Skip to content

AB#146238 fix: address security vulnerabilities#901

Open
fabclj wants to merge 1 commit into
masterfrom
fix/146238-fix-vulnerability
Open

AB#146238 fix: address security vulnerabilities#901
fabclj wants to merge 1 commit into
masterfrom
fix/146238-fix-vulnerability

Conversation

@fabclj

@fabclj fabclj commented Jul 17, 2026

Copy link
Copy Markdown
Contributor

Summary

Bumps js-yaml 4.1.1 → 4.3.0 in the diffbot and chuck-norris-jokes extensions to fix a Snyk-flagged CVE (high severity). 4.3.0 is a security-only backport (maxTotalMergeKeys); confirmed the "breaking change" label Snyk sometimes attaches to this bump is a false positive (matches the 4.0.0 safeLoad-removal changelog entry, not anything in the 4.1→4.3 range).

Security

No security implications beyond the fix itself — transitive dev/runtime dependency patch, no API surface change.

How to test

  1. npm run build in extensions/diffbot and extensions/chuck-norris-jokes (transpile + lint + test + zip)
  2. snyk test in both extensions reports the js-yaml CVE cleared

Verification

  • diffbot: 6/6 tests pass, build clean, snyk clean for js-yaml
  • chuck-norris-jokes: build clean, snyk clean for js-yaml
  • Remaining Snyk findings (langchain major, ws minor) are pre-existing and out of scope for this fix

Copilot AI review requested due to automatic review settings July 17, 2026 13:49
@snyk-io

snyk-io Bot commented Jul 17, 2026

Copy link
Copy Markdown

Snyk checks have passed. No issues have been found so far.

Status Scan Engine Critical High Medium Low Total (0)
Open Source Security 0 0 0 0 0 issues
Licenses 0 0 0 0 0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copilot wasn't able to review any files in this pull request.

Files not reviewed (2)
  • extensions/chuck-norris-jokes/package-lock.json: Generated file
  • extensions/diffbot/package-lock.json: Generated file

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants