
Bump js-yaml, sanity and next-sanity #54

Open: dependabot[bot] wants to merge 1 commit into main from dependabot/npm_and_yarn/multi-4c6e2d9e58

dependabot[bot] commented on behalf of github on Jun 29, 2026

Bumps js-yaml to 4.3.0 and updates ancestor dependencies js-yaml, sanity and next-sanity. These dependencies need to be updated together.

Updates js-yaml from 4.1.1 to 4.3.0

Changelog

Sourced from js-yaml's changelog.

4.3.0 - 2026-06-27

Added

  • [backport] Added maxTotalMergeKeys (10000) loader option to limit the total number of keys processed by YAML merge (<<) across one load() / loadAll() call.

Fixed

  • Restore umd builds back to es5.

Removed

  • [backport] maxMergeSeqLength replaced with maxTotalMergeKeys for limiting YAML merge processing.

[4.2.0] - 2026-06-01

Added

  • Added docs/safety.md with notes about processing untrusted YAML.
  • Added maxDepth (100) loader option. Not a problem, but gives a better exception instead of RangeError on stack overflow.
  • Added maxMergeSeqLength (20) loader option. Not a problem after merge fix, but an additional restriction for safety.
  • Added sourcemaps to dist/ builds.

Changed

  • Stop resolving numbers with underscores as numeric scalars, #627.
  • Switched dev toolchains to Vite / neostandard.
  • Updated demo.
  • Reorganized tests.
  • dist/ files are no longer kept in the repository.

Fixed

  • Fix parsing of properties on the first implicit block mapping key, #62.
  • Fix trailing whitespace handling when folding flow scalar lines, #307.
  • Reject top-level block scalars without content indentation, #280.
  • Ensure numbers survive round-trip, #737.
  • Fix test coverage for issue #221.
  • Fix flow scalar trailing whitespace folding, #307.
  • Fix digits in YAML named tag handles.

Security

  • Fix potential DoS via quadratic complexity in merge - deduplicate repeated elements (makes sense for malformed files > 10K).

[3.14.2] - 2025-11-15

Security

  • Backported v4.1.1 fix to v3

Commits
  • 33d05b5 4.3.0 released
  • 663bfab Drop demo publish, to not override new v5 one.
  • 1cb8c7b Add v4-legacy tag for publish
  • 02f27af Restore umd builds back to es5
  • 8be84ed Fix es5 compatibility
  • 59423c6 Replace maxMergeSeqLength option with maxTotalMergeKeys (more robust). Ba...
  • 6842ef6 doc polish
  • 590dbab 4.2.0 released
  • f944dc5 Add package.json funding field
  • f692719 Changelog update
  • Additional commits viewable in compare view

Updates sanity from 4.22.0 to 6.2.0

Release notes

Sourced from sanity's releases.

v6.2.0

Sanity Studio v6.2.0

This release includes various improvements and bug fixes.

For the complete changelog with all details, please visit: www.sanity.io/changelog/studio-Ni4xLjA

Install or upgrade Sanity Studio

To upgrade to this version, run:

npm install sanity@latest

To initiate a new Sanity Studio project or learn more about upgrading, please refer to our comprehensive guide on Installing and Upgrading Sanity Studio.

