vscode-yaml-sort chore(deps): update dependency js-yaml to v4.1.1 [security]

This PR contains the following updates:

Package	Change	Age	Confidence
js-yaml	`4.1.0` -> `4.1.1`

GitHub Vulnerability Alerts

CVE-2025-64718

Impact

In js-yaml 4.1.0 and below, it's possible for an attacker to modify the prototype of the result of a parsed yaml document via prototype pollution (__proto__). All users who parse untrusted yaml documents may be impacted.

Patches

Problem is patched in js-yaml 4.1.1.

Workarounds

You can protect against this kind of attack on the server by using node --disable-proto=delete or deno (in Deno, pollution protection is on by default).

References

https://cheatsheetseries.owasp.org/cheatsheets/Prototype_Pollution_Prevention_Cheat_Sheet.html

Release Notes

nodeca/js-yaml (js-yaml)

`v4.1.1`

Compare Source

Security

Fix prototype pollution issue in yaml merge (<<) operator.

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

[ ] If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

Nov 14 '25 15:11 renovate[bot]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	js-yaml@4.1.0 ⏵ 4.1.1	⁺¹	⁺⁸	⁺¹

View full report

Nov 14 '25 15:11 socket-security[bot]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

Nov 17 '25 22:11 sonarqubecloud[bot]