Description
Hello Team,
Security scanners (like Dependabot and npm audit) are flagging a prototype pollution vulnerability in js-yaml. The patched version is 4.1.1 or higher.
The latest version of codeceptjs (3.7.5) has transitive dependencies on two different vulnerable versions of js-yaml, which creates a conflict that cannot be automatically resolved.
Here is the dependency tree from `npm ls js-yaml`:

```
├─┬ codeceptjs@3.7.5
│ ├─┬ @codeceptjs/detox-helper@1.1.12
│ │ └─┬ react-native@0.81.4
│ │   └─┬ babel-jest@29.7.0
│ │     └─┬ babel-plugin-istanbul@6.1.1
│ │       └─┬ @istanbuljs/load-nyc-config@1.1.0
│ │         └── js-yaml@3.14.1 <-- VULNERABLE
│ └─┬ mocha@11.7.2
│   └── js-yaml@4.1.0 deduped <-- VULNERABLE
└─┬ eslint@8.57.1
  ├─┬ @eslint/eslintrc@2.1.4
  │ └── js-yaml@4.1.0 deduped <-- VULNERABLE
  └── js-yaml@4.1.0 <-- VULNERABLE
```
This conflict (one path requiring ^3.x and another ^4.x) prevents `npm audit fix` or Dependabot from applying the security patch. The only way for users to fix this currently is to manually add an override or resolution for js-yaml in their `package.json`.
Could these dependencies be updated to consolidate on a patched version of js-yaml (4.1.1 or higher) to resolve this security vulnerability?
Thank you!
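The interim workaround the report refers to, written out as an added example (it is not part of the original issue and not something the codeceptjs project ships): a `package.json` fragment that uses npm's `overrides` field to force every transitive `js-yaml` onto the patched 4.1.1 line. The package name `my-app` and the `devDependencies` set are assumptions; the two override forms are shown together, but a project would normally pick one.

```json
{
  "name": "my-app",
  "private": true,
  "devDependencies": {
    "codeceptjs": "3.7.5",
    "eslint": "8.57.1"
  },
  "overrides": {
    "js-yaml": "^4.1.1",
    "@istanbuljs/load-nyc-config": {
      "js-yaml": "^4.1.1"
    }
  }
}
```

The top-level `"js-yaml": "^4.1.1"` entry rewrites every occurrence in the tree, including the `^4.x` ranges under mocha and eslint. The nested entry under `@istanbuljs/load-nyc-config` is the narrower form: it targets only the `^3.x` path from the tree above, which is the one that cannot be satisfied by a normal update. Forcing a 3.x consumer onto 4.x is a major-version jump (js-yaml 4 removed the `safeLoad`/`safeDump` API in favour of `load`/`dump`), so the override should be followed by a run of the affected tooling, not just an install. Yarn projects use a `resolutions` field with the same package-to-range mapping instead of `overrides`. After `npm install`, `npm ls js-yaml` should show only 4.1.1 or later and `npm audit` should no longer report js-yaml; if either still lists 3.14.1 or 4.1.0, the lockfile was not regenerated and needs to be deleted and reinstalled.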