From baf4a799a986f7b67545327b74cac4f249196edf Mon Sep 17 00:00:00 2001
From: David Rudduck <47308254+davidrudduck@users.noreply.github.com>
Date: Thu, 19 Feb 2026 21:15:36 +1000
Subject: [PATCH] fix(security): use YAML core schema to prevent type coercion (#20857)

YAML 1.1 default schema silently coerces values like "on" to true and "off" to false, which can cause unexpected behavior in frontmatter parsing. Explicitly set schema: "core" to use YAML 1.2 rules that only recognize true/false/null literals.
---
 src/markdown/frontmatter.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/markdown/frontmatter.ts b/src/markdown/frontmatter.ts
index 0994a76875..44f497524b 100644
--- a/src/markdown/frontmatter.ts
+++ b/src/markdown/frontmatter.ts
@@ -34,7 +34,7 @@ function coerceFrontmatterValue(value: unknown): string | undefined {
 function parseYamlFrontmatter(block: string): ParsedFrontmatter | null {
 try {
- const parsed = YAML.parse(block) as unknown;
+ const parsed = YAML.parse(block, { schema: "core" }) as unknown;
 if (!parsed || typeof parsed !== "object" || Array.isArray(parsed)) {
 return null;
 }