Skip to content

Bump the npm_and_yarn group across 2 directories with 1 update #16

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Nov 20, 2025
Merged

Bump the npm_and_yarn group across 2 directories with 1 update #16

merged 1 commit into from
Nov 20, 2025

Conversation

@dependabot
Copy link
Contributor

@dependabot dependabot bot commented on behalf of github Nov 18, 2025

Bumps the npm_and_yarn group with 1 update in the /backend directory: js-yaml.
Bumps the npm_and_yarn group with 1 update in the /frontend directory: js-yaml.

Updates js-yaml from 3.14.1 to 3.14.2

Changelog

Sourced from js-yaml's changelog.

[3.14.2] - 2025-11-15

Security

  • Backported v4.1.1 fix to v3

[4.1.1] - 2025-11-12

Security

  • Fix prototype pollution issue in yaml merge (<<) operator.

[4.1.0] - 2021-04-15

Added

  • Types are now exported as yaml.types.XXX.
  • Every type now has options property with original arguments kept as they were (see yaml.types.int.options as an example).

Changed

  • Schema.extend() now keeps old type order in case of conflicts (e.g. Schema.extend([ a, b, c ]).extend([ b, a, d ]) is now ordered as abcd instead of cbad).

[4.0.0] - 2021-01-03

Changed

  • Check migration guide to see details for all breaking changes.
  • Breaking: "unsafe" tags !!js/function, !!js/regexp, !!js/undefined are moved to js-yaml-js-types package.
  • Breaking: removed safe* functions. Use load, loadAll, dump instead which are all now safe by default.
  • yaml.DEFAULT_SAFE_SCHEMA and yaml.DEFAULT_FULL_SCHEMA are removed, use yaml.DEFAULT_SCHEMA instead.
  • yaml.Schema.create(schema, tags) is removed, use schema.extend(tags) instead.
  • !!binary now always mapped to Uint8Array on load.
  • Reduced nesting of /lib folder.
  • Parse numbers according to YAML 1.2 instead of YAML 1.1 (01234 is now decimal, 0o1234 is octal, 1:23 is parsed as string instead of base60).
  • dump() no longer quotes :, [, ], (, ) except when necessary, #470, #557.
  • Line and column in exceptions are now formatted as (X:Y) instead of at line X, column Y (also present in compact format), #332.
  • Code snippet created in exceptions now contains multiple lines with line numbers.
  • dump() now serializes undefined as null in collections and removes keys with undefined in mappings, #571.
  • dump() with skipInvalid=true now serializes invalid items in collections as null.
  • Custom tags starting with ! are now dumped as !tag instead of !<!tag>, #576.
  • Custom tags starting with tag:yaml.org,2002: are now shorthanded using !!, #258.

Added

  • Added .mjs (es modules) support.
  • Added quotingType and forceQuotes options for dumper to configure string literal style, #290, #529.
  • Added styles: { '!!null': 'empty' } option for dumper (serializes { foo: null } as "foo: "), #570.

... (truncated)

Commits

Updates js-yaml from 3.14.1 to 3.14.2

Changelog

Sourced from js-yaml's changelog.

[3.14.2] - 2025-11-15

Security

  • Backported v4.1.1 fix to v3

[4.1.1] - 2025-11-12

Security

  • Fix prototype pollution issue in yaml merge (<<) operator.

[4.1.0] - 2021-04-15

Added

  • Types are now exported as yaml.types.XXX.
  • Every type now has options property with original arguments kept as they were (see yaml.types.int.options as an example).

Changed

  • Schema.extend() now keeps old type order in case of conflicts (e.g. Schema.extend([ a, b, c ]).extend([ b, a, d ]) is now ordered as abcd instead of cbad).

