[GHSA-h67p-54hq-rp68] JS-YAML: Quadratic-complexity DoS in merge key handling via repeated aliases #8152
Conversation
Hi there @puzrin! A community member has suggested an improvement to your security advisory. If approved, this change will affect the global advisory listed at github.com/advisories. It will not affect the version listed in your project repository. This change will be reviewed by our Security Curation Team. If you have thoughts or feedback, please share them in a comment here! If this PR has already been closed, you can start a new community contribution for this advisory.
Pull request overview
Updates the GHSA-h67p-54hq-rp68 advisory record to reflect corrected affected version ranges for js-yaml, including the v3 backport fix, and adds an additional supporting reference.
Changes:
- Refines the v4 affected range to start at 4.0.0 (fixed in 4.2.0).
- Adds a separate affected entry indicating v3 is fixed in 3.15.0.
- Adds a reference to the upstream PR comment documenting the v3 backport.
I've updated version info in package source advisory GHSA-h67p-54hq-rp68.
Updates
Comments
This was backported to v3:
maxMergeSeqLength = 20 option in v3: nodeca/js-yaml#761 (comment)
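The following is an added example, not code from js-yaml, the advisory, or anyone in this thread. It models the cost pattern the advisory title names: a merge key whose sequence repeats one alias makes a naive resolver copy every key of the anchored mapping once per alias, so an input of roughly K + M lines (K keys, M aliases) costs K * M key copies. The cap value 20 mirrors the maxMergeSeqLength option the comment above mentions for v3; the resolver here is a stand-in rather than js-yaml's loader, the v4 option name is not verified here, and the YAML document is constructed sample input.

```javascript
// Added example. Models the merge-key cost named in the advisory; it is not
// js-yaml's implementation and does not depend on js-yaml being installed.

// Construct a YAML document (constructed sample input) with an anchored
// mapping of `keys` entries and a merge sequence that aliases it `aliases` times.
function buildMergePayload(keys, aliases) {
  const lines = ['base: &a'];
  for (let i = 0; i < keys; i++) lines.push(`  k${i}: ${i}`);
  lines.push('merged:');
  lines.push(`  <<: [${Array(aliases).fill('*a').join(', ')}]`);
  return lines.join('\n') + '\n';
}

// The anchored mapping as a loader would have built it before the merge.
function makeAnchored(keys) {
  const m = {};
  for (let i = 0; i < keys; i++) m[`k${i}`] = i;
  return m;
}

// Naive merge-key resolution: copy every key of the anchored mapping for each
// entry of the merge sequence, counting copies so the cost is visible.
// `maxMergeSeqLength` is the hypothetical cap (assumed to behave like the v3
// option mentioned in the thread); Infinity means no cap at all.
function resolveMerge(anchored, aliases, maxMergeSeqLength = Infinity) {
  if (aliases > maxMergeSeqLength) {
    throw new RangeError(
      `merge sequence has ${aliases} entries, limit is ${maxMergeSeqLength}`);
  }
  const result = {};
  let copies = 0;
  for (let i = 0; i < aliases; i++) {
    for (const key of Object.keys(anchored)) {
      result[key] = anchored[key];
      copies++;
    }
  }
  return { result, copies };
}

// Work done by the uncapped resolver when K and M grow together: n * n.
function quadraticCost(n) {
  return resolveMerge(makeAnchored(n), n).copies;
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const n of [100, 1000, 5000]) {
    console.log(`K=M=${n}: ${quadraticCost(n)} key copies`);
  }
  console.log(buildMergePayload(3, 3));
  try {
    resolveMerge(makeAnchored(3), 21, 20);
  } catch (e) {
    console.log(`capped resolver: ${e.message}`);
  }
}
```

To observe the real behaviour, feed the output of buildMergePayload with large K and M to an affected js-yaml version and compare against 3.15.0 or 4.2.0; with a cap of 20 the work is bounded by 20 * K, which is linear in the input.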