fix(security): pin yaml devDependency to exact version 2.8.3 #23
Open
xiaolai wants to merge 1 commit into
Caret ranges allow automatic minor and patch upgrades, which can introduce silent supply-chain drift in CI environments. Pinning to an exact version ensures the installed package is always the audited one. Co-Authored-By: Claude Code <[email protected]>
This was referenced Apr 20, 2026
Bug

`package.json` declares the `yaml` devDependency with a caret range:

A caret range allows npm to automatically install any compatible minor or patch release (e.g. `2.9.0`, `2.8.4`). In CI environments, this means the installed version can silently change between runs whenever a new release is published — without any code change in this repo.

Since `yaml` is used to parse `sources.yaml`, which controls which external repos are cloned by the sync workflow, an unexpected version bump in the parser could introduce behavioral changes or vulnerabilities without review.

Fix

Pin to the exact version that was audited:

This is a one-line change with no functional impact for the current version. Future upgrades remain intentional and visible in the diff.

Why it matters

Supply-chain hygiene for CI scripts: unpinned deps in a workflow that clones third-party repos and writes files to the repo are a meaningful attack surface. Pinning is low-cost and eliminates one category of silent drift.
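The caret semantics described in the PR body, and a check that would catch the unpinned specifier in CI, as an added example (not code from the PR or from the repository it targets). The `package.json` object is constructed for illustration; the caret logic is the minimal `^X.Y.Z` rule for `X >= 1` and deliberately does not cover npm's narrower `^0.y.z` cases.

```javascript
// Added example: shows which versions a caret range admits and flags
// unpinned specifiers in a package.json. Not the project's own code.

// Constructed sample package.json: one caret-ranged devDependency (the
// situation this PR fixes) next to one exactly pinned dependency.
const samplePackageJson = {
  name: "example-repo",
  devDependencies: { yaml: "^2.8.3" },
  dependencies: { "left-pad": "1.3.0" },
};

// Parse a plain "X.Y.Z" string into numbers; null for anything else
// (ranges, tags, git URLs, prerelease suffixes).
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v);
  return m ? { major: +m[1], minor: +m[2], patch: +m[3] } : null;
}

// An exact pin is exactly "X.Y.Z" with no operator or range syntax.
function isExactVersion(spec) {
  return parseVersion(spec) !== null;
}

function compareVersions(a, b) {
  return a.major - b.major || a.minor - b.minor || a.patch - b.patch;
}

// Caret rule for ^X.Y.Z with X >= 1: any version >= X.Y.Z that keeps the
// same major. This is why ^2.8.3 admits 2.8.4 and 2.9.0 but not 3.0.0.
function caretSatisfies(spec, candidate) {
  if (!spec.startsWith("^")) throw new Error("not a caret range: " + spec);
  const base = parseVersion(spec.slice(1));
  const cand = parseVersion(candidate);
  if (!base || !cand) throw new Error("unsupported version syntax");
  if (base.major === 0) throw new Error("^0.y.z rules not modelled here");
  return cand.major === base.major && compareVersions(cand, base) >= 0;
}

// Given a caret range and a list of published versions, return the ones
// npm could silently select on a fresh install without a lockfile.
function driftCandidates(spec, published) {
  return published.filter((v) => caretSatisfies(spec, v));
}

// The CI check: every dependency in either section whose specifier is
// not an exact pin. A non-empty result should fail the job.
function findUnpinned(pkg) {
  const out = [];
  for (const section of ["dependencies", "devDependencies"]) {
    for (const [name, spec] of Object.entries(pkg[section] || {})) {
      if (!isExactVersion(spec)) out.push({ section, name, spec });
    }
  }
  return out;
}

// Constructed list of hypothetical releases, used only to illustrate drift.
const hypotheticalReleases = ["2.8.2", "2.8.3", "2.8.4", "2.9.0", "3.0.0"];
console.log("^2.8.3 admits:", driftCandidates("^2.8.3", hypotheticalReleases));
console.log("unpinned:", findUnpinned(samplePackageJson));
```

Pinning in `package.json` only governs the direct specifier; transitive dependencies are fixed by the lockfile, so the check above belongs alongside a committed lockfile installed with `npm ci`, which fails rather than resolving afresh when the two disagree.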