
Update dependency js-yaml to v5#580

Open
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/js-yaml-5.x

Conversation

@renovate renovate Bot commented Jun 20, 2026


This PR contains the following updates:

Package | Change
--------|----------------
js-yaml | ^4.1.0 → ^5.0.0

Release Notes

nodeca/js-yaml (js-yaml)

v5.0.0

Compare Source

Added
  • Added named exports for schemas, tags, parser events and AST utilities.
  • Reworked JSON_SCHEMA and CORE_SCHEMA with spec-compliant scalar resolution
    rules, and added YAML11_SCHEMA.
  • Added realMapTag for lossless mappings with non-string and complex keys.
    Object-based mappings now reject complex keys instead of stringifying them.
  • Added dump() transform option for changing the generated AST before
    rendering.
  • Added dump() options seqInlineFirst, flowBracketPadding,
    flowSkipCommaSpace, flowSkipColonSpace, quoteFlowKeys, quoteStyle and
    tagBeforeAnchor.
  • Added formal data layers (events and AST) for modular data pipelines.
    • Added low-level parser (to events), presenter and visitor APIs.
  • Added the YAML Test Suite to the
    test set.
Changed
  • See the migration guide for upgrade notes.
  • Rewritten in TypeScript and reorganized the public API around flat named
    exports.
  • Reduced the set of exported schemas:
    • YAML 1.2 schemas: CORE_SCHEMA (loader default), JSON_SCHEMA,
      FAILSAFE_SCHEMA.
    • YAML11_SCHEMA, a combination of all YAML 1.1 tags (YAML 1.1 does not
      specify a schema, only "types").
  • load/dump default behaviour is now specified exactly via schemas:
    • load uses CORE_SCHEMA, without !!merge by default.
    • dump uses YAML11_SCHEMA + CORE_SCHEMA for the quoting check, to
      guarantee backward compatibility by default.
  • !!set is now loaded as a JavaScript Set.
  • Replaced the Type API with a tags API. Similar, but more precise and
    simpler. See examples for details. Tags can be defined via
    defineScalarTag(), defineSequenceTag() and defineMappingTag(), or as a
    spread + override of an existing tag.
  • Renamed Schema.extend() to Schema.withTags().
  • Expanded YAML 1.2 conformance and improved handling of directives, document
    markers, block keys, multiline scalars, tag syntax and other things.
  • load() now throws on empty input instead of returning undefined.
  • Moved browser builds to the js-yaml/browser export.
  • Deprecated the loadAll signature with an iterator (still works, but is a
    candidate for removal).
Removed
  • Removed deprecated safeLoad(), safeLoadAll() and safeDump() exports.
  • Removed DEFAULT_SCHEMA and the nested types export.
  • Removed loader options onWarning, legacy and listener.
  • Removed dumper options styles, replacer, noCompatMode, condenseFlow,
    quotingType and forceQuotes. Renamed noArrayIndent to seqNoIndent.
    Formatting and representation are now configured through presenter options,
    schemas and tag definitions. See migration guide on how to replace.
  • Removed support for importing internal files from lib/.

v4.2.0

Compare Source

Added
  • Added docs/safety.md with notes about processing untrusted YAML.
  • Added maxDepth (100) loader option. Not a problem, but gives a better
    exception instead of RangeError on stack overflow.
  • Added maxMergeSeqLength (20) loader option. Not a problem after merge fix,
    but an additional restriction for safety.
  • Added sourcemaps to dist/ builds.
Changed
  • Stop resolving numbers with underscores as numeric scalars, #627.
  • Switched dev toolchains to Vite / neostandard.
  • Updated demo.
  • Reorganized tests.
  • dist/ files are no longer kept in the repository.
Fixed
  • Fix parsing of properties on the first implicit block mapping key, #62.
  • Fix trailing whitespace handling when folding flow scalar lines, #307.
  • Reject top-level block scalars without content indentation, #280.
  • Ensure numbers survive round-trip, #737.
  • Fix test coverage for issue #221.
  • Fix flow scalar trailing whitespace folding, #307.
  • Fix digits in YAML named tag handles.
Security
  • Fix potential DoS via quadratic complexity in merge - deduplicate repeated
    elements (makes sense for malformed files > 10K).

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR was generated by Mend Renovate. View the repository job log.

@socket-security


Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff    | Package               | Supply Chain Security | Vulnerability | Quality | Maintenance | License
--------|-----------------------|-----------------------|---------------|---------|-------------|--------
Updated | js-yaml@4.1.1 ⏵ 5.0.0 | 100                   | 100 +2        | 99      | 86          | 100

View full report

@socket-security


Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action: Warn
Severity: High
Alert: Obfuscated code: npm js-yaml is 90.0% likely obfuscated

Confidence: 0.90

Location: Package overview

From: package-lock.json → npm/@eslint/eslintrc@3.3.5 → npm/mocha@11.7.5 → npm/js-yaml@4.2.0

ℹ Read more on: This package | This alert | What is obfuscated code?

Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/js-yaml@4.2.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report

@github-actions


MegaLinter analysis: Error

Status | Descriptor | Linter                   | Files | Fixed | Errors | Warnings | Elapsed time
-------|------------|--------------------------|-------|-------|--------|----------|-------------
✅     | DOCKERFILE | hadolint                 | 1     |       | 0      | 0        | 0.03s
✅     | GROOVY     | npm-groovy-lint          | 10    | 3     | 0      | 0        | 24.65s
✅     | JAVASCRIPT | prettier                 | 100   | 100   | 0      | 0        | 3.78s
✅     | JSON       | jsonlint                 | 9     |       | 0      | 0        | 0.2s
✅     | JSON       | npm-package-json-lint    | yes   |       | no     | no       | 0.58s
✅     | JSON       | prettier                 | 9     | 4     | 0      | 0        | 1.76s
✅     | JSON       | v8r                      | 9     |       | 0      | 0        | 14.48s
⚠️     | MARKDOWN   | markdownlint             | 8     | 3     | 3      | 0        | 2.92s
✅     | MARKDOWN   | markdown-table-formatter | 8     | 6     | 0      | 0        | 0.84s
✅     | REPOSITORY | checkov                  | yes   |       | no     | no       | 17.93s
✅     | REPOSITORY | gitleaks                 | yes   |       | no     | no       | 8.07s
✅     | REPOSITORY | git_diff                 | yes   |       | no     | no       | 0.09s
❌     | REPOSITORY | grype                    | yes   |       | 6      | no       | 44.64s
✅     | REPOSITORY | secretlint               | yes   |       | no     | no       | 0.97s
❌     | REPOSITORY | trivy                    | yes   |       | 1      | no       | 5.77s
✅     | REPOSITORY | trufflehog               | yes   |       | no     | no       | 2.66s
✅     | SPELL      | cspell                   | 140   |       | 0      | 0        | 7.93s
⚠️     | SPELL      | lychee                   | 20    |       | 16     | 0        | 23.47s
✅     | XML        | xmllint                  | 1     | 0     | 0      | 0        | 0.22s
✅     | YAML       | prettier                 | 3     | 0     | 0      | 0        | 0.79s
✅     | YAML       | v8r                      | 3     |       | 0      | 0        | 7.23s
✅     | YAML       | yamllint                 | 3     |       | 0      | 0        | 0.98s

Detailed Issues

❌ REPOSITORY / grype - 6 errors
[0000]  WARN no explicit name and version provided for directory source, deriving artifact ID from the given path (which is not ideal) from=syft
error purl scheme is not "pkg": ""
(the line above is repeated 107 times in the log)
NAME             INSTALLED  FIXED IN  TYPE          VULNERABILITY        SEVERITY  EPSS         RISK   
form-data        4.0.5      4.0.6     npm           GHSA-hmw2-7cc7-3qxx  High      0.3% (24th)  0.3    
brace-expansion  5.0.5      5.0.6     npm           GHSA-jxxr-4gwj-5jf2  Medium    0.2% (10th)  0.1    
logback-core     1.5.18     1.5.19    java-archive  GHSA-25qh-j22f-pwp8  Medium    0.2% (4th)   < 0.1  
logback-core     1.5.18     1.5.25    java-archive  GHSA-qqpg-mvqg-649v  Low       0.2% (4th)   < 0.1  
jackson-core     2.19.0     2.21.1    java-archive  GHSA-72hv-8253-57qq  Medium    N/A          N/A    
tar              7.5.13     7.5.16    npm           GHSA-vmf3-w455-68vh  Medium    N/A          N/A
[0044] ERROR discovered vulnerabilities at or above the severity threshold
❌ REPOSITORY / trivy - 1 error
2026-06-20T21:54:55Z	INFO	[vulndb] Need to update DB
2026-06-20T21:54:55Z	INFO	[vulndb] Downloading vulnerability DB...
2026-06-20T21:54:55Z	INFO	[vulndb] Downloading artifact...	repo="mirror.gcr.io/aquasec/trivy-db:2"
2026-06-20T21:54:58Z	INFO	[vulndb] Artifact successfully downloaded	repo="mirror.gcr.io/aquasec/trivy-db:2"
2026-06-20T21:54:58Z	INFO	[vuln] Vulnerability scanning is enabled
2026-06-20T21:54:58Z	INFO	[misconfig] Misconfiguration scanning is enabled
2026-06-20T21:54:58Z	INFO	[misconfig] Need to update the checks bundle
2026-06-20T21:54:58Z	INFO	[misconfig] Downloading the checks bundle...
2026-06-20T21:55:00Z	INFO	Suppressing dependencies for development and testing. To display them, try the '--include-dev-deps' flag.
2026-06-20T21:55:00Z	INFO	Number of language-specific files	num=1
2026-06-20T21:55:00Z	INFO	[npm] Detecting vulnerabilities...
2026-06-20T21:55:00Z	INFO	Detected config files	num=1

