
[Security] Transitive js-yaml vulnerability (GHSA-h67p-54hq-rp68) via babel-jest → @jest/transform → babel-plugin-istanbul → @istanbuljs/load-nyc-config #16243

@nandeshwarshubh

Description

Version

30.4.2

Steps to reproduce

  1. Install jest@30.4.2 in any project
    npm install jest@30.4.2
  2. Run npm audit
  3. Observe the following output:
    js-yaml <=4.1.1
    Severity: moderate
    JS-YAML: Quadratic-complexity DoS in merge key handling via repeated aliases - GHSA-h67p-54hq-rp68
    fix available via npm audit fix --force
    Will install jest@25.0.0, which is a breaking change
    node_modules/js-yaml
    @istanbuljs/load-nyc-config *
    Depends on vulnerable versions of js-yaml
    node_modules/@istanbuljs/load-nyc-config
    babel-plugin-istanbul >=6.0.0-beta.0
    Depends on vulnerable versions of @istanbuljs/load-nyc-config
    node_modules/babel-plugin-istanbul
    @jest/transform >=25.1.0
    Depends on vulnerable versions of babel-plugin-istanbul
    node_modules/@jest/transform
    @jest/core >=25.1.0
    Depends on vulnerable versions of @jest/reporters
    Depends on vulnerable versions of @jest/transform
    Depends on vulnerable versions of jest-config
    Depends on vulnerable versions of jest-resolve-dependencies
    Depends on vulnerable versions of jest-runner
    Depends on vulnerable versions of jest-runtime
    Depends on vulnerable versions of jest-snapshot
    node_modules/@jest/core
    jest >=25.1.0
    Depends on vulnerable versions of @jest/core
    Depends on vulnerable versions of jest-cli
    node_modules/jest
    jest-cli >=25.1.0
    Depends on vulnerable versions of @jest/core
    Depends on vulnerable versions of jest-config
    node_modules/jest-cli
    @jest/reporters >=25.1.0
    Depends on vulnerable versions of @jest/transform
    node_modules/@jest/reporters
    jest-runner >=25.1.0
    Depends on vulnerable versions of @jest/transform
    Depends on vulnerable versions of jest-runtime
    node_modules/jest-runner
    jest-config >=25.1.0
    Depends on vulnerable versions of babel-jest
    Depends on vulnerable versions of jest-circus
    Depends on vulnerable versions of jest-runner
    node_modules/jest-config
    jest-runtime >=25.1.0
    Depends on vulnerable versions of @jest/globals
    Depends on vulnerable versions of @jest/transform
    Depends on vulnerable versions of jest-snapshot
    node_modules/jest-runtime
    jest-circus >=25.2.4
    Depends on vulnerable versions of @jest/expect
    Depends on vulnerable versions of jest-runtime
    Depends on vulnerable versions of jest-snapshot
    node_modules/jest-circus
    jest-snapshot >=27.0.0-next.0
    Depends on vulnerable versions of @jest/transform
    node_modules/jest-snapshot
    @jest/expect *
    Depends on vulnerable versions of jest-snapshot
    node_modules/@jest/expect
    @jest/globals >=28.0.0-alpha.0
    Depends on vulnerable versions of @jest/expect
    node_modules/@jest/globals
    jest-resolve-dependencies >=27.0.0-next.0
    Depends on vulnerable versions of jest-snapshot
    node_modules/jest-resolve-dependencies
    babel-jest >=25.1.0
    Depends on vulnerable versions of @jest/transform
    Depends on vulnerable versions of babel-plugin-istanbul
    node_modules/babel-jest

17 moderate severity vulnerabilities

Expected behavior

Running npm audit on a project using jest@30.4.2 should report zero vulnerabilities from the jest dependency chain.

Actual behavior

Running npm audit reports a moderate severity vulnerability in js-yaml@3.14.2,
nested inside @istanbuljs/load-nyc-config, which is a transitive dependency of jest.

The only suggested fix is:
npm audit fix --force

Additional context

No response

Environment

System:
    OS: macOS 26.5
    CPU: (10) arm64 Apple M4
  Binaries:
    Node: 24.13.0 - /opt/homebrew/opt/node@24/bin/node
    Yarn: 1.22.19 - /usr/local/bin/yarn
    npm: 11.6.2 - /opt/homebrew/opt/node@24/bin/npm
    pnpm: 10.12.4 - /opt/homebrew/bin/pnpm
    bun: 0.5.7 - /Users/shubhamnandeshwar/.bun/bin/bun
  npmPackages:
    jest: 30.4.2 => 30.4.2
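npm audit prints the affected packages as a flat list, so the actual chain from jest down to the advisory has to be reconstructed by hand. The following is an added Python example (not from this issue or the Jest project) that walks the `via` links of `npm audit --json` output (npm 7+ format) and lists every path from a top-level package to the advisory, plus the shortest one; the audit document inside it is a constructed excerpt modelled on the output quoted above, not real output.

```python
from typing import Dict, List, Tuple

# Constructed excerpt of `npm audit --json` (npm 7+ shape), modelled on the
# audit output quoted in the issue; not real output. Each entry keeps only the
# "via" links the walk needs: a dict is an advisory, a string is another package.
AUDIT: Dict = {"vulnerabilities": {
    "js-yaml": {"severity": "moderate", "range": "<=4.1.1", "via": [{
        "name": "js-yaml", "severity": "moderate", "range": "<=4.1.1",
        "title": "JS-YAML: Quadratic-complexity DoS in merge key handling via repeated aliases",
        "url": "https://github.com/advisories/GHSA-h67p-54hq-rp68"}]},
    "@istanbuljs/load-nyc-config": {"severity": "moderate", "via": ["js-yaml"]},
    "babel-plugin-istanbul": {"severity": "moderate", "via": ["@istanbuljs/load-nyc-config"]},
    "@jest/transform": {"severity": "moderate", "via": ["babel-plugin-istanbul"]},
    "babel-jest": {"severity": "moderate", "via": ["@jest/transform", "babel-plugin-istanbul"]},
    "jest-config": {"severity": "moderate", "via": ["babel-jest"]},
    "@jest/core": {"severity": "moderate", "via": ["@jest/transform", "jest-config"]},
    "jest-cli": {"severity": "moderate", "via": ["@jest/core", "jest-config"]},
    "jest": {"severity": "moderate", "via": ["@jest/core", "jest-cli"]},
}}


def advisory_paths(audit: Dict, root: str) -> List[Tuple[str, List[str]]]:
    """Every acyclic path from `root` down to an advisory, as
    (GHSA id, [root, ..., vulnerable package]) pairs."""
    vulns = audit["vulnerabilities"]
    found: List[Tuple[str, List[str]]] = []

    def walk(pkg: str, path: List[str]) -> None:
        for via in vulns.get(pkg, {}).get("via", []):
            if isinstance(via, dict):            # leaf: the advisory itself
                found.append((via["url"].rsplit("/", 1)[-1], path))
            elif via not in path:                # string: the next package down
                walk(via, path + [via])

    walk(root, [root])
    return found


def shortest_path(audit: Dict, root: str, ghsa: str) -> List[str]:
    """Shortest chain from `root` to the package carrying advisory `ghsa`."""
    paths = [p for g, p in advisory_paths(audit, root) if g == ghsa]
    return min(paths, key=len) if paths else []


if __name__ == "__main__":
    for ghsa, path in advisory_paths(AUDIT, "jest"):
        print(ghsa, " -> ".join(path))
    print("shortest:", " -> ".join(shortest_path(AUDIT, "jest", "GHSA-h67p-54hq-rp68")))
```

Against real output, load the JSON with `json.load` and pass it in place of the constructed `AUDIT`; the shortest path is the one to raise with the maintainer of the package where the chain can actually be cut.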
