mediawiki/extensions/ReadingLists: main (log #2515015)

sourcepatches

This run took 63 seconds.

From 11280cf4aa93028154dd6d9a82343c1ffb0d1a8b Mon Sep 17 00:00:00 2001
From: libraryupgrader <tools.libraryupgrader@tools.wmflabs.org>
Date: Fri, 3 Jul 2026 21:40:56 +0000
Subject: [PATCH] build: Updating js-yaml to 3.15.0, 4.2.0

* https://github.com/advisories/GHSA-h67p-54hq-rp68

Change-Id: I040d196e114093f4913863c3fbf86c980a053f55
---
 package-lock.json | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index a1bb239..7d78160 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -2336,9 +2336,9 @@
 			}
 		},
 		"node_modules/@istanbuljs/load-nyc-config/node_modules/js-yaml": {
-			"version": "3.14.2",
-			"resolved": "https://registry.npmjs.org/js-yaml/-/js-yaml-3.14.2.tgz",
-			"integrity": "sha512-PMSmkqxr106Xa156c2M265Z+FTrPl+oxd/rgOQy2tijQeK5TxQ43psO1ZCwhVOSdnn+RzkzlRz/eY4BgJBYVpg==",
+			"version": "3.15.0",
+			"resolved": "https://registry.npmjs.org/js-yaml/-/js-yaml-3.15.0.tgz",
+			"integrity": "sha512-ttBQIIQPDeLjpPOohtUdXuXUVoA2uIB6fEH9HyJ7234s5mBJ5wTx20njxplLZQgLaOfpmPQA7X2t5AX6tIPbog==",
 			"dev": true,
 			"dependencies": {
 				"argparse": "^1.0.7",
-- 
2.47.3

$ date
--- stdout ---
Fri Jul  3 21:39:59 UTC 2026

--- end ---
$ git clone file:///srv/git/mediawiki-extensions-ReadingLists.git /src/repo --depth=1 -b master
--- stderr ---
Cloning into '/src/repo'...
--- stdout ---

--- end ---
$ git config user.name libraryupgrader
--- stdout ---

--- end ---
$ git config user.email tools.libraryupgrader@tools.wmflabs.org
--- stdout ---

--- end ---
$ git submodule update --init
--- stdout ---

--- end ---
$ grr init
--- stdout ---
Installed commit-msg hook.

--- end ---
$ git show-ref refs/heads/master
--- stdout ---
88fcdb2164a2c6cb30a9200ec51376e23548318c refs/heads/master

--- end ---
$ /usr/bin/npm audit --json
--- stdout ---
{
  "auditReportVersion": 2,
  "vulnerabilities": {
    "js-yaml": {
      "name": "js-yaml",
      "severity": "moderate",
      "isDirect": false,
      "via": [
        {
          "source": 1121859,
          "name": "js-yaml",
          "dependency": "js-yaml",
          "title": "JS-YAML: Quadratic-complexity DoS in merge key handling via repeated aliases",
          "url": "https://github.com/advisories/GHSA-h67p-54hq-rp68",
          "severity": "moderate",
          "cwe": [
            "CWE-407"
          ],
          "cvss": {
            "score": 5.3,
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
          },
          "range": "<3.15.0"
        }
      ],
      "effects": [],
      "range": "<3.15.0",
      "nodes": [
        "node_modules/@istanbuljs/load-nyc-config/node_modules/js-yaml"
      ],
      "fixAvailable": true
    }
  },
  "metadata": {
    "vulnerabilities": {
      "info": 0,
      "low": 0,
      "moderate": 1,
      "high": 0,
      "critical": 0,
      "total": 1
    },
    "dependencies": {
      "prod": 1,
      "dev": 830,
      "optional": 3,
      "peer": 29,
      "peerOptional": 0,
      "total": 830
    }
  }
}

