diff --git a/apps/api-documenter/package.json b/apps/api-documenter/package.json
index c2ae7d155ab..ee40a6e291f 100644
--- a/apps/api-documenter/package.json
+++ b/apps/api-documenter/package.json
@@ -49,7 +49,7 @@
 "@rushstack/node-core-library": "workspace:*",
 "@rushstack/terminal": "workspace:*",
 "@rushstack/ts-command-line": "workspace:*",
- "js-yaml": "~4.1.0",
+ "js-yaml": "~4.2.0",
 "resolve": "~1.22.1"
 },
 "devDependencies": {
diff --git a/apps/lockfile-explorer/package.json b/apps/lockfile-explorer/package.json
index 711f225fbb6..a55ec96cdbc 100644
--- a/apps/lockfile-explorer/package.json
+++ b/apps/lockfile-explorer/package.json
@@ -68,7 +68,7 @@
 "@rushstack/ts-command-line": "workspace:*",
 "cors": "~2.8.5",
 "express": "4.21.1",
- "js-yaml": "~4.1.0",
+ "js-yaml": "~4.2.0",
 "semver": "~7.7.4"
 },
 "exports": {
diff --git a/common/changes/@microsoft/rush/update-js-yaml-security_2026-06-24-18-22.json b/common/changes/@microsoft/rush/update-js-yaml-security_2026-06-24-18-22.json
new file mode 100644
index 00000000000..d8b7421fa51
--- /dev/null
+++ b/common/changes/@microsoft/rush/update-js-yaml-security_2026-06-24-18-22.json
@@ -0,0 +1,11 @@
+{
+ "changes": [
+ {
+ "comment": "Update js-yaml dependency to ~4.2.0 to address security advisory GHSA-h67p-54hq-rp68 (poor performance characteristics with certain input)",
+ "type": "none",
+ "packageName": "@microsoft/rush"
+ }
+ ],
+ "packageName": "@microsoft/rush",
+ "email": "copilot@microsoft.com"
+}
diff --git a/common/config/subspaces/build-tests-subspace/pnpm-lock.yaml b/common/config/subspaces/build-tests-subspace/pnpm-lock.yaml
index 5da00173aac..9952a7e3f70 100644
--- a/common/config/subspaces/build-tests-subspace/pnpm-lock.yaml
+++ b/common/config/subspaces/build-tests-subspace/pnpm-lock.yaml
@@ -911,7 +911,7 @@ packages: '@rushstack/heft-api-extractor-plugin@file:../../../heft-plugins/heft-api-extractor-plugin': resolution: {directory: ../../../heft-plugins/heft-api-extractor-plugin, type: directory} peerDependencies: - '@rushstack/heft': 1.2.18 + '@rushstack/heft': 1.2.19 '@rushstack/heft-config-file@file:../../../libraries/heft-config-file': resolution: {directory: ../../../libraries/heft-config-file, type: directory} @@ -920,7 +920,7 @@ packages: '@rushstack/heft-jest-plugin@file:../../../heft-plugins/heft-jest-plugin': resolution: {directory: ../../../heft-plugins/heft-jest-plugin, type: directory} peerDependencies: - '@rushstack/heft': ^1.2.18 + '@rushstack/heft': ^1.2.19 '@types/jest': ^30.0.0 jest-environment-jsdom: ^30.3.0 jest-environment-node: ^30.3.0 @@ -935,17 +935,17 @@ packages: '@rushstack/heft-lint-plugin@file:../../../heft-plugins/heft-lint-plugin': resolution: {directory: ../../../heft-plugins/heft-lint-plugin, type: directory} peerDependencies: - '@rushstack/heft': 1.2.18 + '@rushstack/heft': 1.2.19 '@rushstack/heft-node-rig@file:../../../rigs/heft-node-rig': resolution: {directory: ../../../rigs/heft-node-rig, type: directory} peerDependencies: - '@rushstack/heft': ^1.2.18 + '@rushstack/heft': ^1.2.19 '@rushstack/heft-typescript-plugin@file:../../../heft-plugins/heft-typescript-plugin': resolution: {directory: ../../../heft-plugins/heft-typescript-plugin, type: directory} peerDependencies: - '@rushstack/heft': 1.2.18 + '@rushstack/heft': 1.2.19 '@rushstack/heft@file:../../../apps/heft': resolution: {directory: ../../../apps/heft, type: directory} 
@@ -2593,6 +2593,10 @@ packages: resolution: {integrity: sha512-qQKT4zQxXl8lLwBtHMWwaTcGfFOZviOJet3Oy/xmGk2gZH677CJM9EvtfdSkgWcATZhj/55JZ0rmy3myCT5lsA==} hasBin: true + js-yaml@4.2.0: + resolution: {integrity: sha512-ePWsvanv0DWuDRsW8dnt+R4jQ31SCRCQ7hhNcPXZPsoBZiemuZNYGf7adZdqX2D86j6rvKp3RpCxVTSb8WQlOw==} + hasBin: true + jsdoc-type-pratt-parser@4.1.0: resolution: {integrity: sha512-Hicd6JK5Njt2QB6XYFS7ok9e37O8AYk3jTcppG4YVQnYjOemymvTcmc7OWsmq/Qqj5TdRFO5/x/tIPmBeRtGHg==} engines: {node: '>=12.0.0'} @@ -4329,7 +4333,7 @@ snapshots: git-repo-info: 2.1.1 https-proxy-agent: 5.0.1 ignore: 5.1.9 - js-yaml: 4.1.1 + js-yaml: 4.2.0 npm-package-arg: 6.1.1 object-hash: 3.0.0 pnpm-sync-lib: 0.3.3 @@ -7080,6 +7084,10 @@ snapshots: dependencies: argparse: 2.0.1 + js-yaml@4.2.0: + dependencies: + argparse: 2.0.1 + jsdoc-type-pratt-parser@4.1.0: {} jsep@1.4.0: {} @@ -7605,7 +7613,7 @@ snapshots: read-yaml-file@2.1.0: dependencies: - js-yaml: 4.1.1 + js-yaml: 4.2.0 strip-bom: 4.0.0 readable-stream@2.3.8: @@ -8318,7 +8326,7 @@ snapshots: write-yaml-file@4.2.0: dependencies: - js-yaml: 4.1.1 + js-yaml: 4.2.0 write-file-atomic: 3.0.3 xml@1.0.1: {} diff --git a/common/config/subspaces/build-tests-subspace/repo-state.json b/common/config/subspaces/build-tests-subspace/repo-state.json index 93ccb468b44..223d1640010 100644 --- a/common/config/subspaces/build-tests-subspace/repo-state.json +++ b/common/config/subspaces/build-tests-subspace/repo-state.json @@ -1,6 +1,6 @@ // DO NOT MODIFY THIS FILE MANUALLY BUT DO COMMIT IT. It is generated and used by Rush. { - "pnpmShrinkwrapHash": "68f19a15bc2ad51338ac42af387887d9e67a2e54", + "pnpmShrinkwrapHash": "11f7d19cb240fcab860492fd9f076698c8e58cf7", "preferredVersionsHash": "550b4cee0bef4e97db6c6aad726df5149d20e7d9", - "packageJsonInjectedDependenciesHash": "53d4f8e2a003af60173d4a21283b23fc14eac530" + "packageJsonInjectedDependenciesHash": "0b6a3303d9383c239c25ae457d2beaddbf8e51c4" } 
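Review bot: js-yaml 4.1.1 is still locked in build-tests-subspace after this change: the `packages:` hunk at -2593 and the `snapshots:` hunk at -7080 add `js-yaml@4.2.0` beside the existing entry (the context `integrity: sha512-qQKT4…` is the same tarball the default-subspace lockfile removes as `js-yaml@4.1.1`) instead of replacing it. pnpm normally drops lock entries nothing resolves to, so some dependent outside the visible hunks presumably still resolves to 4.1.1, which would leave the input-dependent slowdown named in GHSA-h67p-54hq-rp68 reachable in that subspace. Find the holdout (for example with `rush-pnpm why js-yaml` against that subspace) and update it, or force the resolution with an override in the subspace's pnpm configuration such as `"js-yaml@^4.0.0": "~4.2.0"` (constructed example; confirm the affected range from the advisory). Then regenerate the lockfile and check that no `js-yaml@4.1.1` entry remains under `packages:` or `snapshots:`.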
diff --git a/common/config/subspaces/default/pnpm-lock.yaml b/common/config/subspaces/default/pnpm-lock.yaml index c7f7ad87712..cfe20eb76cf 100644 --- a/common/config/subspaces/default/pnpm-lock.yaml +++ b/common/config/subspaces/default/pnpm-lock.yaml @@ -38,8 +38,8 @@ importers: specifier: workspace:* version: link:../../libraries/ts-command-line js-yaml: - specifier: ~4.1.0 - version: 4.1.1 + specifier: ~4.2.0 + version: 4.2.0 resolve: specifier: ~1.22.1 version: 1.22.11 @@ -222,8 +222,8 @@ importers: specifier: 4.21.1 version: 4.21.1 js-yaml: - specifier: ~4.1.0 - version: 4.1.1 + specifier: ~4.2.0 + version: 4.2.0 semver: specifier: ~7.7.4 version: 7.7.4 @@ -4113,8 +4113,8 @@ importers: specifier: ~5.1.6 version: 5.1.9 js-yaml: - specifier: ~4.1.0 - version: 4.1.1 + specifier: ~4.2.0 + version: 4.2.0 npm-package-arg: specifier: ~6.1.0 version: 6.1.1 @@ -4508,8 +4508,8 @@ importers: specifier: workspace:* version: link:../../libraries/node-core-library js-yaml: - specifier: ~4.1.0 - version: 4.1.1 + specifier: ~4.2.0 + version: 4.2.0 devDependencies: '@rushstack/heft': specifier: workspace:* @@ -14906,8 +14906,8 @@ packages: resolution: {integrity: sha512-PMSmkqxr106Xa156c2M265Z+FTrPl+oxd/rgOQy2tijQeK5TxQ43psO1ZCwhVOSdnn+RzkzlRz/eY4BgJBYVpg==} hasBin: true - js-yaml@4.1.1: - resolution: {integrity: sha512-qQKT4zQxXl8lLwBtHMWwaTcGfFOZviOJet3Oy/xmGk2gZH677CJM9EvtfdSkgWcATZhj/55JZ0rmy3myCT5lsA==} + js-yaml@4.2.0: + resolution: {integrity: sha512-ePWsvanv0DWuDRsW8dnt+R4jQ31SCRCQ7hhNcPXZPsoBZiemuZNYGf7adZdqX2D86j6rvKp3RpCxVTSb8WQlOw==} hasBin: true jscodeshift@0.13.1: @@ -19077,7 +19077,7 @@ snapshots: dependencies: '@jsdevtools/ono': 7.1.3 '@types/json-schema': 7.0.15 - js-yaml: 4.1.1 + js-yaml: 4.2.0 '@asamuzakjp/css-color@3.2.0': dependencies: @@ -21279,7 +21279,7 @@ snapshots: globals: 13.24.0 ignore: 5.3.2 import-fresh: 3.3.1 - js-yaml: 4.1.1 + js-yaml: 4.2.0 minimatch: 3.1.5 strip-json-comments: 3.1.1 transitivePeerDependencies: 
@@ -21293,7 +21293,7 @@ snapshots: globals: 13.24.0 ignore: 5.3.2 import-fresh: 3.3.1 - js-yaml: 4.1.1 + js-yaml: 4.2.0 minimatch: 3.1.5 strip-json-comments: 3.1.1 transitivePeerDependencies: @@ -21307,7 +21307,7 @@ snapshots: globals: 14.0.0 ignore: 5.3.2 import-fresh: 3.3.1 - js-yaml: 4.1.1 + js-yaml: 4.2.0 minimatch: 3.1.5 strip-json-comments: 3.1.1 transitivePeerDependencies: @@ -24936,7 +24936,7 @@ snapshots: express: 4.21.1 fs-extra: 9.1.0 immer: 9.0.21 - js-yaml: 4.1.1 + js-yaml: 4.2.0 kysely: 0.21.6 kysely-codegen: 0.6.2(kysely@0.21.6) kysely-data-api: 0.1.4(aws-sdk@2.1693.0)(kysely@0.21.6) @@ -30776,7 +30776,7 @@ snapshots: imurmurhash: 0.1.4 is-glob: 4.0.3 js-sdsl: 4.4.2 - js-yaml: 4.1.1 + js-yaml: 4.2.0 json-stable-stringify-without-jsonify: 1.0.1 levn: 0.4.1 lodash.merge: 4.6.2 @@ -30821,7 +30821,7 @@ snapshots: imurmurhash: 0.1.4 is-glob: 4.0.3 is-path-inside: 3.0.3 - js-yaml: 4.1.1 + js-yaml: 4.2.0 json-stable-stringify-without-jsonify: 1.0.1 levn: 0.4.1 lodash.merge: 4.6.2 @@ -30859,7 +30859,7 @@ snapshots: import-fresh: 3.3.1 imurmurhash: 0.1.4 is-glob: 4.0.3 - js-yaml: 4.1.1 + js-yaml: 4.2.0 json-stable-stringify-without-jsonify: 1.0.1 levn: 0.4.1 lodash.merge: 4.6.2 @@ -33487,7 +33487,7 @@ snapshots: argparse: 1.0.10 esprima: 4.0.1 - js-yaml@4.1.1: + js-yaml@4.2.0: dependencies: argparse: 2.0.1 @@ -33588,7 +33588,7 @@ snapshots: '@types/json-schema': 7.0.15 '@types/lodash': 4.17.23 is-glob: 4.0.3 - js-yaml: 4.1.1 + js-yaml: 4.2.0 lodash: 4.18.1 minimist: 1.2.8 prettier: 3.8.1 @@ -34233,7 +34233,7 @@ snapshots: find-up: 5.0.0 glob: 8.1.0 he: 1.2.0 - js-yaml: 4.1.1 + js-yaml: 4.2.0 log-symbols: 4.1.0 minimatch: 5.1.9 ms: 2.1.3 @@ -35698,7 +35698,7 @@ snapshots: read-yaml-file@2.1.0: dependencies: - js-yaml: 4.1.1 + js-yaml: 4.2.0 strip-bom: 4.0.0 read@1.0.7: @@ -38288,7 +38288,7 @@ snapshots: write-yaml-file@4.2.0: dependencies: - js-yaml: 4.1.1 + js-yaml: 4.2.0 write-file-atomic: 3.0.3 write@1.0.3: 
diff --git a/common/config/subspaces/default/repo-state.json b/common/config/subspaces/default/repo-state.json
index 4479a8d416e..d249037a300 100644
--- a/common/config/subspaces/default/repo-state.json
+++ b/common/config/subspaces/default/repo-state.json
@@ -1,5 +1,5 @@ // DO NOT MODIFY THIS FILE MANUALLY BUT DO COMMIT IT. It is generated and used by Rush. { - "pnpmShrinkwrapHash": "265008d6cb4e700aad22dea81810ed1f363cbf31", + "pnpmShrinkwrapHash": "fcf566944b7e4dceb172fd33074f21920a90a732", "preferredVersionsHash": "029c99bd6e65c5e1f25e2848340509811ff9753c" }
diff --git a/libraries/rush-lib/package.json b/libraries/rush-lib/package.json
index a5a9d1dcfda..f99de335469 100644
--- a/libraries/rush-lib/package.json
+++ b/libraries/rush-lib/package.json
@@ -68,7 +68,7 @@
 "@inquirer/input": "~5.0.11",
 "@inquirer/search": "~4.1.7",
 "@inquirer/select": "~5.1.3",
- "js-yaml": "~4.1.0",
+ "js-yaml": "~4.2.0",
 "npm-package-arg": "~6.1.0",
 "object-hash": "3.0.0",
 "pnpm-sync-lib": "0.3.3",
diff --git a/repo-scripts/doc-plugin-rush-stack/package.json b/repo-scripts/doc-plugin-rush-stack/package.json
index f398bfe0ed7..e0eb62877ff 100644
--- a/repo-scripts/doc-plugin-rush-stack/package.json
+++ b/repo-scripts/doc-plugin-rush-stack/package.json
@@ -36,7 +36,7 @@
 "@microsoft/api-extractor-model": "workspace:*",
 "@microsoft/tsdoc": "~0.16.0",
 "@rushstack/node-core-library": "workspace:*",
- "js-yaml": "~4.1.0"
+ "js-yaml": "~4.2.0"
 },
 "devDependencies": {
 "@rushstack/heft": "workspace:*",