Bump js-yaml from 3.14.1 to 3.14.2 in the npm_and_yarn group across 1 directory

[dependabot]

Bumps the npm_and_yarn group with 1 update in the / directory: js-yaml.

Updates js-yaml from 3.14.1 to 3.14.2

Changelog

Sourced from js-yaml's changelog.

[3.14.2] - 2025-11-15

Security

• Backported v4.1.1 fix to v3

[4.1.1] - 2025-11-12

Security

• Fix prototype pollution issue in yaml merge (<<) operator.

[4.1.0] - 2021-04-15

Added

• Types are now exported as yaml.types.XXX.
• Every type now has options property with original arguments kept as they were (see yaml.types.int.options as an example).

Changed

• Schema.extend() now keeps old type order in case of conflicts (e.g. Schema.extend([ a, b, c ]).extend([ b, a, d ]) is now ordered as abcd instead of cbad).

[4.0.0] - 2021-01-03

Changed

• Check migration guide to see details for all breaking changes.
• Breaking: "unsafe" tags !!js/function, !!js/regexp, !!js/undefined are moved to js-yaml-js-types package.
• Breaking: removed safe* functions. Use load, loadAll, dump instead which are all now safe by default.
• yaml.DEFAULT_SAFE_SCHEMA and yaml.DEFAULT_FULL_SCHEMA are removed, use yaml.DEFAULT_SCHEMA instead.
• yaml.Schema.create(schema, tags) is removed, use schema.extend(tags) instead.
• !!binary now always mapped to Uint8Array on load.
• Reduced nesting of /lib folder.
• Parse numbers according to YAML 1.2 instead of YAML 1.1 (01234 is now decimal, 0o1234 is octal, 1:23 is parsed as string instead of base60).
• dump() no longer quotes :, [, ], (, ) except when necessary, #470, #557.
• Line and column in exceptions are now formatted as (X:Y) instead of at line X, column Y (also present in compact format), #332.
• Code snippet created in exceptions now contains multiple lines with line numbers.
• dump() now serializes undefined as null in collections and removes keys with undefined in mappings, #571.
• dump() with skipInvalid=true now serializes invalid items in collections as null.
• Custom tags starting with ! are now dumped as !tag instead of !<!tag>, #576.
• Custom tags starting with tag:yaml.org,2002: are now shorthanded using !!, #258.

Added

• Added .mjs (es modules) support.
• Added quotingType and forceQuotes options for dumper to configure string literal style, #290, #529.
• Added styles: { '!!null': 'empty' } option for dumper (serializes { foo: null } as "foo: "), #570.

... (truncated)

Commits

• 9963d36 3.14.2 released
• 10d3c8e dist rebuild
• 5278870 fix prototype pollution in merge (<<) (#731)
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
• @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
• @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
• @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
• @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[coderabbitai]

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[github-actions]

❌MegaLinter analysis: Error

Descriptor	Linter	Files	Fixed	Errors	Warnings	Elapsed time
❌ COPYPASTE	jscpd	yes		5	no	2.26s
✅ EDITORCONFIG	editorconfig-checker	1		0	0	0.24s
✅ JSON	jsonlint	1		0	0	0.4s
✅ JSON	npm-package-json-lint	yes		no	no	0.49s
✅ JSON	prettier	1	0	0	0	0.48s
✅ JSON	v8r	1		0	0	2.19s
❌ REPOSITORY	checkov	yes		1	no	12.45s
✅ REPOSITORY	gitleaks	yes		no	no	1.6s
✅ REPOSITORY	git_diff	yes		no	no	0.0s
✅ REPOSITORY	grype	yes		no	no	34.11s
✅ REPOSITORY	secretlint	yes		no	no	0.46s
✅ REPOSITORY	syft	yes		no	no	1.75s
❌ REPOSITORY	trivy	yes		1	no	7.13s
✅ REPOSITORY	trivy-sbom	yes		no	no	3.36s
✅ REPOSITORY	trufflehog	yes		no	no	2.35s
✅ SPELL	cspell	2		0	0	2.53s
❌ SPELL	lychee	1		2	0	21.74s

