
chore(deps): update dependency yaml to v2.8.4 #5812

Merged
thomhurst merged 2 commits into main from renovate/yaml-2.x
May 2, 2026

Conversation

@thomhurst (Owner)

This PR contains the following updates:

Package        Type         Update  Change
yaml (source)  resolutions  patch   2.8.3 → 2.8.4

Release Notes

eemeli/yaml (yaml)

v2.8.4

  • Disable alias resolution with maxAliasCount:0 (#677)
  • Handle invalid unicode escapes (e1a1a77)
  • Apply minFractionDigits only to decimal strings (#676)

Configuration

📅 Schedule (UTC):

  • Branch creation: At any time (no schedule defined)
  • Automerge: At any time (no schedule defined)

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR has been generated by Mend Renovate.

@thomhurst added the dependencies, PATCH and renovate-bot labels May 2, 2026
@thomhurst enabled auto-merge (squash) May 2, 2026 09:31
@thomhurst temporarily deployed to Pull Requests May 2, 2026 09:31 — with GitHub Actions (Inactive)
codacy-production (Bot) commented May 2, 2026

Up to standards ✅

🟢 Issues: 0 new issues


🟢 Metrics: Complexity 0


claude (Bot, Contributor) left a comment

Code Review: yaml 2.8.3 → 2.8.4 dependency bump

This is a clean, low-risk Renovate dependency update to the yaml package used in the docs/ site tooling.

What changed in yaml 2.8.4:

  • Security/correctness: maxAliasCount:0 now properly disables alias resolution — fixes a potential YAML alias-bomb (DoS) vector when parsing untrusted input.
  • Bug fix: Invalid unicode escapes are now handled gracefully instead of throwing.
  • Bug fix: minFractionDigits correctly applied only to decimal strings.

Assessment:

The changes are isolated to docs/package.json and docs/yarn.lock — no impact on TUnit's core engine, source generator, or test infrastructure. The patch version bump follows semver (no breaking changes expected), and the release notes confirm only bug/correctness fixes.

The YAML alias resolution fix is the most notable change: if the docs build ever parses untrusted YAML input, this patch reduces risk. Even for trusted input it's a correctness improvement.

✅ No concerns. Safe to merge.

claude (Bot, Contributor) left a comment

Updated Review: second commit added after initial review

The previous review (09:32) only covered the Renovate dep bump. A second commit was pushed at 14:36 — "test(aspnet): avoid shared factory order race" — that modifies FactoryMethodOrderTests.cs. This deserves its own review pass.


Scope concern

A test fix was pushed onto a Renovate dep-bump PR. The PR title/description still only mention the yaml update. Automerge is enabled on this PR — that means this test change goes in with less scrutiny than if it had its own PR. Not a blocker, but worth being explicit: if this is intentional, the PR description should note the test change.


Test change: FactoryMethodOrderTests.cs

What changed: The test Factory_ConfigureWebHost_Runs_After_SetupAsync is renamed to ConfigureWebHostBuilder_Runs_After_SetupAsync, and its fragile conditional guard is replaced with unconditional assertions.

This is an improvement. The old code:

if (FactoryConfigureWebHostCalledOrder > 0)
{
    await Assert.That(FactoryConfigureWebHostCalledOrder)
        .IsGreaterThan(SetupCalledOrder)...
}

silently swallowed the entire assertion when the shared factory was already initialized from a previous test. A test that never asserts is worse than a skipped test — it gives a false green.

The new version correctly separates two distinct concerns:

  1. Global factory initialization happened — verified via GlobalFactory.ConfigureWebHostCallCount > 0
  2. Per-test configuration runs after SetupAsync — verified via ConfigureWebHostBuilderCalledOrder > SetupCalledOrder

This is a better abstraction: shared state and per-instance ordering are now tested independently rather than entangled behind a conditional.

One question: The class-level doc comment previously listed both Factory.ConfigureWebHost (order 3) and Factory.ConfigureStartupConfiguration (order 4). The update removes ConfigureStartupConfiguration from the list. Is that intentional? The test for ConfigureStartupCallCount still exists in the class (line 35 of the diff context), so if the ordering documentation was accurate before, it may now be incomplete.


Verdict

The test change is a genuine correctness improvement — unconditional assertions over a conditional no-op is always better. The rename more accurately reflects what's being tested. The only flag is the scope mismatch (test fix in a dep-bump PR) and the potentially incomplete doc comment.

✅ Safe to merge once the ConfigureStartupConfiguration doc omission is confirmed intentional.

@thomhurst (Owner, Author)

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.
