[DPEDE-1784](deps): Bump yaml from 2.8.2 to 2.8.3 #2005

Open
dependabot[bot] wants to merge 1 commit into master from dependabot-npm_and_yarn-yaml-2.8.3

Conversation

@dependabot dependabot Bot commented on behalf of github Mar 30, 2026

Bumps yaml from 2.8.2 to 2.8.3.

Release notes

Sourced from yaml's releases.

v2.8.3

  • Add trailingComma ToString option for multiline flow formatting (#670)
  • Catch stack overflow during node composition (1e84ebb)
Commits
  • ce14587 2.8.3
  • 1e84ebb fix: Catch stack overflow during node composition
  • 6b24090 ci: Include Prettier check in lint action
  • 9424dee chore: Refresh lockfile
  • d1aca82 Add trailingComma ToString option for multiline flow formatting (#670)
  • 4321509 ci: Drop the branch filter from GitHub PR actions
  • 47207d0 chore: Update docs-slate
  • 5212fae chore: Update docs-slate
  • See full diff in compare view

You can trigger a rebase of this PR by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

You can disable automated security fix PRs for this repo from the Security Alerts page.

Note
Automatic rebases have been disabled on this pull request as it has been open for over 30 days.

Bumps [yaml](https://github.com/eemeli/yaml) from 2.8.2 to 2.8.3.
- [Release notes](https://github.com/eemeli/yaml/releases)
- [Commits](eemeli/yaml@v2.8.2...v2.8.3)

---
updated-dependencies:
- dependency-name: yaml
  dependency-version: 2.8.3
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Mar 30, 2026
@dependabot dependabot Bot requested a review from a team as a code owner March 30, 2026 21:11
@lumen-jenkins-prod


The CI pipeline did not run successfully in https://jenkinsprod.corp.intranet:8443/job/UX-CHI/job/Productive/job/Chi/job/PR-2005/1/. ❌

cl-aifel-test Bot commented Jun 29, 2026


🔖 aifel-verdict — AiFEL dependency-triage verdict (schema 1.1)

AiFEL verdict — 🚨 Escalate (ci-health) — human review required

Routine yaml patch (2.8.2→2.8.3) fixes one medium advisory and introduces no breaking changes, but critical CI on master is at 64.3% pass rate — escalating for a human to confirm the failures are pre-existing and unrelated before merging.

TL;DR

  • Merge: 🔍 review CI health, then merge — the dependency itself is safe; verify that failing critical checks on master pre-date this PR before merging.
  • Breaks your code? ✅ Most likely not.
  • Security? ✅ This bump fixes GHSA-48c2-rrv3-qjmp.
  • Update: yaml: you have 2.8.2, this PR installs 2.8.3 (patch, spans 1 release). Fixes a medium-severity stack overflow advisory (CVSS 4.3); no code changes needed.
| Signal | Value | Interpretation |
|---|---|---|
| Bump type | patch | z-level increment only (2.8.2→2.8.3); patch bumps are backward-compatible by semver convention. |
| Dependency risk | low | Patch bump with no breaking API changes; changelog adds only a trailingComma formatting option and fixes a stack overflow during node composition. No import of yaml detected in the repo, so blast radius is zero. |
| Security risk | low | Fixes GHSA-48c2-rrv3-qjmp (CVE-2026-33532, CVSS 4.3, medium) — that advisory's range is >= 2.0.0, < 2.8.3, so 2.8.3 is clear. GHSA-f9xv-q969-pqx4 (CVE-2023-2251, CVSS 7.5) affects only >= 2.0.0-5, < 2.2.2 — neither 2.8.2 nor 2.8.3 is in that range; not applicable. No advisories remain after the bump. |
| CI health risk | high | Critical checks: 28 runs on master, pass rate 64.3% (< 70% threshold) → ci_confidence: low. Failures are concentrated on other Dependabot PRs (@babel/preset-env, nuxt, vite updates), strongly suggesting pre-existing repo instability unrelated to this yaml patch. Flakiness: 0%. |
| API usage in repo | false | Zero matches across all import forms (from 'yaml', require('yaml'), import('yaml'), export ... from 'yaml') — confirmed by local file scan. |
| Cross-repo signal | standalone | No publishable root manifest found in the repo root. |
| Data completeness | complete | All 5 signals obtained: classification, API usage, release notes, CI health, cascade scan. |
📋 Why this route + what AiFEL checked

Why this route?

escalate because: critical CI confidence is low (pass rate 64.3% on master, 28 critical runs, below the 70% threshold).

