Skip to content

GHSA-mh29-5h37-fv8m #42

Open
Open
GHSA-mh29-5h37-fv8m#42
@Mister-Hope

Description

@Mister-Hope
Mister-Hope
opened on May 7, 2026
┌─────────────────────┬────────────────────────────────────────────────────────┐
│ moderate            │ js-yaml has prototype pollution in merge (<<)          │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Package             │ js-yaml                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Vulnerable versions │ >=4.0.0 <4.1.1                                         │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Patched versions    │ >=4.1.1                                                │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ Paths               │ packages__hexo-next>@next-theme/utils>js-yaml          │
├─────────────────────┼────────────────────────────────────────────────────────┤
│ More info           │ https://github.com/advisories/GHSA-mh29-5h37-fv8m      │
└─────────────────────┴────────────────────────────────────────────────────────┘

In main branch, js-yaml is replaced by yaml (but still a vulnerable version), when can a fresh new version being published? @stevenjoezhang

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions