
fix: bump js-yaml to 4.1.1 to fix CVE-2025-64718 #235

Merged
lfarrel6 merged 1 commit into master from COM-188/patch-CVE-2025-64718 on May 22, 2026

Conversation

@lfarrel6 (Member)

CVE-2025-64718 - js-yaml Prototype Pollution

Issue: COM-188

Summary

Fixes CVE-2025-64718 in the js-yaml package (versions ≥ 4.0.0, < 4.1.1).

CVE: CVE-2025-64718 / GHSA-mh29-5h37-fv8m
CVSS Score: 5.3 (Medium)
Affected Package: npm-js-yaml >= 4.0.0, < 4.1.1
Fixed in: 4.1.1
SLA Deadline: 2026-05-29T18:11:52.722Z

Vulnerability Details

js-yaml versions ≥ 4.0.0 and < 4.1.1 allow an attacker who controls the content of a parsed YAML document to pollute Object.prototype via a __proto__ key. This can silently alter the behavior of all plain objects in the Node.js process — potentially enabling unauthorized property access, bypassing security checks, or causing denial of service.

Risk Assessment

Risk is low. js-yaml is a dev-only, transitive dependency with zero production surface. It is only installed as a transitive dependency of mocha (test runner) and eslint (linter). The vulnerability is only reachable during local development or CI when running tests or linting.

Changes

  • Added overrides entry in package.json to pin js-yaml to version 4.1.1
  • Updated package-lock.json with the patched version
  • All tests pass successfully

References

@changeset-bot (Bot) commented May 22, 2026

⚠️ No Changeset found

Latest commit: 0018cf9

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types


@lfarrel6 lfarrel6 merged commit 36099e6 into master May 22, 2026
10 of 11 checks passed
@lfarrel6 lfarrel6 deleted the COM-188/patch-CVE-2025-64718 branch May 22, 2026 14:29