
fix(deps): remove unused depcheck to unblock js-yaml security update#1020

Merged: phil-davis merged 1 commit into master from fix/remove-unused-depcheck-jsyaml on Jun 16, 2026

Conversation

@DeepDiver1975 (Member)

Problem

The Dependabot security update job for js-yaml fails with security_update_not_possible:

security_update_not_possible: js-yaml
  latest-resolvable-version: 3.14.2
  lowest-non-vulnerable-version: 4.2.0
  conflicting-dependency: depcheck@1.4.7 requires js-yaml@^3.14.1

The js-yaml advisory (prototype pollution in the merge << operator) is only fixed in 4.2.0. We already depend on js-yaml@^4.2.0 directly, but depcheck drags a second, transitive, vulnerable js-yaml 3.x into the tree:

  • depcheck@1.4.7 is its latest release and hard-pins js-yaml@^3.14.1.
  • It still calls jsYaml.safeLoad(...), an API removed in js-yaml 4, so it cannot be moved to 4.x.
  • Dependabot's only "fix" would be downgrading depcheck to 0.4.7, which it refuses.

Why removing it is safe

depcheck appears only in package.json — it is never require()d anywhere in gulpfile.js or tasks/, and no npm script (lint, preview, bundle) invokes it. It's a CLI auditing tool meant to be run on demand (npx depcheck), not a runtime/build dependency.

Change

  • Remove depcheck from dependencies.
  • Regenerate package-lock.json (prunes the whole depcheck subtree).

After the change the only js-yaml in the lockfile is the direct devDependency at 4.2.0 — no 3.x remains. No functional change to the build.

If depcheck's auditing is wanted in future, run it ad-hoc with npx depcheck.

🤖 Generated with Claude Code

depcheck is declared as a dependency but is never imported in the
codebase and is not invoked by any npm script. It is a CLI auditing
tool meant to be run on demand (e.g. `npx depcheck`), not a runtime
dependency.

Its only effect here is harmful: depcheck@1.4.7 (its latest release)
hard-pins js-yaml@^3.14.1 and still calls the removed safeLoad API, so
it cannot move to js-yaml 4.x. This drags a vulnerable transitive
js-yaml 3.x into the tree and makes the js-yaml prototype-pollution
security advisory (only fixed in 4.2.0) unresolvable for Dependabot:

  security_update_not_possible: depcheck@1.4.7 requires js-yaml@^3.14.1

Removing depcheck prunes that subtree; the only remaining js-yaml is
the direct devDependency at 4.2.0. No functional change.

Signed-off-by: Thomas Müller <1005065+DeepDiver1975@users.noreply.github.com>
@phil-davis phil-davis merged commit d63a83c into master Jun 16, 2026
2 checks passed
@phil-davis phil-davis deleted the fix/remove-unused-depcheck-jsyaml branch June 16, 2026 12:45