
Conversation

@dependabot
Contributor

@dependabot dependabot bot commented on behalf of github Nov 17, 2025

Bumps js-yaml from 3.14.1 to 3.14.2.

Changelog

Sourced from js-yaml's changelog.

[3.14.2] - 2025-11-15

Security

  • Backported v4.1.1 fix to v3

[4.1.1] - 2025-11-12

Security

  • Fix prototype pollution issue in yaml merge (<<) operator.

[4.1.0] - 2021-04-15

Added

  • Types are now exported as yaml.types.XXX.
  • Every type now has options property with original arguments kept as they were (see yaml.types.int.options as an example).

Changed

  • Schema.extend() now keeps old type order in case of conflicts (e.g. Schema.extend([ a, b, c ]).extend([ b, a, d ]) is now ordered as abcd instead of cbad).

[4.0.0] - 2021-01-03

Changed

  • Check migration guide to see details for all breaking changes.
  • Breaking: "unsafe" tags !!js/function, !!js/regexp, !!js/undefined are moved to js-yaml-js-types package.
  • Breaking: removed safe* functions. Use load, loadAll, dump instead which are all now safe by default.
  • yaml.DEFAULT_SAFE_SCHEMA and yaml.DEFAULT_FULL_SCHEMA are removed, use yaml.DEFAULT_SCHEMA instead.
  • yaml.Schema.create(schema, tags) is removed, use schema.extend(tags) instead.
  • !!binary now always mapped to Uint8Array on load.
  • Reduced nesting of /lib folder.
  • Parse numbers according to YAML 1.2 instead of YAML 1.1 (01234 is now decimal, 0o1234 is octal, 1:23 is parsed as string instead of base60).
  • dump() no longer quotes :, [, ], (, ) except when necessary, #470, #557.
  • Line and column in exceptions are now formatted as (X:Y) instead of at line X, column Y (also present in compact format), #332.
  • Code snippet created in exceptions now contains multiple lines with line numbers.
  • dump() now serializes undefined as null in collections and removes keys with undefined in mappings, #571.
  • dump() with skipInvalid=true now serializes invalid items in collections as null.
  • Custom tags starting with ! are now dumped as !tag instead of !<!tag>, #576.
  • Custom tags starting with tag:yaml.org,2002: are now shorthanded using !!, #258.

Added

  • Added .mjs (es modules) support.
  • Added quotingType and forceQuotes options for dumper to configure string literal style, #290, #529.
  • Added styles: { '!!null': 'empty' } option for dumper (serializes { foo: null } as "foo: "), #570.

... (truncated)

You can trigger a rebase of this PR by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot merge will merge this PR after your CI passes on it
  • @dependabot squash and merge will squash and merge this PR after your CI passes on it
  • @dependabot cancel merge will cancel a previously requested merge and block automerging
  • @dependabot reopen will reopen this PR if it is closed
  • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  • You can disable automated security fix PRs for this repo from the Security Alerts page.

Note
Automatic rebases have been disabled on this pull request as it has been open for over 30 days.

Bumps [js-yaml](https://github.com/nodeca/js-yaml) from 3.14.1 to 3.14.2.
- [Changelog](https://github.com/nodeca/js-yaml/blob/master/CHANGELOG.md)
- [Commits](nodeca/js-yaml@3.14.1...3.14.2)

---
updated-dependencies:
- dependency-name: js-yaml
  dependency-version: 3.14.2
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file security Security related improvements labels Nov 17, 2025
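The changelog entry above ("Fix prototype pollution issue in yaml merge (<<) operator") is the reason this bump carries the security label. What follows is an added illustration, not js-yaml's code and not a reproduction of the actual js-yaml bug: a toy implementation of YAML merge-key (`<<`) semantics in which a mapping carrying a literal `__proto__` key is copied with plain assignment, placed next to a hardened variant. The `parsedAnchorMapping` helper, the `isAdmin` property and the YAML document in the comment are constructed for the demonstration; whether js-yaml's own `<<` code path had exactly this shape is not something this page shows.

```javascript
// Added illustration, not js-yaml's own code: how a YAML merge-key (<<) implementation
// can be led into prototype pollution by a mapping that carries a literal `__proto__`
// key, and one hardened variant. Constructed scenario (assumed, not from the page):
//
//   base: &base
//     __proto__:
//       isAdmin: true
//   user:
//     <<: *base
//     name: guest

// Stands in for the parsed `base` mapping. A loader that keeps a literal `__proto__`
// key as an OWN property (instead of letting it rewire the prototype at parse time)
// yields an object shaped like this.
function parsedAnchorMapping() {
  const m = {};
  Object.defineProperty(m, '__proto__', {
    value: { isAdmin: true },
    enumerable: true, writable: true, configurable: true,
  });
  return m;
}

// Naive merge: copies each key the destination lacks with plain assignment.
// For key '__proto__' the assignment hits the Object.prototype.__proto__ setter
// and replaces the destination's prototype with the attacker-supplied object.
function mergeNaive(destination, source) {
  for (const key of Object.keys(source)) {
    if (!Object.prototype.hasOwnProperty.call(destination, key)) {
      destination[key] = source[key];
    }
  }
  return destination;
}

// Hardened merge: '__proto__' is stored as an own property via defineProperty,
// so the prototype chain of the result is never touched.
function mergeSafe(destination, source) {
  for (const key of Object.keys(source)) {
    if (Object.prototype.hasOwnProperty.call(destination, key)) continue;
    if (key === '__proto__') {
      Object.defineProperty(destination, key, {
        value: source[key],
        enumerable: true, writable: true, configurable: true,
      });
    } else {
      destination[key] = source[key];
    }
  }
  return destination;
}

// Runs both merges on the same input and reports what an authorization check
// such as `if (user.isAdmin)` would see afterwards.
function demo() {
  const naive = mergeNaive({ name: 'guest' }, parsedAnchorMapping());
  const safe = mergeSafe({ name: 'guest' }, parsedAnchorMapping());
  return {
    naiveIsAdmin: naive.isAdmin,                                   // true: inherited
    naivePrototypeReplaced: Object.getPrototypeOf(naive) !== Object.prototype,
    safeIsAdmin: safe.isAdmin,                                     // undefined
    safePrototypeIntact: Object.getPrototypeOf(safe) === Object.prototype,
    safeKeepsOwnProtoKey: Object.prototype.hasOwnProperty.call(safe, '__proto__'),
  };
}
```

The point is that `dest[key] = value` with `key === '__proto__'` invokes the `Object.prototype.__proto__` setter and rewires the prototype chain of the returned object, so properties the document never declared (`isAdmin`) become inherited; `Object.defineProperty` stores an own property of that name instead. Until the upgrade lands, parsed YAML should be treated as untrusted input and not fed to code that relies on inherited-property lookups.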
@vercel
Contributor

vercel bot commented Nov 17, 2025

The latest updates on your projects. Learn more about Vercel for GitHub.

Project | Deployment | Preview | Comments | Updated (UTC)
vanity  | Ready      | Preview | Comment  | Nov 17, 2025 6:56pm

@coderabbitai

coderabbitai bot commented Nov 17, 2025

Important

Review skipped

Bot user detected.

To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.


Comment @coderabbitai help to get the list of available commands and usage tips.

@claude

claude bot commented Nov 17, 2025

Claude encountered an error (View job)


I'll analyze this and get back to you.

@dependabot @github
Contributor Author

dependabot bot commented on behalf of github Dec 4, 2025

Dependabot doesn't support the 'updating transitive dependencies' feature for pnpm package_manager. Because of this, Dependabot cannot update this pull request.

11 similar comments followed, dated Dec 4 to Dec 17, 2025.
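Dependabot's repeated notice above means this PR will not be refreshed automatically for a pnpm project, so the bump has to be verified, or applied by hand (for example through `pnpm.overrides` in package.json). The script below is an added check, not part of this repository or of js-yaml: it reads a pnpm-lock.yaml and lists every resolved js-yaml version older than the fixed releases the changelog names (3.14.2 on the 3.x line, 4.1.1 on the 4.x line). The lockfile excerpt embedded in it is constructed, not the repo's real lockfile, and the regex assumes pnpm's `js-yaml@<version>` package-key format.

```javascript
// Added example, not part of this PR or of js-yaml. Scans a pnpm-lock.yaml for every
// resolved js-yaml version and flags those that predate the fixed releases named in
// the changelog: 3.14.2 on the 3.x line and 4.1.1 on the 4.x line.

const FIXED = { 3: [3, 14, 2], 4: [4, 1, 1] };

function parseVersion(v) {
  return v.split('.').map(Number);
}

// Three-part semver comparison: -1, 0 or 1.
function cmp(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

// True when `version` is a js-yaml release without the merge-key fix.
// Lines below 3.x never received it; 5.x and later are assumed to carry it.
function isVulnerable(version) {
  const parsed = parseVersion(version);
  const fixed = FIXED[parsed[0]];
  if (!fixed) return parsed[0] < 3;
  return cmp(parsed, fixed) < 0;
}

// Collects every `js-yaml@<version>` package key from lockfile text. pnpm lockfiles
// (v6 and v9) write entries as `/js-yaml@3.14.1:` or `js-yaml@3.14.1:`; the regex
// accepts both and ignores `argparse`-style neighbours. Returns unique versions.
function findJsYamlVersions(lockText) {
  const re = /(?:^|[\s/'])js-yaml@(\d+\.\d+\.\d+)/g;
  const versions = new Set();
  for (const m of lockText.matchAll(re)) versions.add(m[1]);
  return [...versions].sort();
}

function audit(lockText) {
  const versions = findJsYamlVersions(lockText);
  return { versions, vulnerable: versions.filter(isVulnerable) };
}

// Constructed lockfile excerpt (not the repo's real pnpm-lock.yaml): a patched 3.x
// and an unpatched 4.x pulled in by two different parents.
const SAMPLE_LOCK = `
packages:

  js-yaml@3.14.2:
    resolution: {integrity: sha512-REDACTED}
    hasBin: true

  js-yaml@4.1.0:
    resolution: {integrity: sha512-REDACTED}
    hasBin: true

snapshots:

  js-yaml@3.14.2:
    dependencies:
      argparse: 1.0.10
      esprima: 4.0.1

  js-yaml@4.1.0:
    dependencies:
      argparse: 2.0.1
`;

// Usage: node audit-js-yaml.js [path/to/pnpm-lock.yaml]; exits non-zero on findings.
if (typeof require !== 'undefined' && require.main === module) {
  const fs = require('fs');
  const text = process.argv[2] ? fs.readFileSync(process.argv[2], 'utf8') : SAMPLE_LOCK;
  const result = audit(text);
  console.log(result);
  process.exitCode = result.vulnerable.length ? 1 : 0;
}
```

Run it against the real lockfile after merging; `pnpm why js-yaml` then shows which parents still pin an old version, which is what an override has to target.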

@phrazzld
Owner

phrazzld commented Jan 8, 2026

🔧 kaylee here!

I took a look at the failing CI, but this one's beyond my wrench:

Why I can't fix it: UNFIXABLE with code changes.

What I found

Root Cause

The CI failure is NOT a code issue - it's a missing GitHub Secrets configuration. The error is:

Error: Environment variable validation failed:
  - Either ANTHROPIC_API_KEY or CLAUDE_CODE_OAUTH_TOKEN is required when using direct Anthropic API.

Analysis

Looking at the CI logs, this is the claude-code-action GitHub Action failing because the repository doesn't have ANTHROPIC_API_KEY or CLAUDE_CODE_OAUTH_TOKEN configured as GitHub Secrets. This is happening in the claude-review workflow, not in the actual project CI.

The PR itself (bumping js-yaml from 3.14.1 to 3.14.2) is a simple dependency update that only changes pnpm-lock.yaml. The actual code change is valid - it's a security fix for prototype pollution in the yaml merge operator.

Fix

UNFIXABLE with code changes.

This CI failure cannot be fixed by editing code in this repository. The failure is in the Claude Code Action which requires API credentials that must be configured as GitHub Secrets by the repository owner.

To fix this, the repository owner needs to:

  1. Go to the repository Settings → Secrets and variables → Actions
  2. Add either ANTHROPIC_API_KEY or CLAUDE_CODE_OAUTH_TOKEN as a repository secret

Why this isn't a code fix:

  • The error comes from the claude-code-action GitHub Action, not from the project's own code
  • No amount of editing package.json, config files, or source code will provide the missing API credentials
  • The secrets must be con

What needs to happen

This likely requires human intervention — maybe setting up secrets, configuring external services, or other non-code changes.


🤖 Generated by kaylee — I tried, Captain!

@phrazzld
Owner

phrazzld commented Jan 9, 2026

🔧 kaylee here!

I took a look at the failing CI, but this one's beyond my wrench:

Why I can't fix it: UNFIXABLE - This requires repository administrator action:

What I found

Now I understand the issue completely. The workflow file references ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }} but that secret hasn't been configured in the repository settings.

Root Cause

This CI failure is NOT fixable with code changes. The claude-code-review.yml workflow requires the CLAUDE_CODE_OAUTH_TOKEN secret to be configured in the repository's GitHub Settings → Secrets and variables → Actions, but it hasn't been set up.

Fix

UNFIXABLE - This requires repository administrator action:

  1. Go to repository Settings → Secrets and variables → Actions
  2. Add a new secret named CLAUDE_CODE_OAUTH_TOKEN with a valid Claude Code OAuth token
  3. OR add ANTHROPIC_API_KEY secret with a valid Anthropic API key

The actual PR itself (bumping js-yaml from 3.14.1 to 3.14.2) is a valid security patch for prototype pollution - the PR changes only touch pnpm-lock.yaml and are auto-generated by Dependabot. The CI failure is unrelated to the actual code changes in this PR.

The dependency update itself is fine - this is a security fix backporting the v4.1.1 prototype pollution fix to v3. The lockfile changes are just formatting differences in how pnpm serializes the YAML (expanded vs compact resolution blocks).

What needs to happen

This likely requires human intervention — maybe setting up secrets, configuring external services, or other non-code changes.


🤖 Generated by kaylee — I tried, Captain!

@phrazzld
Owner

phrazzld commented Jan 9, 2026

🔧 kaylee here!

I took a look at the failing CI, but this one's beyond my wrench:

Why I can't fix it: UNFIXABLE with code changes. This is a repository configuration issue that requires the repository owner to:

What I found

The diff is massive but looking at the original PR description and the actual failure - this is a Dependabot PR that only changes pnpm-lock.yaml to bump js-yaml from 3.14.1 to 3.14.2. The CI failure is NOT related to the code change at all.

The failure is:

##[error]Action failed with error: Error: Environment variable validation failed:
  - Either ANTHROPIC_API_KEY or CLAUDE_CODE_OAUTH_TOKEN is required when using direct Anthropic API.

This is the claude-code-review workflow failing because it's trying to run Claude Code to review the PR, but the repository doesn't have the required API keys configured as secrets.

Root Cause

The claude-code-review GitHub Action workflow requires ANTHROPIC_API_KEY or CLAUDE_CODE_OAUTH_TOKEN secrets to be configured, but they are missing from the repository's secrets configuration.

Fix

UNFIXABLE with code changes. This is a repository configuration issue that requires the repository owner to:

  1. Go to repository Settings → Secrets and variables → Actions
  2. Add either ANTHROPIC_API_KEY or CLAUDE_CODE_OAUTH_TOKEN as a repository secret

The actual PR (bumping js-yaml from 3.14.1 to 3.14.2 in pnpm-lock.yaml) is a simple dependency update that has no code issues. The CI failure is due to the Claude Code review workflow being configured but missing the required API credentials - this is an infrastructure/secrets configuration problem, not something I can fix by editing code.

What needs to happen

This likely requires human intervention — maybe setting up secrets, configuring external services, or other non-code changes.


🤖 Generated by kaylee — I tried, Captain!

@phrazzld
Owner

phrazzld commented Jan 9, 2026

🔧 kaylee here!

I took a look at the failing CI, but this one's beyond my wrench:

Why I can't fix it: UNFIXABLE with code changes. This is an external configuration issue.

What I found

Now I understand the full picture. Looking at the logs:

  1. The failing workflow is claude-code-review.yml (the "Claude Code Review" job)
  2. The error is: Either ANTHROPIC_API_KEY or CLAUDE_CODE_OAUTH_TOKEN is required when using direct Anthropic API
  3. The workflow expects secrets.CLAUDE_CODE_OAUTH_TOKEN but it appears to not be configured in the repository

This is NOT fixable with code changes. The CI failure is due to a missing repository secret (CLAUDE_CODE_OAUTH_TOKEN). This is an external configuration issue that requires the repository owner to:

  1. Get a Claude Code OAuth token from Anthropic
  2. Add it as a repository secret named CLAUDE_CODE_OAUTH_TOKEN

Root Cause

Missing CLAUDE_CODE_OAUTH_TOKEN secret in GitHub repository settings - the Claude Code Action requires authentication credentials that aren't configured.

Fix

UNFIXABLE with code changes. This is an external configuration issue.

The repository owner needs to:

  1. Obtain a Claude Code OAuth token (or Anthropic API key)
  2. Go to Repository Settings → Secrets and variables → Actions
  3. Add a new repository secret named CLAUDE_CODE_OAUTH_TOKEN with the token value

Alternatively, if they don't want Claude code reviews on Dependabot PRs, they could modify .github/workflows/claude-code-review.yml to exclude bot-created PRs, but that would be changing the intended behavior rather than fixing the underlying issue.

The actual PR itself (bumping js-yaml from 3.14.1 to 3.14.2) is a s

What needs to happen

This likely requires human intervention — maybe setting up secrets, configuring external services, or other non-code changes.


🤖 Generated by kaylee — I tried, Captain!

@phrazzld
Owner

phrazzld commented Jan 9, 2026

🔧 kaylee here!

I took a look at the failing CI, but this one's beyond my wrench:

Why I can't fix it: UNFIXABLE with code changes.

What I found

Now I understand the situation completely. The CI failure is in the claude-code-review.yml workflow which requires a CLAUDE_CODE_OAUTH_TOKEN secret that isn't configured in the repository.

Root Cause

The CI failure is due to a missing CLAUDE_CODE_OAUTH_TOKEN secret in the repository settings. This is not a code issue - it's a repository configuration/secrets issue.

Fix

UNFIXABLE with code changes.

This requires the repository owner to:

  1. Go to the repository Settings → Secrets and variables → Actions
  2. Add a repository secret named CLAUDE_CODE_OAUTH_TOKEN with a valid Claude Code OAuth token

OR alternatively, if they want to use an API key instead:

  • Add ANTHROPIC_API_KEY secret and update the workflow to use anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}

The actual PR (bumping js-yaml from 3.14.1 to 3.14.2) is just a lockfile update from Dependabot for a security fix. The code change itself is fine - it's a security patch for prototype pollution in the js-yaml merge operator. The CI failure is unrelated to the PR's content.

This CI failure cannot be fixed with a code commit - it requires the repository administrator to configure the missing secret in GitHub's repository settings.

What needs to happen

This likely requires human intervention — maybe setting up secrets, configuring external services, or other non-code changes.


🤖 Generated by kaylee — I tried, Captain!

@phrazzld
Owner

phrazzld commented Jan 9, 2026

🔧 kaylee here!

I took a look at the failing CI, but this one's beyond my wrench:

Why I can't fix it: UNFIXABLE with code changes. This is a repository configuration issue that requires:

What I found

Now I understand the issue completely. The CI failure is in the claude-code-review.yml workflow, which requires the CLAUDE_CODE_OAUTH_TOKEN secret to be configured in the repository. The error message is:

Either ANTHROPIC_API_KEY or CLAUDE_CODE_OAUTH_TOKEN is required when using direct Anthropic API.

This is NOT a code issue - the PR itself only changes pnpm-lock.yaml to update js-yaml from 3.14.1 to 3.14.2 (a security fix for prototype pollution).

Root Cause

The CI failure is due to a missing repository secret (CLAUDE_CODE_OAUTH_TOKEN or ANTHROPIC_API_KEY) required by the claude-code-review.yml workflow - not the PR's code changes.

Fix

UNFIXABLE with code changes. This is a repository configuration issue that requires:

  1. The repository owner to add the CLAUDE_CODE_OAUTH_TOKEN secret in GitHub repository settings (Settings → Secrets and variables → Actions), OR
  2. Add ANTHROPIC_API_KEY as an alternative secret

The actual PR (bumping js-yaml from 3.14.1 to 3.14.2 for a security fix) is valid and the lockfile changes are legitimate. The CI workflow for Claude Code Review is simply not properly configured with the required API credentials.

This cannot be fixed by editing code - it requires the repository administrator to configure the required secrets in GitHub's repository settings.

What needs to happen

This likely requires human intervention — maybe setting up secrets, configuring external services, or other non-code changes.


🤖 Generated by kaylee — I tried, Captain!
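The comments above propose either adding a repository secret or excluding bot-authored PRs from the review workflow. One caveat before choosing the former: GitHub runs workflows triggered by Dependabot's `pull_request` events with a read-only `GITHUB_TOKEN` and exposes only Dependabot secrets (Settings → Secrets and variables → Dependabot) to them, not ordinary Actions secrets, so a repository secret alone will not make this job pass on Dependabot PRs. The workflow below is an added example of the latter option, not the repository's actual .github/workflows/claude-code-review.yml (which this page does not show); the action reference `anthropics/claude-code-action@v1` and its `claude_code_oauth_token` input are assumptions to verify against the action's documentation.

```yaml
# Added example: a review workflow that skips Dependabot-authored PRs.
# Not the repository's real claude-code-review.yml; the action name, version
# and input name below are assumptions to check against the action's docs.
name: Claude Code Review

on:
  pull_request:
    types: [opened, synchronize, reopened]

permissions:
  contents: read
  pull-requests: write   # the reviewer posts PR comments

jobs:
  review:
    # Dependabot-triggered runs only see Dependabot secrets, so skip them rather
    # than fail on a missing CLAUDE_CODE_OAUTH_TOKEN. Add other bot logins here
    # if more automation opens PRs in this repo.
    if: github.actor != 'dependabot[bot]'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4   # pin to a full commit SHA in production
        with:
          fetch-depth: 0            # full history so the reviewer can diff against base
      - uses: anthropics/claude-code-action@v1   # assumed action reference
        with:
          claude_code_oauth_token: ${{ secrets.CLAUDE_CODE_OAUTH_TOKEN }}
```

If the review is wanted on Dependabot PRs as well, the token has to be added as a Dependabot secret too; switching the trigger to `pull_request_target` would also expose repository secrets, but it runs with the base branch's privileges and should not check out untrusted PR code.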
