Skip to content

Bump js-yaml from 4.1.1 to 4.2.0 in /apps/runner/images/css#2321

Open
dependabot[bot] wants to merge 38 commits into
masterfrom
dependabot/npm_and_yarn/apps/runner/images/css/js-yaml-4.2.0
Open

Bump js-yaml from 4.1.1 to 4.2.0 in /apps/runner/images/css#2321
dependabot[bot] wants to merge 38 commits into
masterfrom
dependabot/npm_and_yarn/apps/runner/images/css/js-yaml-4.2.0

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 22, 2026

Copy link
Copy Markdown
Contributor

Bumps js-yaml from 4.1.1 to 4.2.0.

Changelog

Sourced from js-yaml's changelog.

[4.2.0] - 2026-06-01

Added

  • Added docs/safety.md with notes about processing untrusted YAML.
  • Added maxDepth (100) loader option. Not a problem, but gives a better exception instead of RangeError on stack overflow.
  • Added maxMergeSeqLength (20) loader option. Not a problem after merge fix, but an additional restriction for safety.
  • Added sourcemaps to dist/ builds.

Changed

  • Stop resolving numbers with underscores as numeric scalars, #627.
  • Switched dev toolchains to Vite / neostandard.
  • Updated demo.
  • Reorganized tests.
  • dist/ files are no longer kept in the repository.

Fixed

  • Fix parsing of properties on the first implicit block mapping key, #62.
  • Fix trailing whitespace handling when folding flow scalar lines, #307.
  • Reject top-level block scalars without content indentation, #280.
  • Ensure numbers survive round-trip, #737.
  • Fix test coverage for issue #221.
  • Fix flow scalar trailing whitespace folding, #307.
  • Fix digits in YAML named tag handles.

Security

  • Fix potential DoS via quadratic complexity in merge - deduplicate repeated elements (makes sense for malformed files > 10K).

[3.14.2] - 2025-11-15

Security

  • Backported v4.1.1 fix to v3
Commits

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

vtm9 and others added 30 commits June 15, 2026 22:24
@vtm9
Add token
6e34041
@vtm9
improve
65d669f
@vtm9
Fix
b9457bc
@vtm9
Add tournaments socket
53fec83
@vtm9
Minor updates
6991c8b
@vtm9
Improve clipboard
4d7f8f1
@vtm9
Fix
ca5db9b
@vtm9
fix
75417d9
@vtm9
Fix FE
34dd282
@vtm9
Improve
a34bd2b
@vtm9
Fix
83527eb
@vtm9
Fix
b57dd45
@vtm9
Fix
d104b98
@vtm9
Minor fix
6c68fab
@vtm9
Add auth
e98ed46
@vtm9 @claude
Wire simulator buttons to drive tournament lifecycle
9eebb12 
- Stop fires :finish_tournament so the final results get calculated
  instead of leaving the tournament in limbo.
- Retry now tops the tournament back up to 200 simulator players via
  Setup.top_up_players/1 between :retry and :start, so dropouts are
  re-joined automatically.
- Drop the Pause/Continue buttons (freeze/unfreeze) — they weren't
  the control surface admins actually wanted.
- Stream-state controller already accepts the TokenAuth api key via
  query or x-auth-key header; tests now isolate Application env so the
  api_key mutation doesn't bleed into other suites.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
@vtm9 @claude
Let token-authed paths bypass RescrictAccess guest redirect
355d5f0 
The stream-state endpoint authenticates itself via the api_key
(auth_token query param or x-auth-key header), but on hosts where
the restrict_guests_access flag is on, the :browser pipeline's
RescrictAccess plug short-circuits anonymous requests with a 302 to
/session/new before the controller ever runs.

Whitelist the stream-state path so token-authed callers (curl, OBS,
dashboards) can reach the controller and complete the api-key check.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
@vtm9
fix
ff81e37
@vtm9
Fix
5077179
@vtm9
Fix
73a08c9
@vtm9
fix
e92e02c
@vtm9
fix
21882d1
@vtm9
Add task
4dfaa21
@vtm9
fix
ab23567
@vtm9
Impvoe
1de3e66
@vtm9
fix
a0b5e69
@vtm9
Fix
669667f
@vtm9
Fix
a9efc70
@vtm9
Fix
7d77df6
@vtm9
Fix simulator
52f7bf9
vtm9 and others added 8 commits June 21, 2026 12:26
@vtm9
Fix
36be7ba
@vtm9
Fix
bd2743b
@ReDBrother
add total time
ceae1d9
@vtm9
Fix
29fed2f
@vtm9
Fix
06ec4f9
@vtm9
Fix
aa469b4
@vtm9
Fix
fae56d5
@dependabot
Bump js-yaml from 4.1.1 to 4.2.0 in /apps/runner/images/css
381a457 
Bumps [js-yaml](https://github.com/nodeca/js-yaml) from 4.1.1 to 4.2.0.
- [Changelog](https://github.com/nodeca/js-yaml/blob/master/CHANGELOG.md)
- [Commits](nodeca/js-yaml@4.1.1...4.2.0)

---
updated-dependencies:
- dependency-name: js-yaml
  dependency-version: 4.2.0
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jun 22, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@vtm9 @ReDBrother