chore(deps): bump yaml from 2.3.4 to 2.8.3 #8969

Closed
dependabot[bot] wants to merge 1 commit into main from dependabot/npm_and_yarn/yaml-2.8.3


dependabot bot commented on behalf of github Mar 26, 2026

Bumps yaml from 2.3.4 to 2.8.3.

Release notes

Sourced from yaml's releases.

v2.8.3

  • Add trailingComma ToString option for multiline flow formatting (#670)
  • Catch stack overflow during node composition (1e84ebb)

v2.8.2

  • Serialize -0 as -0 (#638)
  • Do not double newlines for empty map values (#642)

v2.8.1

  • Preserve empty block literals (#634)

v2.8.0

  • Add node cache for faster alias resolution (#612)
  • Re-introduce compatibility with Node.js 14.6 (#614)
  • Add --merge option to CLI tool (#611)
  • Improve error for tag resolution error on null value (#616)
  • Allow empty string as plain scalar representation, for failsafe schema (#616)
  • docs: include cli example (#617)

v2.7.1

  • Do not allow seq with single-line collection value on same line with map key (#603)
  • Improve warning & avoid TypeError on bad YAML 1.1 nodes (#610)

v2.7.0

The library is now available on JSR as @eemeli/yaml and on deno.land/x as yaml. In addition to Node.js and browsers, it should work in Deno, Bun, and Cloudflare Workers.

  • Use .ts extension in all relative imports (#591)
  • Ignore newline after block seq indicator as space before value (#590)
  • Require Node.js 14.18 or later (was 14.6) (#598)

v2.6.1

  • Do not strip :00 seconds from !!timestamp values (#578, with thanks to @qraynaud)
  • Tighten regexp for JSON !!bool (#587, with thanks to @vra5107)
  • Default to literal block scalar if folded would overflow (#585)

v2.6.0

  • Use a proper tag for !!merge << keys (#580)
  • Add stringKeys parse option (#581)
  • Stringify a Document as a Document (#576)
  • Add sponsorship by Manifest

v2.5.1

  • Include range in flow sequence pair maps (#573)

v2.5.0

  • Add --indent option to CLI tool (#559, with thanks to @danielbayley)
  • Require newline in all cases for props on block sequence (#557)
  • Always reset indentation in lexer on ... (#558)
  • Ignore minContentWidth if greater than lineWidth (#562)
  • Drop unused Collection.maxFlowStringSingleLineLength (#522, #421)

... (truncated)

Commits
  • ce14587 2.8.3
  • 1e84ebb fix: Catch stack overflow during node composition
  • 6b24090 ci: Include Prettier check in lint action
  • 9424dee chore: Refresh lockfile
  • d1aca82 Add trailingComma ToString option for multiline flow formatting (#670)
  • 4321509 ci: Drop the branch filter from GitHub PR actions
  • 47207d0 chore: Update docs-slate
  • 5212fae chore: Update docs-slate
  • 086fa6b 2.8.2
  • 95f01e9 chore: Add funding to package.json
  • Additional commits viewable in compare view

Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps [yaml](https://github.com/eemeli/yaml) from 2.3.4 to 2.8.3.
- [Release notes](https://github.com/eemeli/yaml/releases)
- [Commits](eemeli/yaml@v2.3.4...v2.8.3)

---
updated-dependencies:
- dependency-name: yaml
  dependency-version: 2.8.3
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot bot added the dependencies (Pull requests that update a dependency file) and javascript (Pull requests that update javascript code) labels Mar 26, 2026

github-actions bot commented Mar 26, 2026

🤖 AI PR Validation Report

PR Review Results

Thank you for your submission! Here's detailed feedback on your PR title and body compliance:

PR Title

  • Current: chore(deps): bump yaml from 2.3.4 to 2.8.3
  • Issue: None — title is clear and follows the conventional commits pattern for a dependency bump.
  • Recommendation: Keep as-is. (Optional: you can include the package scope if you want more specificity, but this is fine.)

Commit Type

  • The PR body does not follow the required PR body template and does not explicitly mark one of the commit type checkboxes from the template.
  • Note: For this bump the correct commit type is chore (dependency update). Please add the commit type selection to the PR body using the template (check chore).

