Update dependency yaml to v2.9.0 #16

Open

renovate wants to merge 1 commit from renovate/yaml-2.x-lockfile into main

pull from: renovate/yaml-2.x-lockfile

merge into: florian:main

florian:main

florian:renovate/node-24.x

florian:renovate/actions-setup-node-6.x

florian:renovate/actions-checkout-6.x

florian:renovate/mermaid-11.x-lockfile

florian:renovate/vitest-monorepo

florian:renovate/react-monorepo

florian:renovate/nextjs-monorepo

florian:renovate/vitejs-plugin-react-6.x-lockfile

florian:renovate/node-22.x-lockfile

florian:clawteam/greenroom-mvp-cycle-1/shared

florian:clawteam/greenroom-mvp-cycle-1/coordinator

florian:feature/greenroom-mvp-graph-traversal

florian:feature/us-003-entity-relationship-panels-f8dc6072

florian:feature/us-004-docs-navigation-shell-2a639be7

florian:feature/us-002-catalog-index-and-facet-filters-7e01571e

Conversation 0 Commits 1 Files changed 1 +3 -3

renovate commented 2026-06-14 03:22:10 +02:00

Collaborator

Copy link

This PR contains the following updates:

Package	Change	Age	Confidence
yaml (source)	2.8.3 → 2.9.0

---

Release Notes

eemeli/yaml (yaml)

v2.9.0

Compare Source

The changes here are really only patches, but I'm releasing this as a minor version to note a small change to the documentation of parseDocument() and parseAllDocuments(): I've removed the claim that they'll "never throw".

It remains the case that practically all non-malicious inputs will be handled without emitting an error, but there is a decent chance that code paths remain where e.g. a RangeError due to call stack exhaustion can be triggered by malicious inputs. Up to now, I've considered these as security vulnerabilities, and in fact it's the only category of error for which yaml CVEs have been issued so far.

Starting from this release, I'll be considering such errors as bugs, but not vulnerabilities. I do welcome people and/or LLMs looking for them, but please report them as normal issues rather than suspected security vulnerabilities. This also applies to previously undiscovered bugs in earlier releases.

• fix: Avoid calling Array.prototype.push.apply() with large source array
• fix(lexer): Avoid recursive calls that may exhaust the call stack

v2.8.4

Compare Source

• Disable alias resolution with maxAliasCount:0 (#​677)
• Handle invalid unicode escapes (e1a1a77)
• Apply minFractionDigits only to decimal strings (#​676)

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Mend Renovate.

This PR contains the following updates: | Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) | |---|---|---|---| | [yaml](https://eemeli.org/yaml/) ([source](https://github.com/eemeli/yaml)) | [`2.8.3` → `2.9.0`](https://renovatebot.com/diffs/npm/yaml/2.8.3/2.9.0) |  |  | --- ### Release Notes <details> <summary>eemeli/yaml (yaml)</summary> ### [`v2.9.0`](https://github.com/eemeli/yaml/releases/tag/v2.9.0) [Compare Source](https://github.com/eemeli/yaml/compare/v2.8.4...v2.9.0) The changes here are really only patches, but I'm releasing this as a minor version to note a small change to the documentation of `parseDocument()` and `parseAllDocuments()`: I've removed the claim that they'll "never throw". It remains the case that practically all non-malicious inputs will be handled without emitting an error, but there is a decent chance that code paths remain where e.g. a RangeError due to call stack exhaustion can be triggered by malicious inputs. Up to now, I've considered these as security vulnerabilities, and in fact it's the only category of error for which `yaml` CVEs have been issued so far. Starting from this release, I'll be considering such errors as bugs, but not vulnerabilities. I do welcome people and/or LLMs looking for them, but please report them as normal issues rather than suspected security vulnerabilities. This also applies to previously undiscovered bugs in earlier releases. - fix: Avoid calling `Array.prototype.push.apply()` with large source array - fix(lexer): Avoid recursive calls that may exhaust the call stack ### [`v2.8.4`](https://github.com/eemeli/yaml/releases/tag/v2.8.4) [Compare Source](https://github.com/eemeli/yaml/compare/v2.8.3...v2.8.4) - Disable alias resolution with `maxAliasCount:0` ([#&#8203;677](https://github.com/eemeli/yaml/issues/677)) - Handle invalid unicode escapes ([`e1a1a77`](https://github.com/eemeli/yaml/commit/e1a1a77)) - Apply `minFractionDigits` only to decimal strings ([#&#8203;676](https://github.com/eemeli/yaml/issues/676)) </details> --- ### Configuration 📅 **Schedule**: (UTC) - Branch creation - At any time (no schedule defined) - Automerge - At any time (no schedule defined) 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Mend Renovate](https://github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0My4yMjAuMCIsInVwZGF0ZWRJblZlciI6IjQzLjIyMC4wIiwidGFyZ2V0QnJhbmNoIjoibWFpbiIsImxhYmVscyI6W119-->

renovate added 1 commit 2026-06-14 03:22:10 +02:00

Update dependency yaml to v2.9.0 1e2b4ad00f

All checks were successful

Hide all checks

CI / build (push) Successful in 1m16s

Details

CI / build (pull_request) Successful in 1m17s

Details

This pull request can be merged automatically.

You are not authorized to merge this pull request.

View command line instructions

Checkout

From your project repository, check out a new branch and test the changes.

git fetch -u origin renovate/yaml-2.x-lockfile:renovate/yaml-2.x-lockfile

git switch renovate/yaml-2.x-lockfile

Merge

Merge the changes and update on Forgejo.

Warning: The "Autodetect manual merge" setting is not enabled for this repository, you will have to mark this pull request as manually merged afterwards.

git switch main

git merge --no-ff renovate/yaml-2.x-lockfile

git switch renovate/yaml-2.x-lockfile

git rebase main

git switch main

git merge --ff-only renovate/yaml-2.x-lockfile

git switch renovate/yaml-2.x-lockfile

git rebase main

git switch main

git merge --no-ff renovate/yaml-2.x-lockfile

git switch main

git merge --squash renovate/yaml-2.x-lockfile

git switch main

git merge --ff-only renovate/yaml-2.x-lockfile

git switch main

git merge renovate/yaml-2.x-lockfile

git push origin main

Sign in to join this conversation.

Reviewers

No reviewers

Labels

Clear labels   

bug

Something isn't working

  

documentation

Improvements or additions to documentation

  

duplicate

This issue or pull request already exists

  

enhancement

New feature or request

  

good first issue

Good for newcomers

  

help wanted

Extra attention is needed

  

invalid

This doesn't seem right

  

question

Further information is requested

  

wontfix

This will not be worked on

No labels

bug

documentation

duplicate

enhancement

good first issue

help wanted

invalid

question

wontfix

Milestone

Clear milestone

No items

No milestone

Projects

Clear projects

No items

No project

Assignees

Clear assignees

No assignees

1 participant

Notifications

Subscribe

Due date

The due date is invalid or out of range. Please use the format "yyyy-mm-dd".

No due date set.

Dependencies

No dependencies set.

Reference

florian/greenroom!16

No description provided.