.com/nodeca/js-yaml/blob/4.3.0/CHANGELOG.md)
- [Commits](nodeca/js-yaml@4.1.1...4.3.0)

---
updated-dependencies:
- dependency-name: js-yaml
  dependency-version: 4.3.0
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added the dependencies Pull requests that update a dependency file label Jun 28, 2026
@dependabot dependabot Bot requested a review from a team as a code owner June 28, 2026 18:21
@dependabot dependabot Bot added the dependencies Pull requests that update a dependency file label Jun 28, 2026
@github-actions

Copy link
Copy Markdown

Benchmark Results

Total benchmarks: 204

Inputs: baseline/baseline.json, bench_result.json

v8 (6176ms, 6195ms) +0.3%
v8 hermes (CI) hermes (CI)
v8-crypto 622.6ms 604.6ms
v8-deltablue 739.4ms 733.4ms
v8-raytrace 127.8ms 123.2ms
v8-regexp 593ms 649ms
v8-richards 937ms 860.8ms
v8-splay 225.2ms 234ms
v8-crypto (static) 452ms 440.8ms
v8-deltablue (static) 661.6ms 651.4ms
v8-raytrace (static) 91.8ms 95.2ms
v8-regexp (static) 749.2ms 804.8ms
v8-richards (static) 781.4ms 784.6ms
v8-splay (static) 195ms 213.6ms
test-suites (317886ms, 310115ms) -2.4%
test-suites hermes (CI) hermes (CI)
box2d 2949.8ms 2600.6ms
earley-boyer 2564.8ms 2432.2ms
navier-stokes 5743.8ms 4395.2ms
pdfjs 1038.2ms 952.6ms
gbemu 2296ms 2208ms
code-load 4472.8ms 4676.2ms
typescript 3381.8ms 3303ms
simpleSum 8855.4ms 5690ms
propAccess 2691.2ms 2216.6ms
allocObj 252ms 197.2ms
allocObjLit 6371.8ms 6201ms
allocNewObj 20053ms 19766ms
allocArray 249ms 199ms
allocNewArray 34956.8ms 34548.2ms
arrayRead 115.6ms 95.6ms
arrayReadByIndex 550ms 607ms
largeArrayRead 827.2ms 589ms
arrayWrite 261.8ms 252.2ms
largeArrayWrite 2218ms 2066ms
interp-dispatch 2880ms 1967.8ms
wb-perf 8327ms 9958.6ms
arrayReverse 40.6ms 36.6ms
arrayMap 1472.6ms 1484.2ms
arrayIndexOf 143.2ms 135ms
arrayLastIndexOf 148.6ms 145.6ms
arrayEvery 2308.8ms 2230.8ms
arraySome 2174.4ms 2230.6ms
arrayFill 2401.2ms 2414.6ms
arrayFilter 1866.4ms 1913.4ms
arrayFind 3207ms 3325.2ms
arrayFindIndex 3322ms 3320.2ms
arrayPop 1031.4ms 1010.4ms
arrayReduce 1994.2ms 2064.6ms
arrayReduceRight 2075.8ms 2060.6ms
arrayShift 2065.8ms 2033.2ms
arrayUnshift 2109.4ms 2085.4ms
arrayIncludes 1216.6ms 1162.8ms
arrayFrom 1102.8ms 1141.4ms
arrayCopyWithin 1487ms 1493ms
stringFromCharCode 92.6ms 89.6ms
arraySlice 786.2ms 788.2ms
arraySplice 26.8ms 26.8ms
arrayOf 1048.8ms 1050ms
stringCharAt 1346.6ms 1284ms
stringMatch 3192.4ms 2852.8ms
stringSearch 3508.2ms 2843.6ms
stringStartsWith 701ms 598.8ms
stringEndsWith 650.4ms 537.4ms
stringIncludes 1520.6ms 1697.6ms
stringIndexOf 1555.6ms 1950ms
stringLastIndexOf 1821.4ms 1934.4ms
stringSplit 822ms 804ms
stringSlice 490ms 484ms
stringPadStart 2910.8ms 2914.6ms
stringPadEnd 2910ms 2913.2ms
regExpMatch 1506.2ms 1546.2ms
regExpSearch 1227ms 1248ms
regExpToString 1204ms 1068.4ms
stringReplace 1394.8ms 1545.2ms
regExpReplace 3309.2ms 884ms
regExpFlags 956.8ms 935ms
regExpSplit 1307.8ms 1259.4ms
numberArrayReadWrite 2477.8ms 2437.2ms
