Potential Security Vulnerability Detected
Repository: grafana/grafana
Commit: 4467967
Author: renovate-sh-app[bot]
Date: 2026-06-16T15:12:51Z
Commit Message
fix(security/medium/): update security js-yaml to v4.2.0 [security] (#126517)
* fix(security/medium/): update security js-yaml to v4.2.0 [security]
| datasource | package | from | to |
| ---------- | ------- | ----- | ----- |
| npm | js-yaml | 4.1.1 | 4.2.0 |
Signed-off-by: renovate-sh-app[bot] <219655108+renovate-sh-app[bot]@users.noreply.github.com>
* chore: update resolutions
---------
Signed-off-by: renovate-sh-app[bot] <219655108+renovate-sh-app[bot]@users.noreply.github.com>
Co-authored-by: renovate-sh-app[bot] <219655108+renovate-sh-app[bot]@users.noreply.github.com>
Co-authored-by: Hugo Häggmark <hugo.haggmark@gmail.com>
Pull Request
PR: #126517 - fix(security/medium/): update security js-yaml to v4.2.0 [security]
Labels: area/frontend, automerge-security-update, severity:MEDIUM
Description:
This PR contains the following updates: js-yaml 4.1.1→4.2.0 (https://renovatebot.com/diffs/npm/js-yaml/4.1.1/4.2.0)
Analysis
Vulnerability Type: Denial of Service (DoS)
Severity: Medium
Description
This patch updates js-yaml from version 4.1.1 to 4.2.0 to fix a quadratic-complexity Denial of Service (DoS) vulnerability in the handling of merge keys (<<) with repeated aliases. An attacker can craft a YAML document that references the same alias many times in a merge sequence, causing excessive CPU consumption during parsing and effectively a denial of service.
Affected Code
js-yaml versions prior to 4.2.0, including 4.1.1, where the merge key handling did not properly limit repeated alias expansions, allowing algorithmic CPU exhaustion.
Proof of Concept
---
foo: &a [x]
bar: &b [y]
baz: &c [z]
combined:
  <<: [*a, *a, *a, *a, *a, *a, *a, *a, *a, *a, *a, *a, *a, *a, *a, *a]
# Parsing this document with js-yaml <=4.1.1 causes excessive CPU usage and high resource consumption due to quadratic expansion of repeated aliases in the merge key.
This issue was automatically created by Vulnerability Spoiler Alert.
Detected at: 2026-06-16T18:01:34.378Z