chore: update dependency js-yaml to v4 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
js-yaml	^3.14.1 -> ^4.0.0

GitHub Vulnerability Alerts

CVE-2025-64718

Impact

In js-yaml 4.1.0, 4.0.0, and 3.14.1 and below, it's possible for an attacker to modify the prototype of the result of a parsed yaml document via prototype pollution (__proto__). All users who parse untrusted yaml documents may be impacted.

Patches

Problem is patched in js-yaml 4.1.1 and 3.14.2.

Workarounds

You can protect against this kind of attack on the server by using node --disable-proto=delete or deno (in Deno, pollution protection is on by default).

References

https://cheatsheetseries.owasp.org/cheatsheets/Prototype_Pollution_Prevention_Cheat_Sheet.html

---

Release Notes

nodeca/js-yaml (js-yaml)

v4.1.1

Compare Source

Security

• Fix prototype pollution issue in yaml merge (<<) operator.

v4.1.0

Compare Source

Added

• Types are now exported as yaml.types.XXX.
• Every type now has options property with original arguments kept as they were
  (see yaml.types.int.options as an example).

Changed

• Schema.extend() now keeps old type order in case of conflicts
  (e.g. Schema.extend([ a, b, c ]).extend([ b, a, d ]) is now ordered as abcd instead of cbad).

v4.0.0

Compare Source

Changed

• Check migration guide to see details for all breaking changes.
• Breaking: "unsafe" tags !!js/function, !!js/regexp, !!js/undefined are
  moved to js-yaml-js-types package.
• Breaking: removed safe* functions. Use load, loadAll, dump
  instead which are all now safe by default.
• yaml.DEFAULT_SAFE_SCHEMA and yaml.DEFAULT_FULL_SCHEMA are removed, use
  yaml.DEFAULT_SCHEMA instead.
• yaml.Schema.create(schema, tags) is removed, use schema.extend(tags) instead.
• !!binary now always mapped to Uint8Array on load.
• Reduced nesting of /lib folder.
• Parse numbers according to YAML 1.2 instead of YAML 1.1 (01234 is now decimal,
  0o1234 is octal, 1:23 is parsed as string instead of base60).
• dump() no longer quotes :, [, ], (, ) except when necessary, #​470, #​557.
• Line and column in exceptions are now formatted as (X:Y) instead of
  at line X, column Y (also present in compact format), #​332.
• Code snippet created in exceptions now contains multiple lines with line numbers.
• dump() now serializes undefined as null in collections and removes keys with
  undefined in mappings, #​571.
• dump() with skipInvalid=true now serializes invalid items in collections as null.
• Custom tags starting with ! are now dumped as !tag instead of !<!tag>, #​576.
• Custom tags starting with tag:yaml.org,2002: are now shorthanded using !!, #​258.

Added

• Added .mjs (es modules) support.
• Added quotingType and forceQuotes options for dumper to configure
  string literal style, #​290, #​529.
• Added styles: { '!!null': 'empty' } option for dumper
  (serializes { foo: null } as "foo: "), #​570.
• Added replacer option (similar to option in JSON.stringify), #​339.
• Custom Tag can now handle all tags or multiple tags with the same prefix, #​385.

Fixed

• Astral characters are no longer encoded by dump(), #​587.
• "duplicate mapping key" exception now points at the correct column, #​452.
• Extra commas in flow collections (e.g. [foo,,bar]) now throw an exception
  instead of producing null, #​321.
• __proto__ key no longer overrides object prototype, #​164.
• Removed bower.json.
• Tags are now url-decoded in load() and url-encoded in dump()
  (previously usage of custom non-ascii tags may have led to invalid YAML that can't be parsed).
• Anchors now work correctly with empty nodes, #​301.
• Fix incorrect parsing of invalid block mapping syntax, #​418.
• Throw an error if block sequence/mapping indent contains a tab, #​80.

v3.14.2

Compare Source

Security

• Backported v4.1.1 fix to v3

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[netlify]

✅ Deploy Preview for new-eslint ready!

Name	Link
🔨 Latest commit	97bc674
🔍 Latest deploy log	https://app.netlify.com/projects/new-eslint/deploys/69307c6ae599b80008cb7596
😎 Deploy Preview	https://deploy-preview-843--new-eslint.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[netlify]

✅ Deploy Preview for zh-hans-eslint ready!

Name	Link
🔨 Latest commit	97bc674
🔍 Latest deploy log	https://app.netlify.com/projects/zh-hans-eslint/deploys/69307c6aa0b4800008300098
😎 Deploy Preview	https://deploy-preview-843--zh-hans-eslint.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[netlify]

✅ Deploy Preview for ja-eslint ready!

Name	Link
🔨 Latest commit	97bc674
🔍 Latest deploy log	https://app.netlify.com/projects/ja-eslint/deploys/69307c6a7d936900081fe3b0
😎 Deploy Preview	https://deploy-preview-843--ja-eslint.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[netlify]

✅ Deploy Preview for pt-br-eslint ready!

Name	Link
🔨 Latest commit	97bc674
🔍 Latest deploy log	https://app.netlify.com/projects/pt-br-eslint/deploys/69307c6b38b127000872a77d
😎 Deploy Preview	https://deploy-preview-843--pt-br-eslint.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[netlify]

✅ Deploy Preview for hi-eslint ready!

Name	Link
🔨 Latest commit	97bc674
🔍 Latest deploy log	https://app.netlify.com/projects/hi-eslint/deploys/69307c6ac0c07000083dfbac
😎 Deploy Preview	https://deploy-preview-843--hi-eslint.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[netlify]

✅ Deploy Preview for es-eslint ready!

Name	Link
🔨 Latest commit	97bc674
🔍 Latest deploy log	https://app.netlify.com/projects/es-eslint/deploys/69307c6a78c64e0008b8e338
😎 Deploy Preview	https://deploy-preview-843--es-eslint.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[netlify]

✅ Deploy Preview for fr-eslint ready!

Name	Link
🔨 Latest commit	97bc674
🔍 Latest deploy log	https://app.netlify.com/projects/fr-eslint/deploys/69307c6a6dade200080729cb
😎 Deploy Preview	https://deploy-preview-843--fr-eslint.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[netlify]

✅ Deploy Preview for de-eslint ready!

Name	Link
🔨 Latest commit	97bc674
🔍 Latest deploy log	https://app.netlify.com/projects/de-eslint/deploys/69307c6a8302fb0008a101ed
😎 Deploy Preview	https://deploy-preview-843--de-eslint.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.