Bump js-yaml, cosmiconfig, mocha, husky and lint-staged

[dependabot]

Bumps js-yaml to 4.1.1 and updates ancestor dependencies js-yaml, cosmiconfig, mocha, husky and lint-staged. These dependencies need to be updated together.

Updates js-yaml from 3.13.0 to 4.1.1

Changelog

Sourced from js-yaml's changelog.

[4.1.1] - 2025-11-12

Security

• Fix prototype pollution issue in yaml merge (<<) operator.

[4.1.0] - 2021-04-15

Added

• Types are now exported as yaml.types.XXX.
• Every type now has options property with original arguments kept as they were (see yaml.types.int.options as an example).

Changed

• Schema.extend() now keeps old type order in case of conflicts (e.g. Schema.extend([ a, b, c ]).extend([ b, a, d ]) is now ordered as abcd instead of cbad).

[4.0.0] - 2021-01-03

Changed

• Check migration guide to see details for all breaking changes.
• Breaking: "unsafe" tags !!js/function, !!js/regexp, !!js/undefined are moved to js-yaml-js-types package.
• Breaking: removed safe* functions. Use load, loadAll, dump instead which are all now safe by default.
• yaml.DEFAULT_SAFE_SCHEMA and yaml.DEFAULT_FULL_SCHEMA are removed, use yaml.DEFAULT_SCHEMA instead.
• yaml.Schema.create(schema, tags) is removed, use schema.extend(tags) instead.
• !!binary now always mapped to Uint8Array on load.
• Reduced nesting of /lib folder.
• Parse numbers according to YAML 1.2 instead of YAML 1.1 (01234 is now decimal, 0o1234 is octal, 1:23 is parsed as string instead of base60).
• dump() no longer quotes :, [, ], (, ) except when necessary, #470, #557.
• Line and column in exceptions are now formatted as (X:Y) instead of at line X, column Y (also present in compact format), #332.
• Code snippet created in exceptions now contains multiple lines with line numbers.
• dump() now serializes undefined as null in collections and removes keys with undefined in mappings, #571.
• dump() with skipInvalid=true now serializes invalid items in collections as null.
• Custom tags starting with ! are now dumped as !tag instead of !<!tag>, #576.
• Custom tags starting with tag:yaml.org,2002: are now shorthanded using !!, #258.

Added

• Added .mjs (es modules) support.
• Added quotingType and forceQuotes options for dumper to configure string literal style, #290, #529.
• Added styles: { '!!null': 'empty' } option for dumper (serializes { foo: null } as "foo: "), #570.
• Added replacer option (similar to option in JSON.stringify), #339.
• Custom Tag can now handle all tags or multiple tags with the same prefix, #385.

Fixed

... (truncated)

Commits

• cc482e7 4.1.1 released
• 50968b8 dist rebuild
• d092d86 lint fix
• 383665f fix prototype pollution in merge (<<)
• 0d3ca7a README.md: HTTP => HTTPS (#678)
• 49baadd doc: 'empty' style option for !!null
• ba3460e Fix demo link (#618)
• 2cef47b 4.1.0 released
• 810b149 dist rebuild
• 2b5620e Export built-in types, type override now preserves order
• Additional commits viewable in compare view

Updates cosmiconfig from 5.2.0 to 9.0.0

Release notes

Sourced from cosmiconfig's releases.

cosmiconfig: v8.3.6

8.3.6 (2023-09-13)

Bug Fixes

• ignore search place if accessing it causes ENOTDIR (i.e. if access of a subpath of a file is attempted) (5bd915a)

cosmiconfig: v8.3.5

8.3.5 (2023-09-08)

Bug Fixes

• pass null to transform function for backwards compat (2b38510)

cosmiconfig: v8.3.4

8.3.4 (2023-09-04)

Bug Fixes

• remove node: prefix from imports (f76484a), closes #323

cosmiconfig: v8.3.3

8.3.3 (2023-09-03)

Bug Fixes

• add back node 14 compat (7392541), closes #320

cosmiconfig: v8.3.2

8.3.2 (2023-09-02)

Bug Fixes

• use .cjs extension for sync compiled typescript (0d76a9a)
• use default for async TS loader (5bed3e3)

cosmiconfig: v8.3.1

8.3.1 (2023-09-02)

Bug Fixes

• do not resolve stopDir when undefined (59082e2), closes #317

cosmiconfig: v8.3.0

... (truncated)

Changelog

Sourced from cosmiconfig's changelog.

9.0.0

• Added searchStrategy option:
  • The none value means that cosmiconfig does not traverse any directories upwards.
    • Breaking change: This is the default value if you don't pass a stopDir option, which means that cosmiconfig no longer traverses directories by default, and instead just looks in the current working directory.
      • If you want to achieve maximum backwards compatibility without adding an explicit stopDir, add the searchStrategy: 'global' option.
  • The project value means that cosmiconfig traverses upwards until it finds a package.json (or .yaml) file.
  • The global value means that cosmiconfig traverses upwards until the passed stopDir, or your home directory if no stopDir is given.
• Breaking change: Meta config files (i.e. config.js and similar) are not looked for in the current working directory anymore. Instead, it looks in the .config subfolder.
• Breaking change: When defining searchPlaces in a meta config file, the tool-defined searchPlaces are merged into this. Users may specify mergeSearchPlaces: false to disable this.
• Added support for a special $import key which will import another configuration file
  • The imported file will act as a base file - all properties from that file will be applied to the configuration, but can be overridden by the importing file
  • For more information, read the import section of the README
• Added searching in OS conventional folders (XDG compatible on Linux, %APPDATA% on Windows, Library/Preferences on macOS) for searchStrategy: 'global'
• Fixed crash when trying to load a file that is not readable due to file system permissions
• Fixed wrong ERR_REQUIRE_ESM error being thrown when there is an issue loading an ESM file

8.3.6

• Ignore search place if accessing it causes ENOTDIR (i.e. if access of a subpath of a file is attempted)

8.3.5

• Fixed regression in transform option

8.3.4

• Fixed crash in older node versions

8.3.3

• Added back node 14 compat to package.json

8.3.2

• Fixed some issues with TypeScript config loading

8.3.1

• Fixed crash when stopDir was given but undefined

8.3.0

• Add support for TypeScript configuration files

8.2.0

• Add support for ECMAScript modules (ESM) to the asynchronous API. End users running Node versions that support ESM can provide .mjs files, or .js files whose nearest parent package.json file contains "type": "module".
  • ${moduleName}rc.mjs and ${moduleName}.config.mjs are included in the default searchPlaces of the asynchronous API.
  • The synchronous API does not support ECMAScript modules, so does not look for .mjs files.

... (truncated)

Commits

• 006fc0b 9.0.0
• d4de473 update changelog for new version
• 8bf59fc make changelog leaner again
• 0555009 chore: remove release-please
• 5839d5e 9.0.0-alpha.3
• 7fcf489 chore: update lock file
• b8b412f chore: remove unnecessary dev packages
• bb3ebba chore: replace path-type package with own utility functions
• 76d26bd 9.0.0-alpha.2
• 559ed70 feat: load config from package.yaml
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by d-fischer, a new releaser for cosmiconfig since your current version.

Updates mocha from 6.0.2 to 11.7.5

Release notes

Sourced from mocha's releases.

v11.7.5

11.7.5 (2025-11-04)

🩹 Fixes

• swallow more require errors from *ts files (#5498) (d89dbaf)

🧹 Chores

• run tests on PRs for and pushes to v11.x (#5525) (8b21b38)
• setup release-please for v11 (#5522) (663fff4)

v11.7.4

11.7.4 (2025-10-01)

🩹 Fixes

• watch mode using chokidar v4 (#5379) (c2667c3)

📚 Documentation

• migrate remaining legacy wiki pages to main documentation (#5465) (bff9166)

🧹 Chores

• remove trailing spaces (#5475) (7f68e5c)

v11.7.3

11.7.3 (2025-09-30)

🩹 Fixes

• use original require() error for TS files if ERR_UNKNOWN_FILE_EXTENSION (#5408) (ebdbc48)

📚 Documentation

• add security escalation policy (#5466) (4122c7d)
• fix duplicate global leak documentation (#5461) (1164b9d)
• migrate third party UIs wiki page to docs (#5434) (6654704)
• update maintainer release notes for release-please (#5453) (185ae1e)

🤖 Automation

... (truncated)

Changelog

Sourced from mocha's changelog.

