chore(deps): update dependency js-yaml to v3.14.2 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
js-yaml	3.14.1 → 3.14.2

GitHub Vulnerability Alerts

CVE-2025-64718

Impact

In js-yaml 4.1.0, 4.0.0, and 3.14.1 and below, it's possible for an attacker to modify the prototype of the result of a parsed yaml document via prototype pollution (__proto__). All users who parse untrusted yaml documents may be impacted.

Patches

Problem is patched in js-yaml 4.1.1 and 3.14.2.

Workarounds

You can protect against this kind of attack on the server by using node --disable-proto=delete or deno (in Deno, pollution protection is on by default).

References

https://cheatsheetseries.owasp.org/cheatsheets/Prototype_Pollution_Prevention_Cheat_Sheet.html

---

Release Notes

nodeca/js-yaml (js-yaml)

v3.14.2

Compare Source

Security

• Backported v4.1.1 fix to v3

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: yarn.lock

➤ YN0000: ┌ Resolution step
➤ YN0000: └ Completed in 0s 217ms
➤ YN0000: ┌ Fetch step
➤ YN0001: │ Error [ERR_STREAM_PREMATURE_CLOSE]: js-yaml@npm:3.14.2: Premature close
    at PassThrough.onclose (node:internal/streams/end-of-stream:166:30)
    at PassThrough.emit (node:events:508:28)
    at emitCloseNT (node:internal/streams/destroy:148:10)
    at process.processTicksAndRejections (node:internal/process/task_queues:89:21)
➤ YN0013: │ 784 packages were already cached, one had to be fetched
➤ YN0000: └ Completed in 0s 634ms
➤ YN0000: Failed with errors in 0s 873ms