Escalation category: ci-health (dependency and security axes are both low; this escalation is driven entirely by the repo's general CI instability, not by anything in this yaml patch).

Confidence breakdown — score: 0.85.

  • ✅ Patch bump — no breaking API changes expected by semver

  • ✅ No in-repo usage of yaml confirmed by local grep (zero hits, zero files)

  • ✅ No advisories affect yaml 2.8.3; GHSA-48c2-rrv3-qjmp is resolved by this bump

  • ✅ Release notes reviewed — only additive changes, no breaking APIs

  • ✅ No cascade conflicts

  • ⚠️ Critical CI low (pass rate 64.3%, below 70% threshold) — score −0.15

  • 💡 To reach a lower route: Improve critical CI pass rate on master to ≥ 70% (→ ci_confidence: medium, route spot_check) or ≥ 90% with ≤ 10% flakiness (→ high, route auto_eligible). The failing workflows (@babel/preset-env, nuxt, vite Dependabot PRs) appear pre-existing and unrelated to yaml — resolving those would unblock this and future patches automatically.

What AiFEL checked

  1. Triage — classified patch (yaml 2.8.2→2.8.3).
  2. Symbol extraction — none found (0 import sites across scanned files).
  3. Release-notes comparator — v2.8.3: adds trailingComma ToString option for multiline flow formatting; catches stack overflow during node composition (1e84ebb). No breaking changes.
  4. CI health — 28 critical runs on master: pass 64.3%, flaky 0% → confidence low; informational excluded: none.
  5. Cascade coordinator — 0 conflicts.
  6. Data completeness — obtained 5/5 signals; missing: none.

Will merging break your code?

Per AiFEL analysis, most likely won't impact your code. The yaml package has zero import sites in the repo source, so no code paths are touched by this bump.

Security advisories

✅ This bump resolves all 1 known advisories and none affect 2.8.3 — clear on the security axis.

Resolved by this bump (1): GHSA-48c2-rrv3-qjmp — no action needed (CVSS 4.3).

Note: GHSA-f9xv-q969-pqx4 (CVE-2023-2251, CVSS 7.5, high) affects yaml >= 2.0.0-5, < 2.2.2 only; neither the old version (2.8.2) nor the new version (2.8.3) falls in that range — not applicable to this PR.

Packages — what you have vs what this PR installs

| Ecosystem | Package | You have | This PR installs | What changes for you |
|---|---|---|---|---|
| npm | yaml | 2.8.2 | 2.8.3 | Routine patch — fixes GHSA-48c2-rrv3-qjmp (stack overflow, CVSS 4.3); no code impact |

Machine-readable verdict
{
  "schema_version": "1.1",
  "classification": "patch",
  "risk_band": "low",
  "ci_confidence": "low",
  "decision_route": "escalate",
  "data_completeness": "complete",
  "escalate_reason": "risk",
  "missing_signals": [],
  "confidence": 0.85,
  "packages": [{"ecosystem": "npm", "name": "yaml", "old_version": "2.8.2", "new_version": "2.8.3"}],
  "breaking_changes": [],
  "cascade_conflicts": [],
  "summary": "Routine yaml patch (2.8.2→2.8.3) fixes GHSA-48c2-rrv3-qjmp (CVSS 4.3); zero in-repo usage confirmed; escalated due to low CI confidence (64.3% pass rate on master).",
  "upgrade_risk_note": null,
  "cross_repo_signal": "standalone",
  "api_usage_found": false,
  "advisory_ids": [],
  "max_cvss": null,
  "feedback_capture_marker": "aifel-CenturyLink-Chi-2005",
  "agent_version": "1.1.1-aw"
}

🤖 Generated by AiFEL — AI-assisted Dependabot triage. Advisory only; a human reviewer still decides and merges.

@cl-aifel-test cl-aifel-test Bot added the aifel/escalate AiFEL: human review required (breaking change or risk) label Jun 29, 2026