Skip to content

chore(deps): bump js-yaml from 4.2.0 to 5.2.0#12026

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/js-yaml-5.2.0
Open

chore(deps): bump js-yaml from 4.2.0 to 5.2.0#12026
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/npm_and_yarn/js-yaml-5.2.0

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jul 6, 2026

Copy link
Copy Markdown
Contributor

Bumps js-yaml from 4.2.0 to 5.2.0.

Changelog

Sourced from js-yaml's changelog.

[5.2.0] - 2026-06-26

Added

  • Added maxTotalMergeKeys (10000) loader option to limit the total number of keys processed by YAML merge (<<) across one load() / loadAll() call.
  • Added maxAliases (-1) loader option to limit the number of YAML aliases per document.

Removed

  • maxMergeSeqLength replaced with maxTotalMergeKeys for limiting YAML merge processing.

Fixed

  • Round-trip of integers with exponential form (>= 1e21)

[5.1.0] - 2026-06-23

Added

  • Collection tags can finalize an incrementally populated carrier into a different result value.

Changed

  • [breaking] quoteStyle now selects the preferred quote style; use the restored forceQuotes option to force quoting non-key strings.

[5.0.0] - 2026-06-20

Added

  • Added named exports for schemas, tags, parser events and AST utilities.
  • Reworked JSON_SCHEMA and CORE_SCHEMA with spec-compliant scalar resolution rules, and added YAML11_SCHEMA.
  • Added realMapTag for lossless mappings with non-string and complex keys. Object-based mappings now reject complex keys instead of stringifying them.
  • Added dump() transform option for changing the generated AST before rendering.
  • Added dump() options seqInlineFirst, flowBracketPadding, flowSkipCommaSpace, flowSkipColonSpace, quoteFlowKeys, quoteStyle and tagBeforeAnchor.
  • Added formal data layers (events and AST) for modular data pipelines.
    • Added low-level parser (to events), presenter and visitor APIs.
  • Added the YAML Test Suite to the test set.

Changed

  • See the migration guide for upgrade notes.
  • Rewritten in TypeScript and reorganized the public API around flat named exports.
  • Reduced the set of exported schemas:
    • YAML 1.2 schemas: CORE_SCHEMA (loader default), JSON_SCHEMA, FAILSAFE_SCHEMA.
    • YAML11_SCHEMA, a combination of all YAML 1.1 tags (YAML 1.1 does not specify a schema, only "types").

... (truncated)

Commits
  • c28ed5e 5.2.0 released
  • 125cd5a Add maxAliases option
  • 3105455 Replace maxMergeSeqLengthoption with maxTotalMergeKeys (more robust)
  • 39d00d6 numbers: Drop boxed numbers support, simplify .identify() checks, clarify rou...
  • eb5cb5b fix: round-trip integers that stringify in exponential notation (#771)
  • 89024c4 Update migration info, close #770
  • f1e45cd 5.1.0 released
  • 53b22be Fix constructor coverage
  • a1eaa2b Fix quote style options and restore forceQuotes
  • 0532e7d Add finalizers for immutable collection tags
  • Additional commits viewable in compare view

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code labels Jul 6, 2026
@mergify mergify Bot had a problem deploying to Mergify Merge Protections July 6, 2026 06:37 Failure
@mergify

mergify Bot commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

Merge Protections

🔴 1 of 6 protections blocking · waiting on 🤖 CI and 🙋 you

Protection Waiting on
🔴 🤖 Continuous Integration 🤖 CI and 🙋 you
🟢 👀 Review Requirements
🟢 Enforce conventional commit
🟢 🔎 Reviews
🟢 📕 PR description
🟢 🚦 Auto-queue

🔴 🤖 Continuous Integration

Waiting for

  • check-success = build
  • check-success = lint
  • any of:
    • check-success = test-broken-links
    • label = ignore-broken-links
This rule is failing.
  • all of:
    • check-success = build
    • check-success = lint
    • any of:
      • check-success = test-broken-links
      • label = ignore-broken-links
    • check-success = test
    • any of:
      • check-success=Cloudflare Pages
      • -head-repo-full-name~=^Mergifyio/

Show 5 satisfied protections

🟢 👀 Review Requirements

  • any of:
    • author = dependabot[bot]
    • #approved-reviews-by >= 2
    • author = mergify-ci-bot

🟢 Enforce conventional commit

Make sure that we follow https://www.conventionalcommits.org/en/v1.0.0/

  • title ~= ^(fix|feat|docs|style|refactor|perf|test|build|ci|chore|revert|ui)(?:\(.+\))?:

🟢 🔎 Reviews

  • #changes-requested-reviews-by = 0
  • #review-requested = 0
  • #review-threads-unresolved = 0

🟢 📕 PR description

  • body ~= (?ms:.{48,})

🟢 🚦 Auto-queue

When all merge protections are satisfied, this pull request will be queued automatically.

Bumps [js-yaml](https://github.com/nodeca/js-yaml) from 4.2.0 to 5.2.0.
- [Changelog](https://github.com/nodeca/js-yaml/blob/master/CHANGELOG.md)
- [Commits](nodeca/js-yaml@4.2.0...5.2.0)

---
updated-dependencies:
- dependency-name: js-yaml
  dependency-version: 5.2.0
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/js-yaml-5.2.0 branch from 64d1873 to d441585 Compare July 7, 2026 06:40
@mergify mergify Bot had a problem deploying to Mergify Merge Protections July 7, 2026 06:40 Failure
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code

Development

Successfully merging this pull request may close these issues.

0 participants