Skip to content

[0.81][0.80][0.79]Component Governance critical alert Upgrade js-yaml from 4.1.0 to 4.1.1 #15458

New issue
New issue
Open
Bug
Open
[0.81][0.80][0.79]Component Governance critical alert Upgrade js-yaml from 4.1.0 to 4.1.1#15458
Bug
Assignees
HariniMalothu17
Labels
bugsecurityPull requests that address a security vulnerability
Milestone
0.82
@HariniMalothu17

Description

@HariniMalothu17
HariniMalothu17
opened on Dec 8, 2025

Impact
In js-yaml 4.1.0, 4.0.0, and 3.14.1 and below, it's possible for an attacker to modify the prototype of the result of a parsed yaml document via prototype pollution (proto). All users who parse untrusted yaml documents may be impacted.

Patches
Problem is patched in js-yaml 4.1.1 and 3.14.2.

Workarounds
You can protect against this kind of attack on the server by using node --disable-proto=delete or deno (in Deno, pollution protection is on by default).
Recommendation
Upgrade js-yaml from 4.1.0 to 4.1.1 to fix the vulnerability.

Metadata

Metadata

Assignees

Labels

bugsecurityPull requests that address a security vulnerability

Type

Bug

Projects

No projects

Milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions