Update dependency yaml to v2.9.0 #55

Merged
jonathan merged 1 commit from renovate/yaml-2.x-lockfile into main 2026-05-18 19:29:13 +00:00
Collaborator

This PR contains the following updates:

| Package | Type | Update | Change |
|---|---|---|---|
| yaml (source) | pnpm.overrides | minor | 2.8.4 → 2.9.0 |

Release Notes

eemeli/yaml (yaml)

v2.9.0

Compare Source

The changes here are really only patches, but I'm releasing this as a minor version to note a small change to the documentation of parseDocument() and parseAllDocuments(): I've removed the claim that they'll "never throw".

It remains the case that practically all non-malicious inputs will be handled without emitting an error, but there is a decent chance that code paths remain where e.g. a RangeError due to call stack exhaustion can be triggered by malicious inputs. Up to now, I've considered these as security vulnerabilities, and in fact it's the only category of error for which yaml CVEs have been issued so far.

Starting from this release, I'll be considering such errors as bugs, but not vulnerabilities. I do welcome people and/or LLMs looking for them, but please report them as normal issues rather than suspected security vulnerabilities. This also applies to previously undiscovered bugs in earlier releases.

  • fix: Avoid calling Array.prototype.push.apply() with large source array
  • fix(lexer): Avoid recursive calls that may exhaust the call stack

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate.

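A caller-side guard for the behaviour change described in the release notes above, added here as an example; it is not part of the PR, of Renovate's output, or of the yaml project's code. `recursiveDepth`, `iterativeDepth`, `appendAll` and `parseUntrusted` are hypothetical names, and `recursiveDepth` is a constructed stand-in for a parser that uses one stack frame per input token.

```javascript
// Constructed stand-in for a recursive parser step (NOT the yaml library's code):
// counts leading '[' characters using one stack frame per character.
function recursiveDepth(src, i = 0) {
  return src[i] === '[' ? 1 + recursiveDepth(src, i + 1) : 0;
}

// Same result with a loop: stack use stays constant however deep the input is.
function iterativeDepth(src) {
  let depth = 0;
  while (src[depth] === '[') depth++;
  return depth;
}

// target.push.apply(target, source) passes every element of source as a call
// argument and can throw RangeError for very large arrays; a loop does not.
function appendAll(target, source) {
  for (let i = 0; i < source.length; i++) target.push(source[i]);
  return target;
}

// Guard for untrusted input: cap the size first, then treat anything the
// parser throws as a handled failure instead of letting it crash the caller.
// `parse` is whatever parser the application uses (assumption: it takes a string).
function parseUntrusted(parse, src, maxLength = 1_000_000) {
  if (typeof src !== 'string' || src.length > maxLength) {
    return { ok: false, reason: 'rejected: not a string or over size limit' };
  }
  try {
    return { ok: true, value: parse(src) };
  } catch (err) {
    // RangeError covers call stack exhaustion and oversized argument lists.
    const kind = err instanceof RangeError ? 'resource exhaustion' : 'parser error';
    return { ok: false, reason: `${kind}: ${err.name}` };
  }
}

// Constructed sample input: one million levels of nesting.
const deepSample = '['.repeat(1_000_000);
console.log(parseUntrusted(recursiveDepth, deepSample, 2_000_000));
console.log(parseUntrusted(iterativeDepth, deepSample, 2_000_000));
```

With the real library, the `parse` argument would be a function wrapping `parseDocument()`; the size limit is an application choice, not a value from the release notes.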
Update dependency yaml to v2.9.0
Some checks failed
renovate/artifacts Artifact file update failure
renovate/stability-days Updates have met minimum release age requirement
ci / build-image (pull_request) Successful in 57s
ci / test-image (pull_request) Successful in 22s
ci / build-image (push) Successful in 55s
ci / test-image (push) Successful in 8s
b66f6e9cdb
Author
Collaborator

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: yarn.lock
error This project's package.json defines "packageManager": "yarn@pnpm@11.1.2". However the current global version of Yarn is 1.22.22.

Presence of the "packageManager" field indicates that the project is meant to be used with Corepack, a tool included by default with all official Node.js distributions starting from 16.9 and 14.19.
Corepack must currently be enabled by running corepack enable in your terminal. For more information, check out https://yarnpkg.com/corepack.

jonathan deleted branch renovate/yaml-2.x-lockfile 2026-05-18 19:29:13 +00:00
Reference
jonathan/hostr!55