chore(deps): bump js-yaml from 4.2.0 to 5.1.0

[dependabot]

Bumps js-yaml from 4.2.0 to 5.1.0.

Changelog

Sourced from js-yaml's changelog.

[5.1.0] - 2026-06-23

Added

• Collection tags can finalize an incrementally populated carrier into a different result value.

Changed

• [breaking] quoteStyle now selects the preferred quote style; use the restored forceQuotes option to force quoting non-key strings.

[5.0.0] - 2026-06-20

Added

• Added named exports for schemas, tags, parser events and AST utilities.
• Reworked JSON_SCHEMA and CORE_SCHEMA with spec-compliant scalar resolution rules, and added YAML11_SCHEMA.
• Added realMapTag for lossless mappings with non-string and complex keys. Object-based mappings now reject complex keys instead of stringifying them.
• Added dump() transform option for changing the generated AST before rendering.
• Added dump() options seqInlineFirst, flowBracketPadding, flowSkipCommaSpace, flowSkipColonSpace, quoteFlowKeys, quoteStyle and tagBeforeAnchor.
• Added formal data layers (events and AST) for modular data pipelines.
  • Added low-level parser (to events), presenter and visitor APIs.
• Added the YAML Test Suite to the test set.

Changed

• See the migration guide for upgrade notes.
• Rewritten in TypeScript and reorganized the public API around flat named exports.
• Reduced the set of exported schemas:
  • YAML 1.2 schemas: CORE_SCHEMA (loader default), JSON_SCHEMA, FAILSAFE_SCHEMA.
  • YAML11_SCHEMA, a combination of all YAML 1.1 tags (YAML 1.1 does not specify a schema, only "types").
• load/dump default behaviour is now specified exactly via schemas:
  • load uses CORE_SCHEMA, without !!merge by default.
  • dump uses YAML11_SCHEMA + CORE_SCHEMA for the quoting check, to guarantee backward compatibility by default.
• !!set is now loaded as a JavaScript Set.
• Replaced the Type API with a tags API. Similar, but more precise and simpler. See examples for details. Tags can be defined via defineScalarTag(), defineSequenceTag() and defineMappingTag(), or as a spread + override of an existing tag.
• Renamed Schema.extend() to Schema.withTags().
• Expanded YAML 1.2 conformance and improved handling of directives, document markers, block keys, multiline scalars, tag syntax and other things.
• load() now throws on empty input instead of returning undefined.
• Moved browser builds to the js-yaml/browser export.

... (truncated)

Commits

• f1e45cd 5.1.0 released
• 53b22be Fix constructor coverage
• a1eaa2b Fix quote style options and restore forceQuotes
• 0532e7d Add finalizers for immutable collection tags
• 9f00b91 tests: drop the rest of issues tests, move a small fraction of useful checks ...
• 6be5d46 tests: drop not actual or duplicating issue tests (covered in other places)
• a7c9766 Fix !!pairs coverage
• 75148bc 5.0.0 released
• 704b25d Quote document markers followed by whitespace
• 42dea28 Support complex !!pairs keys with realMapTag
• Additional commits viewable in compare view

[DeepDiver1975]

🤖 Automated code review by Claude Code review agent

Diff is manifest-only (package.json + package-lock.json); js-yaml is bumped 4.2.0 → 5.0.0 as a direct build dependency, no source/docs code changes. This is a major bump with real breaking changes (rewritten in TS, removed safeLoad/safeLoadAll/safeDump and DEFAULT_SCHEMA, Type API replaced by tags API, load() now throws on empty input) and it drops Node < 18.

Verdict: low-risk to merge provided this repo's CI docs-build job (and its Node version, must be ≥ 18) is green — that build is the real gate. js-yaml is used only by the Antora toolchain here, not by authored content, so a passing build is sufficient confidence. If CI is red, hold and check for a safeLoad/Type-API or Node-version regression.

[DeepDiver1975]

@dependabot rebase

[DeepDiver1975]

🤖 Automated review by Claude Code review agent.

Major version bump (js-yaml 4.2.0 → 5.1.0) — not a routine dependabot patch.

js-yaml is used directly in this repo's build toolchain, in ext-antora/load-global-site-attributes.js:

const yaml = require('js-yaml')
...
var d = yaml.load(data)   // parses the global attributes file (local path or URL)

js-yaml 5.x is a full rewrite (new API, new YAML implementation; 5.0.0 was released 2026-06-20, 5.1.0 today) with breaking changes that touch this exact call site. Per the v4→v5 migration guide:

1. Empty input now throws. load('') previously returned undefined; in 5.x it throws. The attributes file here can come from a URL or local file — if it ever resolves empty, convert_yaml now rejects and the extension calls this.stop(), aborting the whole Antora build instead of silently continuing. Behavior change.
2. Default schema changed to YAML 1.2 CORE_SCHEMA, dropping \!\!merge (<<) and the YAML 1.1 types (\!\!timestamp, \!\!binary, \!\!set, and 1.1 int/float/bool syntax). If the global attributes YAML uses merge keys/anchors or 1.1-style scalars, parsing now changes or fails. Restoring requires passing an explicit schema: option that this code does not.
3. Flat exports. The migration guide documents const { load } = require('js-yaml') but the code uses namespaced yaml.load; given "exports are now flat" and the bin entry moving to .mjs (ESM), the CommonJS yaml.load property access should be re-verified against 5.x.

CI does not de-risk this: the green checks are Build documentation (10s) and lint. The load-global-site-attributes extension only runs when attributefile is configured in the playbook (site.yml), so a passing build does not prove the new parser handles the real attributes file.

Required action before merge: confirm (a) yaml.load still resolves under js-yaml 5.x CommonJS, and (b) the actual global attributes file parses identically (no << merge keys / YAML 1.1 types relied upon), or pin to ^4.x until the extension is migrated. A major bump of a directly-consumed YAML parser is not a zero-reservation change.

Checks: all green (Build documentation, lint — but neither exercises the js-yaml call path). Mergeable: CLEAN. Changelog: n/a (repo has no changelog).