📓 Full changelog

Author Message Commit
@​juice49 chore(sanity): document inventory group feedback integration (#13267) dd0bb3181d87a69b13fd8cff5ab01887252bb2b8
@​bjoerge feat(debug-proxy): add network flap and latency simulation (#13290) aca23b8f68f815d545e31dcf0ccdbb6254bf5342
@​juice49 chore(sanity): document group inventory (#13071) 7d0fffa86117a70909f7354a53f4c5ec690c9fae
@​juice49 chore(sanity): remove version chips when versions inventory switched on (#13071) 347da06ef7b4a00c87e77b9219cb7f867976d81d
@​snorrees fix(CLDX-5683): preserve an explicit empty block decorator set (#13291) 234029c74f57dd1250b9dff173fdbdf43d4207fa
@​snorrees fix(CLDX-5683): preserve portable text block decorators in schema descriptor (#13288) fa8b84cb0734ca75b74719a3b26858aef2cf99d0
@​juice49 fix: revert "refactor(core): abstract use bundle documents , reuse for variants (#13226)" (#13287) e9a865e55c932da74c03f0c041a69b9ddd67a68c
@​juice49 fix: revert "chore(core): variant documents creation (#13105)" (#13287) b5cf9f7b81a8f77c5cac4a5cc76e0c6a6618d044
@​juice49 fix: revert "chore(core): deprecate useDocumentVersionInfo hook (#13113)" (#13287) d9160f585673e2e922cd072267e23846aac283be
@​juice49 chore: generate DTS exports (#13287) a4841c5fe46d18d2697c023dd85ad2a560809088
squiggler-app[bot] chore(deps): dedupe pnpm-lock.yaml (#13280) 4c23ebc56274d4d2ffc40232c41427c5c83090f5
squiggler-app[bot] fix(deps): update vanilla-extract monorepo (#13275) 1c5621af9f4b9bc4a9829db99788c384fb5e5067
squiggler-app[bot] chore(deps): update dependency uuid to ^14.0.1 (#13283) 664b80623e0c85181ec171169dc91666547da823
squiggler-app[bot] chore(deps): update dependency semver to ^7.8.5 (#13282) b50930902b9cc53dae59ddaa0528ed385723cfed
squiggler-app[bot] chore(deps): update dependency nanoid to ^5.1.15 (#13281) 1d0c1c4808ebfced63844d176c7c00a922420492
squiggler-app[bot] fix(deps): update dependency @​sanity/cli to ^7.4.0 (#13278) ca741184f7d89f6a4244fce952b244bfebdb9dcb
squiggler-app[bot] chore(deps): update actions/cache action to v6 (#13279) 0bbc1c5a4975d5db40f2ba2101e874d49a4f1a0a
squiggler-app[bot] chore(deps): update dependency @​vitejs/plugin-react to ^6.0.3 (#13273) aa0111790006e1349959d2e6335e9272f53b7197
@​jordanl17 feat(core): make reference fields searchable in list previews (#13138) 9cc756677534be16f6f71f29a542d650c8fea313
@​jordanl17 fix(core): retain last known org id when project fetch fails (#12968) 62d250c2bd86d9fad1bd74b931f28d27dc0b39f7
squiggler-app[bot] chore(deps): update dependency vite to ^8.1.0 (#13274) 02148c2120d8b84490345ffe8fad0d494ca89462
squiggler-app[bot] fix(deps): update portabletext (#13271) 59300a7dc42ac03884bed37977700d3d9a469185
squiggler-app[bot] chore(deps): update dependency @​sanity/blueprints to ^0.21.0 (#13269) 750da7421dd8525cbbd0c257c62c32c5a670539e
squiggler-app[bot] chore(deps): update dependency @​sentry/react to ^10.59.0 (#13270) 5fb2b06a2c6d33668d00bd1a708abc672edd3969
squiggler-app[bot] chore(tests): generate dts tests 🤖 ✨ (#13268) 0f94ace49ddaf9fac255c888f7b72ec9d3cc855c
@​juice49 refactor(sanity): move useVersionRelease to shared location (#13260) 4385a40497b3958d23341db3bdfef77422d0028f
squiggler-app[bot] chore(deps): update dependency oxfmt to ^0.56.0 (#13263) 7e08d5e98e5aceb92eb0c29d3ad87f4476f18a20
squiggler-app[bot] fix(deps): update typescript-tooling (#13262) c89f54c6b1ead2d160fa5fbcf2277a2ab2f49efb

... (truncated)

Changelog

Sourced from sanity's changelog.

6.2.0 (2026-06-24)

Features

  • core: add document _system to useDocumentVersions (#13094) (d4acef0)
  • core: add selectedVariant and bundle to perspective context (#13093) (d5f2d75)
  • core: make reference fields searchable in list previews (#13138) (9cc7566)
  • presentation: add appearance ordering to documents on this page (#13135) (f82ee8b)
  • structure: sort document list search results by relevance (#13082) (4a56294)

Bug Fixes

  • CLDX-5683: preserve an explicit empty block decorator set (#13291) (234029c)
  • CLDX-5683: preserve portable text block decorators in schema descriptor (#13288) (fa8b84c)
  • comments: submit the editor's live value, not the debounced draft (8575f65)
  • core: guard against undefined CSS global in node test environments (#13232) (abcdb34)
  • core: retain last known org id when project fetch fails (#12968) (62d250c)
  • deps: update dependency @​sanity/cli to ^7.3.0 (#13265) (57e23d1)
  • deps: update dependency @​sanity/cli to ^7.4.0 (#13278) (ca74118)
  • deps: Update dnd-kit monorepo to v10 (#13154) (4bb6ffd)
  • deps: Update dnd-kit monorepo to v7 (#13151) (1846f73)
  • deps: Update dnd-kit monorepo to v9 (#13153) (ccb210c)
  • deps: Update portabletext (#13127) (0e29c52)
  • deps: Update portabletext (#13144) (99f7a63)
  • deps: update portabletext (#13271) (59300a7)
  • deps: Update portabletext to ^3.1.3 (#13192) (70c6352)
  • deps: Update sentry-javascript monorepo to v10 (#13168) (344c861)
  • deps: Update tanstack-virtual monorepo to ^3.14.3 (#13193) (bbf2274)
  • deps: Update xstate monorepo to ^5.32.1 (#13128) (4dd08ac)
  • form: disable native browser autocomplete on input fields (#12973) (896ed12)
  • form: honor enabled on the markdown plugin alongside deprecated config (51ce0ce)
  • portable-text: size the drop indicator to the block, not the full editable (54785f6)
  • releases: return undefined for empty values in temporarilyBuildDocumentSystem (#13121) (46aaaf0)
  • revert "chore(core): deprecate useDocumentVersionInfo hook (#13113)" (d9160f5)
  • revert "chore(core): variant documents creation (#13105)" (b5cf9f7)
  • revert "refactor(core): abstract use bundle documents , reuse for variants (#13226)" (e9a865e)
  • structure: resolve lint-fix workflow failure in DocumentListPane (#13134) (c85f177)
  • structure: restore default sort order and layout in document list pane (#13110) (31c46eb)