[4.0.0] - 2021-01-03

Changed

  • Check migration guide to see details for all breaking changes.
  • Breaking: "unsafe" tags !!js/function, !!js/regexp, !!js/undefined are moved to js-yaml-js-types package.
  • Breaking: removed safe* functions. Use load, loadAll, dump instead which are all now safe by default.
  • yaml.DEFAULT_SAFE_SCHEMA and yaml.DEFAULT_FULL_SCHEMA are removed, use yaml.DEFAULT_SCHEMA instead.
  • yaml.Schema.create(schema, tags) is removed, use schema.extend(tags) instead.
  • !!binary now always mapped to Uint8Array on load.
  • Reduced nesting of /lib folder.
  • Parse numbers according to YAML 1.2 instead of YAML 1.1 (01234 is now decimal, 0o1234 is octal, 1:23 is parsed as string instead of base60).
  • dump() no longer quotes :, [, ], (, ) except when necessary, #470, #557.
  • Line and column in exceptions are now formatted as (X:Y) instead of at line X, column Y (also present in compact format), #332.
  • Code snippet created in exceptions now contains multiple lines with line numbers.
  • dump() now serializes undefined as null in collections and removes keys with undefined in mappings, #571.
  • dump() with skipInvalid=true now serializes invalid items in collections as null.
  • Custom tags starting with ! are now dumped as !tag instead of !<!tag>, #576.
  • Custom tags starting with tag:yaml.org,2002: are now shorthanded using !!, #258.

Added

  • Added .mjs (es modules) support.
  • Added quotingType and forceQuotes options for dumper to configure string literal style, #290, #529.
  • Added styles: { '!!null': 'empty' } option for dumper (serializes { foo: null } as "foo: "), #570.

... (truncated)

Commits

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
    You can disable automated security fix PRs for this repo from the Security Alerts page.

@dependabot
Bump the npm_and_yarn group across 2 directories with 1 update
945c004 
Bumps the npm_and_yarn group with 1 update in the /backend directory: [js-yaml](https://github.com/nodeca/js-yaml).
Bumps the npm_and_yarn group with 1 update in the /frontend directory: [js-yaml](https://github.com/nodeca/js-yaml).


Updates `js-yaml` from 3.14.1 to 3.14.2
- [Changelog](https://github.com/nodeca/js-yaml/blob/master/CHANGELOG.md)
- [Commits](nodeca/js-yaml@3.14.1...3.14.2)

Updates `js-yaml` from 3.14.1 to 3.14.2
- [Changelog](https://github.com/nodeca/js-yaml/blob/master/CHANGELOG.md)
- [Commits](nodeca/js-yaml@3.14.1...3.14.2)

---
updated-dependencies:
- dependency-name: js-yaml
  dependency-version: 3.14.2
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: js-yaml
  dependency-version: 3.14.2
  dependency-type: indirect
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <[email protected]>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Nov 18, 2025
@semanticdiff-com
Copy link

semanticdiff-com bot commented Nov 18, 2025
edited
Loading

Review changes with  SemanticDiff

Changed Files
File Status
  backend/package-lock.json  72% smaller
  frontend/package-lock.json  72% smaller

@code-genius-code-coverage
Copy link

code-genius-code-coverage bot commented Nov 18, 2025

The files' contents are under analysis for test generation.

@secure-code-warrior-for-github
Copy link

secure-code-warrior-for-github bot commented Nov 18, 2025

Micro-Learning Topic: Prototype pollution (Detected by phrase)

Matched on "prototype pollution"

What is this? (2min video)

By adding or modifying attributes of an object prototype, it is possible to create attributes that exist on every object, or replace critical attributes with malicious ones. This can be problematic if the software depends on existence or non-existence of certain attributes, or uses pre-defined attributes of object prototype (such as hasOwnProperty, toString or valueOf).

Try a challenge in Secure Code Warrior

@gitnotebooks
Copy link

gitnotebooks bot commented Nov 18, 2025

Review these changes at https://app.gitnotebooks.com/OneFineStarstuff/OneFineStarstuff.github.io/pull/16

reviewabot[bot]
reviewabot bot approved these changes Nov 18, 2025
View reviewed changes
Copy link

@reviewabot reviewabot bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The changes in this pull request appear to be updates to the package-lock.json files for both the backend and frontend, specifically updating the versions of the js-yaml and csstype packages.

