Code Review: yaml 2.8.3 → 2.8.4 dependency bump

This is a clean, low-risk Renovate dependency update to the yaml package used in the docs/ site tooling.

What changed in yaml 2.8.4:

• Security/correctness: maxAliasCount:0 now properly disables alias resolution — fixes a potential YAML alias-bomb (DoS) vector when parsing untrusted input.
• Bug fix: Invalid unicode escapes are now handled gracefully instead of throwing.
• Bug fix: minFractionDigits correctly applied only to decimal strings.

Assessment:

The changes are isolated to docs/package.json and docs/yarn.lock — no impact on TUnit's core engine, source generator, or test infrastructure. The patch version bump follows semver (no breaking changes expected), and the release notes confirm only bug/correctness fixes.

The YAML alias resolution fix is the most notable change: if the docs build ever parses untrusted YAML input, this patch reduces risk. Even for trusted input it's a correctness improvement.

✅ No concerns. Safe to merge.

Updated Review: second commit added after initial review

The previous review (09:32) only covered the Renovate dep bump. A second commit was pushed at 14:36 — "test(aspnet): avoid shared factory order race" — that modifies FactoryMethodOrderTests.cs. This deserves its own review pass.

Scope concern

A test fix was pushed onto a Renovate dep-bump PR. The PR title/description still only mention the yaml update. Automerge is enabled on this PR — that means this test change goes in with less scrutiny than if it had its own PR. Not a blocker, but worth being explicit: if this intentional, the PR description should note the test change.

Test change: FactoryMethodOrderTests.cs

What changed: The test Factory_ConfigureWebHost_Runs_After_SetupAsync is renamed to ConfigureWebHostBuilder_Runs_After_SetupAsync, and its fragile conditional guard is replaced with unconditional assertions.

This is an improvement. The old code:

if (FactoryConfigureWebHostCalledOrder > 0)
{
    await Assert.That(FactoryConfigureWebHostCalledOrder)
        .IsGreaterThan(SetupCalledOrder)...
}

silently swallowed the entire assertion when the shared factory was already initialized from a previous test. A test that never asserts is worse than a skipped test — it gives a false green.

The new version correctly separates two distinct concerns:

1. Global factory initialization happened — verified via GlobalFactory.ConfigureWebHostCallCount > 0
2. Per-test configuration runs after SetupAsync — verified via ConfigureWebHostBuilderCalledOrder > SetupCalledOrder

This is a better abstraction: shared state and per-instance ordering are now tested independently rather than entangled behind a conditional.

One question: The class-level doc comment previously listed both Factory.ConfigureWebHost (order 3) and Factory.ConfigureStartupConfiguration (order 4). The update removes ConfigureStartupConfiguration from the list. Is that intentional? The test for ConfigureStartupCallCount still exists in the class (line 35 of the diff context), so if the ordering documentation was accurate before, it may now be incomplete.

Verdict

The test change is a genuine correctness improvement — unconditional assertions over a conditional no-op is always better. The rename more accurately reflects what's being tested. The only flag is the scope mismatch (test fix in a dep-bump PR) and the potentially incomplete doc comment.

✅ Safe to merge once the ConfigureStartupConfiguration doc omission is confirmed intentional.