--- end ---
$ /usr/bin/composer install
--- stderr ---
No composer.lock file present. Updating dependencies to latest instead of installing from lock file. See https://getcomposer.org/install for more information.
Loading composer repositories with package information
Updating dependencies
Lock file operations: 39 installs, 0 updates, 0 removals
  - Locking composer/pcre (3.4.0)
  - Locking composer/semver (3.4.4)
  - Locking composer/spdx-licenses (1.6.0)
  - Locking composer/xdebug-handler (3.0.5)
  - Locking danog/advanced-json-rpc (v3.2.3)
  - Locking dealerdirect/phpcodesniffer-composer-installer (v1.2.1)
  - Locking doctrine/deprecations (1.1.6)
  - Locking mediawiki/mediawiki-codesniffer (v51.0.0)
  - Locking mediawiki/mediawiki-phan-config (0.20.0)
  - Locking mediawiki/minus-x (2.0.1)
  - Locking mediawiki/phan-taint-check-plugin (9.1.0)
  - Locking netresearch/jsonmapper (v5.0.1)
  - Locking phan/phan (6.0.2)
  - Locking phan/tolerant-php-parser (v0.2.0)
  - Locking phan/var_representation_polyfill (0.1.4)
  - Locking php-parallel-lint/php-console-color (v1.0.1)
  - Locking php-parallel-lint/php-console-highlighter (v1.0.0)
  - Locking php-parallel-lint/php-parallel-lint (v1.4.0)
  - Locking phpcsstandards/phpcsextra (1.5.0)
  - Locking phpcsstandards/phpcsutils (1.2.2)
  - Locking phpdocumentor/reflection-common (2.2.0)
  - Locking phpdocumentor/reflection-docblock (6.0.3)
  - Locking phpdocumentor/type-resolver (2.0.0)
  - Locking phpstan/phpdoc-parser (2.3.2)
  - Locking pleonasm/bloom-filter (1.0.4)
  - Locking psr/container (2.0.2)
  - Locking psr/log (3.0.2)
  - Locking sabre/event (6.1.0)
  - Locking squizlabs/php_codesniffer (3.13.5)
  - Locking symfony/console (v8.1.1)
  - Locking symfony/deprecation-contracts (v3.7.1)
  - Locking symfony/polyfill-ctype (v1.37.0)
  - Locking symfony/polyfill-intl-grapheme (v1.38.1)
  - Locking symfony/polyfill-intl-normalizer (v1.38.0)
  - Locking symfony/polyfill-mbstring (v1.38.2)
  - Locking symfony/polyfill-php85 (v1.38.1)
  - Locking symfony/service-contracts (v3.7.1)
  - Locking symfony/string (v8.1.0)
  - Locking webmozart/assert (2.4.1)
Writing lock file
Installing dependencies from lock file (including require-dev)
Package operations: 39 installs, 0 updates, 0 removals
  - Downloading pleonasm/bloom-filter (1.0.4)
 0/1 [>---------------------------]   0%
 1/1 [============================] 100%
  - Installing squizlabs/php_codesniffer (3.13.5): Extracting archive
  - Installing dealerdirect/phpcodesniffer-composer-installer (v1.2.1): Extracting archive
  - Installing composer/pcre (3.4.0): Extracting archive
  - Installing phpcsstandards/phpcsutils (1.2.2): Extracting archive
  - Installing phpcsstandards/phpcsextra (1.5.0): Extracting archive
  - Installing symfony/polyfill-mbstring (v1.38.2): Extracting archive
  - Installing composer/spdx-licenses (1.6.0): Extracting archive
  - Installing composer/semver (3.4.4): Extracting archive
  - Installing mediawiki/mediawiki-codesniffer (v51.0.0): Extracting archive
  - Installing symfony/polyfill-intl-normalizer (v1.38.0): Extracting archive
  - Installing symfony/polyfill-intl-grapheme (v1.38.1): Extracting archive
  - Installing symfony/polyfill-ctype (v1.37.0): Extracting archive
  - Installing symfony/string (v8.1.0): Extracting archive
  - Installing symfony/deprecation-contracts (v3.7.1): Extracting archive
  - Installing psr/container (2.0.2): Extracting archive
  - Installing symfony/service-contracts (v3.7.1): Extracting archive
  - Installing symfony/polyfill-php85 (v1.38.1): Extracting archive
  - Installing symfony/console (v8.1.1): Extracting archive
  - Installing sabre/event (6.1.0): Extracting archive
  - Installing phan/var_representation_polyfill (0.1.4): Extracting archive
  - Installing phan/tolerant-php-parser (v0.2.0): Extracting archive
  - Installing netresearch/jsonmapper (v5.0.1): Extracting archive
  - Installing webmozart/assert (2.4.1): Extracting archive
  - Installing phpstan/phpdoc-parser (2.3.2): Extracting archive
  - Installing phpdocumentor/reflection-common (2.2.0): Extracting archive
  - Installing doctrine/deprecations (1.1.6): Extracting archive
  - Installing phpdocumentor/type-resolver (2.0.0): Extracting archive
  - Installing phpdocumentor/reflection-docblock (6.0.3): Extracting archive
  - Installing danog/advanced-json-rpc (v3.2.3): Extracting archive
  - Installing psr/log (3.0.2): Extracting archive
  - Installing composer/xdebug-handler (3.0.5): Extracting archive
  - Installing phan/phan (6.0.2): Extracting archive
  - Installing mediawiki/phan-taint-check-plugin (9.1.0): Extracting archive
  - Installing mediawiki/mediawiki-phan-config (0.20.0): Extracting archive
  - Installing mediawiki/minus-x (2.0.1): Extracting archive
  - Installing php-parallel-lint/php-console-color (v1.0.1): Extracting archive
  - Installing php-parallel-lint/php-console-highlighter (v1.0.0): Extracting archive
  - Installing php-parallel-lint/php-parallel-lint (v1.4.0): Extracting archive
  - Installing pleonasm/bloom-filter (1.0.4): Extracting archive
  0/37 [>---------------------------]   0%
 28/37 [=====================>------]  75%
 36/37 [===========================>]  97%
 37/37 [============================] 100%
1 package suggestions were added by new dependencies, use `composer suggest` to see details.
Generating autoload files
17 packages you are using are looking for funding.
Use the `composer fund` command to find out more!
--- stdout ---
PHP CodeSniffer Config installed_paths set to ../../mediawiki/mediawiki-codesniffer,../../phpcsstandards/phpcsextra,../../phpcsstandards/phpcsutils

