
fix(deps): update dependency js-yaml to v4.1.1 [security]#133

Merged
alexkli merged 1 commit into main from renovate-npm-js-yaml-vulnerability on Nov 14, 2025

Conversation

@renovate renovate bot (Contributor) commented Nov 14, 2025

This PR contains the following updates:

Package   Change           Age   Confidence
js-yaml   4.1.0 -> 4.1.1   age   confidence

GitHub Vulnerability Alerts

CVE-2025-64718

Impact

In js-yaml 4.1.0 and below, it's possible for an attacker to modify the prototype of the result of a parsed yaml document via prototype pollution (__proto__). All users who parse untrusted yaml documents may be impacted.

Patches

Problem is patched in js-yaml 4.1.1.

Workarounds

You can protect against this kind of attack on the server by using node --disable-proto=delete or deno (in Deno, pollution protection is on by default).

References

https://cheatsheetseries.owasp.org/cheatsheets/Prototype_Pollution_Prevention_Cheat_Sheet.html


Release Notes

nodeca/js-yaml (js-yaml)

v4.1.1

Compare Source

Security
  • Fix prototype pollution issue in yaml merge (<<) operator.

Configuration

📅 Schedule: Branch creation - "" in timezone America/Los_Angeles, Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
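As an added example that is not part of this PR, of Renovate, or of js-yaml: the defensive checks a consumer of untrusted YAML can wrap around the parser call, covering the two points of the advisory above (an own `__proto__` key in a parsed document reaching the prototype chain when the result is merged, and the `node --disable-proto=delete` workaround). The parser here is a `JSON.parse` stand-in so the file runs offline; in a real service the same wrapper goes around `yaml.load(text)`. `findDangerousKeys`, `detectPrototypePollution`, `safeMerge`, `protoAccessorDisabled`, `loadUntrusted` and the sample document are names and data constructed for this example, not identifiers from the project.

```javascript
// Added example, not code from this PR or from js-yaml. Defensive wrapper
// around a parser of untrusted documents (yaml.load in practice; a JSON.parse
// stand-in here so the file runs offline).

// Keys that reach the prototype chain when a parsed object is naively merged
// into another object (the failure mode behind the yaml `<<` merge fix).
const DANGEROUS_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Constructed sample: a document carrying an own "__proto__" key. JSON.parse
// stores it as an ordinary own property, so parsing alone does not pollute.
const SAMPLE_DOC = '{"name":"svc","__proto__":{"isAdmin":true},"tags":["a","b"]}';

// Stand-in for yaml.load(text); swap in the real parser in production.
function parseStandIn(text) {
  return JSON.parse(text);
}

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

// Own-property read that is not shadowed by the inherited __proto__ accessor.
function ownValue(obj, key) {
  const d = Object.getOwnPropertyDescriptor(obj, key);
  return d === undefined ? undefined : d.value;
}

// Walk the parsed tree and list the paths of keys that could reach the prototype.
function findDangerousKeys(value, path = '$', found = []) {
  if (value === null || typeof value !== 'object') return found;
  for (const key of Object.getOwnPropertyNames(value)) {
    if (Array.isArray(value) && key === 'length') continue;
    const childPath = Array.isArray(value) ? `${path}[${key}]` : `${path}.${key}`;
    if (DANGEROUS_KEYS.has(key)) found.push(childPath);
    findDangerousKeys(ownValue(value, key), childPath, found);
  }
  return found;
}

// Canary: snapshot Object.prototype's own keys before parsing and diff after.
// Any new key means the parser (or a merge inside it) polluted the prototype.
function detectPrototypePollution(parseFn, text) {
  const before = new Set(Object.getOwnPropertyNames(Object.prototype));
  const result = parseFn(text);
  const addedKeys = Object.getOwnPropertyNames(Object.prototype)
    .filter((k) => !before.has(k));
  return { result, polluted: addedKeys.length > 0, addedKeys };
}

// Deep merge that refuses prototype-reaching keys and only writes own data
// properties on the target, so a merged document cannot alter Object.prototype.
function safeMerge(target, source) {
  for (const key of Object.getOwnPropertyNames(source)) {
    if (DANGEROUS_KEYS.has(key)) {
      throw new Error(`refusing to merge prototype-reaching key "${key}"`);
    }
    const src = ownValue(source, key);
    const dst = ownValue(target, key);
    if (isPlainObject(src) && isPlainObject(dst)) {
      safeMerge(dst, src);
    } else {
      Object.defineProperty(target, key, {
        value: src, writable: true, enumerable: true, configurable: true,
      });
    }
  }
  return target;
}

// node --disable-proto=delete (the advisory's workaround) removes the
// Object.prototype.__proto__ accessor; this reports whether it is gone.
function protoAccessorDisabled() {
  return Object.getOwnPropertyDescriptor(Object.prototype, '__proto__') === undefined;
}

// Full check a service would run on each untrusted document.
function loadUntrusted(text) {
  const { result, polluted, addedKeys } = detectPrototypePollution(parseStandIn, text);
  if (polluted) throw new Error(`parser polluted Object.prototype: ${addedKeys.join(', ')}`);
  const bad = findDangerousKeys(result);
  if (bad.length > 0) throw new Error(`document rejected, dangerous keys at ${bad.join(', ')}`);
  return result;
}

// Demo run: the sample is rejected, a clean document passes.
console.log('proto accessor disabled:', protoAccessorDisabled());
try {
  loadUntrusted(SAMPLE_DOC);
} catch (e) {
  console.log(e.message);
}
console.log(JSON.stringify(loadUntrusted('{"name":"svc","tags":["a"]}')));
```

The canary check only fires if the parser itself mutates the shared prototype; the key scan catches the other half of the problem, a document whose own keys would reach the prototype once the result is merged into configuration or defaults. `protoAccessorDisabled()` returns true only when the process was started with `--disable-proto=delete`, which is a cheap startup assertion for services that cannot upgrade immediately.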

@github-actions

🚨 Sizewatcher had a measurement error:

git has no changes (553 kB)
Largest files:
Largest files in repository checkout:

347KiB package-lock.json
29KiB README.md
11KiB LICENSE
7.6KiB test/cli.test.js
7.1KiB lib/checkout.js
6.3KiB lib/compare.js
5.0KiB test/mocha-capture-console.js
4.5KiB lib/report.js
4.3KiB test/config.test.js
3.9KiB lib/render.js

Largest files among new changes:

347KiB package-lock.json
1.3KiB package.json
node_modules has no changes (72.9 MB)
Largest production node modules:
@adobe/sizewatcher@1.4.0 (67 deps, 16.35mb, 1082 files, ©undefined)
╭───────────────────────┬──────────────┬──────────┬───────┬───────────┬────────────┬───────────╮
│ Name │ Dependencies │ Size │ Files │ Native │ License │ Deprec │
├───────────────────────┼──────────────┼──────────┼───────┼───────────┼────────────┼───────────┤
│ @octokit/rest@19.0.3 │ 25 │ 11mb │ 380 │ │ MIT │ │
├───────────────────────┼──────────────┼──────────┼───────┼───────────┼────────────┼───────────┤
│ glob@10.3.5 │ 27 │ 3.09mb │ 367 │ │ ISC │ │
├───────────────────────┼──────────────┼──────────┼───────┼───────────┼────────────┼───────────┤
│ simple-git@3.22.0 │ 4 │ 934.56kb │ 142 │ │ MIT │ │
├───────────────────────┼──────────────┼──────────┼───────┼───────────┼────────────┼───────────┤
│ js-yaml@4.1.1 │ 1 │ 544.75kb │ 39 │ │ MIT │ │
├───────────────────────┼──────────────┼──────────┼───────┼───────────┼────────────┼───────────┤
│ xbytes@1.9.1 │ │ 74.45kb │ 11 │ │ Apache-2.0 │ │
├───────────────────────┼──────────────┼──────────┼───────┼───────────┼────────────┼───────────┤
│ debug@4.4.3 │ 1 │ 48.35kb │ 11 │ │ MIT │ │
├───────────────────────┼──────────────┼──────────┼───────┼───────────┼────────────┼───────────┤
│ tmp@0.2.5 │ │ 38.3kb │ 4 │ │ MIT │ │
├───────────────────────┼──────────────┼──────────┼───────┼───────────┼────────────┼───────────┤
│ deepmerge@4.3.1 │ │ 30.43kb │ 11 │ │ MIT │ │
├───────────────────────┼──────────────┼──────────┼───────┼───────────┼────────────┼───────────┤
│ require-dir@1.2.0 │ │ 16.87kb │ 40 │ │ MIT │ │
├───────────────────────┼──────────────┼──────────┼───────┼───────────┼────────────┼───────────┤
│ get-folder-size@5.0.0 │ │ 11.65kb │ 5 │ │ MIT │ │
├───────────────────────┼──────────────┼──────────┼───────┼───────────┼────────────┼───────────┤
│ pretty-bytes@5.6.0 │ │ 11.27kb │ 5 │ │ MIT │ │
╰───────────────────────┴──────────────┴──────────┴───────┴───────────┴────────────┴───────────╯

   🚨 npm_package measurement error: Command failed: npm publish --dry-run
npm notice
npm notice 📦 @adobe/sizewatcher@1.4.0
npm notice Tarball Contents
npm notice 3.1kB CHANGELOG.md
npm notice 11.3kB LICENSE
npm notice 29.9kB README.md
npm notice 743B index.js
npm notice 7.3kB lib/checkout.js
npm notice 3.9kB lib/comparators/custom.js
npm notice 3.6kB lib/comparators/git.js
npm notice 3.0kB lib/comparators/node_modules.js
npm notice 2.3kB lib/comparators/npm_package.js
npm notice 6.4kB lib/compare.js
npm notice 1.7kB lib/config.js
npm notice 2.6kB lib/github.js
npm notice 4.0kB lib/render.js
npm notice 4.6kB lib/report.js
npm notice 2.1kB lib/size.js
npm notice 2.7kB lib/sizewatcher.js
npm notice 1.3kB package.json
npm notice Tarball Details
npm notice name: @adobe/sizewatcher
npm notice version: 1.4.0
npm notice filename: adobe-sizewatcher-1.4.0.tgz
npm notice package size: 23.2 kB
npm notice unpacked size: 90.6 kB
npm notice shasum: 807075dd689ce64930ebd55a2bf3a9e952dcfb29
npm notice integrity: sha512-eUgOkZAQeinUE[...]hcs4mp0DaIG/Q==
npm notice total files: 17
npm notice
npm warn This command requires you to be logged in to https://registry.npmjs.org/ (dry-run)
npm error You cannot publish over the previously published versions: 1.4.0.
npm error A complete log of this run can be found in: /home/runner/.npm/_logs/2025-11-14T20_46_18_560Z-debug-0.log

Notes
  • PR branch: renovate-npm-js-yaml-vulnerability @ 147f583
  • Base branch: main @ 06ec641
  • Sizewatcher v1.4.0
  • Effective Configuration:
limits:
  fail: 100%
  warn: 30%
  ok: '-10%'
report:
  githubComment: true
  githubStatus: false
comparators: {}

@coveralls (Collaborator)

Coverage Status

coverage: 59.677%. remained the same when pulling 147f583 on renovate-npm-js-yaml-vulnerability into 06ec641 on main.

@alexkli alexkli merged commit 962ed09 into main Nov 14, 2025
9 checks passed
@alexkli alexkli deleted the renovate-npm-js-yaml-vulnerability branch November 14, 2025 21:52