From 4987d99c86e57606f675ef0d6248e4780b0f7016 Mon Sep 17 00:00:00 2001 From: "dependabot[bot]" <49699333+dependabot[bot]@users.noreply.github.com> Date: Tue, 30 Jun 2026 13:23:58 +0000 Subject: [PATCH 1/5] deps: bump js-yaml from 4.3.0 to 5.2.0 Bumps [js-yaml](https://github.com/nodeca/js-yaml) from 4.3.0 to 5.2.0. - [Changelog](https://github.com/nodeca/js-yaml/blob/master/CHANGELOG.md) - [Commits](https://github.com/nodeca/js-yaml/compare/4.3.0...5.2.0) --- updated-dependencies: - dependency-name: js-yaml dependency-version: 5.2.0 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] --- package.json | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/package.json b/package.json index bb84198..de773ad 100644 --- a/package.json +++ b/package.json @@ -37,7 +37,7 @@ "typescript": "^6.0.3" }, "dependencies": { - "js-yaml": "^4.1.1", + "js-yaml": "^5.2.0", "proper-lockfile": "^4.1.2", "yargs": "^18.0.0" } From 5008893c2d19a53297022d610406efa4a0df0b44 Mon Sep 17 00:00:00 2001 From: Steve Krenzel Date: Thu, 2 Jul 2026 18:02:48 -0700 Subject: [PATCH 2/5] deps: update js-yaml lockfile --- bun.lock | 4 ++-- src/yaml/parse.ts | 15 +++++++++++++-- 2 files changed, 15 insertions(+), 4 deletions(-) diff --git a/bun.lock b/bun.lock index f1666d6..90b0045 100644 --- a/bun.lock +++ b/bun.lock @@ -5,7 +5,7 @@ "": { "name": "crew", "dependencies": { - "js-yaml": "^4.1.1", + "js-yaml": "^5.2.0", "proper-lockfile": "^4.1.2", "yargs": "^18.0.0", }, @@ -72,7 +72,7 @@ "graceful-fs": ["graceful-fs@4.2.11", "", {}, "sha512-RbJ5/jmFcNNCcDV5o9eTnBLJ/HszWV0P73bc+Ff4nS/rJj+YaS6IGyiOL0VoBYX+l1Wrl3k63h/KrH+nhJ0XvQ=="], - "js-yaml": ["js-yaml@4.1.1", "", { "dependencies": { "argparse": "^2.0.1" }, "bin": { "js-yaml": "bin/js-yaml.js" } }, "sha512-qQKT4zQxXl8lLwBtHMWwaTcGfFOZviOJet3Oy/xmGk2gZH677CJM9EvtfdSkgWcATZhj/55JZ0rmy3myCT5lsA=="], + "js-yaml": ["js-yaml@5.2.1", "", { "dependencies": { "argparse": "^2.0.1" }, "bin": { "js-yaml": "bin/js-yaml.mjs" } }, "sha512-zfLtNfQqxVqq3uaTqSkh4x4hZw3KHobGUA0fJUj4wawW8bsQLTVqpHdXSIzidh7o+4lEW36tANuAGdaFx6Zgnw=="], "proper-lockfile": ["proper-lockfile@4.1.2", "", { "dependencies": { "graceful-fs": "^4.2.4", "retry": "^0.12.0", "signal-exit": "^3.0.2" } }, "sha512-TjNPblN4BwAWMXU8s9AEz4JmQxnD1NNL7bNOY/AKUzyamc379FWASUhc/K1pL2noVb+XmZKLL68cjzLsiOAMaA=="], diff --git a/src/yaml/parse.ts b/src/yaml/parse.ts index ccd8a18..594468e 100644 --- a/src/yaml/parse.ts +++ b/src/yaml/parse.ts @@ -11,7 +11,7 @@ * - one import site to update if we ever want to swap the library. */ -import { dump, load } from "js-yaml"; +import { dump, load, YAMLException } from "js-yaml"; /** The value kinds we accept. */ export type YamlValue = string | number | boolean | null | YamlValue[] | YamlMap; @@ -22,7 +22,18 @@ export function parseYaml(source: string): YamlValue { // `load` already rejects multi-document input (use `loadAll` for that) and // in js-yaml v4 it uses the DEFAULT_SCHEMA which is safe (no !!js/function, // no !!js/regexp, no !!js/undefined). - const value = load(source); + let value: unknown; + try { + value = load(source); + } catch (err) { + if ( + err instanceof YAMLException && + err.reason === "expected a document, but the input is empty" + ) { + return null; + } + throw err; + } // js-yaml returns `undefined` for an empty document; we normalize to `null` // so callers never have to branch between the two (YAML itself treats them // the same — `~`, `null`, and an empty document all mean "no value"). From 898f0f3dc301193fc23e9031e9d2bde3e06c2869 Mon Sep 17 00:00:00 2001 From: Steve Krenzel Date: Thu, 2 Jul 2026 18:07:31 -0700 Subject: [PATCH 3/5] deps: preserve yaml empty document handling --- src/yaml/parse.ts | 8 +------- 1 file changed, 1 insertion(+), 7 deletions(-) diff --git a/src/yaml/parse.ts b/src/yaml/parse.ts index 594468e..9ff3fd2 100644 --- a/src/yaml/parse.ts +++ b/src/yaml/parse.ts @@ -20,7 +20,7 @@ export type YamlMap = { [key: string]: YamlValue }; /** Parse a YAML document. Throws on malformed input. */ export function parseYaml(source: string): YamlValue { // `load` already rejects multi-document input (use `loadAll` for that) and - // in js-yaml v4 it uses the DEFAULT_SCHEMA which is safe (no !!js/function, + // uses the DEFAULT_SCHEMA, which is safe (no !!js/function, // no !!js/regexp, no !!js/undefined). let value: unknown; try { @@ -34,12 +34,6 @@ export function parseYaml(source: string): YamlValue { } throw err; } - // js-yaml returns `undefined` for an empty document; we normalize to `null` - // so callers never have to branch between the two (YAML itself treats them - // the same — `~`, `null`, and an empty document all mean "no value"). - if (value === undefined) { - return null; - } return value as YamlValue; } From ef44f1074809c988e39cc5c63f116221f4debe95 Mon Sep 17 00:00:00 2001 From: Steve Krenzel Date: Thu, 2 Jul 2026 18:13:45 -0700 Subject: [PATCH 4/5] chore: retrigger required deploy checks From c6f1f7778895be869a9a40068e67c930c996d1b0 Mon Sep 17 00:00:00 2001 From: Steve Krenzel Date: Thu, 2 Jul 2026 18:14:19 -0700 Subject: [PATCH 5/5] chore: retrigger required deploy checks