Skip to content

OCPBUGS-98489: CVE-2026-59869 bump js-yaml#16760

Open
vikram-raj wants to merge 1 commit into
openshift:mainfrom
vikram-raj:ocpbugs-98489
Open

OCPBUGS-98489: CVE-2026-59869 bump js-yaml#16760
vikram-raj wants to merge 1 commit into
openshift:mainfrom
vikram-raj:ocpbugs-98489

Conversation

@vikram-raj

@vikram-raj vikram-raj commented Jul 14, 2026

Copy link
Copy Markdown
Member

Analysis / Root cause:
CVE-2026-59869: js-yaml versions 3.0.0 to before 3.15.0 and 4.0.0 to before 4.3.0 can spend
quadratic CPU time parsing YAML documents with chained merge keys, enabling Denial of Service
via crafted payloads of only tens of kilobytes.

Jira: https://redhat.atlassian.net/browse/OCPBUGS-98489

Solution description:
Bump the direct js-yaml dependency from ^3.13.1 to ^3.15.0 (patched). The yarn lockfile
naturally resolves v4 consumers to 4.3.0 (also patched), so both v3 and v4 dependents get the
fix with their expected API.

Screenshots / screen recording:
N/A — dependency-only change, no UI impact.

Test setup:
No special setup required.

Test cases:

  • yarn install completes successfully
  • yarn build completes successfully
  • Verify yarn.lock shows js-yaml 3.15.0 for v3 consumers and 4.3.0 for v4 consumers

Browser conformance:
N/A — no UI changes.

Additional info:

  • CVE severity: Major
  • Affected component: openshift5/ose-console-rhel9

Summary by CodeRabbit

  • Chores
    • Updated the YAML parsing library to a newer compatible version.
    • Improved compatibility and stability for YAML processing in frontend tooling.

@openshift-merge-bot

Copy link
Copy Markdown
Contributor

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: LGTM mode

@openshift-ci-robot openshift-ci-robot added jira/severity-important Referenced Jira bug's severity is important for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. labels Jul 14, 2026
@openshift-ci-robot

Copy link
Copy Markdown
Contributor

@vikram-raj: This pull request references Jira Issue OCPBUGS-98489, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (5.0.0) matches configured target version for branch (5.0.0)
  • bug is in the state New, which is one of the valid states (NEW, ASSIGNED, POST)

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

Analysis / Root cause:
CVE-2026-59869: js-yaml versions 3.0.0 to before 3.15.0 and 4.0.0 to before 4.3.0 can spend
quadratic CPU time parsing YAML documents with chained merge keys, enabling Denial of Service
via crafted payloads of only tens of kilobytes.

Jira: https://redhat.atlassian.net/browse/OCPBUGS-98489

Solution description:
Bump the direct js-yaml dependency from ^3.13.1 to ^3.15.0 (patched). The yarn lockfile
naturally resolves v4 consumers to 4.3.0 (also patched), so both v3 and v4 dependents get the
fix with their expected API.

Screenshots / screen recording:
N/A — dependency-only change, no UI impact.

Test setup:
No special setup required.

Test cases:

  • yarn install completes successfully
  • yarn build completes successfully
  • Verify yarn.lock shows js-yaml 3.15.0 for v3 consumers and 4.3.0 for v4 consumers

Browser conformance:
N/A — no UI changes.

Additional info:

  • CVE severity: Major
  • Affected component: openshift5/ose-console-rhel9

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci-robot openshift-ci-robot added the jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. label Jul 14, 2026
@coderabbitai

coderabbitai Bot commented Jul 14, 2026

Copy link
Copy Markdown
Contributor

Walkthrough

The frontend updates its js-yaml dependency constraint from ^3.13.1 to ^3.15.0.

Changes

Frontend YAML dependency

Layer / File(s) Summary
Update js-yaml constraint
frontend/package.json
Changes the js-yaml dependency constraint from ^3.13.1 to ^3.15.0.

