Bump js-yaml and mocha

[dependabot]

Bumps js-yaml to 4.1.1 and updates ancestor dependency mocha. These dependencies need to be updated together.

Updates js-yaml from 4.1.0 to 4.1.1

Changelog

Sourced from js-yaml's changelog.

[4.1.1] - 2025-11-12

Security

• Fix prototype pollution issue in yaml merge (<<) operator.

Commits

• cc482e7 4.1.1 released
• 50968b8 dist rebuild
• d092d86 lint fix
• 383665f fix prototype pollution in merge (<<)
• 0d3ca7a README.md: HTTP => HTTPS (#678)
• 49baadd doc: 'empty' style option for !!null
• ba3460e Fix demo link (#618)
• See full diff in compare view

Updates mocha from 10.2.0 to 10.8.2

Release notes

Sourced from mocha's releases.

v10.8.2

10.8.2 (2024-10-30)

🩹 Fixes

• support errors with circular dependencies in object values with --parallel (#5212) (ba0fefe)
• test link in html reporter (#5224) (f054acc)

📚 Documentation

• indicate 'exports' interface does not work in browsers (#5181) (14e640e)

🧹 Chores

• fix docs builds by re-adding eleventy and ignoring gitignore again (#5240) (881e3b0)

🤖 Automation

• deps: bump the github-actions group with 1 update (#5132) (e536ab2)

v10.8.1

10.8.1 (2024-10-29)

🩹 Fixes

• handle case of invalid package.json with no explicit config (#5198) (f72bc17)
• Typos on mochajs.org (#5237) (d8ca270)
• use accurate test links in HTML reporter (#5228) (68803b6)

v10.8.0

10.8.0 (2024-10-29)

🌟 Features

• highlight browser failures (#5222) (8ff4845)

🩹 Fixes

• remove :is() from mocha.css to support older browsers (#5225) (#5227) (0a24b58)

📚 Documentation

... (truncated)

Changelog

Sourced from mocha's changelog.

10.8.2 (2024-10-30)

🩹 Fixes

• support errors with circular dependencies in object values with --parallel (#5212) (ba0fefe)
• test link in html reporter (#5224) (f054acc)

📚 Documentation

• indicate 'exports' interface does not work in browsers (#5181) (14e640e)

🧹 Chores

• fix docs builds by re-adding eleventy and ignoring gitignore again (#5240) (881e3b0)

🤖 Automation

• deps: bump the github-actions group with 1 update (#5132) (e536ab2)

10.8.1 (2024-10-29)

🩹 Fixes

• handle case of invalid package.json with no explicit config (#5198) (f72bc17)
• Typos on mochajs.org (#5237) (d8ca270)
• use accurate test links in HTML reporter (#5228) (68803b6)

10.8.0 (2024-10-29)

🌟 Features

• highlight browser failures (#5222) (8ff4845)

🩹 Fixes

• remove :is() from mocha.css to support older browsers (#5225) (#5227) (0a24b58)

📚 Documentation

• add SECURITY.md pointing to Tidelift (#5210) (bd7e63a)
• adopt Collective Funds Guidelines 0.1 (#5199) (2b03d86)
• update README, LICENSE and fix outdated (#5197) (1203e0e)

🧹 Chores

• fix npm scripts on windows (#5219) (1173da0)
• remove trailing whitespace in SECURITY.md (7563e59)

10.7.3 (2024-08-09)

... (truncated)

Commits

• 05097db chore(main): release 10.8.2 (#5239)
• 14e640e docs: indicate 'exports' interface does not work in browsers (#5181)
• 881e3b0 chore: fix docs builds by re-adding eleventy and ignoring gitignore again (#5...
• f054acc fix: test link in html reporter (#5224)
• e536ab2 build(deps): bump the github-actions group with 1 update (#5132)
• ba0fefe fix: support errors with circular dependencies in object values with --parall...
• f44f71b chore(main): release 10.8.1 (#5238)
• f72bc17 fix: handle case of invalid package.json with no explicit config (#5198)
• 68803b6 fix: use accurate test links in HTML reporter (#5228)
• d8ca270 fix: Typos on mochajs.org (#5237)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by voxpelli, a new releaser for mocha since your current version.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	mocha@​10.2.0 ⏵ 10.8.2	+1		+1

View full report

[socket-security]

