
Security: js-yaml prototype-pollution vulnerability via bundled dependency #178

@huulanka

Description:

gray-matter transitively depends on a vulnerable js-yaml version (<4.1.1) which is subject to prototype pollution (GHSA-mh29-5h37-fv8m / CVE-2025-64718). This causes npm audit to report a moderate severity vulnerability for projects that install gray-matter.

Reproduction (local output from my project):

  • npm audit report:
    js-yaml <4.1.1
    Severity: moderate
    js-yaml has prototype pollution in merge (<<) - GHSA-mh29-5h37-fv8m
    node_modules/gray-matter/node_modules/js-yaml
    gray-matter <=1.2.6 || >=2.0.2
    Depends on vulnerable versions of js-yaml
    node_modules/gray-matter

Expected behavior:

gray-matter releases should not depend on js-yaml versions older than 4.1.1. Projects installing gray-matter should not trigger an npm audit vulnerability for js-yaml.

References:

Notes:

  • I attempted to upgrade js-yaml to v4.1.1 locally, but this breaks gray-matter because gray-matter uses the removed APIs yaml.safeLoad / yaml.safeDump.
  • Example runtime error observed after forcing js-yaml@4.1.1:

    Error: Function yaml.safeLoad is removed in js-yaml 4. Use yaml.load instead, which is now safe by default.

  • Current gray-matter code (lib/engines.js) uses yaml.safeLoad and yaml.safeDump, so consumers cannot safely upgrade js-yaml themselves without a gray-matter change.
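The following is an added example and not code from gray-matter or js-yaml. It shows the two things a consumer stuck in the situation above needs: a wrapper that calls js-yaml safely whichever major is installed (js-yaml 3 exports DEFAULT_SAFE_SCHEMA and its safeLoad/safeDump are load/dump with that schema; js-yaml 4 dropped that export and made load/dump safe by default while turning safeLoad/safeDump into stubs that throw the "removed" error quoted above), and a defensive pass over the parsed front matter that rejects a mapping whose prototype is not the plain Object prototype or that carries an own `__proto__`/`constructor`/`prototype` key, so a prototype smuggled in through a `<<` merge never reaches application code. The js-yaml module is passed in as a parameter; `fakeYaml3` and `fakeYaml4Polluted` are constructed stand-ins so the file runs without js-yaml installed, and the function names are this example's own.

```javascript
// Added example, not gray-matter's or js-yaml's code. The js-yaml module is
// injected; the fakeYaml* objects further down are constructed stand-ins.

const DANGEROUS_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Returns { parse, stringify } that is safe on js-yaml 3 and 4.
function yamlCompat(yaml) {
  if (typeof yaml.load !== 'function' || typeof yaml.dump !== 'function') {
    throw new TypeError('object passed to yamlCompat does not look like js-yaml');
  }
  // js-yaml 3: safeLoad() is load() with DEFAULT_SAFE_SCHEMA, so pass it explicitly.
  // js-yaml 4: DEFAULT_SAFE_SCHEMA is gone and load()/dump() are safe by default.
  const base = yaml.DEFAULT_SAFE_SCHEMA ? { schema: yaml.DEFAULT_SAFE_SCHEMA } : {};
  return {
    parse: (text, opts = {}) => sanitize(yaml.load(text, { ...base, ...opts })),
    stringify: (obj, opts = {}) => yaml.dump(obj, { ...base, ...opts }),
  };
}

// Walks a parsed document and rejects anything that could carry prototype
// pollution into the application: mappings whose prototype chain is not the
// plain Object prototype (what a prototype set through a merge looks like) and
// own keys that name prototype-chain properties.
function sanitize(value) {
  if (Array.isArray(value)) return value.map(sanitize);
  if (value === null || typeof value !== 'object') return value;
  if (value instanceof Date) return value; // safe schema yields Dates for timestamps
  const proto = Object.getPrototypeOf(value);
  if (proto !== Object.prototype && proto !== null) {
    throw new Error('YAML mapping has a non-plain prototype; refusing to use it');
  }
  const out = {};
  for (const key of Object.keys(value)) {
    if (DANGEROUS_KEYS.has(key)) {
      throw new Error(`YAML mapping contains forbidden key "${key}"`);
    }
    out[key] = sanitize(value[key]);
  }
  return out;
}

// Constructed stand-in for a js-yaml 3 module: it insists on the safe schema
// and returns a fixed parse result so the example runs offline.
const fakeYaml3 = {
  DEFAULT_SAFE_SCHEMA: { name: 'default-safe' },
  load(text, opts) {
    if (!opts || opts.schema !== this.DEFAULT_SAFE_SCHEMA) {
      throw new Error('unsafe schema requested');
    }
    return { title: 'hello', date: new Date(0), tags: ['a', 'b'] };
  },
  dump(obj) {
    return Object.keys(obj).map((k) => `${k}: ${obj[k]}`).join('\n') + '\n';
  },
};

// Constructed stand-in for a js-yaml 4 module whose load() hands back what a
// successful merge-key prototype pollution would: a mapping whose prototype
// is attacker-chosen, so `result.isAdmin` reads true without an own key.
const fakeYaml4Polluted = {
  load() {
    const r = { title: 'hello' };
    Object.setPrototypeOf(r, { isAdmin: true });
    return r;
  },
  dump() { return ''; },
};

function demo() {
  const clean = yamlCompat(fakeYaml3).parse('title: hello');
  let rejected = false;
  try {
    yamlCompat(fakeYaml4Polluted).parse('<<: ...');
  } catch (e) {
    rejected = true;
  }
  return { cleanTitle: clean.title, cleanIsAdmin: clean.isAdmin, rejected };
}
```

In a gray-matter setup this wrapper would replace the direct `yaml.safeLoad`/`yaml.safeDump` calls in an engine override, and `sanitize` is worth running on front matter regardless of js-yaml version whenever the markdown comes from untrusted authors.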
