
Unleash / unleash / 27601527557
87%
master: 91%

LAST BUILD BRANCH: main
DEFAULT BRANCH: master
Ran 16 Jun 2026 07:38AM UTC
Jobs 1
Files 1186
Run time 2min
16 Jun 2026 07:29AM UTC coverage: 87.333% (-0.03%) from 87.361%
27601527557

push

github

web-flow
chore(deps): update dependency js-yaml to v4.2.0 [security] (#12315)

This PR contains the following updates:

| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [js-yaml](https://redirect.github.com/nodeca/js-yaml) | [`4.1.1` → `4.2.0`](https://renovatebot.com/diffs/npm/js-yaml/4.1.1/4.2.0) | ![age](https://developer.mend.io/api/mc/badges/age/npm/js-yaml/4.2.0?slim=true) | ![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/js-yaml/4.1.1/4.2.0?slim=true) |

---

> [!WARNING]
> Some dependencies could not be looked up. Check the [Dependency Dashboard](../issues/959) for more information.

---

### JS-YAML: Quadratic-complexity DoS in merge key handling via repeated aliases
[CVE-2026-53550](https://nvd.nist.gov/vuln/detail/CVE-2026-53550) /
[GHSA-h67p-54hq-rp68](https://redirect.github.com/advisories/GHSA-h67p-54hq-rp68)

<details>
<summary>More information</summary>

#### Details
##### Summary
A crafted YAML document can trigger algorithmic CPU exhaustion in
`js-yaml` merge-key processing (`<<`) by repeating the same alias many
times in a merge sequence.
This causes quadratic parse-time behavior relative to input size and can
block a Node.js worker/event loop for seconds with a relatively small
payload (tens of KB), resulting in denial of service.

##### Details
The issue is in merge handling inside `lib/loader.js`:

- `storeMappingPair(...)` iterates every element of a merge sequence
when key tag is `tag:yaml.org,2002:merge`.
- For each element, it calls `mergeMappings(...)`.
- `mergeMappings(...)` computes `Object.keys(source)` and performs
`_hasOwnProperty.call(destination, key)` checks for each key.

When input is of the form:

```yaml
a: &a {k0:0, k1:0, ..., kK:0}
b: {<<: [*a, *a, *a, ... repeated M times ...]}
```

all `*a` entries refer to the same anchored object. After the first merge,
subsequent merges are semantically no-ops, but t... (continued)
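
A model of the merge loop the advisory describes, added here as an illustration; it is not js-yaml's code or its actual fix. `mergeMappings` follows the behaviour described above, while `mergeNaive`, `mergeDeduped`, `buildSample` and the identity-based de-duplication are assumptions made for the example.

```javascript
// Illustrative model only: counts the hasOwnProperty probes the described
// merge loop performs, with and without skipping repeated alias targets.
const hasOwn = Object.prototype.hasOwnProperty;

// As described in the advisory: enumerate the source keys and copy those the
// destination does not already have. stats.checks counts the probes.
function mergeMappings(destination, source, stats) {
  for (const key of Object.keys(source)) {
    stats.checks++;
    if (!hasOwn.call(destination, key)) destination[key] = source[key];
  }
}

// Merges every element of the merge sequence, repeats included.
function mergeNaive(sources) {
  const stats = { checks: 0 };
  const destination = {};
  for (const source of sources) mergeMappings(destination, source, stats);
  return { result: destination, checks: stats.checks };
}

// Assumed mitigation: an alias resolves to the same object each time, so a
// source that was already merged can be skipped by identity. The result is
// unchanged because merging never removes or overwrites destination keys.
function mergeDeduped(sources) {
  const stats = { checks: 0 };
  const destination = {};
  const seen = new Set();
  for (const source of sources) {
    if (seen.has(source)) continue;
    seen.add(source);
    mergeMappings(destination, source, stats);
  }
  return { result: destination, checks: stats.checks };
}

// Constructed sample: one anchored mapping with K keys, referenced M times,
// built as in-memory objects rather than parsed from YAML text.
function buildSample(K, M) {
  const anchored = {};
  for (let i = 0; i < K; i++) anchored['k' + i] = 0;
  return new Array(M).fill(anchored);
}

const sample = buildSample(200, 300);
const naive = mergeNaive(sample);
const deduped = mergeDeduped(sample);
console.log('naive checks:', naive.checks, 'deduped checks:', deduped.checks);
```

Because K and M both grow with the document length, the naive probe count K × M grows quadratically in input size, while the de-duplicated count stays at K.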

1875 of 2069 branches covered (90.62%)

15209 of 17415 relevant lines covered (87.33%)

908.86 hits per line

Coverage Regressions

| Lines | Coverage | ∆ | File |
|---|---|---|---|
| 5 | 79.09 | -4.55% | src/lib/features/playground/feature-evaluator/constraint.ts |
| 1 | 89.58 | -2.08% | src/lib/features/frontend-api/client-feature-toggle-read-model.ts |

Jobs
| ID | Job ID | Ran | Files | Coverage |
|---|---|---|---|---|
| 1 | 27601527557.1 | 16 Jun 2026 07:38AM UTC | 1186 | 87.33 |

GitHub Action Run
Source Files on build 27601527557
  • Tree
  • List 1186
  • Changed 3
  • Source Changed 0
  • Coverage Changed 3
  • Github Actions Build #27601527557
  • ad32352c on github
  • Prev Build on main (#27600569097)
  • Next Build on main (#27621572083)