--- end ---
$ /usr/bin/npm audit --json
--- stdout ---
{
  "auditReportVersion": 2,
  "vulnerabilities": {
    "js-yaml": {
      "name": "js-yaml",
      "severity": "moderate",
      "isDirect": false,
      "via": [
        {
          "source": 1121859,
          "name": "js-yaml",
          "dependency": "js-yaml",
          "title": "JS-YAML: Quadratic-complexity DoS in merge key handling via repeated aliases",
          "url": "https://github.com/advisories/GHSA-h67p-54hq-rp68",
          "severity": "moderate",
          "cwe": [
            "CWE-407"
          ],
          "cvss": {
            "score": 5.3,
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
          },
          "range": "<3.15.0"
        }
      ],
      "effects": [],
      "range": "<3.15.0",
      "nodes": [
        "node_modules/@istanbuljs/load-nyc-config/node_modules/js-yaml"
      ],
      "fixAvailable": true
    }
  },
  "metadata": {
    "vulnerabilities": {
      "info": 0,
      "low": 0,
      "moderate": 1,
      "high": 0,
      "critical": 0,
      "total": 1
    },
    "dependencies": {
      "prod": 1,
      "dev": 830,
      "optional": 3,
      "peer": 29,
      "peerOptional": 0,
      "total": 830
    }
  }
}

--- end ---
Attempting to npm audit fix
$ /usr/bin/npm audit fix --dry-run --only=dev --json
--- stderr ---
npm WARN invalid config only="dev" set in command line options
npm WARN invalid config Must be one of: null, prod, production
npm WARN EBADENGINE Unsupported engine {
npm WARN EBADENGINE   package: '@wikimedia/codex@2.6.0',
npm WARN EBADENGINE   required: { node: '>=20.20.2', npm: '>=10.8.2' },
npm WARN EBADENGINE   current: { node: 'v20.19.2', npm: '9.2.0' }
npm WARN EBADENGINE }
npm WARN EBADENGINE Unsupported engine {
npm WARN EBADENGINE   package: '@wikimedia/codex-icons@2.6.0',
npm WARN EBADENGINE   required: { node: '>=20.20.2', npm: '>=10.8.2' },
npm WARN EBADENGINE   current: { node: 'v20.19.2', npm: '9.2.0' }
npm WARN EBADENGINE }
--- stdout ---
{
  "added": 830,
  "removed": 0,
  "changed": 0,
  "audited": 831,
  "funding": 165,
  "audit": {
    "auditReportVersion": 2,
    "vulnerabilities": {
      "js-yaml": {
        "name": "js-yaml",
        "severity": "moderate",
        "isDirect": false,
        "via": [
          {
            "source": 1121859,
            "name": "js-yaml",
            "dependency": "js-yaml",
            "title": "JS-YAML: Quadratic-complexity DoS in merge key handling via repeated aliases",
            "url": "https://github.com/advisories/GHSA-h67p-54hq-rp68",
            "severity": "moderate",
            "cwe": [
              "CWE-407"
            ],
            "cvss": {
              "score": 5.3,
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
            },
            "range": "<3.15.0"
          }
        ],
        "effects": [],
        "range": "<3.15.0",
        "nodes": [
          ""
        ],
        "fixAvailable": true
      }
    },
    "metadata": {
      "vulnerabilities": {
        "info": 0,
        "low": 0,
        "moderate": 1,
        "high": 0,
        "critical": 0,
        "total": 1
      },
      "dependencies": {
        "prod": 1,
        "dev": 830,
        "optional": 3,
        "peer": 29,
        "peerOptional": 0,
        "total": 830
      }
    }
  }
}

