- Check migration guide to see details for all breaking changes.
- Breaking: "unsafe" tags `!!js/function`, `!!js/regexp`, `!!js/undefined` are moved to js-yaml-js-types package.
- Breaking: removed `safe*` functions. Use `load`, `loadAll`, `dump` instead which are all now safe by default.
- `yaml.DEFAULT_SAFE_SCHEMA` and `yaml.DEFAULT_FULL_SCHEMA` are removed, use `yaml.DEFAULT_SCHEMA` instead.
- `yaml.Schema.create(schema, tags)` is removed, use `schema.extend(tags)` instead.
- `!!binary` now always mapped to `Uint8Array` on load.
- Reduced nesting of `/lib` folder.
- Parse numbers according to YAML 1.2 instead of YAML 1.1 (`01234` is now decimal, `0o1234` is octal, `1:23` is parsed as string instead of base60).
- `dump()` no longer quotes `:`, `[`, `]`, `(`, `)` except when necessary, #470, #557.
- Line and column in exceptions are now formatted as `(X:Y)` instead of `at line X, column Y` (also present in compact format), #332.
- Code snippet created in exceptions now contains multiple lines with line numbers.
- `dump()` now serializes `undefined` as `null` in collections and removes keys with `undefined` in mappings, #571.
- `dump()` with `skipInvalid=true` now serializes invalid items in collections as null.
- Custom tags starting with `!` are now dumped as `!tag` instead of `!<!tag>`, #576.
- Custom tags starting with `tag:yaml.org,2002:` are now shorthanded using `!!`, #258.
Added
- Added `.mjs` (es modules) support.
- Added `quotingType` and `forceQuotes` options for dumper to configure string literal style, #290, #529.
- Added `styles: { '!!null': 'empty' }` option for dumper (serializes `{ foo: null }` as "`foo: `"), #570.
- Added `replacer` option (similar to option in `JSON.stringify`), #339.
- Custom `Tag` can now handle all tags or multiple tags with the same prefix, #385.
Fixed
- Astral characters are no longer encoded by `dump()`, #587.
- "duplicate mapping key" exception now points at the correct column, #452.
- Extra commas in flow collections (e.g. `[foo,,bar]`) now throw an exception instead of producing null, #321.
- `__proto__` key no longer overrides object prototype, #164.
- Removed `bower.json`.
- Tags are now url-decoded in `load()` and url-encoded in `dump()` (previously usage of custom non-ascii tags may have led to invalid YAML that can't be parsed).
- Anchors now work correctly with empty nodes, #301.
- Fix incorrect parsing of invalid block mapping syntax, #418.
- Throw an error if block sequence/mapping indent contains a tab, #80.
[3.14.1] - 2020-12-07
Security
- Fix possible code execution in (already unsafe) `.load()` (in &anchor).
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.
Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot squash and merge` will squash and merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge and block automerging
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot close` will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
- `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
- `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language
- `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language
- `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language
- `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language
- `@dependabot badge me` will comment on this PR with code to add a "Dependabot enabled" badge to your readme
Additionally, you can set the following in your Dependabot [dashboard](https://app.dependabot.com):
- Update frequency (including time of day and day of week)
- Pull request limits (per update run and/or open at any time)
- Out-of-range updates (receive only lockfile updates, if desired)
- Security updates (receive only security updates, if desired)
Bumps js-yaml from 3.14.0 to 4.0.0.
Changelog
Sourced from js-yaml's changelog.
Commits
- `ee74ce4` 4.0.0 released
- `a44bb7c` dist rebuild
- `aee620a` Throw an error if block sequence/mapping indent contains a tab
- `f0f205b` Fix parsing of invalid block mappings
- `e8cf6f6` Fix error with anchor not being assigned to an empty node
- `a583097` Shorthand tags with !! whenever possible
- `a0d0caa` Dump custom tags starting with `!` as `!tag` instead of `!<!tag>`
- `1ea8370` Fix examples
- `73ef02c` Add multi tags covering all tags with the fixed prefix
- `359b264` Add replacer similar to one in JSON.stringify
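The changelog's number-parsing change (`01234` now decimal, `1:23` now a string) alters values silently, so a setting such as a file mode written `0600` loads as a different integer after this bump. The pre-merge audit below is an added example, not code from js-yaml or from this PR; `interpret`, `auditYaml` and the sample configuration are hypothetical names and constructed data, and the line scanner is a simplification that only handles block-style `key: value` lines.

```javascript
'use strict';
// Added example (not js-yaml code): flag scalars whose value changes between
// YAML 1.1 number rules (js-yaml 3.x) and YAML 1.2 rules (js-yaml 4.x).

const OCTAL_11 = /^[-+]?0[0-7]+$/;                      // e.g. 01234
const BASE60_11 = /^[-+]?[1-9][0-9]*(:[0-5]?[0-9])+$/;  // e.g. 1:23

// Returns { before, after } for an affected plain scalar, or null.
function interpret(scalar) {
  const sign = scalar.startsWith('-') ? -1 : 1;
  const body = scalar.replace(/^[-+]/, '');
  if (OCTAL_11.test(scalar)) {
    // 3.x read the digits as octal; 4.x reads them as decimal.
    return { before: sign * parseInt(body, 8), after: sign * parseInt(body, 10) };
  }
  if (BASE60_11.test(scalar)) {
    // 3.x folded the groups as base 60; 4.x keeps the text as a string.
    const value = body.split(':').reduce((acc, part) => acc * 60 + Number(part), 0);
    return { before: sign * value, after: scalar };
  }
  return null;
}

// Assumption: a simplified scanner for block-style "key: value" lines with
// one-token values; quoted values never match because the quotes are kept.
function auditYaml(text) {
  const findings = [];
  text.split('\n').forEach((line, index) => {
    const m = /^\s*(?:-\s+)?([\w.-]+):\s+(\S+)\s*(?:#.*)?$/.exec(line);
    const change = m && interpret(m[2]);
    if (change) findings.push({ line: index + 1, key: m[1], raw: m[2], ...change });
  });
  return findings;
}

// Constructed sample configuration (not taken from any real project).
const SAMPLE_CONFIG = [
  'files:',
  '  - path: /etc/app/secret.key',
  '    mode: 0600',
  '    backup_mode: "0600"',
  'session:',
  '  timeout: 1:30',
  '  retries: 10',
].join('\n');

for (const f of auditYaml(SAMPLE_CONFIG)) {
  console.log(`line ${f.line}: ${f.key}: ${f.raw}  3.x=${JSON.stringify(f.before)}  4.x=${JSON.stringify(f.after)}`);
}
```

Values the audit flags can be pinned before merging by quoting them or, for octal, rewriting them in the `0o` form the changelog lists.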