Risk Level

  • The PR body did not include the template's Risk Level section and there is no explicit risk:low / risk:medium / risk:high label applied.
  • Assessment: Missing. This repository requires an explicit risk selection in the PR body and a matching risk:* label on the PR. The change itself (a small dependency bump of the yaml package; 1 addition / 1 deletion) looks low risk.
  • Recommendation: Add the Risk Level section to the PR body and apply the risk:low label to this PR. (If you believe risk is higher, choose appropriately and ensure the label matches.)

What & Why

  • Current: (Missing — PR body is the Dependabot standard release notes and not the repo template.)
  • Issue: The PR body must include the short "What & Why" description required by the project template. Dependabot text is useful but does not replace the required template fields.
  • Recommendation: Add a brief "What & Why" such as:
    • "What: Bump yaml from 2.3.4 to 2.8.3 (package and lockfile)."
    • "Why: Pull in upstream bug fixes (stack overflow catch), formatting improvements and compatibility updates provided in the 2.8.x releases."

Impact of Change

  • The PR body does not include the Impact section required by the template.
  • Recommendation: Fill out the Impact of Change section; example entries for this dependency bump:
    • Users: No user-facing behavior changes expected.
    • Developers: Build/test environment may require Node >= 14.18 (per release notes); verify local development docs and CI Node versions.
    • System: Minor dependency update — run CI to validate no regressions.

Test Plan

  • Assessment: Missing. The template's Test Plan section is not present. The PR also does not document any unit/E2E tests added or updated.
  • Recommendation: For a dependency bump, either:
    • Mark "Manual testing completed" and describe what you manually validated (e.g., CI green, app starts, key flows exercise), or
    • Run relevant unit/E2E tests and check the boxes plus reference the changed test files in the diff.
    • At minimum: ensure CI passes and note that in the Test Plan, and mention any additional verification performed locally.

⚠️ Contributors

  • Assessment: Empty (optional). The PR body doesn't include a Contributors section.
  • Recommendation: Not mandatory — but please add contributors or a short note acknowledging Dependabot and any reviewers if relevant.

⚠️ Screenshots/Videos

  • Assessment: Not applicable (no visual change). No action required.

Summary Table

| Section | Status | Recommendation |
|---|---|---|
| Title | | Keep the title as-is. |
| Commit Type | | Mark chore in the PR template commit type. |
| Risk Level | | Add Risk Level to the body and attach risk:low label. |
| What & Why | | Add a short What & Why explaining the bump. |
| Impact of Change | | Fill out Users/Developers/System impacts. |
| Test Plan | | Document CI/pass verification or add tests. |
| Contributors | ⚠️ | Optional: add acknowledgements if relevant. |
| Screenshots/Videos | ⚠️ | Not applicable. |

Final Notes and Next Steps

  • This PR does not pass the repository's PR body template validation because the template sections are missing and there is no risk label. Please update the PR body to the required template and add a matching risk:low label (this change appears low risk given the small diff and nature of the update). Also ensure CI runs and passes and note that in the Test Plan section.
  • Additional recommendations specific to this dependency bump:
    • Confirm CI Node version is compatible with yaml@2.8.x (release notes mention Node >= 14.18 compatibility). If your CI or supported environments target older Node versions, either: upgrade Node in CI or delay/flag this dependency bump.
    • Ensure the lockfile (yarn.lock or package-lock.json) is included in the PR (Dependabot typically does this). Confirm the diff includes both package.json and lockfile updates.
    • Run your test suite locally or rely on CI and add a short note in Test Plan: CI passed (all checks green) and basic smoke tests ran: <list actions>.

Please update the PR title/body as recommended above, add the risk:low label, and re-run CI. Once updated, re-request review. Thank you for keeping dependencies up to date!


Last updated: Fri, 27 Mar 2026 22:39:55 GMT

@github-actions

🤖 AI PR Validation Report

PR Review Results

Thank you for your submission! Here's detailed feedback on your PR title and body compliance:

PR Title

  • Current: chore(deps): bump yaml from 2.3.4 to 2.8.3
  • Issue: None — title is clear and follows conventional style for dependency bumps.
  • Recommendation: No change required. Optionally include the lockfile update note (e.g., + pnpm-lock.yaml updated) if you want extra clarity.

Commit Type

  • No commit type selection from the PR body template was provided.
  • Note: The PR body did not include the PR template checkboxes for Commit Type. Please select a single commit type (one of the listed options). For this change, the correct choice is:
    • chore (dependency maintenance)

Risk Level

  • Assessment: The PR body did not include a Risk Level selection and there is no risk:... label on the PR.
  • Based on the code changes (only lockfile-related changes and a dependency bump), the advised risk level is: Low.
  • Recommendation: add the risk:low label to match the Risk Level section of the template and avoid failing automation that expects that label.