--- end ---
{"added": 830, "removed": 0, "changed": 0, "audited": 831, "funding": 165, "audit": {"auditReportVersion": 2, "vulnerabilities": {"js-yaml": {"name": "js-yaml", "severity": "moderate", "isDirect": false, "via": [{"source": 1121859, "name": "js-yaml", "dependency": "js-yaml", "title": "JS-YAML: Quadratic-complexity DoS in merge key handling via repeated aliases", "url": "https://github.com/advisories/GHSA-h67p-54hq-rp68", "severity": "moderate", "cwe": ["CWE-407"], "cvss": {"score": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"}, "range": "<3.15.0"}], "effects": [], "range": "<3.15.0", "nodes": [""], "fixAvailable": true}}, "metadata": {"vulnerabilities": {"info": 0, "low": 0, "moderate": 1, "high": 0, "critical": 0, "total": 1}, "dependencies": {"prod": 1, "dev": 830, "optional": 3, "peer": 29, "peerOptional": 0, "total": 830}}}}
$ /usr/bin/npm audit fix --only=dev
--- stderr ---
npm WARN invalid config only="dev" set in command line options
npm WARN invalid config Must be one of: null, prod, production
npm WARN EBADENGINE Unsupported engine {
npm WARN EBADENGINE   package: '@wikimedia/codex@2.6.0',
npm WARN EBADENGINE   required: { node: '>=20.20.2', npm: '>=10.8.2' },
npm WARN EBADENGINE   current: { node: 'v20.19.2', npm: '9.2.0' }
npm WARN EBADENGINE }
npm WARN EBADENGINE Unsupported engine {
npm WARN EBADENGINE   package: '@wikimedia/codex-icons@2.6.0',
npm WARN EBADENGINE   required: { node: '>=20.20.2', npm: '>=10.8.2' },
npm WARN EBADENGINE   current: { node: 'v20.19.2', npm: '9.2.0' }
npm WARN EBADENGINE }
npm WARN deprecated inflight@1.0.6: This module is not supported, and leaks memory. Do not use it. Check out lru-cache if you want a good and tested way to coalesce async requests by a key value, which is much more comprehensive and powerful.
npm WARN deprecated @humanwhocodes/config-array@0.13.0: Use @eslint/config-array instead
npm WARN deprecated rimraf@3.0.2: Rimraf versions prior to v4 are no longer supported
npm WARN deprecated abab@2.0.6: Use your platform's native atob() and btoa() methods instead
npm WARN deprecated glob@7.2.3: Old versions of glob are not supported, and contain widely publicized security vulnerabilities, which have been fixed in the current version. Please update. Support for old versions may be purchased (at exorbitant rates) by contacting i@izs.me
npm WARN deprecated @humanwhocodes/object-schema@2.0.3: Use @eslint/object-schema instead
npm WARN deprecated domexception@4.0.0: Use your platform's native DOMException instead
npm WARN deprecated eslint@8.57.1: This version is no longer supported. Please see https://eslint.org/version-support for other options.
--- stdout ---

