chore(deps): bump js-yaml to 4.2.0 and nodemailer to 8.0.9

[waleedlatif1]

Summary

• Bump js-yaml 4.1.1 → 4.2.0 in apps/sim
• Bump nodemailer 8.0.7 → 8.0.9 in apps/sim
• Regenerated bun.lock; both resolve cleanly at the top level (unrelated transitive pins of js-yaml/nodemailer in other packages are untouched)

Backwards compatibility

• nodemailer 8.0.9 — patch-level security/bug fixes only (strict TLS for OAuth2/Ethereal, SMTP stream-leak fixes, jsonTransport access-bypass + List-* CRLF-injection advisories). No API changes. Our usage is the standard createTransport/sendMail surface (SMTP, SES, SMTP send route).
• js-yaml 4.2.0 — load() API unchanged. Two edge-case behavioral changes, both safety hardening: new default maxDepth (100) / maxMergeSeqLength (20) loader limits, and underscored numbers (1_000) now parse as strings. Both load() callsites (yaml-parser.ts, json-yaml-chunker.ts) wrap parsing in try/catch and surface errors gracefully.
• @types/js-yaml and @types/nodemailer unchanged; typecheck clean on all affected files.

Type of Change

• Chore / dependency bump

Testing

• bun install resolves cleanly
• tsc --noEmit shows no errors in affected files

Checklist

• Code follows project style guidelines
• Self-reviewed my changes
• Tests added/updated and passing
• No new warnings introduced
• I confirm that I have read and agree to the terms outlined in the Contributor License Agreement (CLA)

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
docs	Ready	Preview, Comment	Jun 15, 2026 8:10pm

[cursor]

PR Summary

Low Risk
Dependency-only bump with patch/minor security hardening; email and YAML call sites are unchanged, though js-yaml’s new parsing limits could affect edge-case YAML inputs.

Overview
Bumps direct dependencies in apps/sim: js-yaml 4.1.1 → 4.2.0 and nodemailer 8.0.7 → 8.0.9, with bun.lock updated so the app resolves those versions at the top level.

There are no application code changes—only manifest and lockfile. js-yaml still backs YAML parsing in file/chunker paths; nodemailer still powers SMTP tooling and mail providers (SMTP/SES). Transitive packages may keep older pinned js-yaml entries in the lockfile.

nodemailer is a patch bump (security/bug fixes on the existing transport/sendMail API). js-yaml adds loader safety defaults (maxDepth, maxMergeSeqLength) and treats underscored numeric literals as strings—worth a quick sanity check on unusually deep or oddly formatted YAML inputs.

^{Reviewed by Cursor Bugbot for commit 64dedef. Configure here.}

[greptile-apps]

Greptile Summary

Routine dependency maintenance bumping js-yaml from 4.1.1 to 4.2.0 and nodemailer from 8.0.7 to 8.0.9 in apps/sim, with the lock file correctly pinning the old js-yaml@4.1.1 for the handful of transitive consumers that still require it.

• nodemailer 8.0.9 is a pure security/bug-fix patch (strict TLS, SMTP stream-leak, CRLF-injection fixes) with no API changes to the createTransport/sendMail surface used in this app.
• js-yaml 4.2.0 introduces two safety-hardening behavioral changes: a new default maxDepth: 100 / maxMergeSeqLength: 20 (guarded by existing try/catch at both callsites) and a silent type change where underscored numeric literals like 1_000 now parse as strings instead of numbers — the latter is not surfaced by error handling and could silently affect downstream consumers of parsed YAML data.

Confidence Score: 4/5

Safe to merge; changes are limited to two well-understood dependency bumps with no API surface changes.

The nodemailer bump is straightforward. The js-yaml bump introduces a silent type change for underscored numeric literals that is not caught by the existing error-handling, so any YAML files in user data that rely on that syntax would silently change behavior without a visible failure.

The two js-yaml callsites — apps/sim/lib/file-parsers/yaml-parser.ts and apps/sim/lib/chunkers/json-yaml-chunker.ts — are worth verifying against representative YAML fixtures to confirm no user data uses underscore-separated numbers.

Important Files Changed

Filename	Overview
apps/sim/package.json	Bumps js-yaml 4.1.1→4.2.0 and nodemailer 8.0.7→8.0.9; both are well-scoped upgrades with no API surface changes.
bun.lock	Lock file correctly promotes js-yaml and nodemailer at the top level while adding explicit js-yaml@4.1.1 overrides for the packages that still require the older version (@apidevtools/json-schema-ref-parser, fumadocs-core, fumadocs-mdx, fumadocs-openapi, json-schema-to-typescript).

Sequence Diagram

sequenceDiagram
    participant Caller
    participant yaml_parser as yaml-parser.ts
    participant chunker as json-yaml-chunker.ts
    participant jsyaml as js-yaml@4.2.0

    Caller->>yaml_parser: parseYAML(filePath)
    yaml_parser->>jsyaml: yaml.load(content)
    Note over jsyaml: New: maxDepth=100, maxMergeSeqLength=20<br/>New: underscored numbers → string (silent)
    jsyaml-->>yaml_parser: parsed object (or throws YAMLException)
    alt Parse succeeds
        yaml_parser-->>Caller: FileParseResult (JSON string)
    else Parse throws (depth/merge limits)
        yaml_parser-->>Caller: throws "Invalid YAML: ..."
    end

    Caller->>chunker: JsonYamlChunker.chunk(content)
    chunker->>jsyaml: yaml.load(content)
    jsyaml-->>chunker: parsed object (or throws)
    alt Parse succeeds
        chunker-->>Caller: Chunk[]
    else Parse throws
        chunker-->>Caller: falls back to chunkAsText()
    end

Loading

_{Reviews (1): Last reviewed commit: "chore(deps): bump js-yaml to 4.2.0 and n..." | Re-trigger Greptile}