What & Why

  • Current: (Missing) — the PR body does not include the required "What & Why" template section.
  • Issue: The PR only shows Dependabot release notes; it did not fill out the required PR template fields. This repository expects a short "What & Why" explanation.
  • Recommendation: Add a brief entry. Example you can paste and adapt:
    • What & Why: "Bump yaml from 2.3.4 to 2.8.3 to pick up bug fixes and improvements (notably: catch stack overflow during node composition and multiline flow formatting option). The pnpm-lock change also updates tslib from 2.4.0 to 2.7.0. Verify Node.js engine compatibility (yaml v2.7.0+ mentions Node.js 14.18+)."

Impact of Change

  • Issue: The Impact section from the template is missing.
  • Recommendation (fill in these):
    • Users: No direct user-facing changes expected; runtime behavior unaffected in UI unless YAML parsing is used at runtime.
    • Developers: May need to ensure local/dev Node versions meet yaml's minimum (yaml v2.7.0 notes Node 14.18+). CI/dev tooling should be validated.
    • System: Minimal; update is to dependency and lockfile. Run full CI/build to make sure there are no compatibility regressions.

Test Plan

  • Assessment: The PR contains no test additions/updates and the PR body does not mark any Test Plan checkboxes.
  • Recommendation: For a dependency bump like this, at minimum indicate that you ran the repository's test suite and CI runs successfully. Update the Test Plan section to include:
    • Manual testing completed — describe steps (e.g., yarn install && yarn build && yarn test or pnpm install && pnpm build && pnpm test) and confirm CI passed.
    • If no unit/E2E tests needed, explicitly state why (e.g., "no source code changes; only lockfile updated") and reference successful CI that ran the test suite.

⚠️ Contributors

  • Assessment: No contributors listed in the PR body template. This is optional but recommended.
  • Recommendation: Add acknowledgements if others contributed review or design input. If none, you may leave blank but consider a short note crediting Dependabot as author.

Screenshots/Videos

  • Assessment: Not applicable for this dependency/lockfile change.
  • Recommendation: No screenshots required.

Summary Table

| Section | Status | Recommendation |
|---|---|---|
| Title | | Title is good. |
| Commit Type | | Select chore in the PR template. |
| Risk Level | | Add risk:low label and mark Low in template. |
| What & Why | | Add a short description why yaml is bumped and note lockfile change & Node compatibility. |
| Impact of Change | | Fill users/developers/system bullets and mention Node version check. |
| Test Plan | | State that CI/tests were run; list manual steps or add tests if needed. |
| Contributors | ⚠️ | Optional: add contributors or a short note. |
| Screenshots/Videos | | Not applicable. |

Final Message
This PR does not pass the PR-body template checks because the required template sections (Commit Type, Risk Level, What & Why, Impact, Test Plan) are not present. The actual code changes are very small (only a lockfile change shown: pnpm-lock.yaml change updating tslib from 2.4.0 to 2.7.0; overall the bump to yaml is a dependency update); I assess the risk as Low.

Please update the PR body using the repository template and make the following concrete edits before re-submitting:

  • Select one Commit Type checkbox: chore.
  • Select one Risk Level checkbox: Low and add label risk:low to the PR.
  • Fill the "What & Why" with a short explanation (example provided above).
  • Fill Impact of Change (Users/Developers/System) — note Node.js compatibility if relevant.
  • Update Test Plan to state that you ran pnpm install, pnpm build, and pnpm test locally/CI and the results, or add required tests if this is not sufficient.

Once you update the PR body and ensure CI passes, this should be acceptable for merge.

Thank you for the contribution and for keeping dependencies up to date!


Last updated: Thu, 26 Mar 2026 18:21:00 GMT

@github-actions

📊 Coverage Check

No source files changed in this PR.


dependabot bot commented on behalf of github Mar 27, 2026

Looks like yaml is no longer updatable, so this is no longer needed.

dependabot bot closed this Mar 27, 2026
dependabot bot deleted the dependabot/npm_and_yarn/yaml-2.8.3 branch March 27, 2026 22:37

Labels

  • dependencies: Pull requests that update a dependency file
  • javascript: Pull requests that update javascript code
  • needs-pr-update
