chore: update dependency js-yaml to v4 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
js-yaml	^3.14.2 -> ^4.0.0

GitHub Vulnerability Alerts

CVE-2025-64718

Impact

In js-yaml 4.1.0, 4.0.0, and 3.14.1 and below, it's possible for an attacker to modify the prototype of the result of a parsed yaml document via prototype pollution (__proto__). All users who parse untrusted yaml documents may be impacted.

Patches

Problem is patched in js-yaml 4.1.1 and 3.14.2.

Workarounds

You can protect against this kind of attack on the server by using node --disable-proto=delete or deno (in Deno, pollution protection is on by default).

References

https://cheatsheetseries.owasp.org/cheatsheets/Prototype_Pollution_Prevention_Cheat_Sheet.html

---

Release Notes

nodeca/js-yaml (js-yaml)

v4.1.1

Compare Source

Security

• Fix prototype pollution issue in yaml merge (<<) operator.

v4.1.0

Compare Source

Added

• Types are now exported as yaml.types.XXX.
• Every type now has options property with original arguments kept as they were
  (see yaml.types.int.options as an example).

Changed

• Schema.extend() now keeps old type order in case of conflicts
  (e.g. Schema.extend([ a, b, c ]).extend([ b, a, d ]) is now ordered as abcd instead of cbad).

v4.0.0

Compare Source

Changed

• Check migration guide to see details for all breaking changes.
• Breaking: "unsafe" tags !!js/function, !!js/regexp, !!js/undefined are
  moved to js-yaml-js-types package.
• Breaking: removed safe* functions. Use load, loadAll, dump
  instead which are all now safe by default.
• yaml.DEFAULT_SAFE_SCHEMA and yaml.DEFAULT_FULL_SCHEMA are removed, use
  yaml.DEFAULT_SCHEMA instead.
• yaml.Schema.create(schema, tags) is removed, use schema.extend(tags) instead.
• !!binary now always mapped to Uint8Array on load.
• Reduced nesting of /lib folder.
• Parse numbers according to YAML 1.2 instead of YAML 1.1 (01234 is now decimal,
  0o1234 is octal, 1:23 is parsed as string instead of base60).
• dump() no longer quotes :, [, ], (, ) except when necessary, #​470, #​557.
• Line and column in exceptions are now formatted as (X:Y) instead of
  at line X, column Y (also present in compact format), #​332.
• Code snippet created in exceptions now contains multiple lines with line numbers.
• dump() now serializes undefined as null in collections and removes keys with
  undefined in mappings, #​571.
• dump() with skipInvalid=true now serializes invalid items in collections as null.
• Custom tags starting with ! are now dumped as !tag instead of !<!tag>, #​576.
• Custom tags starting with tag:yaml.org,2002: are now shorthanded using !!, #​258.

Added

• Added .mjs (es modules) support.
• Added quotingType and forceQuotes options for dumper to configure
  string literal style, #​290, #​529.
• Added styles: { '!!null': 'empty' } option for dumper
  (serializes { foo: null } as "foo: "), #​570.
• Added replacer option (similar to option in JSON.stringify), #​339.
• Custom Tag can now handle all tags or multiple tags with the same prefix, #​385.

Fixed

• Astral characters are no longer encoded by dump(), #​587.
• "duplicate mapping key" exception now points at the correct column, #​452.
• Extra commas in flow collections (e.g. [foo,,bar]) now throw an exception
  instead of producing null, #​321.
• __proto__ key no longer overrides object prototype, #​164.
• Removed bower.json.
• Tags are now url-decoded in load() and url-encoded in dump()
  (previously usage of custom non-ascii tags may have led to invalid YAML that can't be parsed).
• Anchors now work correctly with empty nodes, #​301.
• Fix incorrect parsing of invalid block mapping syntax, #​418.
• Throw an error if block sequence/mapping indent contains a tab, #​80.

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[netlify]

✅ Deploy Preview for new-eslint ready!

Name	Link
🔨 Latest commit	7336e43
🔍 Latest deploy log	https://app.netlify.com/projects/new-eslint/deploys/6942184876c3310008dd270e
😎 Deploy Preview	https://deploy-preview-843--new-eslint.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[netlify]

✅ Deploy Preview for zh-hans-eslint ready!

Name	Link
🔨 Latest commit	7336e43
🔍 Latest deploy log	https://app.netlify.com/projects/zh-hans-eslint/deploys/69421848bcfb430008d6f803
😎 Deploy Preview	https://deploy-preview-843--zh-hans-eslint.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[netlify]

✅ Deploy Preview for ja-eslint ready!

Name	Link
🔨 Latest commit	7336e43
🔍 Latest deploy log	https://app.netlify.com/projects/ja-eslint/deploys/6942184876c3310008dd2712
😎 Deploy Preview	https://deploy-preview-843--ja-eslint.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[netlify]

✅ Deploy Preview for pt-br-eslint ready!

Name	Link
🔨 Latest commit	7336e43
🔍 Latest deploy log	https://app.netlify.com/projects/pt-br-eslint/deploys/69421848a0c2ac0007ffa5b5
😎 Deploy Preview	https://deploy-preview-843--pt-br-eslint.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[netlify]

✅ Deploy Preview for hi-eslint ready!

Name	Link
🔨 Latest commit	7336e43
🔍 Latest deploy log	https://app.netlify.com/projects/hi-eslint/deploys/6942184813eda20008559be5
😎 Deploy Preview	https://deploy-preview-843--hi-eslint.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[netlify]

✅ Deploy Preview for es-eslint ready!

Name	Link
🔨 Latest commit	7336e43
🔍 Latest deploy log	https://app.netlify.com/projects/es-eslint/deploys/69421848c8729600080e5c6f
😎 Deploy Preview	https://deploy-preview-843--es-eslint.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[netlify]

✅ Deploy Preview for fr-eslint ready!

Name	Link
🔨 Latest commit	7336e43
🔍 Latest deploy log	https://app.netlify.com/projects/fr-eslint/deploys/69421848110835000844ee84
😎 Deploy Preview	https://deploy-preview-843--fr-eslint.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[netlify]

✅ Deploy Preview for de-eslint ready!

Name	Link
🔨 Latest commit	7336e43
🔍 Latest deploy log	https://app.netlify.com/projects/de-eslint/deploys/6942184836d8430008b1060a
😎 Deploy Preview	https://deploy-preview-843--de-eslint.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[github-actions]

Hi everyone, it looks like we lost track of this pull request. Please review and see what the next steps are. This pull request will auto-close in 7 days without an update.

[lumirlumir]

Marking it as a draft for now, since it's superseded by #874

[lumirlumir]

Closing this as #874 has been merged.

[renovate]

Renovate Ignore Notification

Because you closed this PR without merging, Renovate will ignore this update. You will not get PRs for any future 4.x releases. But if you manually upgrade to 4.x then Renovate will re-enable minor and patch updates automatically.

If you accidentally closed this PR, or if you changed your mind: rename this PR to get a fresh replacement PR.