postcss / postcss-load-config

Autoload Config for PostCSS
MIT License

Moderate vulnerability in yaml version #242

Closed Ericlm closed 1 year ago

Ericlm commented 1 year ago

According to the GitHub Advisory Database, there is a moderate severity issue in yaml version 2.2.1, which is fixed in 2.2.2. I think the dependency should be upgraded.

ai commented 1 year ago

We are using ^ in the version range, and all clients can update dependencies by calling npm update.

But I updated dependencies inside this repo https://github.com/postcss/postcss-load-config/commit/03adf207615dcc7cd650e8d4ceebb71d4044f850

alex-r-redfern commented 1 year ago

Is there any chance of tagging the above commit? Thanks for all you do :)

ai commented 1 year ago

@alex-r-redfern why do you need it?

alex-r-redfern commented 1 year ago

This is possibly me being dumb, but on the 4.0.1 tag, yaml is required at ^2.1.1, which will accept any patch version changes, but yaml has fixed this under a minor, so the change won't be picked up. I could be wrong on this?

ai commented 1 year ago

@alex-r-redfern why can't you bump yaml instead?

pnpm has a useful pnpm -R update yaml command.

npm also has a tool for updating nested dependencies.

alex-r-redfern commented 1 year ago

Hey Andrey, it's only because I'm not requiring this package, or indeed yaml, directly: it's via tailwindcss, so I don't think me requiring yaml directly will help in this instance. No worries though, I'll bring it up on the tailwind issues instead. All the best, Alex
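The exchange above turns on what a caret range in package.json admits and whether a consumer can pick up a patched transitive dependency with npm update or pnpm -R update rather than waiting for a new tag. The following is an added example, not code from postcss-load-config or any of the commenters; it implements the caret rule that npm, pnpm and yarn apply (the leftmost non-zero component is frozen, everything to its right may move) without depending on the semver package, and uses constructed sample values (the ^2.1.1 range, a lockfile pinned at 2.2.1, a fix in 2.2.2) to classify what a consumer has to do.

```javascript
// Added example (not the project's code): minimal caret-range checker and a helper that
// tells a consumer whether `npm update` / `pnpm -R update <pkg>` can pull a patched version
// or whether the dependent package itself must publish a new range.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version string: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Three-way comparison of two plain major.minor.patch versions.
function compare(a, b) {
  const x = parseVersion(a);
  const y = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  }
  return 0;
}

// Caret semantics: ^1.2.3 := >=1.2.3 <2.0.0, ^0.2.3 := >=0.2.3 <0.3.0, ^0.0.3 := >=0.0.3 <0.0.4.
function caretRange(range) {
  if (!range.startsWith("^")) throw new Error(`not a caret range: ${range}`);
  const [maj, min, pat] = parseVersion(range.slice(1));
  let upper;
  if (maj > 0) upper = `${maj + 1}.0.0`;
  else if (min > 0) upper = `0.${min + 1}.0`;
  else upper = `0.0.${pat + 1}`;
  return { min: range.slice(1), maxExclusive: upper };
}

function satisfies(version, range) {
  const { min, maxExclusive } = caretRange(range);
  return compare(version, min) >= 0 && compare(version, maxExclusive) < 0;
}

// Given the declared range, the version currently resolved in the lockfile and the first
// version carrying the fix, classify the remediation a consumer needs.
function assess(range, resolved, fixed) {
  if (compare(resolved, fixed) >= 0) return "already-fixed";
  // The range already admits the fixed version: a lockfile refresh is enough.
  if (satisfies(fixed, range)) return "update-within-range";
  // The range excludes the fixed version: the dependent must bump and release.
  return "range-must-be-bumped";
}

// Constructed sample mirroring the thread: range ^2.1.1, lockfile at 2.2.1, fix in 2.2.2.
const sample = { range: "^2.1.1", resolved: "2.2.1", fixed: "2.2.2" };
console.log(caretRange(sample.range)); // { min: '2.1.1', maxExclusive: '3.0.0' }
console.log(assess(sample.range, sample.resolved, sample.fixed)); // update-within-range
```

The assess result distinguishes the two remediation paths that the thread discusses: "update-within-range" is the case where refreshing the lockfile suffices, while "range-must-be-bumped" is the case where a new release of the dependent (here postcss-load-config, or tailwindcss further up the chain) is genuinely required. Running it against your own lockfile's resolved versions is a quick way to decide which path applies before opening an issue upstream.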