Security Vulnerability: Transitive dependency on js-yaml@3.14.1

[ajamadar-mdsol]

Hello Team,
Security scanners (like Dependabot and npm audit) are flagging a prototype pollution vulnerability in js-yaml. The patched version is 4.1.1 or higher.
The latest version of codeceptjs (3.7.5) has transitive dependencies on two different vulnerable versions of js-yaml, which creates a conflict that cannot be automatically resolved.

Here is the dependency tree from npm ls js-yaml:

├─┬ codeceptjs@3.7.5
│ ├─┬ @codeceptjs/detox-helper@1.1.12
│ │ └─┬ react-native@0.81.4
│ │   └─┬ babel-jest@29.7.0
│ │     └─┬ babel-plugin-istanbul@6.1.1
│ │       └─┬ @istanbuljs/load-nyc-config@1.1.0
│ │         └── js-yaml@3.14.1  <-- VULNERABLE
│ └─┬ mocha@11.7.2
│   └── js-yaml@4.1.0 deduped   <-- VULNERABLE
└─┬ eslint@8.57.1
  ├─┬ @eslint/eslintrc@2.1.4
  │ └── js-yaml@4.1.0 deduped   <-- VULNERABLE
  └── js-yaml@4.1.0             <-- VULNERABLE

This conflict (one path requiring ^3.x and another ^4.x) prevents npm audit fix or Dependabot from applying the security patch. The only way for users to fix this currently is to manually add an override or resolution for js-yaml in their package.json.

Could these dependencies be updated to consolidate on a patched version of js-yaml (4.1.1 or higher) to resolve this security vulnerability?

Thank you!

[ajamadar-mdsol]

i have raise an PR. can maintainers approve the CI workflow and review the PR?