fix(deps): replace gray-matter with yaml.load for js-yaml 4.x compatibility #26555
Merged
…ibility
gray-matter uses yaml.safeLoad() which was removed in js-yaml 4.x, causing 500 errors on app store pages after the js-yaml 4.1.1 update (CWE-1321 fix)
- Add parseFrontmatter function using yaml.load with JSON_SCHEMA
- Add type guard for safe type narrowing
- Add unit tests for frontmatter parsing and security
- Remove gray-matter dependency
2 issues found across 4 files
Prompt for AI agents (all issues)
Check if these issues are valid — if so, understand the root cause of each and fix them.
<file name="apps/web/lib/apps/[slug]/__tests__/parseFrontmatter.test.ts">
<violation number="1" location="apps/web/lib/apps/[slug]/__tests__/parseFrontmatter.test.ts:59">
P2: Test name suggests testing trailing spaces after delimiters, but the test data doesn't contain any trailing spaces. Consider adding actual trailing spaces (e.g., `--- `) to the test input to verify the functionality being claimed.</violation>
</file>
<file name="apps/web/lib/apps/[slug]/getStaticProps.ts">
<violation number="1" location="apps/web/lib/apps/[slug]/getStaticProps.ts:30">
P2: `yaml.load()` throws on malformed YAML but there's no error handling. Since the function already returns `{ data: {}, content: source }` when no frontmatter is found, consider wrapping the YAML parsing in a try-catch to gracefully handle malformed frontmatter and maintain the same resilience pattern.</violation>
</file>
Reply with feedback, questions, or to request a fix. Tag @cubic-dev-ai to re-run a review.
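The fallback behaviour requested in the review above, as an added example that is not the code merged in this PR. The names `FRONTMATTER_RE`, `isRecord`, `jsonStandInLoader` and the `warn` callback are assumptions, as is returning the untouched source when the frontmatter is malformed; the YAML loader is passed in so the block runs without js-yaml installed.

```typescript
// Added example: frontmatter split + strict loader + graceful fallback.
type Frontmatter = { data: Record<string, unknown>; content: string };
type YamlLoader = (yamlText: string) => unknown;

// Type guard: only a plain, non-array object is accepted as frontmatter data.
function isRecord(value: unknown): value is Record<string, unknown> {
  return typeof value === "object" && value !== null && !Array.isArray(value);
}

// Opening `---`, YAML body, closing `---`. Trailing spaces or tabs after a
// delimiter and CRLF line endings are tolerated.
const FRONTMATTER_RE = /^---[ \t]*\r?\n([\s\S]*?)\r?\n---[ \t]*(?:\r?\n|$)/;

function parseFrontmatter(
  source: string,
  loadYaml: YamlLoader,
  warn: (message: string) => void = () => {}
): Frontmatter {
  const fallback: Frontmatter = { data: {}, content: source };
  const match = FRONTMATTER_RE.exec(source);
  if (!match) return fallback; // no frontmatter at all
  try {
    const parsed = loadYaml(match[1] ?? "");
    if (isRecord(parsed)) {
      return { data: parsed, content: source.slice(match[0].length) };
    }
    warn("frontmatter is not a mapping; ignored");
  } catch (err) {
    // A loader such as yaml.load() throws on malformed input; never let that
    // propagate into page rendering.
    warn(`malformed frontmatter: ${err instanceof Error ? err.message : String(err)}`);
  }
  return fallback;
}

// Stand-in loader (assumption) so the block runs without js-yaml installed.
// With js-yaml 4.x the loader would be:
//   (text) => yaml.load(text, { schema: yaml.JSON_SCHEMA })
const jsonStandInLoader: YamlLoader = (text) => JSON.parse(text);

// Constructed sample documents.
const GOOD_DOC = '--- \n{"title": "Zoom", "items": ["1.png"]}\n---\n# Body\n';
const BAD_DOC = '---\n{"title": \n---\n# Body\n';
```

`GOOD_DOC` carries a trailing space after its opening delimiter, the case the first review finding asks the test suite to cover.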
- Wrap yaml.load in try-catch to prevent 500 errors
- Log warnings using structured logger for debugging
- Rename misleading test name
joeauyeung approved these changes Jan 7, 2026
keithwillcode approved these changes Jan 7, 2026
emrysal pushed a commit that referenced this pull request Jan 8, 2026
Anshumancanrock pushed a commit to Anshumancanrock/cal.com that referenced this pull request Jan 12, 2026
What does this PR do?
Replaces `gray-matter` with a direct `yaml.load()` implementation to fix production 500 errors on app store pages caused by js-yaml 4.x incompatibility.
Changes
- `getStaticProps.ts`: `parseFrontmatter()` function using js-yaml directly
- `getStaticProps.ts`: `JSON_SCHEMA` for additional security (blocks unsafe YAML types)
- `parseFrontmatter.test.ts`
- `package.json`: `gray-matter` dependency
Background
PR #26390 updated `js-yaml` from 3.x to 4.1.1 to fix CWE-1321 (prototype pollution). However, `gray-matter@4.0.3` internally uses `yaml.safeLoad()` which was removed in js-yaml 4.x, causing 500 errors on all `/apps/*` pages.
This PR replaces the abandoned `gray-matter` package (last updated 2019) with a simple function that:
- `yaml.load()` which is safe by default in js-yaml 4.x
- `JSON_SCHEMA` to block unsafe YAML types
Visual Demo
Before:

After:

How to test
- `yarn test apps/web/lib/apps/[slug]/__tests__/parseFrontmatter.test.ts`
- `yarn dev`
- `/apps/google-calendar` → page should load with images
- `/apps/zoom` → page should load correctly
Mandatory Tasks