Back to Explore

nodeca/js-yaml

GitHub
7 updates · last 90 days2 watchersOpen source

Last release:

js-yaml is a JavaScript YAML 1.2 parser and writer for converting between YAML documents and JavaScript values (load/loadAll for parsing, dump for serializing). It’s useful when you need to read or generate YAML in Node.js or use the included CLI to inspect YAML files from the command line.

Project status

  • Actively maintained, with very recent upstream and package activity (last upstream push 2026-07-02, and multiple npm updates across 2026-07-02 and 2026-06-26).
  • Apparent update cadence is active and clustered, with several updates in late June 2026 (at least 3 distinct versions on 2026-06-26, plus 5.2.1 on 2026-07-02), and additional changes in late May to mid June (for example, 4.2.0 on 2026-05-31, 5.0.0 on 2026-06-20).

AI summary generated

AI-generated from public sources. May be inaccurate. Report

Recent updates

  • 5.2.1

    Release 5.2.1 contains a change to the YAML !!omap sequence tag implementation. No release notes were provided in the publisher release_notes section, but CHANGELOG.md was updated with fixes around Map handling and omap duplicate-key performance/security.

    SecurityFeatures
  • 3.15.0

    No publisher release notes were provided for 3.15.0. The code diff for this version adds a new loader option to cap merge key processing during YAML merge operations and introduces additional hardening against prototype pollution, including safer handling of __proto__ keys.

    BreakingSecurityFeatures
  • 4.3.0

    Release 4.3.0 has no provided release notes. The code diff shows a major refactor of the library internals and a change to the public exports in index.js, including removal of several deprecated aliases and deprecation-safe entrypoints (safeLoad/safeDump) that now throw at runtime.

  • 5.2.0

    No publisher release notes were provided for version 5.2.0. Based on the repository changelog update and the visible diff, this release focuses on adding new loader limits for YAML merge processing and YAML alias counts, plus a fix for integer round-tripping in exponential form.

    BreakingFeatures
  • 5.1.0

    This release (5.1.0) introduces significant internal changes to YAML scalar quoting behavior and to the custom tag infrastructure. It also adds support for collection tags to incrementally populate a carrier and then finalize it into a different result value during parsing.

  • 5.0.0

    The publisher-provided release notes for version 5.0.0 are missing. However, the diff shows a major v5 rewrite, removing the previous CommonJS entrypoint and most of the old implementation under lib/, and introducing a new TypeScript-based architecture with flat named exports and new parsing/presentation layers.

    Features
  • 4.2.0

    Release 4.2.0 introduces a major restructuring of the package entrypoint and internal YAML implementation. The public API surface in index.js is rebuilt, deprecated/legacy exports are removed, and some legacy function names now fail immediately with an error directing users to replacement methods.

  • 3.14.2

    Release 3.14.2 appears to be a targeted security update. The code changes focus on preventing prototype pollution during YAML mapping merge and related mapping handling, plus minor hardening around alias lookup and build banner comments.

    Security
  • 4.1.1

    Version 4.1.1 primarily patches a prototype pollution vulnerability related to YAML merge (<<). The code changes harden how the loader assigns properties for mapping keys, specifically protecting the special key '__proto__'.

    Security
  • 4.1.0

    No release notes were provided by the publisher for version 4.1.0. The code changes in this diff primarily add a public `yaml.types` export, store the original `options` on each `Type`, and modify schema type compilation to preserve original type order when overriding conflicting types via `Schema.extend()`.

    Features
  • 4.0.0

    Release 4.0.0 was published on 2021-01-03, but no release notes were provided by the publisher. Because the release notes are missing, this analysis cannot reliably identify new features, breaking changes, bug fixes, or security updates from documentation.

  • 3.14.1

    Release 3.14.1 is a small patch bump (3.14.0 to 3.14.1) with changes focused on YAML loader alias handling. No release notes were provided by the publisher, but the code diff includes a security-related fix in the loader implementation.

    Security
  • 3.14.0

    Release 3.14.0 updates js-yaml with several behavioral fixes around YAML dumping and stricter input validation in the loader. The repo changelog (added/updated in this diff) documents most items, but the code also includes an additional dumper behavior change affecting when strings containing '#' are quoted.

    Features
  • 3.13.1

    Release 3.13.1 is a small patch update to js-yaml. The changelog indicates a security fix focused on preventing possible code execution during `load()` when unsafe key objects are present.

    Security
  • 3.13.0

    No release notes were provided for 3.13.0, but the code changes include a targeted security/robustness fix in the YAML loader. The loader now rejects nested arrays used as mapping keys instead of risking a hang (and potentially unsafe behavior from implicit string conversion).

    Security
  • 3.12.2

    Release 3.12.2 makes a targeted fix to js-yaml's dumping behavior related to the noArrayIndent option when arrays appear at the root level. The only functional code change is in the dumper logic that computes array indentation.

  • 3.12.1

    Release 3.12.1 is published (2019-01-05), but no release notes were provided. As a result, no specific changes, fixes, or migration details can be confirmed from the release notes alone.