Update dependency js-yaml to v4 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
js-yaml	3.14.2 → 4.2.0

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

JS-YAML: Quadratic-complexity DoS in merge key handling via repeated aliases

CVE-2026-53550 / GHSA-h67p-54hq-rp68

More information

Details

Summary

A crafted YAML document can trigger algorithmic CPU exhaustion in js-yaml merge-key processing (<<) by repeating the same alias many times in a merge sequence.
This causes quadratic parse-time behavior relative to input size and can block a Node.js worker/event loop for seconds with a relatively small payload (tens of KB), resulting in denial of service.

Details

The issue is in merge handling inside lib/loader.js:

• storeMappingPair(...) iterates every element of a merge sequence when key tag is tag:yaml.org,2002:merge.
• For each element, it calls mergeMappings(...).
• mergeMappings(...) computes Object.keys(source) and performs _hasOwnProperty.call(destination, key) checks for each key.

When input is of the form:

a: &a {k0:0, k1:0, ..., kK:0}
b: {<<: [*a, *a, *a, ... repeated M times ...]}
all *a entries refer to the same anchored object. After the first merge, subsequent merges are semantically no-ops, but the parser still reprocesses all keys each time.
Resulting work is O(K * M), while input size is O(K + M), giving quadratic scaling as payload grows.
Relevant code path:
lib/loader.js in storeMappingPair(...) merge branch (keyTag === 'tag:yaml.org,2002:merge')
lib/loader.js mergeMappings(...)

Root cause

File: lib/loader.js
Function: storeMappingPair(state, _result, overridableKeys, keyTag, keyNode,
valueNode, startLine, startLineStart, startPos)
Lines: ~359-366

if (keyTag === 'tag:yaml.org,2002:merge') {
  if (Array.isArray(valueNode)) {
    for (index = 0, quantity = valueNode.length; index < quantity; index += 1) {
      mergeMappings(state, _result, valueNode[index], overridableKeys);
    }
  } else {
    mergeMappings(state, _result, valueNode, overridableKeys);
  }
}

When the merge value is a sequence (YAML 1.1 <<: [ *a, *a, ... ]), each element
is handed to mergeMappings() without deduplication. mergeMappings() then does

sourceKeys = Object.keys(source);
for (index = 0; index < sourceKeys.length; index += 1) {
  key = sourceKeys[index];
  if (!_hasOwnProperty.call(destination, key)) {
    setProperty(destination, key, source[key]);
    overridableKeys[key] = true;
  }
}

Every alias reference in the sequence resolves (by design) to the SAME object
via state.anchorMap. After the first merge, every subsequent merge of that same
reference is a pure no-op semantically, but still performs:

• one Object.keys(source) call (O(K))
• K _hasOwnProperty.call checks on the destination

Total: M * K hasOwnProperty checks + M Object.keys allocations, while the final
object and all observable side effects are identical to a single merge.

YAML semantics for <<: are idempotent and commutative over duplicate sources,
so collapsing duplicates preserves behavior exactly; this isn't a spec trade-off.

PoC

Environment:
js-yaml version: 4.1.1
Node.js: v24.5.0
Platform: arm64 macOS (reproduced consistently)
Reproduction script:
Create many keys in one anchored map (&a).
Merge that same alias repeatedly via <<: [*a, *a, ...].
Measure parse time and compare with control payload using single merge (<<: *a).
Observed repeated runs (same machine):
K=M=1000, input 9,909 bytes: ~33–36 ms
K=M=2000, input 20,909 bytes: ~121–123 ms
K=M=4000, input 42,909 bytes: ~524–537 ms
K=M=6000, input 64,909 bytes: ~1,608–1,829 ms
K=M=8000, input 86,909 bytes: ~3,395–3,565 ms
Control (single merge, similar key counts):
K=2000: ~1–2 ms
K=4000: ~3 ms
K=8000: ~5 ms
Also verified: repeated-merge output equals single-merge output (same key count and same JSON), confirming excess time is redundant computation.

Impact

This is a denial-of-service vulnerability (CPU exhaustion / algorithmic complexity).
Any service parsing untrusted YAML with js-yaml can be impacted, including API backends, CI tools, config processors, and automation services. An attacker can submit crafted YAML to significantly increase CPU time and reduce availability.

