Skip to content

Update dependency js-yaml to v5#1750

Open
renovate[bot] wants to merge 1 commit into
masterfrom
renovate/js-yaml-5.x
Open

Update dependency js-yaml to v5#1750
renovate[bot] wants to merge 1 commit into
masterfrom
renovate/js-yaml-5.x

Conversation

@renovate

@renovate renovate Bot commented Jun 20, 2026

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Change Age Confidence
js-yaml 4.3.05.2.1 age confidence

Release Notes

nodeca/js-yaml (js-yaml)

v5.2.1

Compare Source

Fixed
  • Add Map support to !!omap (should work when realMapTag used)
Security
  • Remove quadratic complexity from !!omap addItem. Regression from v5
    (usually not critical, because YAML11_SCHEMA is not default anymore).

v5.2.0

Compare Source

Added
  • Added maxTotalMergeKeys (10000) loader option to limit the total number of
    keys processed by YAML merge (<<) across one load() / loadAll() call.
  • Added maxAliases (-1) loader option to limit the number of YAML aliases per
    document.
Removed
  • maxMergeSeqLength replaced with maxTotalMergeKeys for limiting YAML merge
    processing.
Fixed
  • Round-trip of integers with exponential form (>= 1e21)

v5.1.0

Compare Source

Added
  • Collection tags can finalize an incrementally populated carrier into a
    different result value.
Changed
  • [breaking] quoteStyle now selects the preferred quote style; use the
    restored forceQuotes option to force quoting non-key strings.

v5.0.0

Compare Source

Added
  • Added named exports for schemas, tags, parser events and AST utilities.
  • Reworked JSON_SCHEMA and CORE_SCHEMA with spec-compliant scalar resolution
    rules, and added YAML11_SCHEMA.
  • Added realMapTag for lossless mappings with non-string and complex keys.
    Object-based mappings now reject complex keys instead of stringifying them.
  • Added dump() transform option for changing the generated AST before
    rendering.
  • Added dump() options seqInlineFirst, flowBracketPadding,
    flowSkipCommaSpace, flowSkipColonSpace, quoteFlowKeys, quoteStyle and
    tagBeforeAnchor.
  • Added formal data layers (events and AST) for modular data pipelines.
    • Added low-level parser (to events), presenter and visitor APIs.
  • Added the YAML Test Suite to the
    test set.
Changed
  • See the migration guide for upgrade notes.
  • Rewritten in TypeScript and reorganized the public API around flat named
    exports.
  • Reduced the set of exported schemas:
    • YAML 1.2 schemas: CORE_SCHEMA (loader default), JSON_SCHEMA,
      FAILSAFE_SCHEMA.
    • YAML11_SCHEMA, a combination of all YAML 1.1 tags (YAML 1.1 does not
      specify a schema, only "types").
  • load/dump default behaviour is now specified exactly via schemas:
    • load uses CORE_SCHEMA, without !!merge by default.
    • dump uses YAML11_SCHEMA + CORE_SCHEMA for the quoting check, to
      guarantee backward compatibility by default.
  • !!set is now loaded as a JavaScript Set.
  • Replaced the Type API with a tags API. Similar, but more precise and
    simpler. See examples for details. Tags can be defined via
    defineScalarTag(), defineSequenceTag() and defineMappingTag(), or as a
    spread + override of an existing tag.
  • Renamed Schema.extend() to Schema.withTags().
  • Expanded YAML 1.2 conformance and improved handling of directives, document
    markers, block keys, multiline scalars, tag syntax and other things.
  • load() now throws on empty input instead of returning undefined.
  • Moved browser builds to the js-yaml/browser export.
  • Deprecated the loadAll signature with an iterator (still works, but is a
    candidate for removal).
Removed
  • Removed deprecated safeLoad(), safeLoadAll() and safeDump() exports.
  • Removed DEFAULT_SCHEMA and the nested types export.
  • Removed loader options onWarning, legacy and listener.
  • Removed dumper options styles, replacer, noCompatMode, condenseFlow,
    quotingType and forceQuotes. Renamed noArrayIndent to seqNoIndent.
    Formatting and representation are now configured through presenter options,
    schemas and tag definitions. See migration guide on how to replace.
  • Removed support for importing internal files from lib/.

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate Bot added the 📦 dependencies Pull requests that update a dependency file label Jun 20, 2026
@renovate renovate Bot enabled auto-merge (squash) June 20, 2026 18:16
@renovate renovate Bot added the 📦 dependencies Pull requests that update a dependency file label Jun 20, 2026
@renovate renovate Bot force-pushed the renovate/js-yaml-5.x branch from a67b88b to 49f3f9e Compare June 21, 2026 00:46
@github-actions github-actions Bot modified the milestone: v0.3.16 Jun 21, 2026
@renovate renovate Bot force-pushed the renovate/js-yaml-5.x branch 2 times, most recently from 8d61cfa to 00efb39 Compare June 23, 2026 01:35

@codacy-production codacy-production Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR aims to upgrade js-yaml to version 5, which introduces significant breaking changes. However, the current diff is empty, and no changes have been made to package.json or the source code.

Key risks include the removal of safeLoad and safeDump functions, and a behavioral change where load() now throws an error on empty input instead of returning undefined. These changes require manual code migration and testing to prevent runtime failures. The PR is currently not ready for merging as the implementation is missing.

About this PR

  • The upgrade to v5 requires replacing all instances of safeLoad and safeDump with load and dump. Additionally, logic handling YAML loading must be updated to account for the fact that load() now throws on empty input. Failure to address these will lead to application crashes.
  • The PR does not contain any file changes. A dependency upgrade requires updating the manifest files and addressing any resulting breaking changes in the source code.

Test suggestions

  • Verify load() throws an error on empty input as per v5 specification
  • Verify YAML dumping with renamed options (e.g., seqNoIndent) works as expected
  • Verify that code using previously deprecated and now removed safeLoad/safeDump functions still functions correctly
Prompt proposal for missing tests
Consider implementing these tests if applicable:
1. Verify load() throws an error on empty input as per v5 specification
2. Verify YAML dumping with renamed options (e.g., seqNoIndent) works as expected
3. Verify that code using previously deprecated and now removed safeLoad/safeDump functions still functions correctly

TIP Improve review quality by adding custom instructions
TIP How was this review? Give us feedback

@codacy-production

codacy-production Bot commented Jun 23, 2026

Copy link
Copy Markdown

Up to standards ✅

🟢 Issues 0 issues

Results:
0 new issues

View in Codacy

🟢 Metrics 0 complexity · 0 duplication

Metric Results
Complexity 0
Duplication 0

View in Codacy

AI Reviewer: first review requested successfully. AI can make mistakes. Always validate suggestions.

Run reviewer

TIP This summary will be updated as you push new changes.

@renovate renovate Bot force-pushed the renovate/js-yaml-5.x branch 13 times, most recently from cf0c144 to ebce7d8 Compare July 1, 2026 23:15
@renovate renovate Bot force-pushed the renovate/js-yaml-5.x branch from ebce7d8 to e81337e Compare July 2, 2026 01:03
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

📦 dependencies Pull requests that update a dependency file

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants