Update dependency js-yaml to v4.1.1 [SECURITY]

[openverse-bot]

This PR contains the following updates:

Package	Type	Update	Change
js-yaml	dependencies	patch	4.1.0 -> 4.1.1

GitHub Vulnerability Alerts

CVE-2025-64718

Impact

In js-yaml 4.1.0, 4.0.0, and 3.14.1 and below, it's possible for an attacker to modify the prototype of the result of a parsed yaml document via prototype pollution (__proto__). All users who parse untrusted yaml documents may be impacted.

Patches

Problem is patched in js-yaml 4.1.1 and 3.14.2.

Workarounds

You can protect against this kind of attack on the server by using node --disable-proto=delete or deno (in Deno, pollution protection is on by default).

References

https://cheatsheetseries.owasp.org/cheatsheets/Prototype_Pollution_Prevention_Cheat_Sheet.html

---

Release Notes

nodeca/js-yaml (js-yaml)

v4.1.1

Compare Source

Security

• Fix prototype pollution issue in yaml merge (<<) operator.

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled because a matching PR was automerged previously.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.

[github-actions]

Latest k6 run output¹

     ✓ status was 200

     checks.........................: 100.00% ✓ 412      ✗ 0   
     data_received..................: 97 MB   403 kB/s
     data_sent......................: 131 kB  543 B/s
     http_req_blocked...............: avg=76.47µs  min=2.15µs  med=5.53µs   max=2.91ms   p(90)=158.28µs p(95)=467.61µs
     http_req_connecting............: avg=47.04µs  min=0s      med=0s       max=2.84ms   p(90)=95.75µs  p(95)=151.23µs
     http_req_duration..............: avg=161.19ms min=17.2ms  med=112.21ms max=957.83ms p(90)=350.74ms p(95)=429.61ms
       { expected_response:true }...: avg=161.19ms min=17.2ms  med=112.21ms max=957.83ms p(90)=350.74ms p(95)=429.61ms
   ✓ http_req_failed................: 0.00%   ✓ 0        ✗ 412 
     http_req_receiving.............: avg=177.69µs min=56.95µs med=158.29µs max=3.4ms    p(90)=245.65µs p(95)=294.3µs 
     http_req_sending...............: avg=29.63µs  min=9.44µs  med=25.47µs  max=126.88µs p(90)=48.7µs   p(95)=72.93µs 
     http_req_tls_handshaking.......: avg=0s       min=0s      med=0s       max=0s       p(90)=0s       p(95)=0s      
     http_req_waiting...............: avg=160.99ms min=17.07ms med=112.02ms max=957.6ms  p(90)=350.44ms p(95)=429.33ms
     http_reqs......................: 412     1.709164/s
     iteration_duration.............: avg=869.33ms min=348.8ms med=973.37ms max=1.69s    p(90)=1.17s    p(95)=1.22s   
     iterations.....................: 77      0.319431/s
     vus............................: 3       min=0      max=6 
     vus_max........................: 60      min=60     max=60

Footnotes

1. This comment will automatically update with new output each time k6 runs for this PR ↩

[Mahmoodyazdanpanah]

HaqNews

[Mahmoodyazdanpanah]

✅️🌹