Build(deps): bump yaml from 2.8.2 to 2.9.0

[dependabot]

Bumps yaml from 2.8.2 to 2.9.0.

Release notes

Sourced from yaml's releases.

v2.9.0

The changes here are really only patches, but I'm releasing this as a minor version to note a small change to the documentation of parseDocument() and parseAllDocuments(): I've removed the claim that they'll "never throw".

It remains the case that practically all non-malicious inputs will be handled without emitting an error, but there is a decent chance that code paths remain where e.g. a RangeError due to call stack exhaustion can be triggered by malicious inputs. Up to now, I've considered these as security vulnerabilities, and in fact it's the only category of error for which yaml CVEs have been issued so far.

Starting from this release, I'll be considering such errors as bugs, but not vulnerabilities. I do welcome people and/or LLMs looking for them, but please report them as normal issues rather than suspected security vulnerabilities. This also applies to previously undiscovered bugs in earlier releases.

• fix: Avoid calling Array.prototype.push.apply() with large source array
• fix(lexer): Avoid recursive calls that may exhaust the call stack

v2.8.4

• Disable alias resolution with maxAliasCount:0 (#677)
• Handle invalid unicode escapes (e1a1a77)
• Apply minFractionDigits only to decimal strings (#676)

v2.8.3

• Add trailingComma ToString option for multiline flow formatting (#670)
• Catch stack overflow during node composition (1e84ebb)

Commits

• ddb21b0 2.9.0
• 167365b docs: Clarify that not all errors can be avoided
• 6eca2a7 fix: Avoid calling Array.prototype.push.apply() with large source array
• 0543cd5 fix(lexer): Avoid recursive calls that may exhaust the call stack
• ccdf743 2.8.4
• f625789 fix: Disable alias resolution with maxAliasCount:0 (#677)
• e1a1a77 fix: Handle invalid unicode escapes
• a163ea0 style: Satify Prettier
• b2a5a6c fix: Apply minFractionDigits only to decimal strings (#676)
• 93c951b chore: Bump JSR version to v2.8.3 (#673)
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[github-actions]

❌MegaLinter analysis: Error

Descriptor	Linter	Files	Fixed	Errors	Warnings	Elapsed time
✅ ACTION	actionlint	5		0	0	0.04s
❌ ACTION	zizmor	5		1	0	0.22s
✅ JSON	jsonlint	21		0	0	0.13s
✅ JSON	npm-package-json-lint	yes		no	no	0.56s
✅ JSON	prettier	21		0	0	0.92s
✅ JSON	v8r	21		0	0	11.68s
✅ MARKDOWN	markdownlint	1		0	0	1.01s
✅ REPOSITORY	checkov	yes		no	no	21.97s
✅ REPOSITORY	gitleaks	yes		no	no	1.52s
✅ REPOSITORY	git_diff	yes		no	no	0.02s
❌ REPOSITORY	osv-scanner	yes		28	no	2.52s
✅ REPOSITORY	secretlint	yes		no	no	1.07s
✅ REPOSITORY	syft	yes		no	no	11.2s
✅ REPOSITORY	trivy-sbom	yes		no	no	3.06s
✅ REPOSITORY	trufflehog	yes		no	no	27.65s
✅ TYPESCRIPT	eslint	6		0	0	11.3s
✅ TYPESCRIPT	prettier	6		0	0	1.01s
✅ YAML	prettier	20		0	0	1.1s
✅ YAML	v8r	20		0	0	7.77s
✅ YAML	yamllint	20		0	0	0.77s

Detailed Issues

❌ REPOSITORY / osv-scanner - 28 errors

Scanning dir .
Starting filesystem walk for root: /
Scanned package-lock.json file and found 824 packages
End status: 42 dirs visited, 152 inodes visited, 1 Extract calls, 22.738244ms elapsed, 22.738364ms wall time

Total 11 packages affected by 28 known vulnerabilities (1 Critical, 13 High, 13 Medium, 1 Low, 0 Unknown) from 1 ecosystem.
28 vulnerabilities can be fixed.

