[PR #6879] fix: bump js-yaml to 3.14.2 to resolve CVE-2025-64718 #5368

Closed
opened 2026-02-20 17:51:36 -05:00 by yindo · 0 comments
Owner

Original Pull Request: https://github.com/langchain-ai/langgraph/pull/6879

State: closed
Merged: Yes


Security Alert Patch

Resolves 1 Dependabot security alert (medium severity).

Package Updated

Package Old Version New Version Strategy CVE Resolved
js-yaml 3.14.1 3.14.2 Lockfile patch (within-range bump) CVE-2025-64718

CVE Details

CVE-2025-64718 / GHSA-mh29-5h37-fv8mjs-yaml prototype pollution via YAML merge keys (<<). Affects versions < 3.14.2.

The vulnerable package is a transitive dev dependency pulled in by @istanbuljs/load-nyc-config@1.1.0 (a Jest internal). No runtime impact.

Fix Strategy

Lockfile-only patch in libs/cli/js-examples/yarn.lock. The ^3.13.1 version range already allows 3.14.2, so no manifest changes were needed. The js-yaml@^4.1.1 entry (used by @eslint/eslintrc) is untouched.

Verification

  • Lockfile updated — js-yaml@^3.13.1 now resolves to 3.14.2
  • js-yaml@^4.1.1 entry unchanged (4.1.1)
  • yarn install --frozen-lockfile passes

🤖 Submitted by langster-patch

**Original Pull Request:** https://github.com/langchain-ai/langgraph/pull/6879 **State:** closed **Merged:** Yes --- ## Security Alert Patch Resolves 1 Dependabot security alert (medium severity). ### Package Updated | Package | Old Version | New Version | Strategy | CVE Resolved | |---------|-------------|-------------|----------|--------------| | `js-yaml` | 3.14.1 | 3.14.2 | Lockfile patch (within-range bump) | CVE-2025-64718 | ### CVE Details **CVE-2025-64718** / [GHSA-mh29-5h37-fv8m](https://github.com/advisories/GHSA-mh29-5h37-fv8m) — `js-yaml` prototype pollution via YAML merge keys (`<<`). Affects versions < 3.14.2. The vulnerable package is a transitive dev dependency pulled in by `@istanbuljs/load-nyc-config@1.1.0` (a Jest internal). No runtime impact. ### Fix Strategy Lockfile-only patch in `libs/cli/js-examples/yarn.lock`. The `^3.13.1` version range already allows 3.14.2, so no manifest changes were needed. The `js-yaml@^4.1.1` entry (used by `@eslint/eslintrc`) is untouched. ### Verification - [x] Lockfile updated — `js-yaml@^3.13.1` now resolves to `3.14.2` - [x] `js-yaml@^4.1.1` entry unchanged (`4.1.1`) - [x] `yarn install --frozen-lockfile` passes 🤖 Submitted by langster-patch
yindo added the pull-request label 2026-02-20 17:51:36 -05:00
yindo closed this issue 2026-02-20 17:51:36 -05:00
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: langchain-ai/langgraph#5368