11.7.5 (2025-11-04)

🩹 Fixes

• swallow more require errors from *ts files (#5498) (d89dbaf)

🧹 Chores

• run tests on PRs for and pushes to v11.x (#5525) (8b21b38)
• setup release-please for v11 (#5522) (663fff4)

11.7.4 (2025-10-01)

🩹 Fixes

• watch mode using chokidar v4 (#5379) (c2667c3)

📚 Documentation

• migrate remaining legacy wiki pages to main documentation (#5465) (bff9166)

🧹 Chores

• remove trailing spaces (#5475) (7f68e5c)

11.7.3 (2025-09-30)

🩹 Fixes

• use original require() error for TS files if ERR_UNKNOWN_FILE_EXTENSION (#5408) (ebdbc48)

📚 Documentation

• add security escalation policy (#5466) (4122c7d)
• fix duplicate global leak documentation (#5461) (1164b9d)
• migrate third party UIs wiki page to docs (#5434) (6654704)
• update maintainer release notes for release-please (#5453) (185ae1e)

🤖 Automation

• deps: bump actions/setup-node in the github-actions group (#5459) (48c6f40)

... (truncated)

Commits

• 9a6a5db chore(v11.x): release 11.7.5 (#5523)
• 8b21b38 chore: run tests on PRs for and pushes to v11.x (#5525)
• 663fff4 chore: setup release-please for v11 (#5522)
• 8d97220 Update release-please to include v11.x and use Node ^22
• d89dbaf fix: swallow more require errors from *ts files (#5498)
• 8649f39 chore(main): release 11.7.4 (#5473)
• c2667c3 fix: watch mode using chokidar v4 (#5379)
• 7f68e5c chore: remove trailing spaces (#5475)
• bff9166 Docs: migrate remaining legacy wiki pages to main documentation (#5465)
• c805327 chore(main): release 11.7.3 (#5455)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by voxpelli, a new releaser for mocha since your current version.

Updates husky from 1.3.1 to 9.1.7

Release notes

Sourced from husky's releases.

v9.1.7

What's Changed

• fix: add husky label to deprecated warning by @​smackfu in typicode/husky#1538

New Contributors

• @​smackfu made their first contribution in typicode/husky#1538

Full Changelog: typicode/husky@v9.1.6...v9.1.7

v9.1.6

What's Changed

• Fix issue where example pre-commit file is generated incorrectly by @​dexmlee in typicode/husky#1519

New Contributors

• @​OlegKipchatov made their first contribution in typicode/husky#1495
• @​Byron2016 made their first contribution in typicode/husky#1499
• @​dexmlee made their first contribution in typicode/husky#1519

Full Changelog: typicode/husky@v9.1.5...v9.1.6

v9.1.5

What's Changed

• fixes #1494, support pre-merge-commit hook by @​RainMeoCat in typicode/husky#1497

New Contributors

• @​RainMeoCat made their first contribution in typicode/husky#1497

Full Changelog: typicode/husky@v9.1.4...v9.1.5

v9.1.4

• Improve deprecation notice

v9.1.3

• fix: better handle space in PATH

v9.1.2

Show a message instead of automatically removing deprecated code.

This only concerns projects that still have the following code in their hooks:

- #!/usr/bin/env sh # <- This is deprecated, remove it
- . "$(dirname -- "$0")/_/husky.sh"  # <- This is deprecated, remove it
Rest of your hook code

Hooks with these lines will fail in v10.0.0

v9.1.1

... (truncated)

Commits

• 799e84b 9.1.7
• 30f2049 fix: add husky label to deprecated warning (#1538)
• a2d942a 9.1.6
• b4465ed fix: add parens around the null coalescing operator to fix issues when npm_co...
• 3b3e7f1 docs(spanish): improve spanish translation (#1504)
• dcf3aed dosc: repair support Spanish sponsors links (#1500)
• c3afd5f docs: support Spanish documentation (#1499)
• c5f4f48 docs: support Russian documentation (#1495)
• 2fee8d2 9.1.5
• 397e7f0 fixes #1494 support pre-merge-commit hook
• Additional commits viewable in compare view

Updates lint-staged from 8.1.5 to 16.2.6

Release notes

Sourced from lint-staged's releases.

v16.2.6

Patch Changes

• #1693 33d4502 Thanks @​Adrian-Baran-GY! - Fix problems with --continue-on-error option, where tasks might have still been killed (SIGINT) when one of them failed.

v16.2.5

Patch Changes

• #1687 9e02d9d Thanks @​iiroj! - Fix unhandled promise rejection when spawning tasks (instead of the tasks themselves failing). Previously when a task failed to spawn, lint-staged also failed and the backup stash might not have been automatically restored.

v16.2.4

Patch Changes

• #1682 0176038 Thanks @​iiroj! - Update dependencies, including [email protected] with bug fixes.

