chore(deps-dev): bump js-yaml from 4.1.1 to 4.2.0 #298

Open
dependabot[bot] wants to merge 21 commits into main from dependabot/npm_and_yarn/js-yaml-4.2.0

dependabot[bot] commented on behalf of github Jul 4, 2026

Bumps js-yaml from 4.1.1 to 4.2.0.

Changelog

Sourced from js-yaml's changelog.

[4.2.0] - 2026-06-01

Added

  • Added docs/safety.md with notes about processing untrusted YAML.
  • Added maxDepth (100) loader option. Not a problem, but gives a better exception instead of RangeError on stack overflow.
  • Added a loader option limiting merge sequence length. Not a problem after merge fix, but an additional restriction for safety.
  • Added sourcemaps to dist/ builds.

Changed

  • Stop resolving numbers with underscores as numeric scalars, #627.
  • Switched dev toolchains to Vite / neostandard.
  • Updated demo.
  • Reorganized tests.
  • dist/ files are no longer kept in the repository.

Fixed

  • Fix parsing of properties on the first implicit block mapping key, #62.
  • Fix trailing whitespace handling when folding flow scalar lines, #307.
  • Reject top-level block scalars without content indentation, #280.
  • Ensure numbers survive round-trip, #737.
  • Fix test coverage for issue #221.
  • Fix flow scalar trailing whitespace folding, #307.
  • Fix digits in YAML named tag handles.

Security

  • Fix potential DoS via quadratic complexity in merge - deduplicate repeated elements (makes sense for malformed files > 10K).

[3.14.2] - 2025-11-15

Security

  • Backported v4.1.1 fix to v3

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

horner and others added 21 commits July 3, 2026 21:49

…, assessment & plan

Implements the concern/assertion condition model from the design doc
(Clinical-Med-Allergies-Conditions.md):

- ProblemList: patient-level concerns with assertion history timelines
  (refine/revise/progress lineage), ICD-10/ICD-11/SNOMED codings shown
  parenthetically with full background in tooltips, uncertainty badges,
  observations (quick progress notes), and an Unconfirmed group separate
  from Active/Resolved
- PresentingProblems: encounter-scoped relevant problem list fed by the
  patient problem list, with problem-focused vs comprehensive scope
  banner and relevance tagging on the encounter reference
- Assessment: visit A&P with orders nested under problems via the
  durable concernId link, inline add-order, unlinked-orders bucket
- ConditionEditor: add/observe/refine/revise/relate dialog with
  capture-first entry, coding rows, fuzzy onset, and three-state
  field uncertainty (unknown != blank, confidence levels)
- MedicationList: presenting-medications reconciliation list
- useDragReorder hook: shared HTML5 drag & drop reordering used by all
  lists (concerns, orders incl. cross-problem moves, medications), with
  full keyboard equivalents (Alt+arrows, Move menus, roving focus) and
  aria-live announcements for 508 compliance

…browser)

- scripts/codify/extract.mjs: dumps 770K MedicalCodify_search rows (12
  codetypes) from the dockerized rxdb MariaDB to TSV
- scripts/codify/build-index.mjs: builds binary .mcdx index shards per
  clinical domain (condition/med/lab/procedure/vaccine) with a sorted
  token dictionary, posting lists, and curated alias expansion
  (aliases.json: chf/lvhf, lasix<->furosemide, a1c/hba1c, brand<->generic)
- src/components/CodeLookup: shard parser + multi-word-prefix BM25-ish
  engine ('con hea fa' -> Congestive heart failure) with edit-distance-1
  typo fallback, Web Worker loader, and combobox component + stories
- Artifacts land in .storybook/public/codify/ (gitignored); pnpm
  codify:extract && pnpm codify:build to regenerate
- Verified: golden queries return in 0.6-30 ms locally over 770K entries

Not exported from src/index.ts yet (worker bundling in tsup pending).

…down

- Results now render in a floating dropdown (combobox pattern): opens on
  results, closes on select/Esc/blur, hover highlight without clobbering
  keyboard navigation (mousemove, not mouseenter)
- Compact rows: label first, then codesystem + code right-aligned in
  small per-domain-tinted text (replaces the oversized badge)
- Medication rows drill into all forms & strengths with ArrowRight (or
  the chevron): re-searches the med shard by name, filters to dosed
  FDB/RxNORM entries, alphabetized; ArrowLeft/Back returns. Aliases make
  Lasix drill list furosemide forms (114 entries) and vice versa
- Selecting fills the input and suppresses the follow-up auto-search so
  the dropdown doesn't reopen

README covering the end-to-end design: extract/build pipeline, domain
sharding, the .mcdx binary format, the prefix+BM25-ish scoring algorithm
with alias and Damerau-Levenshtein-1 typo handling, worker loading,
component keyboard model incl. med forms/strengths drill-down, and the
production roadmap (RXCUI concept grouping, OPFS persistence, ranking
priors, licensing). Linked from the Storybook docs.

- Add order now uses a code lookup instead of free text: new
  renderOrderSearch prop (dependency-injected so the library build
  doesn't bundle the lookup worker; story wires CodeLookup)
- Order type defaults to 'Auto': the type is inferred from the picked
  code's system (RxNORM/FDB/NDC/CVX -> medication, LOINC/Quest/LabCorp
  -> lab, HCPCS/ICD10PCS -> procedure); selecting an explicit type
  filters the lookup to matching domains at query time
- CodeLookup: new searchDomains prop restricts searches per-query
  without reloading shards
- Picked orders carry code {fullid, codetype, fullcode}; the story shows
  it as the order detail
- Free-text entry remains the fallback when no lookup is provided

Dragging to select text in the embedded order search was hijacked by the
draggable problem block. The block now sets draggable=false (and drops
the grab cursor) while its add-order form is open, restoring normal text
selection; drag & drop resumes when the form closes.

- New bare prop renders just the input + dropdown (no card, no status
  line) for embedding in forms; loading progress and error state show in
  the placeholder instead
- Assessment add-order form uses bare mode: type filter, search, and
  Done now align at the same 40px height on one row

…s open

The block body yields to text selection/editing (draggable=false), but
the problem header row (number, name, codes) becomes the drag source, so
the block can still be reordered mid-entry — the open form travels with
it. The form itself is never inside a draggable ancestor.

New clearOnSelect prop, defaulting to true in bare mode: picking a
result clears the query and keeps focus so the user can type the next
order immediately. Standalone mode keeps the picked label in the input.

- New onAddAssessment prop + always-visible 'Add problem' search row
  (condition-domain code lookup): picking a dx adds a new problem to the
  assessment; the story creates the concern/assertion with the coding
- Unlinked bucket now renders whenever adding is possible and gains an
  'Add order' button opening the same type-filter + lookup form;
  onAddOrder's item param is null for unlinked orders (concernId unset),
  so they land in the bucket ready to be linked or dragged later

renderOrderSearch now receives a placeholder matched to the context:
'Search diagnoses… (try "chf"…)' for the add-problem row, and per
order-type hints ('Search medications… (try "lasix")', labs/a1c,
imaging/chest x, procedures, referrals) instead of one generic line.

The bottom row is now a single 'Add' search across all domains: picking
a diagnosis (ICD10/ICD9/SNOMED US via new isConditionCodetype) adds a
problem to the assessment, anything else becomes an (unlinked) order
typed by its coding system. The unlinked bucket's add button is gone and
the bucket only takes space once it actually contains orders.

- The unified add row gains a mode dropdown: Add (auto) / Add problem /
  Add order. Problem/order modes scope the search domains and route the
  pick directly; auto keeps codetype-based detection
- CodeLookup: new onFreeText prop - Enter with no highlighted result (or
  the new 'Use "..." as free text' footer row) submits the raw text
- Free text in problem/order mode adds directly; in auto mode an inline
  prompt asks 'Add "..." as: Problem / Order / Cancel' before adding.
  Free-text problems arrive uncoded and unconfirmed in the story
- onAddAssessment now takes AssessmentAddPick { label, code? } so coded
  and free-text problems share one callback

The toolbar actions previously only logged. They now open the editor
seeded from the concern; saving appends the new assertion (revision
refutes the prior) and repoints the visit item's assertionId so the
block header, plan, and link chips update immediately.

Security / correctness:
- extract.mjs no longer hardcodes the MariaDB password: reads
  RXDB_MYSQL_PASSWORD / MYSQL_PWD / --password, fails fast when missing,
  and passes it via the child environment instead of argv
- engine.ts: viaAlias is now tracked per-document (aliasBuf scratch
  buffer, reset with the other buffers) instead of one shard-level flag
- reorderIds() ignores dragged ids that aren't in the list (stale/cross-
  list payloads can no longer inject unknown ids)
- useDragReorder keeps the dragged id in a ref set synchronously in
  dragstart (dragover no longer races React state) and clears the stale
  drop indicator when hovering invalid targets

Accessibility:
- CodeLookup ids are per-instance via React.useId (aria-controls /
  aria-activedescendant survive multiple instances); aria-expanded now
  mirrors actual dropdown visibility (incl. drill mode / free-text row)
- Keyboard reordering (Alt+arrows + roving focus) added to
  MedicationList rows and PresentingProblems selected rows; Assessment
  unlinked orders now render via OrderRow (focusable + Move menu),
  replacing the pointer-only chip row
- Pointer drag & drop now announces via the aria-live regions in
  ProblemList, MedicationList, and Assessment (reorder, move-to-problem)
- ProblemList: Alt+arrow reordering and its aria-label hint are disabled
  in readOnly mode (canReorder follows drag.enabled)

Styling / misc:
- ProblemList timeline dot uses -left-5 (valid on Tailwind 3 + 4)
- Drag indicator classes (opacity-40, inset shadows, cursor-grab) added
  to miewebUISafelist for Tailwind 3 consumers
- ConditionEditor: seed effect depends on open/mode/prior (no stale form
  when switching while open); coding values are trimmed on save
- PresentingProblems: unselected rows are only dimmed/badged out-of-
  scope in problem-focused encounters, not comprehensive ones
- Prettier pass over all touched component files
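
The `extract.mjs` password handling from the Security / correctness list above, as an added example that is not the project's own code: the password is resolved from the named inputs, the script fails fast when it is missing, and the secret reaches the database client only through the child's environment. The function names, the precedence order, the direct `mariadb` client invocation and the sample connection values are assumptions.

```javascript
// Added example, not the project's extract.mjs. Function names, precedence
// and connection options are assumptions; the variable names and the
// --password flag come from the commit message.

// Resolve the password with no hardcoded fallback; fail fast when missing.
// Assumed precedence: --password, then RXDB_MYSQL_PASSWORD, then MYSQL_PWD.
// --password exposes the secret on this script's own argv, so prefer the
// environment variables on a shared host.
function resolvePassword(env, argv) {
  const i = argv.indexOf('--password');
  const fromFlag = i !== -1 ? argv[i + 1] : undefined;
  const password = fromFlag || env.RXDB_MYSQL_PASSWORD || env.MYSQL_PWD;
  if (!password) {
    throw new Error('DB password missing: set RXDB_MYSQL_PASSWORD or MYSQL_PWD');
  }
  return password;
}

// Build the child invocation. The secret goes only into the child's
// environment (the mariadb/mysql clients read MYSQL_PWD); argv, readable by
// other local users through ps or /proc/<pid>/cmdline, never carries it.
function buildInvocation(password, parentEnv, opts) {
  const args = ['--batch', '--host', opts.host, '--user', opts.user,
    '--execute', opts.query, opts.database];
  if (args.some((a) => a === password || a.startsWith('--password'))) {
    throw new Error('refusing to spawn: secret would appear in argv');
  }
  return { cmd: 'mariadb', args, env: { ...parentEnv, MYSQL_PWD: password } };
}

// Spawn the client and collect its tab-separated output.
async function runExtract(env, argv, opts) {
  const { spawn } = await import('node:child_process');
  const inv = buildInvocation(resolvePassword(env, argv), env, opts);
  return new Promise((resolve, reject) => {
    const child = spawn(inv.cmd, inv.args, { env: inv.env, stdio: ['ignore', 'pipe', 'inherit'] });
    let out = '';
    child.stdout.on('data', (chunk) => { out += chunk; });
    child.on('error', reject);
    child.on('close', (code) => (code === 0 ? resolve(out) : reject(new Error(`mariadb exited ${code}`))));
  });
}

// Constructed sample inputs (not real credentials or hosts).
const sampleOpts = { host: '127.0.0.1', user: 'reader', database: 'rxdb',
  query: 'SELECT * FROM MedicalCodify_search' };
const sample = buildInvocation(
  resolvePassword({ RXDB_MYSQL_PASSWORD: 'example-only-pw' }, []), { PATH: '/usr/bin' }, sampleOpts);
console.log(sample.cmd, sample.args.join(' ')); // argv only; no secret in it
```

On Linux a process's command line is world-readable by default, while its environment is readable only by the owning user and root, which is why the hand-off moves from argv to the environment.
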
…-fields file

The MedicationListField import referenced a file that isn't part of this
PR (removed in 923a7c1), which broke pnpm typecheck in CI.

- New useLiveAnnouncement hook: clears the aria-live region before
  setting the message (after a tick), so repeated identical
  announcements (e.g. two 'moved down' reorders in a row) are announced
  every time instead of being swallowed by React state bailout. Adopted
  by ProblemList, MedicationList, PresentingProblems, and Assessment
- CodeLookup: domains/searchDomains now distinguish 'prop not provided'
  (undefined = all domains) from an explicit empty array (= none); the
  keys use null for absent and pass [] through to the worker
- ConditionEditor: fields marked explicitly unknown no longer persist
  contradictory values on save - coding/severity/onset are cleared when
  their unknown toggle is set (unknown wins over a seeded value)

…, git-lfs shard distribution; move pipeline to packages/codify submodule

- Build pipeline moved to the new packages/codify submodule (also hosts
  the SQLite FTS5 build + codify-mcp stdio server for agent loops)
- .mcdx v2: docPrior u8 section (log-quantized usage; simulated top-200
  meds/ICD-10 diagnoses/SNOMED procedures until a production export is
  wired in) + meta.locale; engine still reads v1 (prior=0)
- engine: final score x= (1 + 0.5*prior/255) - common codes outrank rare
  ones at equal text relevance (hypertension -> I10 first)
- Shards now per locale ({indexUrl}/{locale}/); es is a curated sample
  (common diagnoses + med ingredient INNs) with its own alias set (hta,
  dm2, ic...); CodeLookup gains a locale prop
- Worker: OPFS persistence - network-first manifest check, cached shards
  reused only when builtAt/version/bytes match, torn-cache-safe manifest
  write-after, full offline fallback when the network is down
- Storybook: Language toolbar global (en/es) wired to CodeLookup stories;
  shards committed via git-lfs and served from .storybook/public/codify/
  (no longer gitignored)

Bumps [js-yaml](https://github.com/nodeca/js-yaml) from 4.1.1 to 4.2.0.
- [Changelog](https://github.com/nodeca/js-yaml/blob/master/CHANGELOG.md)
- [Commits](nodeca/js-yaml@4.1.1...4.2.0)

---
updated-dependencies:
- dependency-name: js-yaml
  dependency-version: 4.2.0
  dependency-type: direct:development
...

Signed-off-by: dependabot[bot] <support@github.com>

dependabot[bot] added the dependencies and javascript labels Jul 4, 2026
Copilot AI review requested due to automatic review settings July 4, 2026 10:56
dependabot[bot] added the dependencies label Jul 4, 2026

cloudflare-workers-and-pages Bot commented Jul 4, 2026

Deploying ui with Cloudflare Pages

Latest commit: e76dc79
Status: 🚫 Build failed.

dependabot[bot] added the javascript label Jul 4, 2026

Copilot AI left a comment

Copilot can't review bot-authored pull requests automatically. A user with Copilot access can request a review manually.
