Description:
read-yaml-file@2.1.0 currently depends on js-yaml@^4.0.0. The last release of read-yaml-file was published 5 years ago, so the published package.json still shows ^4.0.0.
npm audit reports a moderate prototype pollution vulnerability in js-yaml ≤4.1.0 (GHSA-mh29-5h37-fv8m). Although downstream projects can add an override, and a fresh install of ^4.0.0 already resolves to the latest 4.x release, the older declared range is still flagged by scanners that read the published metadata or an existing lockfile.
Request:
Please update the js-yaml dependency to 4.1.1 so that downstream projects automatically get a non-vulnerable version without needing overrides.
Impact:
Resolves the prototype pollution vulnerability
Ensures security scans no longer flag js-yaml in projects depending on read-yaml-file
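For reference, this is the downstream workaround the report mentions, added here as an example and not taken from the read-yaml-file repository. It assumes a hypothetical consumer package named example-downstream-app; the "overrides" field is npm's (v8.3+) mechanism for forcing a transitive dependency to a specific version, and Yarn uses an equivalent "resolutions" field.

```json
{
  "name": "example-downstream-app",
  "version": "1.0.0",
  "dependencies": {
    "read-yaml-file": "^2.1.0"
  },
  "overrides": {
    "js-yaml": "4.1.1"
  }
}
```

After adding the override, run `npm install` so the lockfile is regenerated, then confirm with `npm ls js-yaml` that every path to js-yaml resolves to 4.1.1; `npm audit` evaluates the lockfile, so a stale package-lock.json that still pins 4.1.0 will keep the finding open until it is rewritten. Once read-yaml-file itself declares js-yaml 4.1.1 the override can be removed.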