+-------------------------------------+------+-----------+------------------------+---------+---------------+-------------------+
| OSV URL                             | CVSS | ECOSYSTEM | PACKAGE                | VERSION | FIXED VERSION | SOURCE            |
+-------------------------------------+------+-----------+------------------------+---------+---------------+-------------------+
| https://osv.dev/GHSA-f886-m6hf-6m8v | 6.5  | npm       | brace-expansion (dev)  | 1.1.12  | 1.1.13        | package-lock.json |
| https://osv.dev/GHSA-f886-m6hf-6m8v | 6.5  | npm       | brace-expansion (dev)  | 2.0.2   | 2.0.3         | package-lock.json |
| https://osv.dev/GHSA-f886-m6hf-6m8v | 6.5  | npm       | brace-expansion (dev)  | 5.0.4   | 5.0.5         | package-lock.json |
| https://osv.dev/GHSA-jxxr-4gwj-5jf2 | 6.5  | npm       | brace-expansion (dev)  | 5.0.4   | 5.0.6         | package-lock.json |
| https://osv.dev/GHSA-5wm8-gmm8-39j9 | 8.7  | npm       | fast-xml-builder (dev) | 1.1.4   | 1.1.7         | package-lock.json |
| https://osv.dev/GHSA-gh4j-gqv2-49f6 | 6.1  | npm       | fast-xml-parser (dev)  | 5.5.7   | 5.7.0         | package-lock.json |
| https://osv.dev/GHSA-2qvq-rjwj-gvw9 | 4.7  | npm       | handlebars (dev)       | 4.7.8   | 4.7.9         | package-lock.json |
| https://osv.dev/GHSA-2w6w-674q-4c4q | 9.8  | npm       | handlebars (dev)       | 4.7.8   | 4.7.9         | package-lock.json |
| https://osv.dev/GHSA-3mfm-83xf-c92r | 8.1  | npm       | handlebars (dev)       | 4.7.8   | 4.7.9         | package-lock.json |
| https://osv.dev/GHSA-442j-39wm-28r2 | 3.7  | npm       | handlebars (dev)       | 4.7.8   | 4.7.9         | package-lock.json |
| https://osv.dev/GHSA-7rx3-28cr-v5wh | 4.8  | npm       | handlebars (dev)       | 4.7.8   | 4.7.9         | package-lock.json |
| https://osv.dev/GHSA-9cx6-37pm-9jff | 7.5  | npm       | handlebars (dev)       | 4.7.8   | 4.7.9         | package-lock.json |
| https://osv.dev/GHSA-xhpv-hc6g-r9c6 | 8.1  | npm       | handlebars (dev)       | 4.7.8   | 4.7.9         | package-lock.json |
| https://osv.dev/GHSA-xjpj-3mr7-gcpf | 8.2  | npm       | handlebars (dev)       | 4.7.8   | 4.7.9         | package-lock.json |
| https://osv.dev/GHSA-f23m-r3pf-42rh | 6.5  | npm       | lodash (dev)           | 4.17.23 | 4.18.0        | package-lock.json |
| https://osv.dev/GHSA-r5fr-rjxr-66jc | 8.1  | npm       | lodash (dev)           | 4.17.23 | 4.18.0        | package-lock.json |
| https://osv.dev/GHSA-23c5-xmqv-rm74 | 7.5  | npm       | minimatch (dev)        | 9.0.3   | 9.0.7         | package-lock.json |
| https://osv.dev/GHSA-3ppc-4f35-3m26 | 8.7  | npm       | minimatch (dev)        | 9.0.3   | 9.0.6         | package-lock.json |
| https://osv.dev/GHSA-7r86-cg39-jmmj | 7.5  | npm       | minimatch (dev)        | 9.0.3   | 9.0.7         | package-lock.json |
| https://osv.dev/GHSA-3v7f-55p6-f55p | 5.3  | npm       | picomatch (dev)        | 2.3.1   | 2.3.2         | package-lock.json |
| https://osv.dev/GHSA-c2c7-rcm5-vvqj | 7.5  | npm       | picomatch (dev)        | 2.3.1   | 2.3.2         | package-lock.json |
| https://osv.dev/GHSA-3v7f-55p6-f55p | 5.3  | npm       | picomatch (dev)        | 4.0.3   | 4.0.4         | package-lock.json |
| https://osv.dev/GHSA-c2c7-rcm5-vvqj | 7.5  | npm       | picomatch (dev)        | 4.0.3   | 4.0.4         | package-lock.json |
| https://osv.dev/GHSA-2mjp-6q6p-2qxm | 6.5  | npm       | undici (dev)           | 5.29.0  | 6.24.0        | package-lock.json |
| https://osv.dev/GHSA-4992-7rv2-5pvq | 4.6  | npm       | undici (dev)           | 5.29.0  | 6.24.0        | package-lock.json |
| https://osv.dev/GHSA-g9mf-h72j-4rw9 | 5.9  | npm       | undici (dev)           | 5.29.0  | 6.23.0        | package-lock.json |
| https://osv.dev/GHSA-v9p9-hfj2-hcw8 | 7.5  | npm       | undici (dev)           | 5.29.0  | 6.24.0        | package-lock.json |
| https://osv.dev/GHSA-vrm6-8vpv-qv8q | 7.5  | npm       | undici (dev)           | 5.29.0  | 6.24.0        | package-lock.json |
+-------------------------------------+------+-----------+------------------------+---------+---------------+-------------------+

❌ ACTION / zizmor - 1 error

INFO zizmor: 🌈 zizmor v1.25.0
fatal: no audit was performed
'ref-confusion' audit failed on file://.github/workflows/check-dist.yml

Caused by:
    0: error in 'ref-confusion' audit
    1: couldn't list branches for actions/checkout
    2: request error while accessing GitHub API
    3: HTTP status client error (401 Unauthorized) for url (https://github.com/actions/checkout.git/git-upload-pack)


[ZizmorLinter] Zizmor failed to reach the GitHub API.
To allow zizmor to use GITHUB_TOKEN, add the following to your .mega-linter.yml:
ACTION_ZIZMOR_UNSECURED_ENV_VARIABLES:
  - GITHUB_TOKEN

Notices

📣 MegaLinter 9.5.0 is out! Discover the new features and security recommendations in the release announcement. (Skip this info by defining SECURITY_SUGGESTIONS: false)

See detailed reports in MegaLinter artifacts

Your project could benefit from a custom flavor, which would allow you to run only the linters you need, and thus improve runtime performances. (Skip this info by defining FLAVOR_SUGGESTIONS: false)

• Documentation: Custom Flavors
• Command: npx mega-linter-runner@9.5.0 --custom-flavor-setup --custom-flavor-linters ACTION_ACTIONLINT,ACTION_ZIZMOR,JSON_JSONLINT,JSON_V8R,JSON_PRETTIER,JSON_NPM_PACKAGE_JSON_LINT,MARKDOWN_MARKDOWNLINT,REPOSITORY_CHECKOV,REPOSITORY_GIT_DIFF,REPOSITORY_GITLEAKS,REPOSITORY_OSV_SCANNER,REPOSITORY_SECRETLINT,REPOSITORY_SYFT,REPOSITORY_TRIVY_SBOM,REPOSITORY_TRUFFLEHOG,TYPESCRIPT_ES,TYPESCRIPT_PRETTIER,YAML_PRETTIER,YAML_YAMLLINT,YAML_V8R

Show us your support by starring ⭐ the repository