Report Summary

┌───────────────────┬────────────┬─────────────────┬───────────────────┐
│      Target       │    Type    │ Vulnerabilities │ Misconfigurations │
├───────────────────┼────────────┼─────────────────┼───────────────────┤
│ package-lock.json │    npm     │        3        │         -         │
├───────────────────┼────────────┼─────────────────┼───────────────────┤
│ Dockerfile        │ dockerfile │        -        │         0         │
└───────────────────┴────────────┴─────────────────┴───────────────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)


For OSS Maintainers: VEX Notice
--------------------------------
If you're an OSS maintainer and Trivy has detected vulnerabilities in your project that you believe are not actually exploitable, consider issuing a VEX (Vulnerability Exploitability eXchange) statement.
VEX allows you to communicate the actual status of vulnerabilities in your project, improving security transparency and reducing false positives for your users.
Learn more and start using VEX: https://trivy.dev/v0.67/docs/supply-chain/vex/repo#publishing-vex-documents

To disable this notice, set the TRIVY_DISABLE_VEX_NOTICE environment variable.


package-lock.json (npm)
=======================
Total: 3 (UNKNOWN: 0, LOW: 0, MEDIUM: 2, HIGH: 1, CRITICAL: 0)

┌─────────────────┬────────────────┬──────────┬────────┬───────────────────┬─────────────────────┬────────────────────────────────────────────────────────────┐
│     Library     │ Vulnerability  │ Severity │ Status │ Installed Version │    Fixed Version    │                           Title                            │
├─────────────────┼────────────────┼──────────┼────────┼───────────────────┼─────────────────────┼────────────────────────────────────────────────────────────┤
│ brace-expansion │ CVE-2026-45149 │ MEDIUM   │ fixed  │ 5.0.5             │ 5.0.6               │ brace-expansion: brace-expansion: Denial of Service due to │
│                 │                │          │        │                   │                     │ excessive memory allocation when expanding...              │
│                 │                │          │        │                   │                     │ https://avd.aquasec.com/nvd/cve-2026-45149                 │
├─────────────────┼────────────────┼──────────┤        ├───────────────────┼─────────────────────┼────────────────────────────────────────────────────────────┤
│ form-data       │ CVE-2026-12143 │ HIGH     │        │ 4.0.5             │ 2.5.6, 3.0.5, 4.0.6 │ form-data is a library for creating readable               │
│                 │                │          │        │                   │                     │ multipart/form-data strea ...                              │
│                 │                │          │        │                   │                     │ https://avd.aquasec.com/nvd/cve-2026-12143                 │
├─────────────────┼────────────────┼──────────┤        ├───────────────────┼─────────────────────┼────────────────────────────────────────────────────────────┤
│ tar             │ CVE-2026-53655 │ MEDIUM   │        │ 7.5.13            │ 7.5.16              │ node-tar applies PAX size override to intermediary GNU     │
│                 │                │          │        │                   │                     │ long-name/long-link headers, causing tar...                │
│                 │                │          │        │                   │                     │ https://avd.aquasec.com/nvd/cve-2026-53655                 │
└─────────────────┴────────────────┴──────────┴────────┴───────────────────┴─────────────────────┴────────────────────────────────────────────────────────────┘

