Security Vulnerability: Transitive dependency on [email protected]
Hello Team,

Security scanners (like Dependabot and npm audit) are flagging a prototype pollution vulnerability in js-yaml. The patched version is 4.1.1 or higher. The latest version of codeceptjs (3.7.5) has transitive dependencies on two different vulnerable versions of js-yaml, which creates a conflict that cannot be automatically resolved.
Here is the dependency tree from npm ls js-yaml:
├─┬ [email protected]
│ ├─┬ @codeceptjs/[email protected]
│ │ └─┬ [email protected]
│ │   └─┬ [email protected]
│ │     └─┬ [email protected]
│ │       └─┬ @istanbuljs/[email protected]
│ │         └── [email protected] <-- VULNERABLE
│ └─┬ [email protected]
│   └── [email protected] deduped <-- VULNERABLE
└─┬ [email protected]
  ├─┬ @eslint/[email protected]
  │ └── [email protected] deduped <-- VULNERABLE
  └── [email protected] <-- VULNERABLE
This conflict (one path requiring ^3.x and another ^4.x) prevents npm audit fix or Dependabot from applying the security patch. The only way for users to fix this currently is to manually add an override or resolution for js-yaml in their package.json.
Could these dependencies be updated to consolidate on a patched version of js-yaml (4.1.1 or higher) to resolve this security vulnerability?
Thank you!
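As an added example (not code from the issue or the codeceptjs project), the following walks the JSON form of `npm ls js-yaml --json`, reports every dependency path that resolves to a js-yaml release older than the patched 4.1.1, and builds the package.json `overrides` entry the issue describes as the current workaround. The sample tree mirrors the shape of the tree above but its intermediate package names and versions are constructed placeholders, since the issue text does not give them.

```javascript
// Minimal semver compare for "x.y.z" strings (prerelease tags ignored):
// negative when a is older than b, zero when equal, positive when newer.
function compareSemver(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) - (pb[i] || 0);
  }
  return 0;
}

// Recursively collect "name@version" chains ending at each copy of pkg whose
// version is below fixedVersion. `node` is the object npm ls --json prints;
// every level nests further packages under "dependencies".
function findVulnerablePaths(node, pkg, fixedVersion, path = []) {
  const found = [];
  for (const [name, dep] of Object.entries(node.dependencies || {})) {
    const here = [...path, `${name}@${dep.version}`];
    if (name === pkg && dep.version && compareSemver(dep.version, fixedVersion) < 0) {
      found.push(here.join(' > '));
    }
    found.push(...findVulnerablePaths(dep, pkg, fixedVersion, here));
  }
  return found;
}

// The package.json "overrides" block that forces every copy onto the patched range.
function overrideFor(pkg, fixedVersion) {
  return { overrides: { [pkg]: `^${fixedVersion}` } };
}

// Constructed sample: two paths pull a 3.x js-yaml, two pull an unpatched 4.x,
// mirroring the conflict in the issue. Names/versions other than codeceptjs 3.7.5
// and js-yaml 4.1.1 are placeholders, not the real tree.
const sampleTree = {
  dependencies: {
    codeceptjs: {
      version: '3.7.5',
      dependencies: {
        'tooling-placeholder': { version: '0.0.0', dependencies: { 'js-yaml': { version: '3.14.1' } } },
      },
    },
    'linter-placeholder': {
      version: '0.0.0',
      dependencies: {
        '@scope/config-placeholder': { version: '0.0.0', dependencies: { 'js-yaml': { version: '4.1.0' } } },
        'js-yaml': { version: '4.1.0' },
      },
    },
  },
};

console.log(findVulnerablePaths(sampleTree, 'js-yaml', '4.1.1'));
console.log(JSON.stringify(overrideFor('js-yaml', '4.1.1')));
```

On a real project, pipe `npm ls js-yaml --json` into `JSON.parse` and pass the result as `node`; an empty array after applying the override confirms every path now resolves to a patched release.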
I have raised a PR. Can maintainers approve the CI workflow and review the PR?