• #1671 581a54e Thanks @​iiroj! - Speed up execution by only importing the yaml depedency if using YAML configuration files.

v16.2.3

Patch Changes

• #1669 27cd541 Thanks @​iiroj! - When using --fail-on-changes, automatically hidden (partially) unstaged changes are no longer counted to make lint-staged fail.

v16.2.2

Patch Changes

• #1667 699f95d Thanks @​iiroj! - The backup stash will not be dropped when using --fail-on-changes and there are errors. When reverting to original state is disabled (via --no-revert or --fail-on-changes), hidden (partially) unstaged changes are still restored automatically so that it's easier to resolve the situation manually.

  Additionally, the example for using the backup stash manually now uses the correct backup hash, if available:

  % npx lint-staged --fail-on-changes
  ✔ Backed up original state in git stash (c18d55a3)
  ✔ Running tasks for staged files...
  ✖ Tasks modified files and --fail-on-changes was used!
  ↓ Cleaning up temporary files...
  ✖ lint-staged failed because --fail-on-changes was used.
  Any lost modifications can be restored from a git stash:
  > git stash list --format="%h %s"
  c18d55a3 On main: lint-staged automatic backup
  > git apply --index c18d55a3

v16.2.1

Patch Changes

• #1664 8277b3b Thanks @​iiroj! - The built-in TypeScript types have been updated to more closely match the implementation. Notably, the list of staged files supplied to task functions is readonly string[] and can't be mutated. Thanks @​outslept!

... (truncated)

Changelog

Sourced from lint-staged's changelog.

16.2.6

Patch Changes

• #1693 33d4502 Thanks @​Adrian-Baran-GY! - Fix problems with --continue-on-error option, where tasks might have still been killed (SIGINT) when one of them failed.

16.2.5

Patch Changes

• #1687 9e02d9d Thanks @​iiroj! - Fix unhandled promise rejection when spawning tasks (instead of the tasks themselves failing). Previously when a task failed to spawn, lint-staged also failed and the backup stash might not have been automatically restored.

16.2.4

Patch Changes

• #1682 0176038 Thanks @​iiroj! - Update dependencies, including [email protected] with bug fixes.

• #1671 581a54e Thanks @​iiroj! - Speed up execution by only importing the yaml depedency if using YAML configuration files.

16.2.3

Patch Changes

• #1669 27cd541 Thanks @​iiroj! - When using --fail-on-changes, automatically hidden (partially) unstaged changes are no longer counted to make lint-staged fail.

16.2.2

Patch Changes

• #1667 699f95d Thanks @​iiroj! - The backup stash will not be dropped when using --fail-on-changes and there are errors. When reverting to original state is disabled (via --no-revert or --fail-on-changes), hidden (partially) unstaged changes are still restored automatically so that it's easier to resolve the situation manually.

  Additionally, the example for using the backup stash manually now uses the correct backup hash, if available:

  % npx lint-staged --fail-on-changes
  ✔ Backed up original state in git stash (c18d55a3)
  ✔ Running tasks for staged files...
  ✖ Tasks modified files and --fail-on-changes was used!
  ↓ Cleaning up temporary files...
  ✖ lint-staged failed because --fail-on-changes was used.
  Any lost modifications can be restored from a git stash:
  > git stash list --format="%h %s"
  c18d55a3 On main: lint-staged automatic backup
  > git apply --index c18d55a3

... (truncated)

Commits

• a1ec972 chore(changeset): release
• ddd5340 build(deps): regenerate package-lock.json
• ceb253a build(deps): update Vitest 4
• 58cc126 build(deps): update listr2
• 33d4502 fix: run all tasks when --continue-on-error=true
• 54ba9eb test: fix test usage for --continue-on-error
• b1715d9 test: fix test assertions for --continue-on-error to reveal incorrect behavior
• 1f6a326 chore(changeset): release
• 6ab937c ci: use separate caches for MSYS2 and Cygwin
• 6d71384 fix: catch errors when calling spawn
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for lint-staged since your current version.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.