Istanbul plugin reported as vulnerable to CVE-2025-64718 due to load-nyc-config -> js-yaml

[stevenschlansker]

We use babel-plugin-istanbul and recently started getting flagged for CVE-2025-64718 / CWE-1321

This is coming in from js-yaml 3.x, which is unmaintained, used by load-nyc-config, which hasn't seen much activity in the last 5 years.

This issue could be resolved by upgrading js-yaml (istanbuljs/load-nyc-config#22)
or maybe by selecting a different parser (istanbuljs/load-nyc-config#13)
but as of right now there seems to not actually be any way to resolve this vulnerability.

[TulioPintoNeto]

@SimenB I believe we have PRs as proposals to fix this issue in load-nyc-config, but I'm not sure there's a person responsible for maintaining that package. It's currently described as feature complete, although will receive security updates (which is the case).

As an active person from istanbuljs, could you helps us getting a solution for load-nyc-config?

istanbuljs/load-nyc-config#22

[SimenB]

I don't have push access in that repo unfortunately 😔

[TulioPintoNeto]

@SimenB do you know someone besides @bcoe and @coreyfarrell that have permission? Otherwise, should we consider replacing load-nyc-config by an updated fork on istanbul/ umbrella?

Edit: Nevermind, just saw your reply on load-nyc-config, appreciate the help, thank you!