fix(deps): update dependency js-yaml to v4.1.1 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
js-yaml	4.1.0 → 4.1.1

GitHub Vulnerability Alerts

CVE-2025-64718

Impact

In js-yaml 4.1.0, 4.0.0, and 3.14.1 and below, it's possible for an attacker to modify the prototype of the result of a parsed yaml document via prototype pollution (__proto__). All users who parse untrusted yaml documents may be impacted.

Patches

Problem is patched in js-yaml 4.1.1 and 3.14.2.

Workarounds

You can protect against this kind of attack on the server by using node --disable-proto=delete or deno (in Deno, pollution protection is on by default).

References

https://cheatsheetseries.owasp.org/cheatsheets/Prototype_Pollution_Prevention_Cheat_Sheet.html

---

Release Notes

nodeca/js-yaml (js-yaml)

v4.1.1

Compare Source

Security

• Fix prototype pollution issue in yaml merge (<<) operator.

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[sentry]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 92.78%. Comparing base (0be8d6b) to head (ebcf2e5).

Additional details and impacted files

@@           Coverage Diff           @@
##             main    #1941   +/-   ##
=======================================
  Coverage   92.78%   92.78%           
=======================================
  Files          36       36           
  Lines        1358     1358           
  Branches      273      273           
=======================================
  Hits         1260     1260           
  Misses         68       68           
  Partials       30       30           

Flag	Coverage Δ
aarch64	92.56% <ø> (ø)
aarch64-without-git	92.56% <ø> (ø)
alpine	92.78% <ø> (ø)
alpine-proxy	92.56% <ø> (ø)
alpine-without-git	92.78% <ø> (ø)
linux	92.56% <ø> (ø)
linux-without-git	92.56% <ø> (ø)
macos	92.56% <ø> (ø)
macos-arm64	92.56% <ø> (ø)
macos-arm64-without-git	92.56% <ø> (ø)
macos-without-git	92.56% <ø> (ø)
macos-x64	92.56% <ø> (ø)
macos-x64-without-git	92.56% <ø> (ø)
windows	92.56% <ø> (ø)
windows-without-git	92.56% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.