Detailed Issues

❌ REPOSITORY / checkov - 1 error

github_actions scan results:

Passed checks: 247, Failed checks: 1, Skipped checks: 0

Check: CKV2_GHA_1: "Ensure top-level permissions are not set to write-all"
	FAILED for resource: on(MegaLinter)
	File: /.github/workflows/mega-linter.yml:45-46

❌ COPYPASTE / jscpd - 5 errors

Clone found (typescript):
 - packages/create-awesome-node-app/src/list.ts [76:16 - 87:2] (11 lines, 82 tokens)
   packages/create-awesome-node-app/src/list.ts [21:24 - 32:10]

Clone found (typescript):
 - packages/create-node-app-core/loaders.ts [143:21 - 155:6] (12 lines, 80 tokens)
   packages/create-node-app-core/loaders.ts [80:19 - 92:32]

Clone found (typescript):
 - packages/create-node-app-core/loaders.ts [186:9 - 201:19] (15 lines, 115 tokens)
   packages/create-node-app-core/loaders.ts [161:9 - 176:17]

Clone found (markdown):
 - packages/create-awesome-node-app/CHANGELOG.md [21:1 - 33:8] (12 lines, 327 tokens)
   packages/create-node-app-core/CHANGELOG.md [13:1 - 29:4]

Clone found (url):
 - README.md [218:1 - 232:70] (14 lines, 88 tokens)
   packages/create-awesome-node-app/README.md [286:1 - 300:70]

┌────────────┬────────────────┬─────────────┬──────────────┬──────────────┬──────────────────┬───────────────────┐
│ Format     │ Files analyzed │ Total lines │ Total tokens │ Clones found │ Duplicated lines │ Duplicated tokens │
├────────────┼────────────────┼─────────────┼──────────────┼──────────────┼──────────────────┼───────────────────┤
│ typescript │ 16             │ 2835        │ 22977        │ 3            │ 38 (1.34%)       │ 277 (1.21%)       │
├────────────┼────────────────┼─────────────┼──────────────┼──────────────┼──────────────────┼───────────────────┤
│ json       │ 23             │ 558         │ 3477         │ 0            │ 0 (0%)           │ 0 (0%)            │
├────────────┼────────────────┼─────────────┼──────────────┼──────────────┼──────────────────┼───────────────────┤
│ markdown   │ 12             │ 1229        │ 7706         │ 1            │ 12 (0.98%)       │ 327 (4.24%)       │
├────────────┼────────────────┼─────────────┼──────────────┼──────────────┼──────────────────┼───────────────────┤
│ javascript │ 5              │ 81          │ 458          │ 0            │ 0 (0%)           │ 0 (0%)            │
├────────────┼────────────────┼─────────────┼──────────────┼──────────────┼──────────────────┼───────────────────┤
│ url        │ 2              │ 32          │ 200          │ 1            │ 14 (43.75%)      │ 88 (44%)          │
├────────────┼────────────────┼─────────────┼──────────────┼──────────────┼──────────────────┼───────────────────┤
│ yaml       │ 1              │ 22          │ 45           │ 0            │ 0 (0%)           │ 0 (0%)            │
├────────────┼────────────────┼─────────────┼──────────────┼──────────────┼──────────────────┼───────────────────┤
│ Total:     │ 59             │ 4757        │ 34863        │ 5            │ 64 (1.35%)       │ 692 (1.98%)       │
└────────────┴────────────────┴─────────────┴──────────────┴──────────────┴──────────────────┴───────────────────┘
Found 5 clones.
HTML report saved to megalinter-reports/copy-paste/html/
ERROR: jscpd found too many duplicates (1.35%) over threshold (0%)
Error: ERROR: jscpd found too many duplicates (1.35%) over threshold (0%)
    at ThresholdReporter.report (/node-deps/node_modules/@jscpd/finder/dist/index.js:612:13)
    at /node-deps/node_modules/@jscpd/finder/dist/index.js:110:18
    at Array.forEach (<anonymous>)
    at /node-deps/node_modules/@jscpd/finder/dist/index.js:109:22
    at async /node-deps/node_modules/jscpd/dist/jscpd.js:351:5

