Conversation

@github-actions

Automated Security Fix

This PR updates js-yaml from 3.14.1 to 3.14.2 to address a moderate severity prototype pollution vulnerability.

Security Advisory

CVE: GHSA-mh29-5h37-fv8m
Severity: Moderate
CVSS Score: 5.3
Package: js-yaml (transitive dependency via @istanbuljs/load-nyc-config)
Affected Versions: < 3.14.2
Fixed Version: 3.14.2

Vulnerability Details

The vulnerability involves prototype pollution through the merge function when using the << merge operator in YAML files. While js-yaml is only used as a dev dependency for test coverage reporting in this project, patching this vulnerability follows security best practices.

Changes

Package   Previous   Updated   Type
js-yaml   3.14.1     3.14.2    patch

Files Changed: package-lock.json (transitive dependency update)

Verification

  • Build passes (npm run build)
  • All 572 tests pass (npm test)
  • No breaking changes detected
  • npm audit shows 0 vulnerabilities after fix

Testing

# Before fix
$ npm audit
1 moderate severity vulnerability

# After fix
$ npm audit
found 0 vulnerabilities

# Full test suite
$ npm test
Test Suites: 18 passed, 18 total
Tests:       572 passed, 572 total

Impact

Low risk change: This is a patch-level update to a transitive dev dependency used only for test coverage reporting. The vulnerability does not affect production code or runtime behavior.


Generated by: Dependency Security Monitor Workflow
Detection Time: 2026-01-19T13:36:36Z
Source: npm audit

AI generated by Dependency Security Monitor
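The PR above patches a nested copy of js-yaml pulled in through @istanbuljs/load-nyc-config, which `npm audit` reports but which is easy to miss by reading only the top-level `node_modules/js-yaml` entry. The script below is an added example, not code from this PR or from the js-yaml project: it walks a package-lock.json (lockfileVersion 2/3 `packages` map or the older v1 nested `dependencies` tree) and lists every js-yaml install that is still below the fixed version 3.14.2. The sample lock objects, their package versions and the `vulnerableJsYaml`/`findJsYaml` helper names are constructed for the example.

```javascript
// Added example (not part of the PR): audit a package-lock.json for js-yaml
// installs below the fixed version 3.14.2 (GHSA-mh29-5h37-fv8m), including
// nested copies under other packages' node_modules.

const FIXED_VERSION = "3.14.2";
const PACKAGE = "js-yaml";

// Compare two dotted numeric versions. Pre-release suffixes are dropped; this
// is enough for a patch-level comparison, not a full semver implementation.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Walk a lockfileVersion 1 nested "dependencies" tree, collecting js-yaml entries.
function walkV1(deps, prefix, out) {
  for (const [name, info] of Object.entries(deps || {})) {
    const path = prefix ? `${prefix} > ${name}` : name;
    if (name === PACKAGE) out.push({ path, version: info.version });
    walkV1(info.dependencies, path, out);
  }
}

// Return every js-yaml install in the lock with its location in the tree.
function findJsYaml(lock) {
  const out = [];
  if (lock.packages) {
    // v2/v3: keys are paths such as
    // "node_modules/@istanbuljs/load-nyc-config/node_modules/js-yaml"
    for (const [key, info] of Object.entries(lock.packages)) {
      if (key === `node_modules/${PACKAGE}` || key.endsWith(`/node_modules/${PACKAGE}`)) {
        out.push({ path: key, version: info.version });
      }
    }
  } else {
    walkV1(lock.dependencies, "", out);
  }
  return out;
}

// Installs that are still below the fixed version.
function vulnerableJsYaml(lock) {
  return findJsYaml(lock).filter((e) => compareVersions(e.version, FIXED_VERSION) < 0);
}

// Constructed v3 lock mirroring the PR's "before" state: the top-level js-yaml is
// on a newer major, but the nested copy under load-nyc-config is still 3.14.1.
// Versions other than 3.14.1/3.14.2 are sample values, not taken from the PR.
const sampleBefore = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-project" },
    "node_modules/js-yaml": { version: "4.1.0" },
    "node_modules/@istanbuljs/load-nyc-config": { version: "1.1.0" },
    "node_modules/@istanbuljs/load-nyc-config/node_modules/js-yaml": { version: "3.14.1" },
  },
};

// The same lock after the patch-level bump the PR applies.
const sampleAfter = JSON.parse(JSON.stringify(sampleBefore));
sampleAfter.packages["node_modules/@istanbuljs/load-nyc-config/node_modules/js-yaml"].version =
  FIXED_VERSION;

// Constructed v1-style lock with the same nested dependency, to exercise walkV1.
const sampleV1 = {
  lockfileVersion: 1,
  dependencies: {
    "@istanbuljs/load-nyc-config": {
      version: "1.1.0",
      dependencies: { "js-yaml": { version: "3.14.1" } },
    },
  },
};

for (const [label, lock] of [["before", sampleBefore], ["after", sampleAfter], ["v1", sampleV1]]) {
  const bad = vulnerableJsYaml(lock);
  console.log(
    `${label}: ${bad.length === 0 ? "no js-yaml below " + FIXED_VERSION : bad.map((e) => `${e.path}@${e.version}`).join(", ")}`
  );
}
```

To run it against a real lock file, replace `sampleBefore` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; a non-empty result from `vulnerableJsYaml` is the same condition `npm audit` reports for this advisory, and an empty one is what the "found 0 vulnerabilities" line in the PR corresponds to.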

@github-actions github-actions bot added dependencies Pull requests that update a dependency file automated labels Jan 19, 2026