
fix(release): fix js-yaml 4 override breaking the changesets release #503

Merged
s123104 merged 1 commit into main from fix/release-read-yaml-file-jsyaml4-2026-06
Jun 28, 2026

Conversation

s123104 (Contributor) commented Jun 28, 2026

Problem

After merging #502, the Release workflow fails: the version cannot be bumped and the release PR cannot be created:

🦋 error: Function yaml.safeLoad is removed in js-yaml 4. Use yaml.load instead.
   at read-yaml-file@1.1.0 ... during `pnpm changeset:version`

Root cause

The override js-yaml@<=4.1.1 → 4.2.0 from security-fix PR #501 forces js-yaml up to 4.x (which removed safeLoad).
But the transitive dependency chain of changesets, @changesets/cli → @manypkg/get-packages@1.1.3 → read-yaml-file@1.1.0, still calls the removed yaml.safeLoad, so changeset version crashes and every release is blocked.

Fix (KISS; keeps the secure js-yaml version)

Add a pnpm override that lifts the outdated read-yaml-file to v2, which is js-yaml 4 compatible:

"read-yaml-file@<2": "^2.1.0"

read-yaml-file@2.1.0 uses yaml.load instead; its API is compatible with @manypkg/get-packages, and js-yaml stays at 4.2.0 untouched.

Verification

  • pnpm changeset status prints @app/ratewise patch as expected (the original safeLoad error is gone)
  • pnpm changeset:version succeeds end to end (bump 2.25.9→2.25.10, CHANGELOG, release metadata, markdown mirrors and live rates restore all complete, exit 0; reverted locally, not included in this PR)
  • the resolved read-yaml-file version goes from 1.1.0 → 2.1.0

🤖 Generated with Claude Code

- The js-yaml@4.2.0 override removes safeLoad, so changesets' read-yaml-file@1.1.0 crashes during changeset version
- Add override read-yaml-file@<2 → ^2.1.0 (js-yaml 4 compatible), keeping the secure js-yaml version
- Unblocks the Release workflow, which could not create the release PR or bump the version

Test: pnpm changeset status prints @app/ratewise patch as expected (the original safeLoad error is gone)

Generated with [Claude Code](https://claude.ai/code)
via [Happy](https://happy.engineering)

Co-Authored-By: Claude <noreply@anthropic.com>
Co-Authored-By: Happy <yesreply@happy.engineering>
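The situation described in this PR, a security override on js-yaml that silently breaks a transitive consumer still using the removed API, is easy to reintroduce the next time the lockfile is regenerated. The following is an added example, not code from the PR or the repository: a small regression check that scans a pnpm-lock.yaml and reports any resolved js-yaml older than 4.2.0 (the PR #501 override not applied) or any resolved read-yaml-file 1.x (which still calls yaml.safeLoad). The `OVERRIDES` object, the lockfile excerpts and the `checkLock` / `resolvedVersions` helpers are assumptions constructed for this example; the integrity hashes are placeholders.

```javascript
// Added example, not code from the PR or the repository: a regression check
// for the failure mode described above. It scans a pnpm-lock.yaml text and
// reports (a) resolved js-yaml older than 4.2.0 (security override from PR #501
// not applied) and (b) resolved read-yaml-file 1.x (still calls the removed
// yaml.safeLoad). Lockfile excerpts are constructed; hashes are placeholders.

// The two overrides as they would sit under "pnpm.overrides" in package.json.
// Selectors and targets are the ones named in the PR; the object is assumed.
const OVERRIDES = {
  "js-yaml@<=4.1.1": "4.2.0",    // security fix from PR #501
  "read-yaml-file@<2": "^2.1.0", // this PR: js-yaml 4 compatible read-yaml-file
};

// Constructed excerpt of a pnpm-lock.yaml (lockfileVersion 9 layout) after the fix.
const SAMPLE_LOCK_FIXED = `lockfileVersion: '9.0'

overrides:
  js-yaml@<=4.1.1: 4.2.0
  read-yaml-file@<2: ^2.1.0

packages:

  '@manypkg/get-packages@1.1.3':
    resolution: {integrity: sha512-PLACEHOLDER}

  js-yaml@4.2.0:
    resolution: {integrity: sha512-PLACEHOLDER}

  read-yaml-file@2.1.0:
    resolution: {integrity: sha512-PLACEHOLDER}
`;

// Constructed excerpt of the broken state from the PR description: js-yaml
// already forced to 4.2.0, read-yaml-file still resolved at 1.1.0.
const SAMPLE_LOCK_BROKEN = `lockfileVersion: '9.0'

overrides:
  js-yaml@<=4.1.1: 4.2.0

packages:

  js-yaml@4.2.0:
    resolution: {integrity: sha512-PLACEHOLDER}

  read-yaml-file@1.1.0:
    resolution: {integrity: sha512-PLACEHOLDER}
`;

// "a.b.c" -> [a, b, c] as numbers; prerelease/build suffixes are ignored.
function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`not a semver: ${v}`);
  return m.slice(1, 4).map(Number);
}

function compareSemver(a, b) {
  const x = parseSemver(a), y = parseSemver(b);
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] - y[i];
  return 0;
}

// Every concrete version of `name` that the lockfile resolves. Package keys
// look like `name@1.2.3:` or `'@scope/name@1.2.3':`, possibly with a peer
// suffix such as `name@1.2.3(peer@2.0.0):`. Override selectors such as
// `name@<2:` do not match because the captured version must start with digits.
function resolvedVersions(lockText, name) {
  const escaped = name.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
  const re = new RegExp(`^\\s+'?/?${escaped}@(\\d+\\.\\d+\\.\\d+[^:'(\\s]*)`, "gm");
  const found = new Set();
  let m;
  while ((m = re.exec(lockText)) !== null) found.add(m[1]);
  return [...found].sort(compareSemver);
}

// Returns a report instead of throwing, so a CI wrapper decides how to fail.
function checkLock(lockText) {
  const jsYaml = resolvedVersions(lockText, "js-yaml");
  const readYamlFile = resolvedVersions(lockText, "read-yaml-file");
  const problems = [];
  for (const v of jsYaml) {
    if (compareSemver(v, "4.2.0") < 0) {
      problems.push(`js-yaml ${v} is below 4.2.0: security override not applied`);
    }
  }
  for (const v of readYamlFile) {
    if (parseSemver(v)[0] < 2) {
      problems.push(`read-yaml-file ${v} still calls yaml.safeLoad, removed in js-yaml 4`);
    }
  }
  return { jsYaml, readYamlFile, problems };
}

// Stand-alone run over both constructed lockfiles.
for (const [label, lock] of [["fixed", SAMPLE_LOCK_FIXED], ["broken", SAMPLE_LOCK_BROKEN]]) {
  const r = checkLock(lock);
  console.log(label, r.problems.length === 0 ? "OK" : r.problems.join("; "));
}
```

To use it against a real repository, read pnpm-lock.yaml from disk and pass its text to `checkLock`; the check deliberately only matches concrete `name@x.y.z` package keys, so the override selectors at the top of the lockfile never count as resolved versions.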
chatgpt-codex-connector commented

You have reached your Codex usage limits for code reviews. You can see your limits in the Codex usage dashboard.
To continue using code reviews, you can upgrade your account or add credits to your account and enable them for code reviews in your settings.

github-actions (Contributor) commented

⚠️ Deprecation Warning: The deny-licenses option is deprecated for possible removal in the next major release. For more information, see issue 997.

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

OpenSSF Scorecard

| Package | Version | Score |
|---|---|---|
| npm/read-yaml-file | 2.1.0 | 🟢 3.3 |

Details for npm/read-yaml-file 2.1.0:

| Check | Score | Reason |
|---|---|---|
| Code-Review | ⚠️ 0 | Found 0/30 approved changesets -- score normalized to 0 |
| Dangerous-Workflow | 🟢 10 | no dangerous workflow patterns detected |
| Packaging | ⚠️ -1 | packaging workflow not detected |
| Token-Permissions | ⚠️ 0 | detected GitHub workflow tokens with excessive permissions |
| Maintained | ⚠️ 1 | 2 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 1 |
| Pinned-Dependencies | 🟢 6 | dependency not pinned by hash detected -- score normalized to 6 |
| Binary-Artifacts | 🟢 10 | no binaries found in the repo |
| CII-Best-Practices | ⚠️ 0 | no effort to earn an OpenSSF best practices badge detected |
| Security-Policy | ⚠️ 0 | security policy file not detected |
| Fuzzing | ⚠️ 0 | project is not fuzzed |
| License | 🟢 10 | license file detected |
| Signed-Releases | ⚠️ -1 | no releases found |
| Branch-Protection | ⚠️ 0 | branch protection not enabled on development/release branches |
| SAST | ⚠️ 0 | SAST tool is not run on all commits -- score normalized to 0 |

| Package | Version | Score |
|---|---|---|
| npm/strip-bom | 4.0.0 | 🟢 3.6 |

Details for npm/strip-bom 4.0.0:

| Check | Score | Reason |
|---|---|---|
| Packaging | ⚠️ -1 | packaging workflow not detected |
| Code-Review | ⚠️ 1 | Found 3/30 approved changesets -- score normalized to 1 |
| Maintained | ⚠️ 0 | 0 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 0 |
| Binary-Artifacts | 🟢 10 | no binaries found in the repo |
| Dangerous-Workflow | 🟢 10 | no dangerous workflow patterns detected |
| Token-Permissions | ⚠️ 0 | detected GitHub workflow tokens with excessive permissions |
| Security-Policy | 🟢 10 | security policy file detected |
| Pinned-Dependencies | ⚠️ 0 | dependency not pinned by hash detected -- score normalized to 0 |
| CII-Best-Practices | ⚠️ 0 | no effort to earn an OpenSSF best practices badge detected |
| Fuzzing | ⚠️ 0 | project is not fuzzed |
| License | 🟢 10 | license file detected |
| Signed-Releases | ⚠️ -1 | no releases found |
| Branch-Protection | ⚠️ 0 | branch protection not enabled on development/release branches |
| SAST | ⚠️ 0 | SAST tool is not run on all commits -- score normalized to 0 |

Scanned Files

  • pnpm-lock.yaml

s123104 merged commit 34311f0 into main Jun 28, 2026
16 checks passed
s123104 deleted the fix/release-read-yaml-file-jsyaml4-2026-06 branch June 28, 2026 04:24