Willing to publish v3 version with CVE fix?

[Eric-Arellano]

Hi, thank you for releasing 383665f!

I am wondering if you would be open to please cherry-pick that fix to the v3 branch and to deploy that patch fix? I'm asking because some open-source projects still use js-yaml v3 as a transitive dependency, and it is not possible to use resolutions to force-upgrade to js-yaml v4 because it will break their code. So, the only way to address the vulnerability for those dependencies is for them to upgrade to js-yaml v4, or to stop using that dependency entirely. I've found two instances of that:

• Willing to publish v3 to bump js-yaml due to CVE? oozcitak/xmlbuilder2#205 (their recent v4 release breaks with ESM)
• deps: Update js-yaml to ^4.1.0 jonschlinkert/gray-matter#172 (comment) (unmaintained library)

No worries if that is not possible; I understand v3 is quite old. Either way, thank you for this project!

[puzrin]

To be honest, v3 is very old, and i don't remember what happens there and is the used tooling still working. I have no principal objections about publishing v3 patch, but can not promise any deadlines. If anyone wish to make PR to v3 branch, that will help significatnly.

[mhassan1]

@puzrin I put up a PR: #731.

[puzrin]

Published. Please check and let me know how it is.

@mhassan1 thank you very much

[mhassan1]

@puzrin It looks like the latest tag now points to 3.14.2, which is probably not right; otherwise, the release looks good.

[puzrin]

Ups... fixed latest tag in npm, but badges are still cached with old version. If they will not refresh, will make a dummy release.

Thank you again!

[mhassan1]

Thanks. I've also submitted this to the GitHub Security Advisory Database: github/advisory-database#6420.

[Eric-Arellano]

Thank you so much @mhassan1 and @puzrin! 🙌

[SaleDrache]

Hi, just a small follow-up regarding the advisory metadata, since it affects some external security databases.

The fix for GHSA-mh29-5h37-fv8m was correctly backported to v3.14.2, and the GitHub Advisory Database already reflects this:
https:// github.com/advisories/GHSA-mh29-5h37-fv8m

However, the repository-level advisory still lists only v4.1.1 as patched:
https:// github.com/nodeca/js-yaml/security/advisories/GHSA-mh29-5h37-fv8m

Because these two advisories are out of sync, some external scanners (e.g. BlackDuck) and public vulnerability databases still show only v4.1.1 as patched. For example:
https://www.cve.org/CVERecord?id=CVE-2025-64718

If the repository advisory is updated to include 3.14.2 as a patched version, these downstream tools will automatically pick up the correct information.

Thank you very much — just mentioning this so downstream users don’t continue receiving false vulnerability reports.

[nnicolosi]

@SaleDrache Thanks for the follow-up on the advisory metadata. Do you happen to know the process for getting the repository-level advisory updated to reflect v3.14.2 as a patched version?