added 829 packages, and audited 830 packages in 9s

165 packages are looking for funding
  run `npm fund` for details

found 0 vulnerabilities

--- end ---
Verifying that tests still pass
$ /usr/bin/npm ci
--- stderr ---
npm WARN EBADENGINE Unsupported engine {
npm WARN EBADENGINE   package: '@wikimedia/codex@2.6.0',
npm WARN EBADENGINE   required: { node: '>=20.20.2', npm: '>=10.8.2' },
npm WARN EBADENGINE   current: { node: 'v20.19.2', npm: '9.2.0' }
npm WARN EBADENGINE }
npm WARN EBADENGINE Unsupported engine {
npm WARN EBADENGINE   package: '@wikimedia/codex-icons@2.6.0',
npm WARN EBADENGINE   required: { node: '>=20.20.2', npm: '>=10.8.2' },
npm WARN EBADENGINE   current: { node: 'v20.19.2', npm: '9.2.0' }
npm WARN EBADENGINE }
npm WARN deprecated inflight@1.0.6: This module is not supported, and leaks memory. Do not use it. Check out lru-cache if you want a good and tested way to coalesce async requests by a key value, which is much more comprehensive and powerful.
npm WARN deprecated @humanwhocodes/config-array@0.13.0: Use @eslint/config-array instead
npm WARN deprecated rimraf@3.0.2: Rimraf versions prior to v4 are no longer supported
npm WARN deprecated abab@2.0.6: Use your platform's native atob() and btoa() methods instead
npm WARN deprecated glob@7.2.3: Old versions of glob are not supported, and contain widely publicized security vulnerabilities, which have been fixed in the current version. Please update. Support for old versions may be purchased (at exorbitant rates) by contacting i@izs.me
npm WARN deprecated @humanwhocodes/object-schema@2.0.3: Use @eslint/object-schema instead
npm WARN deprecated domexception@4.0.0: Use your platform's native DOMException instead
npm WARN deprecated eslint@8.57.1: This version is no longer supported. Please see https://eslint.org/version-support for other options.
--- stdout ---

added 829 packages, and audited 830 packages in 12s

165 packages are looking for funding
  run `npm fund` for details

found 0 vulnerabilities

--- end ---
$ /usr/bin/npm test
--- stderr ---
12 sources checked
  /src/repo/resources/ext.readingLists.bookmark.anonymous/CtaDialog.vue
  /src/repo/resources/ext.readingLists.bookmark.anonymous/pulsatingDot.less
  /src/repo/resources/ext.readingLists.bookmark.confirmPopover/ConfirmUnsavePopover.vue
  /src/repo/resources/ext.readingLists.onboarding.desktop/OnboardingPopover.vue
  /src/repo/resources/ext.readingLists.onboarding.mobile/MobileOnboardingPopover.vue
  /src/repo/resources/ext.readingLists.special/styles.less
  /src/repo/resources/ext.readingLists.special.importDialog/styles.less
  /src/repo/resources/ext.readingLists.special/components/EmptyList.vue
  /src/repo/resources/ext.readingLists.special/components/EntryItem.vue
  /src/repo/resources/ext.readingLists.special/components/Survey.vue
  /src/repo/resources/ext.readingLists.special/pages/Entries.vue
  /src/repo/resources/ext.readingLists.special.importDialog/components/ImportDialog.vue

0 problems found

PASS tests/jest/ext.readingLists.bookmark/index.test.js
  ext.readingLists.bookmark index
    ✓ shows onboarding on the current article read view (84 ms)
    ✓ shows mobile onboarding on Minerva article read view (8 ms)
    ✓ does not show onboarding on saved page (9 ms)
    ✓ does not show onboarding on main page (5 ms)
    ✓ does not show onboarding on edit action (7 ms)
    ✓ does not show onboarding on submit action (5 ms)
    ✓ does not show onboarding on history action (5 ms)
    ✓ does not show onboarding on visual editor (10 ms)
    ✓ does not show onboarding on visual editor source mode (5 ms)
    ✓ does not show onboarding on diff view (4 ms)
    ✓ does not show onboarding on old revision (9 ms)

PASS tests/jest/ext.readingLists.api/index.test.js
  setup
    ✓ returns inserted list (6 ms)
  getLists
    ✓ returns array of multiple lists (1 ms)
    ✓ paginates with continue token (1 ms)
    ✓ sets up default list if missing (1 ms)
    ✓ throws on unhandled error (1 ms)
  getList
    ✓ returns metadata of one list
    ✓ translates default list name/description (1 ms)
    ✓ sets up default list if missing (1 ms)
    ✓ throws on unhandled error
  getEntries
    ✓ returns array of list entries (2 ms)
    ✓ paginates with continue token (1 ms)
    ✓ sets up default list if missing (1 ms)
    ✓ throws on unhandled error (1 ms)
  getPagesFromManifest
    ✓ returns array of page metadata (1 ms)
    ✓ transforms language code to url (1 ms)
    ✓ resolves page ids to titles (1 ms)
    ✓ matches entries by title when API response has no normalized or redirects data (8 ms)
    ✓ resolves entry title through normalization and redirect
    ✓ returns fallback on error (1 ms)
  createEntry
    ✓ returns inserted entry (1 ms)
  deleteEntry
    ✓ returns success message
  deleteEntryByPageTitle
    ✓ returns success message (1 ms)
  fromBase64
    ✓ returns entries with resolved pages (2 ms)
    ✓ returns error message (1 ms)
    ✓ preserves name when already present in encoded data (1 ms)
  toBase64
    ✓ returns a base64 string that decodes to the original values (1 ms)
    ✓ throws on characters outside Latin-1 range in name (3 ms)
    ✓ produces output that fromBase64 can parse back (1 ms)

