Androz2091 / discord-giveaways

🎉 Complete framework to facilitate the creation of giveaways using discord.js
https://discord-giveaways.js.org
MIT License
334 stars 127 forks

🐛 yaml.load is safe by default! Please stop using yaml.safeLoad! #253

Closed DevKoenv closed 3 years ago

DevKoenv commented 3 years ago

Hello there,

So I recently found an issue with the NPM package. Whenever I try to reinstall the module it goes all fine. When I run my code for the second time I keep getting an error from the node_modules\discord-giveaways\src\Constants.js file. The error has to do with the module js-yaml. For some reason I can't find the code that's giving me the errors in the GitHub repo, but I can find it in the installed module. The following code is giving me the error shown in attachments:

function loadFile(file) { return (myFile = yaml.safeLoad(fs.readFileSync(`${file}`, 'utf8'))) }

js-yaml doesn't want to load the file because yaml.safeLoad is not supported anymore. The following code is a fix for the issue, I just don't know where to push it to. This fixes the issue and doesn't remove any safety loading, as yaml.load is safe by default.

function loadFile(file) { return (myFile = yaml.load(fs.readFileSync(`${file}`, 'utf8'))) }

I hope you can do anything with this issue/bug report.

Attachments: Error Logs.txt Error Logs Trace-Warnings.txt

Nico105 commented 3 years ago

Ahm, why is js-yaml trying to load discord-giveaways files? Did you write that into your code? Because discord-giveaways has nothing to do with/does not use anything YAML related, so this should not be a problem of the discord-giveaways package... I mean, yaml.safeLoad('Constants.js') has to be called somewhere, right? But we don't do that, so don't you do that yourself?

DevKoenv commented 3 years ago

I never added this myself, and the yaml.safeLoad gets used inside of node_modules/discord-giveaways/src/Constants.js.

I can upload a zip of the module itself later (I clean install my node modules every test).

Weird that I have this problem if js-yaml shouldn't get used.

DevKoenv commented 3 years ago

I'm sorry for the delay but my hosting provider had some network problems.

Here is my node_modules/discord-giveaways/ zipped

discord-giveaways.zip

In src/constants.js there is a yaml.safeLoad(). I haven't added it myself. The zip is from npm install and then I zipped it. So a clean install.

Nico105 commented 3 years ago

In the package.json of your bot does it say "discord-giveaways": "^4.4.3" or something else = have you maybe installed a fork of somebody?

DevKoenv commented 3 years ago

This is what is in my package.json: "discord-giveaways": "^4.4.3", "discord.js": "^12.5.1",

Nico105 commented 3 years ago

And so npm uninstall discord-giveaways; npm i discord-giveaways will still download that weird Constants file? If yes, try npm i Androz2091/discord-giveaways#master and check there.

DevKoenv commented 3 years ago

It still gives the same Constants file.

Nico105 commented 3 years ago

npm i Androz2091/discord-giveaways#develop ?

DevKoenv commented 3 years ago

Still downloads the weird constants file...

I'm actually questioning if it could be Docker or yaml-js that is doing something with this.

Nico105 commented 3 years ago

Idk, I mean does it work if you try downloading on a new node.js project?

DevKoenv commented 3 years ago

I have, it doesn't download it on that (it was downloaded outside of docker)

DevKoenv commented 3 years ago

When I use the following command it downloads the normal file for 10 seconds and then the weird command shows up again:

git pull && npm install Androz2091/discord-giveaways#develop && node index.js

If I keep that as the startup command it works, but it almost hits the CPU limit for my bot (50% of one core) when I start it up.

I'll try to find the origin of the issue and try to fix it, as this isn't a bug with discord-giveaways.
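
The symptom in this thread, an installed src/Constants.js that loads js-yaml although the package does not use YAML, can be checked mechanically. The following is an added example, not code from the thread or from discord-giveaways: it flags modules that a package's files load but its package.json never declares. The function names, the sample manifest and the sample file contents are assumptions constructed for illustration.

```javascript
// Added example (not from the thread or the discord-giveaways project).
const fs = require('fs');
const path = require('path');
const { builtinModules } = require('module');

// Literal specifiers only; dynamically built require() calls are not detected.
const SPECIFIER = /(?:require\s*\(\s*|from\s+|import\s+)(['"])([^'"]+)\1/g;

// 'js-yaml/lib/x' -> 'js-yaml', '@scope/pkg/x' -> '@scope/pkg'
function packageName(spec) {
  const parts = spec.split('/');
  return spec.startsWith('@') ? parts.slice(0, 2).join('/') : parts[0];
}

// manifest: parsed package.json; files: { relativePath: sourceText }
function findUndeclaredRequires(manifest, files) {
  const declared = new Set([manifest.name]);
  for (const field of ['dependencies', 'peerDependencies', 'optionalDependencies']) {
    Object.keys(manifest[field] || {}).forEach((dep) => declared.add(dep));
  }
  const findings = [];
  for (const [file, source] of Object.entries(files)) {
    for (const match of source.matchAll(SPECIFIER)) {
      const spec = match[2];
      if (spec.startsWith('.') || spec.startsWith('/')) continue; // local file
      if (spec.startsWith('node:') || builtinModules.includes(spec)) continue;
      const name = packageName(spec);
      if (!declared.has(name)) findings.push({ file, module: name });
    }
  }
  return findings;
}

// Collect every .js file under an installed package directory.
function readPackageSources(dir, root = dir, out = {}) {
  for (const entry of fs.readdirSync(dir, { withFileTypes: true })) {
    const full = path.join(dir, entry.name);
    if (entry.isDirectory() && entry.name !== 'node_modules') readPackageSources(full, root, out);
    else if (entry.isFile() && entry.name.endsWith('.js')) out[path.relative(root, full)] = fs.readFileSync(full, 'utf8');
  }
  return out;
}

// Constructed sample: the manifest and its dependency name are made up.
const sampleManifest = { name: 'discord-giveaways', dependencies: { 'declared-dep': '^1.0.0' } };
const sampleFiles = {
  'src/Constants.js': "const fs = require('fs');\nconst yaml = require('js-yaml');\n",
  'src/Manager.js': "const dep = require('declared-dep');\nconst c = require('./Constants.js');\n",
};
console.log(findUndeclaredRequires(sampleManifest, sampleFiles));
```

To check a real install, pass the parsed package.json of the installed package together with readPackageSources() of its directory. Any finding means a file on disk differs in what it loads from what the published manifest declares, which is worth comparing against a fresh copy of the package.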