Use safe yaml.JSON_SCHEMA to prevent code execution vulnerabilities

Co-authored-by: syuilo <4439005+syuilo@users.noreply.github.com>

packages/backend/scripts/compile_config.js

@@ -28,7 +28,7 @@ if (!fs.existsSync(configYmlPath)) {
 }
 
 const yamlContent = fs.readFileSync(configYmlPath, 'utf-8');
-const config = yaml.load(yamlContent);
+const config = yaml.load(yamlContent, { schema: yaml.JSON_SCHEMA });
 fs.writeFileSync(configJsonPath, JSON.stringify(config, null, '\t'), 'utf-8');
 
 console.log(`Compiled config: ${configYmlPath} -> ${configJsonPath}`);

packages/i18n/build.ts

@@ -70,7 +70,7 @@ function compileLocales(): void {
 	const files = fs.readdirSync(srcDir).filter(f => f.endsWith('.yml'));
 	for (const file of files) {
 		const yamlContent = clean(fs.readFileSync(resolve(srcDir, file), 'utf-8'));
-		const jsonContent = yaml.load(yamlContent);
+		const jsonContent = yaml.load(yamlContent, { schema: yaml.JSON_SCHEMA });
 		const jsonFile = file.replace(/\.yml$/, '.json');
 		fs.writeFileSync(resolve(destDir, jsonFile), JSON.stringify(jsonContent), 'utf-8');
 	}

packages/i18n/scripts/generateLocaleInterface.ts

@@ -62,7 +62,7 @@ function createMembers(record: LocaleRecord): ts.TypeElement[] {
 }
 
 export async function generateLocaleInterface(localesDir: string): Promise<void> {
-	const locale = yaml.load(fs.readFileSync(`${localesDir}/ja-JP.yml`, 'utf-8').toString()) as LocaleRecord;
+	const locale = yaml.load(fs.readFileSync(`${localesDir}/ja-JP.yml`, 'utf-8').toString(), { schema: yaml.JSON_SCHEMA }) as LocaleRecord;
 	const members = createMembers(locale);
 
 	const elements: ts.Statement[] = [