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Warn		Potential code anomaly (AI signal): npm glob is 100.0% likely to have a medium risk anomaly Notes: The analyzed Glob library fragment implements standard, non-malicious filesystem globbing with proper asynchronous flow, error handling, and event emissions. It presents typical patterns for matching paths and optionally resolving real paths. Security risk is low to moderate as with any filesystem enumeration utility; no malicious activity detected in this fragment. Confidence: 1.00 Severity: 0.60 From: package-lock.json → npm/mocha@10.8.2 → npm/glob@8.1.0 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/glob@8.1.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Embedded URLs or IPs: npm js-yaml URLs: http://www.yaml.org/spec/1.2/spec.html#id2803231, https://mathiasbynens.be/notes/javascript-encoding#surrogate-formulae, https://en.wikipedia.org/wiki/UTF-16#Code_points_U.2B010000_to_U.2B10FFFF, https://github.com/nodeca/js-yaml/issues/164, http://www.yaml.org/spec/1.2/spec.html#id2799784, http://www.yaml.org/spec/1.2/spec.html#id2804923, http://www.yaml.org/spec/1.2/spec.html#id2802346 Location: Package overview From: package-lock.json → npm/eslint@8.40.0 → npm/mocha@10.8.2 → npm/js-yaml@4.1.1 ℹ Read more on: This package | This alert | What are URL strings? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Review all remote URLs to ensure they are intentional, pointing to trusted sources, and not being used for data exfiltration or loading untrusted code at runtime. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/js-yaml@4.1.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Embedded URLs or IPs: npm mocha URLs: https://npm.im/yargs-parser, 0.0.0.0, chokidar.watch, https://github.com/mochajs/mocha/wiki/compilers-deprecation, https://nodejs.org/api/errors.html#errors_error_stacktracelimit, https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Object/toString, https://developer.mozilla.org/en-US/docs/Web/JavaScript/Data_structures, github.com/rstacruz/mocha-clean, https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Map#Custom_and_Null_objects, https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Object/create#Custom_and_Null_objects, https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Object/assign#Custom_and_Null_objects, https://npm.im/serialize-javascript, http://feross.org, https://bugzilla.mozilla.org/show_bug.cgi?id=695438., http://msdn.microsoft.com/en-us/library/ie/dww52sbt, https://en.wikipedia.org/wiki/Latin_script_in_Unicode, https://www.artima.com/weblogs/viewpost.jsp?thread=164293, http://code.google.com/p/google-diff-match-patch/wiki/API, https://mathiasbynens.be/notes/ambiguous-ampersands:, http://html5sec.org/samliew#102,, http://html5sec.org/#108,, http://html5sec.org/samliew#133., https://mths.be/punycode., https://mathiasbynens.be/notes/javascript-encoding#surrogate-formulae, https://mths.be/notes/ambiguous-ampersands, http://stackoverflow.com/a/16459606/376773, https://github.com/facebook/react-native/pull/1632, http://stackoverflow.com/a/398120/376773, https://developer.mozilla.org/en-US/docs/Tools/Web_Console#Styling_messages, https://nodejs.org/api/process.html#process_process_emitwarning_warning_options, https://developer.mozilla.org/en-US/docs/Web/API/WindowOrWorkerGlobalScope/setTimeout#Maximum_delay_value, https://nodejs.org/api/events.html#events_class_eventemitter, https://testanything.org/tap-specification.html, https://testanything.org/tap-version-13-specification.html, https://mochajs.org/, https://ibin.co/4QuRuGjXvl36.png, https://github.com/mochajs/mocha/pull/916 Location: Package overview From: package-lock.json → npm/mocha@10.8.2 ℹ Read more on: This package | This alert | What are URL strings? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Review all remote URLs to ensure they are intentional, pointing to trusted sources, and not being used for data exfiltration or loading untrusted code at runtime. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/mocha@10.8.2. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Potential code anomaly (AI signal): npm workerpool is 100.0% likely to have a medium risk anomaly Notes: The fragment represents a conventional and sound worker pool IPC model with proper asynchronous handling and Transfer-based data transfer. The principal security concern is the dynamic execution of stringified code via new Function, which could enable arbitrary code execution if untrusted input ever flows into worker.run. In trusted, closed-over environments, this remains a manageable risk, but it warrants strict enforcement of trusted inputs, tight coupling between host and worker, and preferably avoiding new Function where possible (or sandboxing). Overall, moderate risk with a clear mitigation path centered on input trust and function serialization safeguards. Confidence: 1.00 Severity: 0.60 From: package-lock.json → npm/mocha@10.8.2 → npm/workerpool@6.5.1 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/workerpool@6.5.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Potential code anomaly (AI signal): npm workerpool is 100.0% likely to have a medium risk anomaly Notes: The fragment is a standard worker pool implementation with a notable security sink: dynamic code execution through new Function in run. This is a legitimate capability of the library but introduces a high-risk vector if untrusted code can be passed as the function string. There are no clear malicious actions (no exfiltration, backdoors, or crypto mining) evident in this snippet, but the dynamic evaluation presents a potential supply-chain risk if used with untrusted inputs. Overall, the code is not inherently malicious, but the dynamic evaluation presents a significant risk requiring strict input validation and trusted usage to prevent remote code execution in downstream applications. Confidence: 1.00 Severity: 0.60 From: package-lock.json → npm/mocha@10.8.2 → npm/workerpool@6.5.1 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/workerpool@6.5.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Potential code anomaly (AI signal): npm workerpool is 100.0% likely to have a medium risk anomaly Notes: Overall, this is a conventional cross-environment worker implementation with a high-risk capability (dynamic function execution) that could be abused if untrusted input is ever passed to worker.methods.run. The eval-based shim contributes additional dynamic behavior risk. The module is not inherently malicious, but it requires strict input controls, sandboxing, and explicit security reviews before being deployed in supply chains. Confidence: 1.00 Severity: 0.60 From: package-lock.json → npm/mocha@10.8.2 → npm/workerpool@6.5.1 ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/workerpool@6.5.1. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report