fix: CVE-2025-64718 - update js-yaml to >=4.1.1 [cari]

[s0nny78]

Updates js-yaml to >=4.1.1 to fix prototype pollution vulnerability (CVE-2025-64718).

---

Note

Addresses security by pinning js-yaml to ^4.1.1 via resolutions and updates related lockfile entries.

• Add "resolutions": { "js-yaml": "^4.1.1" } in package.json (prototype pollution fix)
• Update yarn.lock: js-yaml@4.1.1, argparse@2.x, remove esprima references, refresh checksums
• Simplify package.json bin from object to string pointing to ./dist/index.js

^{Written by Cursor Bugbot for commit 7d464ba. Configure here.}

[linear]

SQD-1034 CVE-2025-64718: js-yaml prototype pollution vulnerability

[changeset-bot]

⚠️ No Changeset found

Latest commit: 7d464ba

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[cursor]

Comment @cursor review or bugbot run to trigger another review on this PR

[cursor]

js-yaml 4.x resolution may break 3.x-dependent packages

Medium Severity

The resolutions field forces all js-yaml dependencies to use ^4.1.1, but packages @changesets/parse and read-yaml-file in the dependency tree require js-yaml 3.x and likely use APIs that were removed in 4.x (e.g., safeLoad() was renamed to load()). This could cause runtime errors when using @changesets/cli. The CVE is also fixed in js-yaml 3.14.2, which would be API-compatible with these packages.

 

[s0nny78]

Hey @timgent - Could you please review this PR when you get a chance? Let me know if you have any questions. Thanks!