Performance Improvements

  • core: lazy-load default plugin and asset source UI components (#13088) (9fd25d9)

6.1.0 (2026-06-16)

Features

  • core: add page-visibility context to studio timing telemetry (#13083) (467aa57)
  • releases: deep-link release validation errors to the offending field (#12978) (a937280)

Bug Fixes

... (truncated)

Commits
  • 18904cd chore(release): publish v6.2.0
  • dd0bb31 chore(sanity): document inventory group feedback integration
  • 347da06 chore(sanity): remove version chips when versions inventory switched on
  • 7d0fffa chore(sanity): document group inventory
  • 234029c fix(CLDX-5683): preserve an explicit empty block decorator set (#13291)
  • fa8b84c fix(CLDX-5683): preserve portable text block decorators in schema descriptor ...
  • d9160f5 fix: revert "chore(core): deprecate useDocumentVersionInfo hook (#13113)"
  • b5cf9f7 fix: revert "chore(core): variant documents creation (#13105)"
  • e9a865e fix: revert "refactor(core): abstract use bundle documents , reuse for varian...
  • 664b806 chore(deps): update dependency uuid to ^14.0.1 (#13283)
  • Additional commits viewable in compare view

Updates next-sanity from 11.6.12 to 11.6.13

Release notes

Sourced from next-sanity's releases.

next-sanity@11.6.13

What's Changed

Full Changelog: sanity-io/next-sanity@next-sanity-v11.6.12...next-sanity-v11.6.13

Changelog

Sourced from next-sanity's changelog.

11.6.13 (2026-04-14)

Bug Fixes

Allow sanity v5 as a peer dependency.

Commits
  • 8c717de fix: allow sanity v5 as a peer dependency
  • aa961b7 chore: downgrade to sanity V4
  • 9a0a75c fix(deps)!: update sanity monorepo to v5 (main) (major) (#3077)
  • See full diff in compare view

Attestation changes

This version has no provenance attestation, while the previous version (11.6.12) was attested. Review the package versions before updating.


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Bumps [js-yaml](https://github.com/nodeca/js-yaml) to 4.3.0 and updates ancestor dependencies [js-yaml](https://github.com/nodeca/js-yaml), [sanity](https://github.com/sanity-io/sanity/tree/HEAD/packages/sanity) and [next-sanity](https://github.com/sanity-io/next-sanity/tree/HEAD/packages/next-sanity). These dependencies need to be updated together.


Updates `js-yaml` from 4.1.1 to 4.3.0
- [Changelog](https://github.com/nodeca/js-yaml/blob/4.3.0/CHANGELOG.md)
- [Commits](nodeca/js-yaml@4.1.1...4.3.0)

Updates `sanity` from 4.22.0 to 6.2.0
- [Release notes](https://github.com/sanity-io/sanity/releases)
- [Changelog](https://github.com/sanity-io/sanity/blob/main/packages/sanity/CHANGELOG.md)
- [Commits](https://github.com/sanity-io/sanity/commits/v6.2.0/packages/sanity)

Updates `next-sanity` from 11.6.12 to 11.6.13
- [Release notes](https://github.com/sanity-io/next-sanity/releases)
- [Changelog](https://github.com/sanity-io/next-sanity/blob/next-sanity-v11.6.13/packages/next-sanity/CHANGELOG.md)
- [Commits](https://github.com/sanity-io/next-sanity/commits/next-sanity-v11.6.13/packages/next-sanity)

---
updated-dependencies:
- dependency-name: js-yaml
  dependency-version: 4.3.0
  dependency-type: indirect
- dependency-name: sanity
  dependency-version: 6.2.0
  dependency-type: direct:production
- dependency-name: next-sanity
  dependency-version: 11.6.13
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>

dependabot[bot] added the "dependencies" (Pull requests that update a dependency file) and "javascript" (Pull requests that update javascript code) labels on Jun 29, 2026