Bump js-yaml from 4.1.0 to 4.1.1

[dependabot]

Bumps js-yaml from 4.1.0 to 4.1.1.

Changelog

Sourced from js-yaml's changelog.

[4.1.1] - 2025-11-12

Security

• Fix prototype pollution issue in yaml merge (<<) operator.

Commits

• cc482e7 4.1.1 released
• 50968b8 dist rebuild
• d092d86 lint fix
• 383665f fix prototype pollution in merge (<<)
• 0d3ca7a README.md: HTTP => HTTPS (#678)
• 49baadd doc: 'empty' style option for !!null
• ba3460e Fix demo link (#618)
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

---

🔒 This PR updates the js-yaml dependency from version 4.1.0 to 4.1.1 to address a critical security vulnerability. The update fixes a prototype pollution issue in the YAML merge (<<) operator that could potentially allow attackers to modify object prototypes.

🔍 Detailed Analysis

Key Changes

• Security Fix: Resolves prototype pollution vulnerability in js-yaml's merge operator (<<)
• Dependency Update: Bumps js-yaml from 4.1.0 to 4.1.1 as an indirect dependency
• Automated Update: Generated by Dependabot for security maintenance

Technical Implementation

flowchart TD
    A[js-yaml 4.1.0] --> B[Security Vulnerability Detected]
    B --> C[Prototype Pollution in Merge Operator]
    C --> D[js-yaml 4.1.1 Released]
    D --> E[Dependabot Creates PR]
    E --> F[Security Issue Resolved]

Loading

Impact

• Security Enhancement: Eliminates potential prototype pollution attacks through YAML parsing
• Minimal Breaking Changes: Patch version update maintains backward compatibility
• Maintenance Improvement: Keeps dependencies current with latest security fixes

Created with Palmier

---

Summary by cubic

Upgrade js-yaml from 4.1.0 to 4.1.1 to patch a security issue (prototype pollution via the YAML merge << operator). Only the lockfile is updated; no app code changes or breaking changes.

^{Written for commit b0fe418. Summary will update automatically on new commits.}

---

EntelligenceAI PR Summary

This PR updates the js-yaml dev dependency to patch version 4.1.1.

• Bumped js-yaml from 4.1.0 to 4.1.1 in package-lock.json
• Updated package resolved URL and integrity hash
• No changes to dependency tree or license (MIT)
• Remains as a dev dependency

[bolt-new-by-stackblitz]

Run & review this pull request in StackBlitz Codeflow.

[codesherlock-ai]

We could not run your PR Review. We noticed that you are part of an Org. We require everyone who is part of an Org to SignUp via GitHub so we can track your individual usage and maximize on your usage capacity. Enroll into CodeSherlock system by signing up via GitHub using the SignUp link. Also, please note — every user pays for their own usage.

[jazzberry-ai]

This repository is associated with RectiFlex whose free trial has ended. Subscribe at jazzberry.ai.
_{If this is an error contact us at support@jazzberry.ai.}

[ellipsis-dev]

Skipped PR review on b0fe418 because no changed files had a supported extension. If you think this was in error, please contact us and we'll fix it right away.

[entelligence-ai-pr-reviews]

🔒 Entelligence AI Vulnerability Scanner

✅ No security vulnerabilities found!

Your code passed our comprehensive security analysis.

---

[entelligence-ai-pr-reviews]

Walkthrough

This pull request performs a routine dependency maintenance update by bumping the js-yaml package from version 4.1.0 to 4.1.1. This is a patch-level update that modifies only the package-lock.json file to reflect the new version's resolved URL and integrity hash. The package remains as a development dependency with an MIT license, and no changes to its dependency tree are included. This type of update typically includes bug fixes, security patches, or minor improvements from the upstream js-yaml library without introducing breaking changes or new features.

Changes

File(s)	Summary
package-lock.json	Updated js-yaml dependency from version 4.1.0 to 4.1.1, including updated resolved URL and integrity hash.

Sequence Diagram

This diagram shows the interactions between components:

sequenceDiagram
    participant Dev as Developer
    participant NPM as NPM Registry
    participant Project as Project Dependencies
    
    Note over Dev,Project: Dependency Update: js-yaml 4.1.0 → 4.1.1
    
    Dev->>NPM: Request js-yaml@4.1.1
    NPM-->>Dev: Return package metadata
    Dev->>Project: Update package-lock.json
    Note over Project: Version: 4.1.0 → 4.1.1<br/>Integrity hash updated<br/>Patch-level update (bug fixes)

Loading

---

🔗 Cross-Repository Impact Analysis

Enable automatic detection of breaking changes across your dependent repositories. → Set up now

Learn more about Cross-Repository Analysis

What It Does

• Automatically identifies repositories that depend on this code
• Analyzes potential breaking changes across your entire codebase
• Provides risk assessment before merging to prevent cross-repo issues

How to Enable

1. Visit Settings → Code Management
2. Configure repository dependencies
3. Future PRs will automatically include cross-repo impact analysis!

Benefits

• 🛡️ Prevent breaking changes across repositories
• 🔍 Catch integration issues before they reach production
• 📊 Better visibility into your multi-repo architecture

---

▶️ ⚡ AI Code Reviews for VS Code, Cursor, Windsurf
Install the extension

Note for Windsurf

Please change the default marketplace provider to the following in the windsurf settings:

Marketplace Extension Gallery Service URL: https://marketplace.visualstudio.com/_apis/public/gallery

Marketplace Gallery Item URL: https://marketplace.visualstudio.com/items

Entelligence.ai can learn from your feedback. Simply add 👍 / 👎 emojis to teach it your preferences. More shortcuts below

Emoji Descriptions:

• ⚠️ Potential Issue - May require further investigation.
• 🔒 Security Vulnerability - Fix to ensure system safety.
• 💻 Code Improvement - Suggestions to enhance code quality.
• 🔨 Refactor Suggestion - Recommendations for restructuring code.
• ℹ️ Others - General comments and information.

Interact with the Bot:

• Send a message or request using the format:
  @entelligenceai + *your message*

Example: @entelligenceai Can you suggest improvements for this code?

• Help the Bot learn by providing feedback on its responses.
  @entelligenceai + *feedback*

Example: @entelligenceai Do not comment on `save_auth` function !

Also you can trigger various commands with the bot by doing
@entelligenceai command

The current supported commands are

1. config - shows the current config
2. retrigger_review - retriggers the review

More commands to be added soon.

[cubic-dev-ai]

No issues found across 1 file