❌ SPELL / lychee - 2 errors

[404] https://opencollective.com/unts/projects/eslint-import-resolver-ts | Network error: Not Found
[403] https://www.patreon.com/feross | Network error: Forbidden
📝 Summary
---------------------
🔍 Total..........626
✅ Successful.....624
⏳ Timeouts.........0
🔀 Redirected.......0
👻 Excluded.........0
❓ Unknown..........0
🚫 Errors...........2

Errors in package-lock.json
[403] https://www.patreon.com/feross | Network error: Forbidden
[404] https://opencollective.com/unts/projects/eslint-import-resolver-ts | Network error: Not Found

❌ REPOSITORY / trivy - 1 error

2025-11-17T20:02:06Z	INFO	[vulndb] Need to update DB
2025-11-17T20:02:06Z	INFO	[vulndb] Downloading vulnerability DB...
2025-11-17T20:02:06Z	INFO	[vulndb] Downloading artifact...	repo="mirror.gcr.io/aquasec/trivy-db:2"
7.42 MiB / 75.20 MiB [------>________________________________________________________] 9.87% ? p/s ?35.59 MiB / 75.20 MiB [---------------------------->________________________________] 47.33% ? p/s ?63.89 MiB / 75.20 MiB [--------------------------------------------------->_________] 84.96% ? p/s ?75.20 MiB / 75.20 MiB [--------------------------------------------->] 100.00% 112.91 MiB p/s ETA 0s75.20 MiB / 75.20 MiB [--------------------------------------------->] 100.00% 112.91 MiB p/s ETA 0s75.20 MiB / 75.20 MiB [--------------------------------------------->] 100.00% 112.91 MiB p/s ETA 0s75.20 MiB / 75.20 MiB [--------------------------------------------->] 100.00% 105.63 MiB p/s ETA 0s75.20 MiB / 75.20 MiB [--------------------------------------------->] 100.00% 105.63 MiB p/s ETA 0s75.20 MiB / 75.20 MiB [--------------------------------------------->] 100.00% 105.63 MiB p/s ETA 0s75.20 MiB / 75.20 MiB [---------------------------------------------->] 100.00% 98.81 MiB p/s ETA 0s75.20 MiB / 75.20 MiB [---------------------------------------------->] 100.00% 98.81 MiB p/s ETA 0s75.20 MiB / 75.20 MiB [---------------------------------------------->] 100.00% 98.81 MiB p/s ETA 0s75.20 MiB / 75.20 MiB [---------------------------------------------->] 100.00% 92.44 MiB p/s ETA 0s75.20 MiB / 75.20 MiB [-------------------------------------------------] 100.00% 30.94 MiB p/s 2.6s2025-11-17T20:02:11Z	INFO	[vulndb] Artifact successfully downloaded	repo="mirror.gcr.io/aquasec/trivy-db:2"
2025-11-17T20:02:11Z	INFO	[vuln] Vulnerability scanning is enabled
2025-11-17T20:02:11Z	INFO	[misconfig] Misconfiguration scanning is enabled
2025-11-17T20:02:11Z	INFO	[misconfig] Need to update the checks bundle
2025-11-17T20:02:11Z	INFO	[misconfig] Downloading the checks bundle...
165.46 KiB / 165.46 KiB [---------------------------------------------------------] 100.00% ? p/s 0s2025-11-17T20:02:13Z	INFO	[npm] To collect the license information of packages, "npm install" needs to be performed beforehand	dir="node_modules"
2025-11-17T20:02:13Z	INFO	[npm] To collect the license information of packages, "npm install" needs to be performed beforehand	dir="tools/danger/node_modules"
2025-11-17T20:02:13Z	INFO	Suppressing dependencies for development and testing. To display them, try the '--include-dev-deps' flag.
2025-11-17T20:02:13Z	INFO	Number of language-specific files	num=2
2025-11-17T20:02:13Z	INFO	[npm] Detecting vulnerabilities...
2025-11-17T20:02:13Z	INFO	Detected config files	num=2

