chore: npm-js-yaml vulnerability

[alexchavez1]

Description of this change

see title

Why is this change being made?

• Chore (non-functional changes)
• Bug fix (non-breaking change that fixes an issue)
• New feature (non-breaking change that adds functionality)
• Breaking change (fix or feature that would cause existing functionality to not work as expected)

How was this tested? How can the reviewer verify your testing?

locally

Related issues

Checklist

• I have added tests to cover my changes.
• All new and existing tests passed.
• I have evaluated the security impact of this change, and OWASP Secure Coding Practices have been observed.
• I have informed stakeholders of my changes.

---

Note

Addresses dependency policy by enforcing js-yaml@^3.14.2 and aligning the lockfile.

• Adds js-yaml@^3.14.2 to resolutions and overrides in example/package.json and package/package.json
• Updates yarn.lock to resolve js-yaml to 3.14.2 (removes ^4.1.0 path and related argparse@^2 entry), and refreshes the local package file hash

^{Written by Cursor Bugbot for commit 348d91f. Configure here.}

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	npm/​@​types/​react@​18.3.27
	npm/​@​release-it/​conventional-changelog@​8.0.1 ⏵ 8.0.2				+3
	npm/​prettier@​3.6.2 ⏵ 3.7.4	-3		+1
	npm/​react-native@​0.83.1
	npm/​@​evilmartians/​lefthook@​1.12.3 ⏵ 1.13.6	+9			+1
	npm/​@​types/​node@​24.2.1 ⏵ 24.10.8	+1		+20	+5

View full report

[socket-security]

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Warn		Trivial package: npm hermes-compiler has 7 lines of code Location: Package overview From: ? → npm/react-native@0.83.1 → npm/hermes-compiler@0.14.0 ℹ Read more on: This package | This alert | What are trivial packages? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: Removing this package as a dependency and implementing its logic will reduce supply chain risk. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/hermes-compiler@0.14.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Potential vulnerability: npm node-gyp with risk level "medium" Location: Package overview From: ? → npm/react-native@0.83.1 → npm/jest@29.7.0 → npm/node-gyp@12.1.0 ℹ Read more on: This package | This alert | Navigating potential vulnerabilities Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev. Suggestion: It is advisable to proceed with caution. Engage in a review of the package's security aspects and consider reaching out to the package maintainer for the latest information or patches. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/node-gyp@12.1.0. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report