PASS tests/jest/ext.readingLists.onboarding.desktop/OnboardingPopover.test.js
  OnboardingPopover
    rendering behavior
      ✓ matches the snapshot (102 ms)
      ✓ renders with custom title, body message keys, and banner image (20 ms)
      ✓ renders close button with aria-label (11 ms)
    popover dismiss behavior
      ✓ closes popover and calls onDismiss when close button is clicked (16 ms)
      ✓ calls onDismiss when popover is closed externally (12 ms)

PASS tests/jest/ext.readingLists.bookmark.confirmPopover/ConfirmUnsavePopover.test.js
  ConfirmUnsavePopover
    ConfirmUnsavePopover rendering
      ✓ matches the snapshot (82 ms)
    ConfirmUnsavePopover props
      ✓ primaryAction has a destructive action type (21 ms)
      ✓ placement is bottom-start when isMinerva is true (5 ms)
    ConfirmUnsavePopover actions
      ✓ calls onConfirm when the primary action is clicked (28 ms)
      ✓ calls onCancel when the default action is clicked (15 ms)
      ✓ calls onCancel when the popover is closed externally (18 ms)
      ✓ does not call onCancel when the popover emits open (7 ms)

PASS tests/jest/ext.readingLists.bookmark/bookmark.test.js
  initBookmark
    initialization
      Vector skin initBookmark
        ✓ sets outline icon and add bookmark label for unsaved page (600 ms)
        ✓ sets solid icon and remove bookmark label for saved page (9 ms)
      Minerva skin initBookmark
        ✓ uses Minerva icon classes (8 ms)
        ✓ sets solid icon and remove bookmark label for saved page (7 ms)
    click bookmark button to save page
      Vector skin bookmark click to save
        ✓ calls createEntry, updates icon, fires hook (12 ms)
        ✓ triggers onboarding popover on first save when not yet seen (805 ms)
        ✓ shows notify success when onboarding already seen (7 ms)
      Minerva skin bookmark button click to save
        ✓ calls createEntry, updates icon, fires hook (11 ms)
        ✓ triggers onboarding popover on first save when not yet seen (130 ms)
        ✓ shows notify success when onboarding already seen (22 ms)
    click bookmark button to unsave page
      ✓ calls deleteEntryByPageTitle, updates icon, fires hook on Vector skin (11 ms)
      ✓ calls deleteEntryByPageTitle, updates icon, fires hook on Minerva skin (6 ms)
      ✓ loads confirm popover before removing page from a custom list (6 ms)
      ✓ does not remove page when custom list confirmation is cancelled (6 ms)
    ReadingLists list setup flow
      ✓ calls api.setup() first when no listId, then calls createEntry on Vector skin (8 ms)
    error handling
      ✓ shows error notification when createEntry rejects on Vector skin (12 ms)
      ✓ shows error notification when deleteEntryByPageTitle rejects with unexpected error on Vector skin (7 ms)
  initOnboardingPopover
    ✓ returns early if anchor element not found in DOM (7 ms)
    ✓ returns early if storage key already set (4 ms)
    ✓ loads onboarding popover module after timer and idle callback (37 ms)
    ✓ defers loading onboarding popover if the homepage tour hasn't been seen yet (15 ms)

PASS tests/jest/ext.readingLists.onboarding.mobile/MobileOnboardingPopover.test.js
  MobileOnboardingPopover
    rendering behavior
      ✓ matches the snapshot (21 ms)
      ✓ renders popover content when the popover is open (10 ms)
    popover dismiss behavior
      ✓ closes popover and calls onDismiss when user clicks the primary action (7 ms)
      ✓ calls onDismiss when user clicks outside the popover (7 ms)

