probot / no-response

a GitHub App that closes issues where the author hasn't responded to a request for more information
ISC License

Use yaml.safeLoad instead of load #3

Closed bkeepers closed 7 years ago

bkeepers commented 7 years ago

Fixes issue where untrusted yaml file could contain JavaScript: https://github.com/nodeca/js-yaml#safeload-string---options-

cc @lee-dohm

bkeepers commented 7 years ago

@lee-dohm I'm going to go ahead and merge this since it's a security issue.

lee-dohm commented 7 years ago

Thanks @bkeepers :+1: