Skip to content

chore(deps): bump js-yaml and @wordpress/scripts in /admin#68

Open
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/npm_and_yarn/admin/multi-3b559832fc
Open

chore(deps): bump js-yaml and @wordpress/scripts in /admin#68
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/npm_and_yarn/admin/multi-3b559832fc

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 30, 2026

Copy link
Copy Markdown
Contributor

Bumps js-yaml to 3.15.0 and updates ancestor dependency @wordpress/scripts. These dependencies need to be updated together.

Updates js-yaml from 3.14.1 to 3.15.0

Changelog

Sourced from js-yaml's changelog.

4.3.0, 3.15.0 - 2026-06-27

Security

  • Backported maxTotalMergeKeys option.

[5.2.0] - 2026-06-26

Added

  • Added maxTotalMergeKeys (10000) loader option to limit the total number of keys processed by YAML merge (<<) across one load() / loadAll() call.
  • Added maxAliases (-1) loader option to limit the number of YAML aliases per document.

Removed

  • maxMergeSeqLength replaced with maxTotalMergeKeys for limiting YAML merge processing.

Fixed

  • Round-trip of integers with exponential form (>= 1e21)

[5.1.0] - 2026-06-23

Added

  • Collection tags can finalize an incrementally populated carrier into a different result value.

Changed

  • [breaking] quoteStyle now selects the preferred quote style; use the restored forceQuotes option to force quoting non-key strings.

[5.0.0] - 2026-06-20

Added

  • Added named exports for schemas, tags, parser events and AST utilities.
  • Reworked JSON_SCHEMA and CORE_SCHEMA with spec-compliant scalar resolution rules, and added YAML11_SCHEMA.
  • Added realMapTag for lossless mappings with non-string and complex keys. Object-based mappings now reject complex keys instead of stringifying them.
  • Added dump() transform option for changing the generated AST before rendering.
  • Added dump() options seqInlineFirst, flowBracketPadding, flowSkipCommaSpace, flowSkipColonSpace, quoteFlowKeys, quoteStyle and tagBeforeAnchor.
  • Added formal data layers (events and AST) for modular data pipelines.
    • Added low-level parser (to events), presenter and visitor APIs.
  • Added the YAML Test Suite to the test set.

Changed

  • See the migration guide for upgrade notes.
  • Rewritten in TypeScript and reorganized the public API around flat named exports.

... (truncated)

Commits

Updates @wordpress/scripts from 19.2.4 to 32.5.1

Release notes

Sourced from @​wordpress/scripts's releases.

23.5.0 RC1

Changelog

Enhancements

  • Style Engine: Export public TypeScript types. (79079)
  • Widget Primitives: Decouple discovery from a hardcoded endpoint. (79322)
  • Widget Primitives: Make @types/react an optional peer dependency. (79272)

Components

  • Add corner radius presets to ThemeProvider. (78816)
  • Autocomplete: Add Group and GroupLabel primitives. (78901)
  • Base Styles: Add wpds-var Sass helper for design token fallbacks. (78698)
  • BaseControl: add text-wrap: Pretty. (79112)
  • BoxControl: Hard deprecate 40px default size. (79419)
  • Components, DataViews: Adopt --wpds-dimension-size-* tokens. (79093)
  • ESLint, UI, Components: Mark Tooltip from @wordpress/ui as recommended. (78693)
  • Popover: Add open/close motion and fix close re-anchor. (78885)
  • Theme: Add Figma scopes to element size tokens. (79032)
  • Theme: Add disabled variants for brand and error interactive color tokens. (79124)
  • Theme: Add stroke-surface tokens for the caution tone. (79198)
  • Theme: Apply ThemeProvider styles inline (I2). (78678)
  • Theme: Differentiate --wpds-color-fg-interactive-{brand,error}-active vs resting state tokens. (79151)
  • Theme: Enforce sRGB seed-color input contract for ThemeProvider. (79148)
  • Theme: Provide design-system token defaults without a runtime <ThemeProvider>. (78664)
  • Theme: Skip serializing data-wpds-root-provider="false" on non-root providers. (79253)
  • Theme: forward ThemeProvider cornerRadius preset to :Root for root providers. (79153)
  • UI Field.Description: add text-wrap: Pretty. (79143)
  • UI: Disable instant overlay popup transitions. (79432)
  • UI: Simplify focus ring styles. (78823)
  • UI: Use isomorphic layout effects for SSR. (79458)
  • Update @ariakit/react to 0.4.29. (79055)
  • [DataViewsPicker]: DataViewsPicker.BulkActionToolbar now renders only the bulk-selection info and action buttons. (79180)
  • theme: Rename bg/fg design token groups to background/foreground. (79098)

Block Library

  • Add support for aspect ratio and related controls in viewport states. (78795)
  • Audio: Apply inert directly instead of wrapping in Disabled. (79423)
  • Classic Block: Port PHPUnit coverage for hiding it from the inserter. (79434)
  • Cover block: Add media editor modal. (79258)
  • File Block: Combine audio/video/image to file transforms. (79242)
  • File Block: Replace on-mount downloadButtonText effect with a default variation. (79236)
  • Icon Block: Add flip and rotate transformation controls. (77017)
  • Icon block: Default to core/info via block.json instead of an insert-time effect. (79212)
  • Icon block: Move flip controls to toolbar group. (79192)
  • Icons block: Insert an icon by default. (79111)
  • Math format: Seed LaTeX input from the current selection. (79052)
  • Pullquote: Migrate to text-align block support. (79225)
  • Remove orphaned convertToListItems util. (79400)
  • Search block: Add opt-in support for the semantic element. (78485)

... (truncated)

Changelog

Sourced from @​wordpress/scripts's changelog.

Unreleased

Enhancements

  • Update stylelint to ^16.26.1 (#79648).

32.5.0 (2026-06-24)

Enhancements

  • lint-style: Detect .cjs and .mjs config files so the bundled default config is not used when one of these is present (#79226).

32.4.1 (2026-06-16)

32.4.0 (2026-06-10)

32.3.0 (2026-05-27)

32.2.0 (2026-05-14)

32.1.0 (2026-04-29)

32.0.0 (2026-04-15)

Breaking Changes

  • The bundled eslint dependency has been upgraded from v8 to v10 (#76654).
  • The lint-js script now uses flat config (eslint.config.*) by default. Legacy .eslintrc.* files are still detected as a fallback, but this support is deprecated and will be removed in a future version (#76654).
  • The default config shipped with wp-scripts has changed from config/.eslintrc.js to config/eslint.config.cjs (#76654).

31.8.0 (2026-04-01)

31.7.0 (2026-03-18)

31.6.0 (2026-03-04)

31.5.0 (2026-02-18)

31.4.0 (2026-01-29)

31.3.0 (2026-01-16)

Internal

  • The bundled eslint dependency has been updated from ^8.3.0 to ^8.57.1 (#74316).

31.1.0 (2025-11-26)

... (truncated)

Commits
  • 9a75283 chore(release): publish
  • 0e7112a chore(release): publish
  • a4c471e Update changelog files
  • b4cef19 Merge changes published in the Gutenberg plugin "release/23.5" branch
  • 99df743 chore(release): publish
  • 58b2002 Update changelogs
  • 6da9506 chore(release): publish
  • 6afbb15 Update changelog files
  • e816d95 Merge changes published in the Gutenberg plugin "release/23.4" branch
  • 6237509 Update changelog files
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by gutenbergplugin, a new releaser for @​wordpress/scripts since your current version.


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps [js-yaml](https://github.com/nodeca/js-yaml) to 3.15.0 and updates ancestor dependency [@wordpress/scripts](https://github.com/WordPress/gutenberg/tree/HEAD/packages/scripts). These dependencies need to be updated together.


Updates `js-yaml` from 3.14.1 to 3.15.0
- [Changelog](https://github.com/nodeca/js-yaml/blob/master/CHANGELOG.md)
- [Commits](nodeca/js-yaml@3.14.1...3.15.0)

Updates `@wordpress/scripts` from 19.2.4 to 32.5.1
- [Release notes](https://github.com/WordPress/gutenberg/releases)
- [Changelog](https://github.com/WordPress/gutenberg/blob/trunk/packages/scripts/CHANGELOG.md)
- [Commits](https://github.com/WordPress/gutenberg/commits/@wordpress/scripts@32.5.1/packages/scripts)

---
updated-dependencies:
- dependency-name: js-yaml
  dependency-version: 3.15.0
  dependency-type: indirect
- dependency-name: "@wordpress/scripts"
  dependency-version: 32.5.1
  dependency-type: direct:development
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jun 30, 2026
@socket-security

Copy link
Copy Markdown

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff Package Supply Chain
Security
Vulnerability Quality Maintenance License
Updatednpm/​@​wordpress/​scripts@​19.2.4 ⏵ 32.5.197100100100 +170

View full report

@socket-security

Copy link
Copy Markdown

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action Severity Alert  (click "▶" to expand/collapse)
Warn High
Obfuscated code: npm commander is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: admin/package-lock.jsonnpm/@wordpress/scripts@32.5.1npm/commander@10.0.1

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/commander@10.0.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: npm copy-webpack-plugin is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: admin/package-lock.jsonnpm/@wordpress/scripts@32.5.1npm/copy-webpack-plugin@10.2.4

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/copy-webpack-plugin@10.2.4. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: npm csp_evaluator is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: admin/package-lock.jsonnpm/@wordpress/scripts@32.5.1npm/csp_evaluator@1.1.5

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/csp_evaluator@1.1.5. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: npm csp_evaluator is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: admin/package-lock.jsonnpm/@wordpress/scripts@32.5.1npm/csp_evaluator@1.1.5

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/csp_evaluator@1.1.5. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: npm css-tree is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: admin/package-lock.jsonnpm/@wordpress/scripts@32.5.1npm/css-tree@3.2.1

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/css-tree@3.2.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: npm data-urls is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: admin/package-lock.jsonnpm/@wordpress/scripts@32.5.1npm/data-urls@5.0.0

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/data-urls@5.0.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: npm es-abstract is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: admin/package-lock.jsonnpm/@wordpress/scripts@32.5.1npm/es-abstract@1.24.2

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/es-abstract@1.24.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: npm eslint-plugin-react is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: admin/package-lock.jsonnpm/@wordpress/scripts@32.5.1npm/eslint-plugin-react@7.37.5

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/eslint-plugin-react@7.37.5. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: npm node-forge is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: admin/package-lock.jsonnpm/@wordpress/scripts@32.5.1npm/node-forge@1.4.0

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/node-forge@1.4.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: npm puppeteer-core is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: admin/package-lock.jsonnpm/@wordpress/scripts@32.5.1npm/puppeteer-core@24.43.1

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/puppeteer-core@24.43.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: npm rrweb-cssom is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: admin/package-lock.jsonnpm/@wordpress/scripts@32.5.1npm/rrweb-cssom@0.8.0

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/rrweb-cssom@0.8.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: npm webpack is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: admin/package-lock.jsonnpm/@wordpress/scripts@32.5.1npm/webpack@5.108.3

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/webpack@5.108.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

Warn High
Obfuscated code: npm yargs is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: admin/package-lock.jsonnpm/@wordpress/scripts@32.5.1npm/yargs@17.7.3

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/yargs@17.7.3. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants