Skip to content

chore(deps): bump yaml from 2.8.4 to 2.9.0 in the production-dependencies group across 1 directory#24

Merged
capyBearista merged 1 commit into
mainfrom
dependabot/bun/production-dependencies-d4197686fa
May 17, 2026
Merged

chore(deps): bump yaml from 2.8.4 to 2.9.0 in the production-dependencies group across 1 directory#24
capyBearista merged 1 commit into
mainfrom
dependabot/bun/production-dependencies-d4197686fa

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot Bot commented on behalf of github May 11, 2026
edited
Loading

Bumps the production-dependencies group with 1 update in the / directory: yaml.

Updates yaml from 2.8.4 to 2.9.0

Release notes

Sourced from yaml's releases.

v2.9.0

The changes here are really only patches, but I'm releasing this as a minor version to note a small change to the documentation of parseDocument() and parseAllDocuments(): I've removed the claim that they'll "never throw".

It remains the case that practically all non-malicious inputs will be handled without emitting an error, but there is a decent chance that code paths remain where e.g. a RangeError due to call stack exhaustion can be triggered by malicious inputs. Up to now, I've considered these as security vulnerabilities, and in fact it's the only category of error for which yaml CVEs have been issued so far.

Starting from this release, I'll be considering such errors as bugs, but not vulnerabilities. I do welcome people and/or LLMs looking for them, but please report them as normal issues rather than suspected security vulnerabilities. This also applies to previously undiscovered bugs in earlier releases.

  • fix: Avoid calling Array.prototype.push.apply() with large source array
  • fix(lexer): Avoid recursive calls that may exhaust the call stack
Commits
  • ddb21b0 2.9.0
  • 167365b docs: Clarify that not all errors can be avoided
  • 6eca2a7 fix: Avoid calling Array.prototype.push.apply() with large source array
  • 0543cd5 fix(lexer): Avoid recursive calls that may exhaust the call stack
  • See full diff in compare view

@capyBearista capyBearista self-requested a review May 17, 2026 17:05
@capyBearista
Copy link
Copy Markdown
Owner

capyBearista commented May 17, 2026

@dependabot recreate

@dependabot dependabot Bot changed the title chore(deps): bump yaml from 2.8.4 to 2.9.0 in the production-dependencies group chore(deps): bump yaml from 2.8.4 to 2.9.0 in the production-dependencies group across 1 directory May 17, 2026
@dependabot dependabot Bot force-pushed the dependabot/bun/production-dependencies-d4197686fa branch 2 times, most recently from 5e17cc6 to ef9437a Compare May 17, 2026 17:19
@dependabot
chore(deps): bump yaml
59863d4 
Bumps the production-dependencies group with 1 update in the / directory: [yaml](https://github.com/eemeli/yaml).


Updates `yaml` from 2.8.4 to 2.9.0
- [Release notes](https://github.com/eemeli/yaml/releases)
- [Commits](eemeli/yaml@v2.8.4...v2.9.0)

---
updated-dependencies:
- dependency-name: yaml
  dependency-version: 2.9.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: production-dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot force-pushed the dependabot/bun/production-dependencies-d4197686fa branch from ef9437a to 59863d4 Compare May 17, 2026 17:25
@capyBearista capyBearista merged commit d4bfd1c into main May 17, 2026
3 checks passed
@dependabot dependabot Bot deleted the dependabot/bun/production-dependencies-d4197686fa branch May 17, 2026 17:27
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@capyBearista capyBearista capyBearista approved these changes

Assignees

No one assigned

Labels

bun dependencies

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@capyBearista