fix(core): js-yaml 4.2.0 CVE fix

[melloware]

Fix #3619

Summary by CodeRabbit

• Chores
  • Updated project dependencies to their latest compatible versions to maintain security and compatibility standards.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 480b0cf4-348a-4583-a74f-c57d4e0e304c

📥 Commits

Reviewing files that changed from the base of the PR and between 79f0970 and bb4b6b4.

⛔ Files ignored due to path filters (1)

• bun.lock is excluded by !**/*.lock

📒 Files selected for processing (1)

• packages/orval/package.json

---

📝 Walkthrough

Walkthrough

Five dependency versions in packages/orval/package.json are bumped: @commander-js/extra-typings from ^14.0.0 to ^15.0.0, and @scalar/json-magic, @scalar/openapi-parser, commander, and js-yaml updated to newer versions. No other metadata or dependency keys are changed.

Changes

Dependency version bumps

Layer / File(s)	Summary
Dependency version updates packages/orval/package.json	@commander-js/extra-typings bumped to ^15.0.0; @scalar/json-magic, @scalar/openapi-parser, commander, and js-yaml updated to newer versions.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Possibly related PRs

• orval-labs/orval#3272: Previously bumped the same @scalar/json-magic and @scalar/openapi-parser entries in packages/orval/package.json.
• orval-labs/orval#3437: Also bumped @scalar/openapi-parser and other dependency versions in packages/orval/package.json.

Poem

🐇 Hop, hop, a version leaps ahead,
Old js-yaml DoS bug now dead.
Commander climbs to fifteen high,
Scalar libs reach for the sky.
This bunny keeps the deps up-to-date,
Patching vulnerabilities — isn't that great? 🌟

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and concisely summarizes the main change: fixing a CVE security vulnerability in js-yaml by updating to version 4.2.0.
Linked Issues check	✅ Passed	The PR successfully addresses the primary objective of issue #3619 by updating js-yaml to version 4.2.0 to eliminate the moderate severity CVE (GHSA-h67p-54hq-rp68) involving quadratic-complexity DoS attacks.
Out of Scope Changes check	✅ Passed	All changes in the PR are directly related to resolving the js-yaml CVE vulnerability. Updates to other dependencies appear to be coordinated changes supporting the security fix objective.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch O361

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	js-yaml@​4.2.0
	@​commander-js/​extra-typings@​14.0.0 ⏵ 15.0.0	+1		+2
	commander@​14.0.3 ⏵ 15.0.0	+1
	@​scalar/​openapi-parser@​0.28.5 ⏵ 0.28.7
	@​scalar/​json-magic@​0.12.14 ⏵ 0.12.16

View full report

[socket-security]

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Warn		Obfuscated code: npm js-yaml is 90.0% likely obfuscated Confidence: 0.90 Location: Package overview From: packages/orval/package.json → npm/js-yaml@4.2.0 ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/js-yaml@4.2.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report