Suggested fix:

Dedupe the merge source list by reference before invoking mergeMappings. Any of
the following are minimal and preserve YAML 1.1 merge semantics:

dedupe in storeMappingPair:

if (keyTag === 'tag:yaml.org,2002:merge') {
  if (Array.isArray(valueNode)) {
    var seen = new Set();
    for (index = 0, quantity = valueNode.length; index < quantity; index += 1) {
      var src = valueNode[index];
      if (seen.has(src)) continue;   // idempotent; skip redundant alias
      seen.add(src);
      mergeMappings(state, _result, src, overridableKeys);
    }
  } else {
    mergeMappings(state, _result, valueNode, overridableKeys);
  }
}

Severity

• CVSS Score: 5.3 / 10 (Medium)
• Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

References

• https://github.com/nodeca/js-yaml/security/advisories/GHSA-h67p-54hq-rp68
• https://github.com/advisories/GHSA-h67p-54hq-rp68

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

nodeca/js-yaml (js-yaml)

v4.2.0

Compare Source

Added

• Added docs/safety.md with notes about processing untrusted YAML.
• Added maxDepth (100) loader option. Not a problem, but gives a better
  exception instead of RangeError on stack overflow.
• Added maxMergeSeqLength (20) loader option. Not a problem after merge fix,
  but an additional restriction for safety.
• Added sourcemaps to dist/ builds.

Changed

• Stop resolving numbers with underscores as numeric scalars, #​627.
• Switched dev toolchains to Vite / neostandard.
• Updated demo.
• Reorganized tests.
• dist/ files are no longer kept in the repository.

Fixed

• Fix parsing of properties on the first implicit block mapping key, #​62.
• Fix trailing whitespace handling when folding flow scalar lines, #​307.
• Reject top-level block scalars without content indentation, #​280.
• Ensure numbers survive round-trip, #​737.
• Fix test coverage for issue #​221.
• Fix flow scalar trailing whitespace folding, #​307.
• Fix digits in YAML named tag handles.

Security

• Fix potential DoS via quadratic complexity in merge - deduplicate repeated
  elements (makes sense for malformed files > 10K).

v4.1.1

Compare Source

v4.1.0

Compare Source

Added

• Types are now exported as yaml.types.XXX.
• Every type now has options property with original arguments kept as they were
  (see yaml.types.int.options as an example).

Changed

• Schema.extend() now keeps old type order in case of conflicts
  (e.g. Schema.extend([ a, b, c ]).extend([ b, a, d ]) is now ordered as abcd instead of cbad).

v4.0.0

Compare Source

Changed

• Check migration guide to see details for all breaking changes.
• Breaking: "unsafe" tags !!js/function, !!js/regexp, !!js/undefined are
  moved to js-yaml-js-types package.
• Breaking: removed safe* functions. Use load, loadAll, dump
  instead which are all now safe by default.
• yaml.DEFAULT_SAFE_SCHEMA and yaml.DEFAULT_FULL_SCHEMA are removed, use
  yaml.DEFAULT_SCHEMA instead.
• yaml.Schema.create(schema, tags) is removed, use schema.extend(tags) instead.
• !!binary now always mapped to Uint8Array on load.
• Reduced nesting of /lib folder.
• Parse numbers according to YAML 1.2 instead of YAML 1.1 (01234 is now decimal,
  0o1234 is octal, 1:23 is parsed as string instead of base60).
• dump() no longer quotes :, [, ], (, ) except when necessary, #​470, #​557.
• Line and column in exceptions are now formatted as (X:Y) instead of
  at line X, column Y (also present in compact format), #​332.
• Code snippet created in exceptions now contains multiple lines with line numbers.
• dump() now serializes undefined as null in collections and removes keys with
  undefined in mappings, #​571.
• dump() with skipInvalid=true now serializes invalid items in collections as null.
• Custom tags starting with ! are now dumped as !tag instead of !<!tag>, #​576.
• Custom tags starting with tag:yaml.org,2002: are now shorthanded using !!, #​258.

Added

• Added .mjs (es modules) support.
• Added quotingType and forceQuotes options for dumper to configure
  string literal style, #​290, #​529.
• Added styles: { '!!null': 'empty' } option for dumper
  (serializes { foo: null } as "foo: "), #​570.
• Added replacer option (similar to option in JSON.stringify), #​339.
• Custom Tag can now handle all tags or multiple tags with the same prefix, #​385.

Fixed

• Astral characters are no longer encoded by dump(), #​587.
• "duplicate mapping key" exception now points at the correct column, #​452.
• Extra commas in flow collections (e.g. [foo,,bar]) now throw an exception
  instead of producing null, #​321.
• __proto__ key no longer overrides object prototype, #​164.
• Removed bower.json.
• Tags are now url-decoded in load() and url-encoded in dump()
  (previously usage of custom non-ascii tags may have led to invalid YAML that can't be parsed).
• Anchors now work correctly with empty nodes, #​301.
• Fix incorrect parsing of invalid block mapping syntax, #​418.
• Throw an error if block sequence/mapping indent contains a tab, #​80.

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[changeset-bot]

⚠️ No Changeset found

Latest commit: 34a56c1

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR