From ffdc78b3545fbd7c9d94a5e6d6b309c88f90da76 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Mon, 1 Dec 2025 02:18:44 +0000
Subject: [PATCH] Use safe yaml.JSON_SCHEMA to prevent code execution vulnerabilities
Co-authored-by: syuilo <4439005+syuilo@users.noreply.github.com>
---
 packages/backend/scripts/compile_config.js | 2 +-
 packages/i18n/build.ts | 2 +-
 packages/i18n/scripts/generateLocaleInterface.ts | 2 +-
 pnpm-lock.yaml | 13 ++++++-------
 4 files changed, 9 insertions(+), 10 deletions(-)
diff --git a/packages/backend/scripts/compile_config.js b/packages/backend/scripts/compile_config.js
index 0f79000883..61133b8d02 100644
--- a/packages/backend/scripts/compile_config.js
+++ b/packages/backend/scripts/compile_config.js
@@ -28,7 +28,7 @@ if (!fs.existsSync(configYmlPath)) {
 }
 const yamlContent = fs.readFileSync(configYmlPath, 'utf-8');
-const config = yaml.load(yamlContent);
+const config = yaml.load(yamlContent, { schema: yaml.JSON_SCHEMA });
 fs.writeFileSync(configJsonPath, JSON.stringify(config, null, '\t'), 'utf-8');
 console.log(`Compiled config: ${configYmlPath} -> ${configJsonPath}`);
diff --git a/packages/i18n/build.ts b/packages/i18n/build.ts
index fde46f0c18..abee886236 100644
--- a/packages/i18n/build.ts
+++ b/packages/i18n/build.ts
@@ -70,7 +70,7 @@ function compileLocales(): void {
 const files = fs.readdirSync(srcDir).filter(f => f.endsWith('.yml'));
 for (const file of files) {
 const yamlContent = clean(fs.readFileSync(resolve(srcDir, file), 'utf-8'));
- const jsonContent = yaml.load(yamlContent);
+ const jsonContent = yaml.load(yamlContent, { schema: yaml.JSON_SCHEMA });
 const jsonFile = file.replace(/\.yml$/, '.json');
 fs.writeFileSync(resolve(destDir, jsonFile), JSON.stringify(jsonContent), 'utf-8');
 }
diff --git a/packages/i18n/scripts/generateLocaleInterface.ts b/packages/i18n/scripts/generateLocaleInterface.ts
index 1c0f5c6a79..5144b794fd 100644
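Review bot: The new `yaml.load(yamlContent, { schema: yaml.JSON_SCHEMA })` line in compile_config.js carries no comment saying why the schema is narrowed, and the same applies to the identical edits in the build.ts hunk on this line and the generateLocaleInterface.ts hunk that follows. With the js-yaml 4.1.1 pinned in the lockfile, `load()` already resolves no `!!js/*` tags as far as I recall, so what this actually buys is that the default schema's extra types (`!!timestamp`, `!!binary`, `!!omap`, `!!pairs`, `!!set` and the `<<` merge key) are no longer resolved and the loaded value is JSON-representable before it reaches `JSON.stringify`; a config or locale file that relied on a merge key or an unquoted date will now parse differently. Record that intent next to the call, e.g. `// JSON_SCHEMA: resolve only JSON-representable types (no timestamps, binary or merge keys) so the result round-trips through JSON.stringify unchanged`. compileLocales in build.ts begins before its hunk and ends after it.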
--- a/packages/i18n/scripts/generateLocaleInterface.ts
+++ b/packages/i18n/scripts/generateLocaleInterface.ts
@@ -62,7 +62,7 @@ function createMembers(record: LocaleRecord): ts.TypeElement[] {
 }
 export async function generateLocaleInterface(localesDir: string): Promise {
- const locale = yaml.load(fs.readFileSync(`${localesDir}/ja-JP.yml`, 'utf-8').toString()) as LocaleRecord;
+ const locale = yaml.load(fs.readFileSync(`${localesDir}/ja-JP.yml`, 'utf-8').toString(), { schema: yaml.JSON_SCHEMA }) as LocaleRecord;
 const members = createMembers(locale);
 const elements: ts.Statement[] = [
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index f971d79363..8ebab6b02b 100644
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -267,9 +267,6 @@ importers:
 is-svg:
 specifier: 6.1.0
 version: 6.1.0
- js-yaml:
- specifier: 4.1.1
- version: 4.1.1
 json5:
 specifier: 2.2.3
 version: 2.2.3
@@ -580,6 +577,9 @@ importers:
 jest-util:
 specifier: 29.7.0
 version: 29.7.0
+ js-yaml:
+ specifier: 4.1.1
+ version: 4.1.1
 nodemon:
 specifier: 3.1.11
 version: 3.1.11
@@ -1331,10 +1331,6 @@ importers:
 version: 10.2.0(eslint@9.39.1)
 packages/i18n:
- dependencies:
- js-yaml:
- specifier: 4.1.1
- version: 4.1.1
 devDependencies:
 '@types/js-yaml':
 specifier: 4.0.9
@@ -1360,6 +1356,9 @@ importers:
 glob:
 specifier: 11.1.0
 version: 11.1.0
+ js-yaml:
+ specifier: 4.1.1
+ version: 4.1.1
 nodemon:
 specifier: 3.1.11
 version: 3.1.11
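Review bot: The `as LocaleRecord` on the new line still hands whatever `yaml.load` returned straight to `createMembers` with no runtime check; `load` is typed `unknown` by the @types/js-yaml 4.0.9 in the lockfile and yields `undefined` for an empty file or a scalar for a malformed one, and the narrower schema constrains tags, not shape. Replace the bare cast with a guard, e.g. `const loaded = yaml.load(text, { schema: yaml.JSON_SCHEMA });` (where `text` is the existing readFileSync result), then `if (typeof loaded !== 'object' || loaded === null || Array.isArray(loaded)) throw new Error('ja-JP.yml: expected a mapping at the top level');` and `const locale = loaded as LocaleRecord;`. The `.toString()` is redundant once `readFileSync` is given the `'utf-8'` encoding and can be dropped in the same edit. generateLocaleInterface begins in this hunk and continues past it.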