chore(deps): bump js-yaml from 4.1.1 to 5.1.0

[dependabot]

Bumps js-yaml from 4.1.1 to 5.1.0.

Changelog

Sourced from js-yaml's changelog.

[5.1.0] - 2026-06-23

Added

• Collection tags can finalize an incrementally populated carrier into a different result value.

Changed

• [breaking] quoteStyle now selects the preferred quote style; use the restored forceQuotes option to force quoting non-key strings.

[5.0.0] - 2026-06-20

Added

• Added named exports for schemas, tags, parser events and AST utilities.
• Reworked JSON_SCHEMA and CORE_SCHEMA with spec-compliant scalar resolution rules, and added YAML11_SCHEMA.
• Added realMapTag for lossless mappings with non-string and complex keys. Object-based mappings now reject complex keys instead of stringifying them.
• Added dump() transform option for changing the generated AST before rendering.
• Added dump() options seqInlineFirst, flowBracketPadding, flowSkipCommaSpace, flowSkipColonSpace, quoteFlowKeys, quoteStyle and tagBeforeAnchor.
• Added formal data layers (events and AST) for modular data pipelines.
  • Added low-level parser (to events), presenter and visitor APIs.
• Added the YAML Test Suite to the test set.

Changed

• See the migration guide for upgrade notes.
• Rewritten in TypeScript and reorganized the public API around flat named exports.
• Reduced the set of exported schemas:
  • YAML 1.2 schemas: CORE_SCHEMA (loader default), JSON_SCHEMA, FAILSAFE_SCHEMA.
  • YAML11_SCHEMA, a combination of all YAML 1.1 tags (YAML 1.1 does not specify a schema, only "types").
• load/dump default behaviour is now specified exactly via schemas:
  • load uses CORE_SCHEMA, without !!merge by default.
  • dump uses YAML11_SCHEMA + CORE_SCHEMA for the quoting check, to guarantee backward compatibility by default.
• !!set is now loaded as a JavaScript Set.
• Replaced the Type API with a tags API. Similar, but more precise and simpler. See examples for details. Tags can be defined via defineScalarTag(), defineSequenceTag() and defineMappingTag(), or as a spread + override of an existing tag.
• Renamed Schema.extend() to Schema.withTags().
• Expanded YAML 1.2 conformance and improved handling of directives, document markers, block keys, multiline scalars, tag syntax and other things.
• load() now throws on empty input instead of returning undefined.
• Moved browser builds to the js-yaml/browser export.

... (truncated)

Commits

• f1e45cd 5.1.0 released
• 53b22be Fix constructor coverage
• a1eaa2b Fix quote style options and restore forceQuotes
• 0532e7d Add finalizers for immutable collection tags
• 9f00b91 tests: drop the rest of issues tests, move a small fraction of useful checks ...
• 6be5d46 tests: drop not actual or duplicating issue tests (covered in other places)
• a7c9766 Fix !!pairs coverage
• 75148bc 5.0.0 released
• 704b25d Quote document markers followed by whitespace
• 42dea28 Support complex !!pairs keys with realMapTag
• Additional commits viewable in compare view

[DeepDiver1975]

🤖 Automated code review by Claude Code review agent

Diff is manifest-only (package.json + package-lock.json); js-yaml is bumped 4.2.0 → 5.0.0 as a direct build dependency, no source/docs code changes. This is a major bump with real breaking changes (rewritten in TS, removed safeLoad/safeLoadAll/safeDump and DEFAULT_SCHEMA, Type API replaced by tags API, load() now throws on empty input) and it drops Node < 18.

Verdict: low-risk to merge provided this repo's CI docs-build job (and its Node version, must be ≥ 18) is green — that build is the real gate. js-yaml is used only by the Antora toolchain here, not by authored content, so a passing build is sufficient confidence. If CI is red, hold and check for a safeLoad/Type-API or Node-version regression.

[DeepDiver1975]

@dependabot rebase

[dependabot]

Dependabot can't parse your package-lock.json. Because of this, Dependabot cannot update this pull request.

[DeepDiver1975]

@dependabot rebase

[dependabot]

Dependabot can't parse your package-lock.json. Because of this, Dependabot cannot update this pull request.

[DeepDiver1975]

@dependabot recreate

[dependabot]

Dependabot can't parse your package-lock.json. Because of this, Dependabot cannot update this pull request.

[DeepDiver1975]

🤖 Automated review by Claude Code review agent.

Dependabot: js-yaml 4.1.1 → 5.1.0 (MAJOR bump) — LOW RISK, approve-with-nits.

Diff (+52/-6): package.json (^4.1.1→^5.1.0) and the top-level js-yaml lockfile node (→5.1.0, bin bin/js-yaml.js→bin/js-yaml.mjs). The extra +46 lines are not conflict-marker cleanup — they are three nested node_modules/@antora/{content-aggregator,playbook-builder,ui-loader}/node_modules/js-yaml entries pinning Antora's transitive js-yaml@4.1.1 now that the top-level dep moves to 5.x. Lockfile is valid JSON, conflict-free; Antora keeps its own 4.1.1, only the repo's direct dep goes to 5.x.

Usage check: one direct use — ext-antora/load-global-site-attributes.js: const yaml = require('js-yaml') + yaml.load(data) (line 104). CommonJS require + yaml.load still work in 5.x.

5.x breaking changes vs. this call site (parsed file: owncloud/docs/master/global-attributes.yml, fetched remotely):

• Empty input throws — file is non-empty; an empty fetch is caught by the extension's existing reject path.
• Default schema → CORE_SCHEMA — file uses only true/false, no merge keys, no anchors/aliases, no \!\! tags, no YAML-1.1 implicit types (the one date-like value is a quoted string).
• Flat ESM exports — not used (CommonJS API unaffected).

CI: Build documentation (runs yaml.load) and lint both pass.

CHANGELOG: n/a (repo has no changelog).

Nit (pre-existing): the attributes file is fetched from a remote master branch at build time — external dependency that can change independently. Not a blocker.