Source: node-js-yaml Version: 4.2.0+~4.0.9-1 Severity: important Tags: security upstream X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]> Control: found -1 4.1.0+dfsg+~4.0.5-7 Control: found -1 3.14.1+dfsg+~3.12.6-2
Hi, The following vulnerability was published for node-js-yaml. CVE-2026-59869[0]: | js-yaml is a JavaScript YAML parser and dumper. From 3.0.0 before | 3.15.0 and from 4.0.0 before 4.3.0, js-yaml can spend quadratic CPU | time parsing a document whose size grows only linearly when a chain | of mappings uses merge keys where each mapping merges the previous | one. This issue is fixed in versions 3.15.0 and 4.3.0. If you fix the vulnerability please also make sure to include the CVE (Common Vulnerabilities & Exposures) id in your changelog entry. For further information see: [0] https://security-tracker.debian.org/tracker/CVE-2026-59869 https://www.cve.org/CVERecord?id=CVE-2026-59869 [1] https://github.com/nodeca/js-yaml/security/advisories/GHSA-52cp-r559-cp3m [2] https://github.com/nodeca/js-yaml/commit/59423c6f8cdc78742ac00e25a4dd39ef16b702e4 Regards, Salvatore -- Pkg-javascript-devel mailing list [email protected] https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-javascript-devel