protoCache 3594.6ms 2340ms
box2d (static) 1792.6ms 1825.4ms
earley-boyer (static) 1875.6ms 1934.6ms
navier-stokes (static) 3410.2ms 3442.6ms
pdfjs (static) 812.8ms 818.4ms
gbemu (static) 1797ms 1749.6ms
code-load (static) 4199.2ms 4365.6ms
typescript (static) 2685.6ms 2785.8ms
simpleSum (static) 936.2ms 938.6ms
propAccess (static) 2298ms 2306.8ms
allocObj (static) 0.2ms 0ms
allocObjLit (static) 4154.4ms 4199ms
allocNewObj (static) 15749.2ms 15947ms
allocArray (static) 0.6ms 0.8ms
allocNewArray (static) 28494.2ms 29526.6ms
arrayRead (static) 74.2ms 71ms
arrayReadByIndex (static) 453.2ms 448.8ms
largeArrayRead (static) 552.2ms 553ms
arrayWrite (static) 178.4ms 177ms
largeArrayWrite (static) 1568.6ms 1621.6ms
interp-dispatch (static) 1918.8ms 1914ms
wb-perf (static) 8991.2ms 9000.8ms
arrayReverse (static) 37ms 36.6ms
arrayMap (static) 1064.8ms 986.8ms
arrayIndexOf (static) 128.2ms 128.8ms
arrayLastIndexOf (static) 138.8ms 139.2ms
arrayEvery (static) 1397.6ms 1413.2ms
arraySome (static) 1406.6ms 1406.4ms
arrayFill (static) 1969.2ms 2003ms
arrayFilter (static) 1061ms 1058.8ms
arrayFind (static) 2242.2ms 2256ms
arrayFindIndex (static) 2235.8ms 2244.6ms
arrayPop (static) 878ms 890.2ms
arrayReduce (static) 1311.8ms 1307ms
arrayReduceRight (static) 1322.6ms 1323.8ms
arrayShift (static) 1512ms 1509.4ms
arrayUnshift (static) 1568.2ms 1582.2ms
arrayIncludes (static) 963.4ms 936.4ms
arrayFrom (static) 1030.6ms 1013.8ms
arrayCopyWithin (static) 1109.6ms 1123ms
stringFromCharCode (static) 77ms 76ms
arraySlice (static) 571.6ms 578.4ms
arraySplice (static) 26ms 27.2ms
arrayOf (static) 868.8ms 866.2ms
stringCharAt (static) 1100.6ms 1090ms
stringMatch (static) 2227.6ms 2295.2ms
stringSearch (static) 2219.2ms 2289.8ms
stringStartsWith (static) 494.2ms 494.8ms
stringEndsWith (static) 457.8ms 452.8ms
stringIncludes (static) 1437.4ms 1932.6ms
stringIndexOf (static) 1440.8ms 1926.8ms
stringLastIndexOf (static) 1956.6ms 1914.8ms
stringSplit (static) 651.2ms 720.2ms
stringSlice (static) 445.6ms 432.6ms
stringPadStart (static) 2294.4ms 2419.6ms
stringPadEnd (static) 2499.2ms 2417.4ms
regExpMatch (static) 1483.2ms 1591.2ms
regExpSearch (static) 1296.2ms 1236.8ms
regExpToString (static) 1326.6ms 1051.6ms
stringReplace (static) 1455.6ms 1543.8ms
regExpReplace (static) 851.8ms 854.6ms
regExpFlags (static) 870.6ms 828.2ms
regExpSplit (static) 1200ms 1129.8ms
numberArrayReadWrite (static) 2132.8ms 2097.4ms
protoCache (static) 3595.8ms 3618.6ms
micros (60876ms, 61487ms) +1.0%
micros hermes (CI) hermes (CI)
getNodeById.js 5273ms 4710ms
setInsert.js 2864.8ms 3154.4ms
stringify-number.js 1823.4ms 1812.4ms
typed-array-sort.js 22381ms 22711.6ms
getNodeById.js (static) 3941ms 3955.2ms
setInsert.js (static) 2517.6ms 2837.2ms
stringify-number.js (static) 1663.6ms 1536.6ms
typed-array-sort.js (static) 20411.4ms 20770ms
jit-benches (8563ms, 6374ms) -25.6%
jit-benches hermes (CI) hermes (CI)
idisp.js 2810.2ms 2011.8ms
idispn.js 3395.8ms 2066.8ms