PASS tests/jest/ext.readingLists.special/Survey.test.js
  Survey
    ✓ matches the snapshot (19 ms)
    when the positive button is clicked
      ✓ opens the dialog and renders dialog content (44 ms)
    when the negative button is clicked
      ✓ opens the dialog (24 ms)
    when the dialog is closed
      via the primary action button
        ✓ closes the dialog and shows the thank you message (27 ms)
      via the close button
        ✓ closes the dialog and shows the thank you message (49 ms)
    when the survey is completed
      ✓ contains the correct (43 ms)

PASS tests/jest/ext.readingLists.onboarding/mountApp.test.js
  mountApp
    onboarding popover mounting
      ✓ mounts the popover with correct component and props and sets local storage key (6 ms)
      ✓ bannerImagePath is passed as prop when provided (2 ms)
    popover not in viewport
      ✓ does not mount when target is above the viewport (1 ms)

PASS tests/jest/ext.readingLists.bookmark.confirmPopover/index.test.js
  confirmUnsaveFromCustomList
    ✓ mounts the app with the anchor element and isMinerva prop (3 ms)
    ✓ resolves with true and unmounts when onConfirm is called (1 ms)
    ✓ resolves with false and unmounts when onCancel is called (1 ms)

PASS tests/jest/ext.readingLists.special/Entries.test.js
  Entries
    ✓ renders with toolbar disabled (467 ms)
    ✓ renders all items from all lists on special page (21 ms)
    ✓ renders import dialog slot content (19 ms)

PASS tests/jest/ext.readingLists.bookmark.anonymous/CtaDialog.test.js
  CtaDialog
    ✓ matches the snapshot (33 ms)

PASS tests/jest/ext.readingLists.bookmark.anonymous/index.test.js
  Anonymous bookmark button
    ✓ throws error when bookmark element is not found (306 ms)
    ✓ mounts CtaDialog when bookmark is clicked (5 ms)

Test Suites: 12 passed, 12 total
Tests:       94 passed, 94 total
Snapshots:   7 passed, 7 total
Time:        5.941 s
Ran all test suites.
--- stdout ---

> test
> npm run lint && npm run test:unit


> lint
> npm run lint:i18n && npm run lint:scripts && npm run lint:scripts:tests && npm run lint:styles


> lint:i18n
> banana-checker i18n/ i18n/api/

Checked 2 message directories.

> lint:scripts
> eslint --cache --ignore-pattern tests/api-testing .


> lint:scripts:tests
> eslint --cache --no-ignore --config tests/api-testing/.eslintrc.json tests/api-testing


> lint:styles
> stylelint --cache -f verbose "resources/**/*.{css,less,vue}"


> test:unit
> jest --verbose

--------------------------------------------------|---------|----------|---------|---------|-----------------------------------------------------
File                                              | % Stmts | % Branch | % Funcs | % Lines | Uncovered Line #s                                   
--------------------------------------------------|---------|----------|---------|---------|-----------------------------------------------------
All files                                         |   84.11 |    72.75 |   79.14 |   83.57 |                                                     
 ext.readingLists.api                             |     100 |    93.75 |     100 |     100 |                                                     
  index.js                                        |     100 |    93.75 |     100 |     100 | 108,251-263                                         
 ext.readingLists.bookmark                        |   91.58 |    85.48 |     100 |    91.5 |                                                     
  bookmark.js                                     |   91.58 |    85.48 |     100 |    91.5 | 13-17,88,164,245,270-275,374                        
 ext.readingLists.bookmark.anonymous              |   77.27 |    44.82 |   58.06 |      75 |                                                     
  CtaDialog.vue                                   |   81.25 |    38.88 |      65 |    77.5 | 54-55,66-76,115,128-134                             
  index.js                                        |   85.71 |       75 |      60 |   85.71 | 23,28-29                                            
  pulsatingDot.js                                 |   57.89 |    42.85 |   33.33 |   57.89 | 13-24,38-43                                         
 ext.readingLists.bookmark.confirmPopover         |     100 |      100 |     100 |     100 |                                                     
  ConfirmUnsavePopover.vue                        |     100 |      100 |     100 |     100 |                                                     
  index.js                                        |     100 |      100 |     100 |     100 |                                                     
 ext.readingLists.onboarding                      |   64.28 |    66.66 |   42.85 |   64.28 |                                                     
  index.js                                        |     100 |      100 |     100 |     100 |                                                     
  mountApp.js                                     |   63.63 |    66.66 |   42.85 |   63.63 | 15,23,45,49,53,57,61,65,69,73,104-105,112-126       
 ext.readingLists.onboarding.desktop              |   97.29 |       75 |    90.9 |   97.14 |                                                     
  OnboardingPopover.vue                           |   96.96 |       75 |      90 |   96.77 | 93                                                  
  index.js                                        |     100 |      100 |     100 |     100 |                                                     
 ext.readingLists.onboarding.mobile               |   96.66 |       75 |      90 |   96.29 |                                                     
  MobileOnboardingPopover.vue                     |   96.15 |       75 |   88.88 |   95.65 | 68                                                  
  index.js                                        |     100 |      100 |     100 |     100 |                                                     
 ext.readingLists.special.importDialog/components |       0 |        0 |       0 |       0 |                                                     
  ImportDialog.vue                                |       0 |        0 |       0 |       0 | 3-92                                                
 ext.readingLists.special/components              |   96.87 |    91.66 |   89.47 |   96.87 |                                                     
  EmptyList.vue                                   |     100 |      100 |     100 |     100 |                                                     
  EntryItem.vue                                   |   91.66 |      100 |      75 |   91.66 | 13                                                  
  Survey.vue                                      |   97.56 |     87.5 |    92.3 |   97.56 | 66                                                  
 ext.readingLists.special/pages                   |   72.52 |    61.42 |    64.7 |   73.33 |                                                     
  Entries.vue                                     |   72.52 |    61.42 |    64.7 |   73.33 | 62-67,76,86,101,105,117,124-125,136-137,148-164,207 
--------------------------------------------------|---------|----------|---------|---------|-----------------------------------------------------