Report Summary

┌───────────────────────────────┬────────────┬─────────────────┬───────────────────┐
│            Target             │    Type    │ Vulnerabilities │ Misconfigurations │
├───────────────────────────────┼────────────┼─────────────────┼───────────────────┤
│ package-lock.json             │    npm     │        1        │         -         │
├───────────────────────────────┼────────────┼─────────────────┼───────────────────┤
│ .devcontainer/Dockerfile      │ dockerfile │        -        │         2         │
├───────────────────────────────┼────────────┼─────────────────┼───────────────────┤
│ .devcontainer/base.Dockerfile │ dockerfile │        -        │         2         │
└───────────────────────────────┴────────────┴─────────────────┴───────────────────┘
Legend:
- '-': Not scanned
- '0': Clean (no security findings detected)


For OSS Maintainers: VEX Notice
--------------------------------
If you're an OSS maintainer and Trivy has detected vulnerabilities in your project that you believe are not actually exploitable, consider issuing a VEX (Vulnerability Exploitability eXchange) statement.
VEX allows you to communicate the actual status of vulnerabilities in your project, improving security transparency and reducing false positives for your users.
Learn more and start using VEX: https://trivy.dev/v0.67/docs/supply-chain/vex/repo#publishing-vex-documents

To disable this notice, set the TRIVY_DISABLE_VEX_NOTICE environment variable.


package-lock.json (npm)
=======================
Total: 1 (UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 1, CRITICAL: 0)

┌─────────┬────────────────┬──────────┬────────┬───────────────────┬───────────────┬───────────────────────────────────────────────────────────┐
│ Library │ Vulnerability  │ Severity │ Status │ Installed Version │ Fixed Version │                           Title                           │
├─────────┼────────────────┼──────────┼────────┼───────────────────┼───────────────┼───────────────────────────────────────────────────────────┤
│ glob    │ CVE-2025-64756 │ HIGH     │ fixed  │ 10.4.5            │ 11.1.0        │ glob CLI: Command injection via -c/--cmd executes matches │
│         │                │          │        │                   │               │ with shell:true                                           │
│         │                │          │        │                   │               │ https://avd.aquasec.com/nvd/cve-2025-64756                │
└─────────┴────────────────┴──────────┴────────┴───────────────────┴───────────────┴───────────────────────────────────────────────────────────┘

.devcontainer/Dockerfile (dockerfile)
=====================================
Tests: 27 (SUCCESSES: 25, FAILURES: 2)
Failures: 2 (UNKNOWN: 0, LOW: 1, MEDIUM: 0, HIGH: 1, CRITICAL: 0)

AVD-DS-0002 (HIGH): Specify at least 1 USER command in Dockerfile with non-root user as argument
════════════════════════════════════════
Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.

See https://avd.aquasec.com/misconfig/ds002
────────────────────────────────────────


AVD-DS-0026 (LOW): Add HEALTHCHECK instruction in your Dockerfile
════════════════════════════════════════
You should add HEALTHCHECK instruction in your docker container images to perform the health check on running containers.

See https://avd.aquasec.com/misconfig/ds026
────────────────────────────────────────



.devcontainer/base.Dockerfile (dockerfile)
==========================================
Tests: 27 (SUCCESSES: 25, FAILURES: 2)
Failures: 2 (UNKNOWN: 0, LOW: 1, MEDIUM: 0, HIGH: 1, CRITICAL: 0)

AVD-DS-0002 (HIGH): Specify at least 1 USER command in Dockerfile with non-root user as argument
════════════════════════════════════════
Running containers with 'root' user can lead to a container escape situation. It is a best practice to run containers as non-root users, which can be done by adding a 'USER' statement to the Dockerfile.

See https://avd.aquasec.com/misconfig/ds002
────────────────────────────────────────


AVD-DS-0026 (LOW): Add HEALTHCHECK instruction in your Dockerfile
════════════════════════════════════════
You should add HEALTHCHECK instruction in your docker container images to perform the health check on running containers.

See https://avd.aquasec.com/misconfig/ds026
────────────────────────────────────────

See detailed reports in MegaLinter artifacts
Set VALIDATE_ALL_CODEBASE: true in mega-linter.yml to validate all sources, not only the diff