Bug
The Docs Deploy job in release.yml has failed on the last two stable releases (v2.12.0 run 28778826343, and the 2026-06-20 release run 27862889701). The docs site has not deployed since.
Root cause
PR #1733 added a root npm override pinning js-yaml to 4.2.0 for all transitive consumers to remediate CVE-2026-53550. Docusaurus parses markdown front matter via gray-matter@4.0.3, which calls yaml.safeLoad — an API removed in js-yaml 4. The docs build fails with:
[ERROR] Error while parsing Markdown front matter.
[cause]: Error: Function yaml.safeLoad is removed in js-yaml 4. Use yaml.load instead
Fix
Per GHSA advisory for CVE-2026-53550, the 3.x line is patched in 3.15.0. Scope the override so gray-matter gets the patched 3.x (keeps the safeLoad API) while everything else stays on 4.2.0:
"overrides": {
"js-yaml": "4.2.0",
"gray-matter": { "js-yaml": "3.15.0" }
}
No security regression: 3.15.0 is the patched version for the 3.x range.
[orchestrator] Filed during the v2.12.0 /release post-merge verification.
Bug
The
Docs Deployjob inrelease.ymlhas failed on the last two stable releases (v2.12.0 run 28778826343, and the 2026-06-20 release run 27862889701). The docs site has not deployed since.Root cause
PR #1733 added a root npm override pinning
js-yamlto4.2.0for all transitive consumers to remediate CVE-2026-53550. Docusaurus parses markdown front matter viagray-matter@4.0.3, which callsyaml.safeLoad— an API removed in js-yaml 4. The docs build fails with:Fix
Per GHSA advisory for CVE-2026-53550, the 3.x line is patched in 3.15.0. Scope the override so
gray-mattergets the patched 3.x (keeps thesafeLoadAPI) while everything else stays on 4.2.0:No security regression: 3.15.0 is the patched version for the 3.x range.
[orchestrator] Filed during the v2.12.0
/releasepost-merge verification.