fix(core): use zkochan/js-yaml directly to avoid false audit errors (#25999)

Some of the audit tools have been falsely flagging the alias to
`@zkochan/js-yaml` as `[email protected]` (which has security holes) so we
decided to use the package explicitly.

## Current Behavior
<!-- This is the behavior we have today -->

## Expected Behavior
<!-- This is the behavior we should expect with the changes in this PR
-->

## Related Issue(s)
<!-- Please link the issue being fixed so it gets closed when this is
merged. -->

Fixes #

Author: meeroslav

e2e/utils/create-project-utils.ts

@@ -18,7 +18,7 @@ import {
 import * as isCI from 'is-ci';
 
 import { angularCliVersion as defaultAngularCliVersion } from '@nx/workspace/src/utils/versions';
-import { dump } from 'js-yaml';
+import { dump } from '@zkochan/js-yaml';
 import { execSync, ExecSyncOptions } from 'child_process';
 
 import { performance, PerformanceMeasure } from 'perf_hooks';

nx-dev/ui-markdoc/src/index.ts

@@ -6,7 +6,7 @@ import {
   Tokenizer,
   transform,
 } from '@markdoc/markdoc';
-import { load as yamlLoad } from 'js-yaml';
+import { load as yamlLoad } from '@zkochan/js-yaml';
 import React, { ReactNode } from 'react';
 import { Heading } from './lib/nodes/heading.component';
 import { heading } from './lib/nodes/heading.schema';

package.json

@@ -136,6 +136,7 @@
     "@xstate/immer": "0.3.1",
     "@xstate/inspect": "0.7.0",
     "@xstate/react": "3.0.1",
+    "@zkochan/js-yaml": "0.0.7",
     "ai": "^2.2.10",
     "ajv": "^8.12.0",
     "autoprefixer": "10.4.13",
@@ -206,7 +207,6 @@
     "jest-runtime": "^29.4.1",
     "jest-util": "^29.4.1",
     "js-tokens": "^4.0.0",
-    "js-yaml": "npm:@zkochan/[email protected]",
     "jsonc-eslint-parser": "^2.1.0",
     "jsonc-parser": "3.2.0",
     "kill-port": "^1.6.1",

packages/eslint/.eslintrc.json

@@ -39,8 +39,7 @@
               "typescript",
               "eslint",
               "@angular-devkit/core",
-              "@typescript-eslint/eslint-plugin",
-              "js-yaml" // The rule is failing with alias dependencies see
+              "@typescript-eslint/eslint-plugin"
             ]
           }
         ]

packages/eslint/package.json

@@ -31,7 +31,7 @@
   "generators": "./generators.json",
   "executors": "./executors.json",
   "peerDependencies": {
-    "js-yaml": "npm:@zkochan/js-yaml@0.0.7"
+    "@zkochan/js-yaml": "0.0.7"
   },
   "dependencies": {
     "@nx/devkit": "file:../devkit",
@@ -42,7 +42,7 @@
     "typescript": "~5.4.2"
   },
   "peerDependenciesMeta": {
-    "js-yaml": {
+    "@zkochan/js-yaml": {
       "optional": true
     }
   },

packages/eslint/src/generators/convert-to-flat-config/generator.spec.ts

@@ -15,7 +15,7 @@ import { ConvertToFlatConfigGeneratorSchema } from './schema';
 import { lintProjectGenerator } from '../lint-project/lint-project';
 import { Linter } from '../utils/linter';
 import { eslintrcVersion } from '../../utils/versions';
-import { dump } from 'js-yaml';
+import { dump } from '@zkochan/js-yaml';
 
 describe('convert-to-flat-config generator', () => {
   let tree: Tree;

packages/eslint/src/generators/convert-to-flat-config/generator.ts

@@ -16,7 +16,6 @@ import { join } from 'path';
 import { eslintrcVersion, eslintVersion } from '../../utils/versions';
 import { ESLint } from 'eslint';
 import { convertEslintJsonToFlatConfig } from './converters/json-converter';
-import { load } from 'js-yaml';
 
 export async function convertToFlatConfigGenerator(
   tree: Tree,
@@ -182,6 +181,7 @@ function convertConfigToFlatConfig(
   }
   if (source.endsWith('.yaml') || source.endsWith('.yml')) {
     const originalContent = tree.read(`${root}/${source}`, 'utf-8');
+    const { load } = require('@zkochan/js-yaml');
     const config = load(originalContent, {
       json: true,
       filename: source,

packages/nx/.eslintrc.json

@@ -100,8 +100,7 @@
               "events", // This is coming from @storybook/builder-manager since it uses the browser polyfill
               "process", // This is coming from @storybook/builder-manager since it uses the browser polyfill
               "prettier", // This is coming from @storybook/builder-manager since it uses the browser polyfill
-              "util", // This is coming from @storybook/builder-manager since it uses the browser polyfill
-              "js-yaml" // The rule is failing with alias dependencies
+              "util" // This is coming from @storybook/builder-manager since it uses the browser polyfill
             ]
           }
         ]

packages/nx/package.json

@@ -39,6 +39,7 @@
   "dependencies": {
     "@yarnpkg/lockfile": "^1.1.0",
     "@yarnpkg/parsers": "3.0.0-rc.46",
+    "@zkochan/js-yaml": "0.0.7",
     "axios": "^1.6.0",
     "chalk": "^4.1.0",
     "cli-cursor": "3.1.0",
@@ -52,7 +53,6 @@
     "fs-extra": "^11.1.0",
     "ignore": "^5.0.4",
     "jest-diff": "^29.4.1",
-    "js-yaml": "npm:@zkochan/[email protected]",
     "jsonc-parser": "3.2.0",
     "lines-and-columns": "~2.0.3",
     "minimatch": "9.0.3",

packages/nx/src/command-line/release/utils/github.ts

@@ -318,7 +318,7 @@ export async function resolveGithubToken(): Promise<string | null> {
   );
   if (existsSync(ghCLIPath)) {
     const yamlContents = await fsp.readFile(ghCLIPath, 'utf8');
-    const { load } = require('js-yaml');
+    const { load } = require('@zkochan/js-yaml');
     const ghCLIConfig = load(yamlContents);
     if (ghCLIConfig['github.com']) {
       // Web based session (the token is already embedded in the config)

packages/nx/src/plugins/js/lock-file/utils/pnpm-normalizer.ts

@@ -22,7 +22,7 @@ export function loadPnpmHoistedDepsDefinition() {
 
   if (existsSync(fullPath)) {
     const content = readFileSync(fullPath, 'utf-8');
-    const { load } = require('js-yaml');
+    const { load } = require('@zkochan/js-yaml');
     return load(content)?.hoistedDependencies ?? {};
   } else {
     throw new Error(`Could not find ".modules.yaml" at "${fullPath}"`);
@@ -38,7 +38,7 @@ export function loadPnpmHoistedDepsDefinition() {
  * https://github.com/pnpm/pnpm/blob/af3e5559d377870d4c3d303429b3ed1a4e64fedc/lockfile/lockfile-file/src/read.ts#L91
  */
 export function parseAndNormalizePnpmLockfile(content: string): Lockfile {
-  const { load } = require('js-yaml');
+  const { load } = require('@zkochan/js-yaml');
   const lockFileData = load(content);
   return revertFromInlineSpecifiersFormatIfNecessary(
     convertFromLockfileFileMutable(lockFileData)
@@ -87,7 +87,7 @@ export function stringifyToPnpmYaml(lockfile: Lockfile): string {
   const adaptedLockfile = isLockfileV6
     ? convertToInlineSpecifiersFormat(lockfile)
     : lockfile;
-  const { dump } = require('js-yaml');
+  const { dump } = require('@zkochan/js-yaml');
   return dump(
     sortLockfileKeys(
       normalizeLockfile(adaptedLockfile as Lockfile, isLockfileV6)

packages/nx/src/utils/fileutils.ts

@@ -71,7 +71,7 @@ export function readYamlFile<T extends object = any>(
   options?: YamlReadOptions
 ): T {
   const content = readFileSync(path, 'utf-8');
-  const { load } = require('js-yaml');
+  const { load } = require('@zkochan/js-yaml');
   return load(content, { ...options, filename: path }) as T;
 }