
[Snyk] Security upgrade yaml from 2.8.1 to 2.8.3 #8541

Open
rubenfiszel wants to merge 1 commit into main from snyk-fix-f21b5a162d09ae2d08c400fd7b7bcac7

Conversation

@rubenfiszel
Contributor

Snyk has created this PR to fix 1 vulnerability in the npm dependencies of this project.

Snyk changed the following file(s):

  • frontend/package.json

Vulnerabilities that will be fixed with an upgrade:

Issue: Uncontrolled Recursion (medium severity), SNYK-JS-YAML-15765520

Important

  • Check the changes in this PR to ensure they won't cause issues with your project.
  • Max score is 1000. Note that the real score may have changed since the PR was raised.
  • This PR was automatically created by Snyk using the credentials of a real user.

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic


Learn how to fix vulnerabilities with free interactive lessons:

🦉 Learn about vulnerability in an interactive lesson of Snyk Learn.

cloudflare-workers-and-pages bot commented Mar 26, 2026

Deploying windmill with Cloudflare Pages

Latest commit: 576e838
Status: ✅  Deploy successful!
Preview URL: https://9ad31c77.windmill.pages.dev
Branch Preview URL: https://snyk-fix-f21b5a162d09ae2d08c.windmill.pages.dev


claude bot commented Mar 26, 2026

Claude finished @rubenfiszel's task in 23s


  • Review PR changes
  • Check security vulnerability details
  • Provide feedback

Review

LGTM — This is a straightforward Snyk security patch bumping yaml from ^2.8.0 to ^2.8.3 in frontend/package.json to fix SNYK-JS-YAML-15765520 (Uncontrolled Recursion).

Details:

  • The version range change is minimal and stays within the same major version (2.x), so no breaking changes are expected.
  • The ^ semver range means npm/pnpm would already resolve to 2.8.3+ on a fresh install, but pinning the lower bound to ^2.8.3 ensures that lockfile regenerations or CI environments never resolve to a vulnerable 2.8.0–2.8.2.
  • The yaml package is used for YAML parsing in the frontend — the uncontrolled recursion vulnerability could be triggered by deeply nested YAML input, which is relevant since Windmill processes user-provided YAML content.

No issues found. Safe to merge.

Testing

No functional changes — this is a dependency version bump only. To verify: confirm the frontend builds and loads correctly, and that any feature involving YAML parsing (e.g., editing workflow YAML definitions) still works as expected.
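
The review above notes that the PR touches only frontend/package.json and relies on the `^2.8.3` floor to keep lockfile regenerations off 2.8.0 to 2.8.2. A reviewer merging a Snyk PR usually also wants to confirm that the lockfile actually resolves to a fixed version, including nested copies that a transitive dependency may pin. The following is an added example, not code from this PR, from Snyk, or from the Windmill repository: it reads the `packages` map of an npm package-lock.json (lockfileVersion 2 or 3), derives the floor from the declared range, and lists every resolved copy of the package that sits below it. The lockfile object is constructed for the example; the stale 2.8.1 entry in it is illustrative and not a statement about the real repository.

```javascript
// Added example: audit a package-lock.json "packages" map for copies of a
// dependency that resolve below the version floor a fix PR raised in
// package.json. Not code from the PR, Snyk, or Windmill.

// Parse "MAJOR.MINOR.PATCH" (optional leading "v"); prerelease/build tags are ignored.
function parseSemver(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(version);
  if (!m) throw new TypeError(`not a semver version: ${version}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Numeric comparison, so "2.8.10" sorts after "2.8.3" (a string compare would not).
function compareSemver(a, b) {
  const pa = parseSemver(a);
  const pb = parseSemver(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// Lower bound of a caret, tilde, ">=" or exact range such as "^2.8.3".
// Wildcard ranges ("2.x", "*") are deliberately rejected: they have no
// meaningful floor for this check.
function rangeFloor(range) {
  const m = /^[\^~>=]*\s*v?(\d+\.\d+\.\d+)/.exec(range.trim());
  if (!m) throw new TypeError(`unsupported range for floor check: ${range}`);
  return m[1];
}

// Walk every lockfile entry whose install path ends in node_modules/<name>,
// which catches both the hoisted copy and nested copies pinned by other
// packages, and report those below the floor.
function resolvedCopiesBelowFloor(lock, name, floor) {
  const suffix = `node_modules/${name}`;
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path !== suffix && !path.endsWith(`/${suffix}`)) continue;
    if (entry.version && compareSemver(entry.version, floor) < 0) {
      findings.push({ path, version: entry.version });
    }
  }
  return findings;
}

// Constructed sample lockfile: package.json already declares ^2.8.3, but the
// hoisted copy was never regenerated and a tool pins its own fixed copy.
const sampleLock = {
  name: "frontend",
  lockfileVersion: 3,
  packages: {
    "": { dependencies: { yaml: "^2.8.3" } },
    "node_modules/yaml": { version: "2.8.1" },
    "node_modules/some-tool/node_modules/yaml": { version: "2.8.3" },
    "node_modules/yaml-loader": { version: "1.0.0" }, // different package, must be ignored
  },
};

function auditSample() {
  const floor = rangeFloor(sampleLock.packages[""].dependencies.yaml);
  return resolvedCopiesBelowFloor(sampleLock, "yaml", floor);
}

console.log(auditSample()); // one finding: node_modules/yaml at 2.8.1
```

To run this against a real lockfile, replace `sampleLock` with `JSON.parse(fs.readFileSync("frontend/package-lock.json", "utf8"))`; a pnpm lockfile is YAML and has a different layout, so the `packages` walk would need to be adapted for it.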

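
The review above also points out that uncontrolled recursion in a YAML parser is triggered by deeply nested input, and that Windmill parses user-provided YAML. Upgrading the library is the fix; a nesting-depth guard in front of the parser is the defence-in-depth a practitioner adds so that an attacker-controlled document cannot drive any recursive parser arbitrarily deep. The following is an added example and not code from the PR, from the `yaml` package, or from Windmill: it estimates nesting depth from block indentation and from unquoted `[`/`{` flow brackets, and refuses to hand the text to a parser when the estimate exceeds a limit. The depth limit of 64 and the `guardedParse` wrapper are assumptions for the example; the estimate is deliberately conservative (it may over-count, never under-count, block nesting).

```javascript
// Added example: bound YAML nesting depth before a recursive parser sees the
// input. Not code from the PR, the yaml package, or Windmill. The limit is an
// assumed policy value; tune it to the deepest document the application needs.
const DEFAULT_MAX_DEPTH = 64;

// Estimate the maximum nesting depth of a YAML document without parsing it.
// Block nesting is inferred from indentation (YAML indents with spaces only);
// flow nesting from [ and { outside quoted scalars and comments.
function estimateYamlDepth(text) {
  const indentStack = []; // indentation levels of the currently open block nodes
  let flowDepth = 0;      // open [ / { not yet closed
  let maxDepth = 0;

  for (const rawLine of text.split(/\r?\n/)) {
    const line = rawLine.replace(/\s+$/, "");
    if (line === "" || /^\s*#/.test(line)) continue; // blank line or full-line comment

    // A deeper indent opens a node; a shallower or equal indent closes the
    // open nodes at or below it. Continuation lines of multi-line flow
    // collections are counted as block nesting too, which only over-counts.
    const indent = /^ */.exec(line)[0].length;
    while (indentStack.length && indentStack[indentStack.length - 1] >= indent) {
      indentStack.pop();
    }
    indentStack.push(indent);

    // Scan the line for flow brackets, skipping quoted scalars and trailing comments.
    let quote = null;
    for (let i = 0; i < line.length; i++) {
      const ch = line[i];
      if (quote) {
        if (ch === quote) quote = null;                // closing quote ('' in single quotes re-opens harmlessly)
        else if (ch === "\\" && quote === '"') i++;    // skip escaped char in double quotes
        continue;
      }
      if (ch === '"' || ch === "'") {
        quote = ch;
      } else if (ch === "#" && (i === 0 || /\s/.test(line[i - 1]))) {
        break;                                         // rest of line is a comment
      } else if (ch === "[" || ch === "{") {
        flowDepth++;
      } else if (ch === "]" || ch === "}") {
        flowDepth = Math.max(0, flowDepth - 1);
      }
      maxDepth = Math.max(maxDepth, indentStack.length + flowDepth);
    }
    maxDepth = Math.max(maxDepth, indentStack.length + flowDepth);
  }
  return maxDepth;
}

// Refuse over-deep input before calling the real parser. `parse` is whatever
// the application uses (e.g. YAML.parse from the yaml package); JSON.parse
// works in the demo because JSON documents are valid flow-style YAML.
function guardedParse(text, parse, maxDepth = DEFAULT_MAX_DEPTH) {
  const depth = estimateYamlDepth(text);
  if (depth > maxDepth) {
    throw new RangeError(`YAML nesting depth ${depth} exceeds limit ${maxDepth}`);
  }
  return parse(text);
}

// Constructed inputs for the demo.
const blockDoc = "a:\n  b:\n    c: 1\n";                        // depth 3
const quotedBrackets = 'key: "[not a collection]" # [[[[\n';   // depth 1: brackets are quoted / commented
const nestedBomb = "[".repeat(200) + "]".repeat(200);           // depth 201: attacker-style input

console.log(estimateYamlDepth(blockDoc), estimateYamlDepth(quotedBrackets), estimateYamlDepth(nestedBomb));
console.log(guardedParse('{"a": [1, 2]}', JSON.parse));        // parses: depth 3 is within the limit
```

The guard runs in linear time over the input and allocates only the indentation stack, so it is safe to place in front of every untrusted parse; the parser's own limit, once the fixed version is installed, remains the authoritative defence.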