Here are a few points to consider:

  1. Consistency: The updates to the js-yaml package are consistent across different dependencies, which is good for maintaining uniformity in the project.

  2. Security: There are no secrets or sensitive information in clear text, which is good practice.

  3. Newline at End of File: Ensure that the files end with a newline. This is a common convention and helps avoid issues with concatenation and version control systems.

  4. Dependencies: Make sure that updating these dependencies does not introduce any breaking changes or compatibility issues with other parts of the project. It is always a good idea to run tests to ensure everything works as expected after such updates.

  5. Redundant Line Breaks: There are no redundant line breaks in the changes, which keeps the code clean and readable.

Overall, the changes look good, but please ensure that the files end with a newline.

@difflens
Copy link

difflens bot commented Nov 18, 2025

View changes in DiffLens

@gstraccini gstraccini bot added the 🤖 bot label Nov 18, 2025
@coderabbitai
Copy link

coderabbitai bot commented Nov 18, 2025

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Comment @coderabbitai help to get the list of available commands and usage tips.

@socket-security
Copy link

socket-security bot commented Nov 18, 2025

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security		 Vulnerability Quality Maintenance License
Addedcrypto@​1.0.11001004250100
Addedeslint@​8.57.09710010050100
Addedeslint-config-next@​14.2.5991006598100
Updated@​types/​react-dom@​18.3.7 ⏵ 18.2.211001007595100
Addedcors@​2.8.510010010075100
Addedexpress-brute@​1.0.1959310077100
Addedhpp@​0.2.310010010077100
Addedeslint-config-node@​4.1.01001009378100
Addedexpress-mongo-sanitize@​2.2.010010010078100
Addedhusky@​8.0.31001007981100
Addedvitest@​1.6.1981007999100
Updated@​types/​react@​18.3.24 ⏵ 18.2.671001007995 -1100
Updated@​types/​node@​24.3.0 ⏵ 20.19.111001008196100
Updated@​types/​node@​24.3.0 ⏵ 20.11.19100 +110082 +196100
Addedclassnames@​2.5.110010010082100
Addednext@​14.2.3282100959870
Addedexpress-session@​1.18.29910010083100
Addedexpress-validator@​7.3.01001008389100
Addedhelmet@​7.2.010010010083100
Addedexpress-slow-down@​2.1.010010010084100
Addedcompression@​1.8.19910010084100
Addedexpress@​4.21.29710010086100
Addedconnect-redis@​7.1.110010010086100
Addedbcryptjs@​2.4.31001001008780
Updatedzustand@​3.7.2 ⏵ 4.5.210010010088100
Addeddompurify@​3.2.61001001008990
Addedtypescript@​5.4.51001009010090
Addeddotenv@​16.6.110010010091100
Addedexpress-rate-limit@​7.5.110010010091100
Addedioredis@​5.7.09910010092100

View full report

@netlify
Copy link

netlify bot commented Nov 18, 2025
edited
Loading

Deploy Preview for onefinestarstuff failed.

Name Link
🔨 Latest commit 945c004
🔍 Latest deploy log https://app.netlify.com/projects/onefinestarstuff/deploys/691c2972293a5b000800b4cb

@OneFineStarstuff OneFineStarstuff merged commit 58af82e into main Nov 20, 2025
19 of 86 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@gstraccini gstraccini[bot] gstraccini[bot] approved these changes

+1 more reviewer

@reviewabot reviewabot[bot] reviewabot[bot] approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

@OneFineStarstuff OneFineStarstuff

Labels

☑️ auto-merge 🤖 bot dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code size/XS

Projects

@OneFineStarstuff's (Radiant Cosmic Brilliance) project
Status: Done

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@OneFineStarstuff