Security: xmlbuilder2 uses vulnerable js-yaml@3.14.1 #6244

@MAlkabbani

Description

Which project does this relate to?

Start

Describe the bug

Summary

@tanstack/react-start uses xmlbuilder2 which depends on js-yaml@3.14.1 (MODERATE severity: GHSA-mh29-5h37-fv8m).

Request: Please update xmlbuilder2 to a version that uses js-yaml@3.14.2 or later to resolve this vulnerability.

Dependency path: @tanstack/react-start -> @tanstack/start-plugin-core -> xmlbuilder2 -> js-yaml@3.14.1
Advisory: GHSA-mh29-5h37-fv8m

DentiBee Security Audit Team.

Your Example Website or App

GHSA-mh29-5h37-fv8m

Steps to Reproduce the Bug or Issue

  1. Run pnpm audit in a project using @tanstack/react-start.
  2. Observe js-yaml@3.14.1 vulnerability reported via xmlbuilder2.

Expected behavior

Update xmlbuilder2 to a version that uses js-yaml@3.14.2 or later to resolve the vulnerability.

Screenshots or Videos

No response

Platform

  • Router / Start Version: [e.g. 1.121.0]
  • OS: [e.g. macOS, Windows, Linux]
  • Browser: [e.g. Chrome, Safari, Firefox]
  • Browser Version: [e.g. 91.1]
  • Bundler: [e.g. vite]
  • Bundler Version: [e.g. 7.0.0]

Security Audit / Transitive Dependency

Additional context

No response
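The report above relies on `pnpm audit` to surface a transitive dependency. The following script, added here as an example and not part of the issue or of the TanStack project, shows how the same check can be done independently of the audit tooling: walk a resolved dependency tree, collect every path that ends at a target package, and flag the paths whose version is below the patched version. The tree shape is a constructed simplification (each node has `name`, `version`, `dependencies`), not the real output format of `pnpm list --json`, and every version string except js-yaml 3.14.1 (vulnerable) and 3.14.2 (fixed) is a placeholder.

```python
"""Find transitive dependency paths that reach a package below its patched version."""
from typing import Dict, List, Tuple

Node = Dict  # {"name": str, "version": str, "dependencies": [Node, ...]}

# Constructed sample tree. Versions marked "0.0.0-placeholder" are not real
# releases; only the js-yaml versions mirror the advisory (3.14.1 bad, 3.14.2 fixed).
SAMPLE_TREE: Node = {
    "name": "@tanstack/react-start",
    "version": "0.0.0-placeholder",
    "dependencies": [
        {
            "name": "@tanstack/start-plugin-core",
            "version": "0.0.0-placeholder",
            "dependencies": [
                {
                    "name": "xmlbuilder2",
                    "version": "0.0.0-placeholder",
                    "dependencies": [
                        {"name": "js-yaml", "version": "3.14.1", "dependencies": []},
                    ],
                },
            ],
        },
        {
            # A second, already-patched copy of js-yaml reached via another package:
            # it must NOT be reported.
            "name": "unrelated-tool",
            "version": "0.0.0-placeholder",
            "dependencies": [
                {"name": "js-yaml", "version": "4.1.0", "dependencies": []},
            ],
        },
    ],
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '3.14.2-beta.1' into (3, 14, 2); pre-release tags are dropped."""
    core = version.split("-", 1)[0].split("+", 1)[0]
    return tuple(int(part) for part in core.split("."))


def is_vulnerable(version: str, fixed_in: str) -> bool:
    """True when the installed version is strictly below the first fixed version."""
    return parse_version(version) < parse_version(fixed_in)


def find_paths(node: Node, target: str, prefix: List[str] = None) -> List[List[str]]:
    """Depth-first walk returning every root-to-target path as 'name@version' lists."""
    prefix = (prefix or []) + [f"{node['name']}@{node['version']}"]
    paths = [prefix] if node["name"] == target else []
    for child in node.get("dependencies", []):
        paths.extend(find_paths(child, target, prefix))
    return paths


def audit(tree: Node, target: str, fixed_in: str) -> List[str]:
    """Return ' -> ' joined paths whose terminal package is below fixed_in."""
    findings = []
    for path in find_paths(tree, target):
        leaf_version = path[-1].rsplit("@", 1)[1]
        if is_vulnerable(leaf_version, fixed_in):
            findings.append(" -> ".join(path))
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_TREE, "js-yaml", "3.14.2"):
        print("vulnerable path:", line)
```

Two details matter for a check like this: the walk must report every path, because a patched copy of js-yaml elsewhere in the tree does not fix the copy pulled in by xmlbuilder2, and the version comparison must be numeric rather than lexical (string comparison would rank `3.9.0` above `3.14.2`).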