📣 Notices:
  - Version 0.71.2 of Trivy is now available, current version is 0.67.2

To suppress version checks, run Trivy scans with the --skip-version-check flag
⚠️ SPELL / lychee - 16 errors
[WARN ] Error creating request: InvalidPathToUri("/lib/java/logback.xml")
[403] https://www.npmjs.com/package/insight | Network error: Forbidden
[403] https://www.npmjs.com/package/analytics | Network error: Forbidden
[403] https://www.npmjs.com/package/java-caller | Network error: Forbidden
[403] https://www.npmjs.com/package/java-caller | Network error: Forbidden
[403] https://www.npmjs.com/package/amplitude | Network error: Forbidden
[403] https://nicolas.vuillamy.fr/a-groovy-journey-to-open-source-during-covid-19-npm-groovy-lint-8d88c7eecebc | Network error: Forbidden
[403] https://www.npmjs.com/package/insight | Error (cached)
[403] https://www.npmjs.com/package/analytics | Error (cached)
[403] https://www.npmjs.com/package/java-caller | Error (cached)
[403] https://www.npmjs.com/package/java-caller | Error (cached)
[403] https://nicolas.vuillamy.fr/a-groovy-journey-to-open-source-during-covid-19-npm-groovy-lint-8d88c7eecebc | Error (cached)
[403] https://www.npmjs.com/package/amplitude | Error (cached)
[403] https://npmjs.org/package/npm-groovy-lint | Network error: Forbidden
[403] https://npmjs.org/package/npm-groovy-lint | Network error: Forbidden
[404] https://github.com/vafgoettlich | Network error: Not Found
[IGNORED] git+https://github.com/nvuillam/npm-groovy-lint.git | Unsupported: Error creating request client: builder error for url (git+https://github.com/nvuillam/npm-groovy-lint.git)
[404] https://github.com/vafgoettlich/checkmk | Network error: Not Found
📝 Summary
---------------------
🔍 Total..........455
✅ Successful.....430
⏳ Timeouts.........0
🔀 Redirected.......0
👻 Excluded.........8
❓ Unknown..........0
🚫 Errors..........16

Errors in CHANGELOG.md
[403] https://www.npmjs.com/package/analytics | Network error: Forbidden
[403] https://www.npmjs.com/package/java-caller | Network error: Forbidden
[403] https://www.npmjs.com/package/insight | Network error: Forbidden

Errors in docs/CHANGELOG.md
[403] https://www.npmjs.com/package/analytics | Error (cached)
[403] https://www.npmjs.com/package/java-caller | Error (cached)
[403] https://www.npmjs.com/package/insight | Error (cached)

Errors in docs/github-dependents-info.md
[404] https://github.com/vafgoettlich | Network error: Not Found
[404] https://github.com/vafgoettlich/checkmk | Network error: Not Found

Errors in docs/index.md
[403] https://www.npmjs.com/package/java-caller | Error (cached)
[403] https://www.npmjs.com/package/amplitude | Error (cached)
[403] https://nicolas.vuillamy.fr/a-groovy-journey-to-open-source-during-covid-19-npm-groovy-lint-8d88c7eecebc | Error (cached)
[403] https://npmjs.org/package/npm-groovy-lint | Network error: Forbidden

Errors in README.md
[403] https://nicolas.vuillamy.fr/a-groovy-journey-to-open-source-during-covid-19-npm-groovy-lint-8d88c7eecebc | Network error: Forbidden
[403] https://www.npmjs.com/package/java-caller | Network error: Forbidden
[403] https://www.npmjs.com/package/amplitude | Network error: Forbidden
[403] https://npmjs.org/package/npm-groovy-lint | Network error: Forbidden
⚠️ MARKDOWN / markdownlint - 3 errors
docs/github-dependents-info.md:11:3 MD051/link-fragments Link fragments should be valid [Context: "[github.com/nvuillam/npm-groovy-lint](#package-github.comnvuillamnpm-groovy-lint)"]
docs/index.md:39:65 MD059/descriptive-link-text Link text should be descriptive [Context: "[**here**]"]
README.md:39:65 MD059/descriptive-link-text Link text should be descriptive [Context: "[**here**]"]

See detailed reports in MegaLinter artifacts

MegaLinter is graciously provided by OX Security