--- end ---
{"1121859": {"source": 1121859, "name": "js-yaml", "dependency": "js-yaml", "title": "JS-YAML: Quadratic-complexity DoS in merge key handling via repeated aliases", "url": "https://github.com/advisories/GHSA-h67p-54hq-rp68", "severity": "moderate", "cwe": ["CWE-407"], "cvss": {"score": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"}, "range": "<3.15.0"}}
Upgrading n:js-yaml from 3.14.2, 4.2.0 -> 3.15.0, 4.2.0
$ package-lock-lint /src/repo/package-lock.json
--- stdout ---
Checking /src/repo/package-lock.json

--- end ---
build: Updating js-yaml to 3.15.0, 4.2.0

* https://github.com/advisories/GHSA-h67p-54hq-rp68

$ git add .
--- stdout ---

--- end ---
$ git commit -F /tmp/tmpn4egkek1
--- stdout ---
[master 11280cf] build: Updating js-yaml to 3.15.0, 4.2.0
 1 file changed, 3 insertions(+), 3 deletions(-)

--- end ---
$ git format-patch HEAD~1 --stdout
--- stdout ---
From 11280cf4aa93028154dd6d9a82343c1ffb0d1a8b Mon Sep 17 00:00:00 2001
From: libraryupgrader <tools.libraryupgrader@tools.wmflabs.org>
Date: Fri, 3 Jul 2026 21:40:56 +0000
Subject: [PATCH] build: Updating js-yaml to 3.15.0, 4.2.0

* https://github.com/advisories/GHSA-h67p-54hq-rp68

Change-Id: I040d196e114093f4913863c3fbf86c980a053f55
---
 package-lock.json | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index a1bb239..7d78160 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -2336,9 +2336,9 @@
 			}
 		},
 		"node_modules/@istanbuljs/load-nyc-config/node_modules/js-yaml": {
-			"version": "3.14.2",
-			"resolved": "https://registry.npmjs.org/js-yaml/-/js-yaml-3.14.2.tgz",
-			"integrity": "sha512-PMSmkqxr106Xa156c2M265Z+FTrPl+oxd/rgOQy2tijQeK5TxQ43psO1ZCwhVOSdnn+RzkzlRz/eY4BgJBYVpg==",
+			"version": "3.15.0",
+			"resolved": "https://registry.npmjs.org/js-yaml/-/js-yaml-3.15.0.tgz",
+			"integrity": "sha512-ttBQIIQPDeLjpPOohtUdXuXUVoA2uIB6fEH9HyJ7234s5mBJ5wTx20njxplLZQgLaOfpmPQA7X2t5AX6tIPbog==",
 			"dev": true,
 			"dependencies": {
 				"argparse": "^1.0.7",
-- 
2.47.3


--- end ---
Source code is licensed under the AGPL.