idisp.js (static) 1906ms 1908.2ms
idispn.js (static) 450.8ms 387.2ms
many-subclasses (73437ms, 76791ms) +4.6%
many-subclasses hermes (CI) hermes (CI)
many.js 19104.8ms 18609.8ms
many-sh-1.js 7322.8ms 8101.6ms
many-sh-2.js 7329ms 8091ms
many-sh-3.js 7083.6ms 7980.2ms
many-sh-4.js 7235ms 8617.8ms
many.js (static) 15996ms 15929.8ms
many-sh-1.js (static) 2285.2ms 2264.6ms
many-sh-2.js (static) 2387ms 2501.2ms
many-sh-3.js (static) 2347.2ms 2347.4ms
many-sh-4.js (static) 2346ms 2347.4ms
map-objects (3627ms, 3629ms) +0.0%
map-objects hermes (CI) hermes (CI)
map-objects-untyped.js 1023.6ms 1009.2ms
map-objects-typed.js 957.6ms 951ms
map-objects-untyped.js (static) 917.2ms 927.2ms
map-objects-typed.js (static) 728.8ms 741.4ms
map-strings (4335ms, 4314ms) -0.5%
map-strings hermes (CI) hermes (CI)
map-strings-untyped.js 1196.8ms 1176.2ms
map-strings-typed.js 1139.2ms 1097.6ms
map-strings-untyped.js (static) 1092.2ms 1117.8ms
map-strings-typed.js (static) 906.8ms 922.4ms
nbody (3448ms, 2859ms) -17.1%
nbody hermes (CI) hermes (CI)
original/nbody.js 839.6ms 639.8ms
fully-typed/nbody.js 710ms 536.8ms
fully-typed/nbody.ts 865.2ms 638.6ms
original/nbody.js (static) 449.2ms 452.8ms
fully-typed/nbody.js (static) 135ms 132.8ms
fully-typed/nbody.ts (static) 449.2ms 457.8ms
string-switch (6503ms, 6022ms) -7.4%
string-switch (string-switch/plain) hermes (CI) hermes (CI)
bench.js 1316ms 1294.6ms
bench.js (static) 5187ms 4727.2ms
raytracer (5608ms, 5479ms) -2.3%
raytracer (raytracer/original) hermes (CI) hermes (CI)
bench-raytracer.js 1550.4ms 1466.6ms
raytracer.ts 1667.6ms 1551ms
bench-raytracer.js (static) 1198.4ms 1219.2ms
raytracer.ts (static) 1191.8ms 1241.8ms
MiniReact (30332ms, 29402ms) -3.1%
MiniReact hermes (CI) hermes (CI)
no-objects/out/simple-stripped.js 2239.2ms 2153.2ms
no-objects/out/simple-lowered.js 2270.8ms 2209.4ms
no-objects/out/music-stripped.js 42.6ms 44ms
no-objects/out/music-lowered.js 47.2ms 50ms
no-deps/stripped/MiniReact.js 5004ms 4630.2ms
no-deps/MiniReact.js 5256.2ms 4577.4ms
no-objects/out/simple.js 2260.4ms 2196.6ms
no-objects/out/music.js 45.6ms 47.2ms
no-objects/out/simple-stripped.js (static) 1725.2ms 1772.2ms
no-objects/out/simple-lowered.js (static) 1725.4ms 1773.4ms
no-objects/out/music-stripped.js (static) 18.8ms 20.6ms
no-objects/out/music-lowered.js (static) 19.4ms 20.4ms
no-deps/stripped/MiniReact.js (static) 4024.8ms 4109ms
no-deps/MiniReact.js (static) 3938.2ms 4042.6ms
no-objects/out/simple.js (static) 1695.2ms 1735.4ms
no-objects/out/music.js (static) 19ms 20.8ms
widgets (12934ms, 12605ms) -2.5%
widgets hermes (CI) hermes (CI)
simple-classes/widgets.js 1758.2ms 1620.8ms
original/es5/widgets.js 2798.8ms 2723ms
single-file/es5/widgets.js 2775.2ms 2713.6ms
simple-classes/widgets.js (static) 1012ms 1008.6ms
original/es5/widgets.js (static) 2283.2ms 2267.6ms
single-file/es5/widgets.js (static) 2306.2ms 2271.8ms
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file

0 participants