Estimated code review effort: 1 (Trivial) | ~2 minutes

Suggested reviewers: logonoff, rhamilto, jhadvig

🚥 Pre-merge checks | ✅ 15
✅ Passed checks (15 passed)
Check name Status Explanation
Title check ✅ Passed The title is concise, specific, and accurately describes the js-yaml CVE bump.
Description check ✅ Passed The PR description covers the required root cause, solution, testing, and impact sections and is mostly complete.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names ✅ Passed Only frontend/package.json and frontend/yarn.lock changed; no Ginkgo test titles were added or modified.
Test Structure And Quality ✅ Passed PR only bumps js-yaml in package metadata/lockfile; no Ginkgo test files or test logic changed, so this check is not applicable.
Microshift Test Compatibility ✅ Passed PR only changes frontend package/yarn lockfiles; no new Ginkgo e2e tests or runtime API uses were added.
Single Node Openshift (Sno) Test Compatibility ✅ Passed Only dependency files changed; no new Ginkgo e2e tests were added, so SNO multi-node compatibility is not applicable.
Topology-Aware Scheduling Compatibility ✅ Passed Only frontend dependency and lockfile changed; no manifests, controllers, or scheduling constraints were modified.
Ote Binary Stdout Contract ✅ Passed Only frontend/package.json and frontend/yarn.lock changed; no process-level OTE code or stdout writes were added.
Ipv6 And Disconnected Network Test Compatibility ✅ Passed No new Ginkgo e2e tests or network-sensitive code were added; only package.json and yarn.lock changed.
No-Weak-Crypto ✅ Passed The PR only bumps js-yaml in package.json and lockfile resolutions; no weak algorithms, custom crypto, or secret comparisons are introduced.
Container-Privileges ✅ Passed PR only changes frontend/package.json and frontend/yarn.lock; no container/K8s manifest fields like privileged, hostPID, hostNetwork, hostIPC, SYS_ADMIN, or allowPrivilegeEscalation are introduced.
No-Sensitive-Data-In-Logs ✅ Passed Only frontend/package.json and frontend/yarn.lock changed; no code or logging statements were added, so no sensitive-data-in-logs issue.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Comment @coderabbitai help to get the list of available commands.

@openshift-ci openshift-ci Bot requested a review from rhamilto July 14, 2026 16:30
@openshift-ci

openshift-ci Bot commented Jul 14, 2026

Copy link
Copy Markdown
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: vikram-raj

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci Bot requested a review from TheRealJon July 14, 2026 16:30
@openshift-ci openshift-ci Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jul 14, 2026
@openshift-ci-robot

Copy link
Copy Markdown
Contributor

@vikram-raj: This pull request references Jira Issue OCPBUGS-98489, which is valid.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (5.0.0) matches configured target version for branch (5.0.0)
  • bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)
Details

In response to this:

Analysis / Root cause:
CVE-2026-59869: js-yaml versions 3.0.0 to before 3.15.0 and 4.0.0 to before 4.3.0 can spend
quadratic CPU time parsing YAML documents with chained merge keys, enabling Denial of Service
via crafted payloads of only tens of kilobytes.

Jira: https://redhat.atlassian.net/browse/OCPBUGS-98489

Solution description:
Bump the direct js-yaml dependency from ^3.13.1 to ^3.15.0 (patched). The yarn lockfile
naturally resolves v4 consumers to 4.3.0 (also patched), so both v3 and v4 dependents get the
fix with their expected API.

Screenshots / screen recording:
N/A — dependency-only change, no UI impact.

Test setup:
No special setup required.

Test cases:

  • yarn install completes successfully
  • yarn build completes successfully
  • Verify yarn.lock shows js-yaml 3.15.0 for v3 consumers and 4.3.0 for v4 consumers

Browser conformance:
N/A — no UI changes.

Additional info:

  • CVE severity: Major
  • Affected component: openshift5/ose-console-rhel9

Summary by CodeRabbit

  • Chores
  • Updated the YAML parsing library to a newer compatible version.
  • Improved compatibility and stability for YAML processing in frontend tooling.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@frontend/package.json`:
- Line 193: Update the js-yaml dependency in package.json from the caret range
to the exact patched version 3.15.0, then regenerate and commit the
corresponding lockfile entry with its verified integrity hash.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 23f31359-6653-4653-ad2a-f2cba0a7e62e

📥 Commits

Reviewing files that changed from the base of the PR and between 3570425 and be058e2.

⛔ Files ignored due to path filters (1)
  • frontend/yarn.lock is excluded by !**/yarn.lock, !**/*.lock
📒 Files selected for processing (1)
  • frontend/package.json

Comment thread frontend/package.json
"istextorbinary": "^9.5.0",
"js-base64": "^3.7.7",
"js-yaml": "^3.13.1",
"js-yaml": "^3.15.0",

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

Pin the patched release exactly.

^3.15.0 permits future 3.x resolutions, which conflicts with the required exact-version policy. Use "3.15.0" and commit the regenerated lockfile with its integrity hash. OSV and the upstream changelog identify 3.15.0 as the patched v3 release. (osv.dev)

Proposed fix
-    "js-yaml": "^3.15.0",
+    "js-yaml": "3.15.0",

As per path instructions: pin exact versions and verify hashes where supported.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change
"js-yaml": "^3.15.0",
"js-yaml": "3.15.0",
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@frontend/package.json` at line 193, Update the js-yaml dependency in
package.json from the caret range to the exact patched version 3.15.0, then
regenerate and commit the corresponding lockfile entry with its verified
integrity hash.

Source: Path instructions

@openshift-ci

openshift-ci Bot commented Jul 14, 2026

Copy link
Copy Markdown
Contributor

@vikram-raj: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. jira/severity-important Referenced Jira bug's severity is important for the branch this PR is targeting. jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants