node-js-yaml - Debian Package Tracker

general

source: node-js-yaml (main)
version: 4.1.0+dfsg+~4.0.5-7
maintainer: Debian Javascript Maintainers (archive) (DMD)
uploaders: Yadd [DMD]
arch: all
std-ver: 4.6.1
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

o-o-stable: 3.14.1+dfsg+~3.12.6-2
oldstable: 4.1.0+dfsg+~4.0.5-7
stable: 4.1.0+dfsg+~4.0.5-7
testing: 4.1.0+dfsg+~4.0.5-7
unstable: 4.1.0+dfsg+~4.0.5-7

versioned links

3.14.1+dfsg+~3.12.6-2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
4.1.0+dfsg+~4.0.5-7: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

node-js-yaml

action needed

A new upstream version is available: 4.1.1+~4.0.9 high

A new upstream version 4.1.1+~4.0.9 is available, you should consider packaging it.

Created: 2025-11-27 Last update: 2026-02-07 19:47

1 security issue in sid high

There is 1 open security issue in sid.

1 important issue:

CVE-2025-64718: js-yaml is a JavaScript YAML parser and dumper. In js-yaml before 4.1.1 and 3.14.2, it's possible for an attacker to modify the prototype of the result of a parsed yaml document via prototype pollution (`__proto__`). All users who parse untrusted yaml documents may be impacted. The problem is patched in js-yaml 4.1.1 and 3.14.2. Users can protect against this kind of attack on the server by using `node --disable-proto=delete` or `deno` (in Deno, pollution protection is on by default).

Created: 2025-11-14 Last update: 2026-01-30 04:00

1 security issue in forky high

There is 1 open security issue in forky.

1 important issue:

CVE-2025-64718: js-yaml is a JavaScript YAML parser and dumper. In js-yaml before 4.1.1 and 3.14.2, it's possible for an attacker to modify the prototype of the result of a parsed yaml document via prototype pollution (`__proto__`). All users who parse untrusted yaml documents may be impacted. The problem is patched in js-yaml 4.1.1 and 3.14.2. Users can protect against this kind of attack on the server by using `node --disable-proto=delete` or `deno` (in Deno, pollution protection is on by default).

Created: 2025-11-14 Last update: 2026-01-30 04:00

lintian reports 22 warnings high

Lintian reports 22 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2022-10-29 Last update: 2024-10-05 05:03

1 low-priority security issue in trixie low

There is 1 open security issue in trixie.

1 issue left for the package maintainer to handle:

CVE-2025-64718: (needs triaging) js-yaml is a JavaScript YAML parser and dumper. In js-yaml before 4.1.1 and 3.14.2, it's possible for an attacker to modify the prototype of the result of a parsed yaml document via prototype pollution (`__proto__`). All users who parse untrusted yaml documents may be impacted. The problem is patched in js-yaml 4.1.1 and 3.14.2. Users can protect against this kind of attack on the server by using `node --disable-proto=delete` or `deno` (in Deno, pollution protection is on by default).

You can find information about how to handle this issue in the security team's documentation.

Created: 2025-11-14 Last update: 2026-01-30 04:00

1 low-priority security issue in bookworm low

There is 1 open security issue in bookworm.

1 issue left for the package maintainer to handle:

CVE-2025-64718: (needs triaging) js-yaml is a JavaScript YAML parser and dumper. In js-yaml before 4.1.1 and 3.14.2, it's possible for an attacker to modify the prototype of the result of a parsed yaml document via prototype pollution (`__proto__`). All users who parse untrusted yaml documents may be impacted. The problem is patched in js-yaml 4.1.1 and 3.14.2. Users can protect against this kind of attack on the server by using `node --disable-proto=delete` or `deno` (in Deno, pollution protection is on by default).

You can find information about how to handle this issue in the security team's documentation.

Created: 2025-11-14 Last update: 2026-01-30 04:00

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.7.3 instead of 4.6.1).

Created: 2022-12-17 Last update: 2025-12-23 20:00

news

[rss feed]

[2022-10-28] node-js-yaml 4.1.0+dfsg+~4.0.5-7 MIGRATED to testing (Debian testing watch)
[2022-10-26] Accepted node-js-yaml 4.1.0+dfsg+~4.0.5-7 (source) into unstable (Yadd) (signed by: Xavier Guimard)
[2022-01-31] node-js-yaml 4.1.0+dfsg+~4.0.5-6 MIGRATED to testing (Debian testing watch)
[2022-01-28] Accepted node-js-yaml 4.1.0+dfsg+~4.0.5-6 (source) into unstable (Yadd) (signed by: Xavier Guimard)
[2021-12-12] node-js-yaml 4.1.0+dfsg+~4.0.5-5 MIGRATED to testing (Debian testing watch)
[2021-12-10] Accepted node-js-yaml 4.1.0+dfsg+~4.0.5-5 (source) into unstable (Yadd) (signed by: Xavier Guimard)
[2021-11-28] node-js-yaml 4.1.0+dfsg+~4.0.5-4 MIGRATED to testing (Debian testing watch)
[2021-11-25] Accepted node-js-yaml 4.1.0+dfsg+~4.0.5-4 (source) into unstable (Yadd) (signed by: Xavier Guimard)
[2021-11-24] Accepted node-js-yaml 4.1.0+dfsg+~4.0.5-3 (source) into unstable (Yadd) (signed by: Xavier Guimard)
[2021-11-21] Accepted node-js-yaml 4.1.0+dfsg+~4.0.5-2 (source) into unstable (Yadd) (signed by: Xavier Guimard)
[2021-11-20] Accepted node-js-yaml 4.1.0+dfsg+~4.0.5-1 (source) into unstable (Yadd) (signed by: Xavier Guimard)
[2021-01-16] node-js-yaml 3.14.1+dfsg+~3.12.6-2 MIGRATED to testing (Debian testing watch)
[2021-01-12] Accepted node-js-yaml 3.14.1+dfsg+~3.12.6-2 (source) into unstable (Xavier Guimard)
[2021-01-11] Accepted node-js-yaml 3.14.1+dfsg+~3.12.6-1 (source) into unstable (Xavier Guimard)
[2020-12-29] node-js-yaml 3.14.0+dfsg-3 MIGRATED to testing (Debian testing watch)
[2020-12-27] Accepted node-js-yaml 3.14.0+dfsg-3 (source) into unstable (Xavier Guimard)
[2020-11-03] node-js-yaml 3.14.0+dfsg-2 MIGRATED to testing (Debian testing watch)
[2020-11-01] Accepted node-js-yaml 3.14.0+dfsg-2 (source) into unstable (Xavier Guimard)
[2020-05-30] node-js-yaml 3.14.0+dfsg-1 MIGRATED to testing (Debian testing watch)
[2020-05-28] Accepted node-js-yaml 3.14.0+dfsg-1 (source) into unstable (Xavier Guimard)
[2019-11-18] Accepted node-js-yaml 3.13.1+dfsg-2~bpo10+1 (source all) into buster-backports, buster-backports (Utkarsh Gupta) (signed by: Praveen Arimbrathodiyil)
[2019-08-06] node-js-yaml 3.13.1+dfsg-2 MIGRATED to testing (Debian testing watch)
[2019-08-04] Accepted node-js-yaml 3.13.1+dfsg-2 (source) into unstable (Xavier Guimard)
[2019-07-11] node-js-yaml 3.13.1+dfsg-1 MIGRATED to testing (Debian testing watch)
[2019-07-08] Accepted node-js-yaml 3.13.1+dfsg-1 (source) into unstable (Xavier Guimard)
[2018-05-11] node-js-yaml 3.11.0+dfsg-1 MIGRATED to testing (Debian testing watch)
[2018-05-08] Accepted node-js-yaml 3.11.0+dfsg-1 (source) into unstable (Bastien Roucariès) (signed by: Bastien ROUCARIÈS)
[2017-09-20] node-js-yaml 3.10.0+dfsg-1 MIGRATED to testing (Debian testing watch)
[2017-09-14] Accepted node-js-yaml 3.10.0+dfsg-1 (source) into unstable (Bastien Roucariès) (signed by: Bastien ROUCARIÈS)
[2017-08-23] node-js-yaml 3.9.1+dfsg-1 MIGRATED to testing (Debian testing watch)

bugs [bug history graph]

all: 1
RC: 0
I&N: 1
M&W: 0
F&P: 0
patch: 0

links

homepage
lintian (0, 22)
buildd: logs, reproducibility
popcon
browse source code
edit tags
other distros
security tracker
screenshots
debian patches
debci

ubuntu

[Information about Ubuntu for Debian Developers]

version: 4.1.0+dfsg+~4.0.5-7