Bump js-yaml, nuxt and cssnano

[dependabot]

Bumps js-yaml to 3.14.2 and updates ancestor dependencies js-yaml, nuxt and cssnano. These dependencies need to be updated together.

Updates js-yaml from 3.10.0 to 3.14.2

Changelog

Sourced from js-yaml's changelog.

[3.14.2] - 2025-11-15

Security

• Backported v4.1.1 fix to v3

[4.1.1] - 2025-11-12

Security

• Fix prototype pollution issue in yaml merge (<<) operator.

[4.1.0] - 2021-04-15

Added

• Types are now exported as yaml.types.XXX.
• Every type now has options property with original arguments kept as they were (see yaml.types.int.options as an example).

Changed

• Schema.extend() now keeps old type order in case of conflicts (e.g. Schema.extend([ a, b, c ]).extend([ b, a, d ]) is now ordered as abcd instead of cbad).

[4.0.0] - 2021-01-03

Changed

• Check migration guide to see details for all breaking changes.
• Breaking: "unsafe" tags !!js/function, !!js/regexp, !!js/undefined are moved to js-yaml-js-types package.
• Breaking: removed safe* functions. Use load, loadAll, dump instead which are all now safe by default.
• yaml.DEFAULT_SAFE_SCHEMA and yaml.DEFAULT_FULL_SCHEMA are removed, use yaml.DEFAULT_SCHEMA instead.
• yaml.Schema.create(schema, tags) is removed, use schema.extend(tags) instead.
• !!binary now always mapped to Uint8Array on load.
• Reduced nesting of /lib folder.
• Parse numbers according to YAML 1.2 instead of YAML 1.1 (01234 is now decimal, 0o1234 is octal, 1:23 is parsed as string instead of base60).
• dump() no longer quotes :, [, ], (, ) except when necessary, #470, #557.
• Line and column in exceptions are now formatted as (X:Y) instead of at line X, column Y (also present in compact format), #332.
• Code snippet created in exceptions now contains multiple lines with line numbers.
• dump() now serializes undefined as null in collections and removes keys with undefined in mappings, #571.
• dump() with skipInvalid=true now serializes invalid items in collections as null.
• Custom tags starting with ! are now dumped as !tag instead of !<!tag>, #576.
• Custom tags starting with tag:yaml.org,2002: are now shorthanded using !!, #258.

Added

• Added .mjs (es modules) support.
• Added quotingType and forceQuotes options for dumper to configure string literal style, #290, #529.
• Added styles: { '!!null': 'empty' } option for dumper (serializes { foo: null } as "foo: "), #570.

... (truncated)

Commits

• 9963d36 3.14.2 released
• 10d3c8e dist rebuild
• 5278870 fix prototype pollution in merge (<<) (#731)
• 37caaad 3.14.1 released
• 094c0f7 dist rebuild
• 9586ebe Avoid calling hasOwnProperty of user-controlled objects
• 34e5072 3.14.0 released
• 7b25c83 Browser files rebuild
• 6f73473 Dev deps bump
• 0c29349 Travis-CI: drop old nodejs versions
• Additional commits viewable in compare view

Updates nuxt from 1.1.1 to 4.2.1

Release notes

Sourced from nuxt's releases.

v4.2.1

4.2.1 is the next patch release.

✅ Upgrading

Our recommendation for upgrading is to run:

npx nuxt upgrade --dedupe

This will deduplicate your lockfile as well, and help ensure that you pull in updates from other dependencies that Nuxt relies on, particularly in the unjs ecosystem.

👉 Changelog

compare changes

🩹 Fixes

• kit,nuxt,schema: Deprecate ImportPresetWithDeprecation (#33596)
• nuxt: Correct warning message for prefetch/noPrefetch conflict (#33617)
• nitro: Remove <nuxt-error-overlay> iframe border (#33625)
• vite: Use rolldown replace only in build (#33615)
• nitro: Use directory paths in moduleEntryPaths (#33628)
• nitro: Start error overlay minimized based on status code (#33658)
• vite: Ensure optimizeDeps config is applied before other plugins (#33586)
• nuxt: Respect layer priority order for scanned components (#33654)
• nuxt: Process prerender routes on pages:resolved (#33662)
• nuxt: Remove abort signal event listeners after render (#33665)
• nuxt: Cleanup event listener with cleanup signal (#33667)
• vite: Update vite-node (#33663)
• vite: Respect vite proxy in dev middleware (#33670)

💅 Refactors

• kit,nitro,nuxt,schema,vite: Explicitly import process/performance (#33650)

📖 Documentation

• Fix typo in eslint flat config description (#33569)
• Add signal support to useAsyncData examples (#33601)
• Document pending as alias of status === 'pending' (#33221)
• Note that cookieStore is true by default (#33572)
• Add information on types for server context (#33511)
• Mark webstorm issue resolved (#33608)
• Clarify route middleware doesn't affect API routes (#33643)
• Improve docs for useHead/useHydration/useLazy* (#33626)
• Update link to nitro source to v2 branch (08018af4f)
• Add typescript documentation for module authors (#33637)
• Typo (#33655)

🏡 Chore

• Update URLs (#33567)
• Add verifyDepsBeforeRun: install (#33603)
• Reduce redirects in docs links (1cc539325)
• Lint docs (0b5fa5dea)

... (truncated)

Commits

• 67ec213 v4.2.1
• b2ec7c5 chore(deps): update all non-major dependencies (main) (#33673)
• a1b6753 fix(nuxt): cleanup event listener with cleanup signal (#33667)
• 3e1eb66 fix(nuxt): remove abort signal event listeners after render (#33665)
• 0014826 fix(nuxt): process prerender routes on pages:resolved (#33662)
• 6b6ea5f fix(nuxt): respect layer priority order for scanned components (#33654)
• 26aaf83 refactor(kit,nitro,nuxt,schema,vite): explicitly import process/performance (...
• 95518af chore(deps): update all non-major dependencies (main) (#33639)
• 1cc5393 chore: reduce redirects in docs links
• 456cc36 fix(nuxt): correct warning message for prefetch/noPrefetch conflict (#33617)
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for nuxt since your current version.

Updates cssnano from 3.10.0 to 7.1.2

Release notes

Sourced from cssnano's releases.

v7.1.2

What's Changed

• fix: enhanced recognition of css comments by @​Nirvana-Jie in cssnano/cssnano#1730
• chore: use npm trusted publishing by @​ludofischer in cssnano/cssnano#1731
• fix: update browserslist by @​ludofischer in cssnano/cssnano#1733

Full Changelog: https://github.com/cssnano/cssnano/compare/cssnano@7.1.1...cssnano@7.1.2

v71.1.1

Bug Fixes

• fix(convert-values): exclude linear() from stripping % from value 0 by @​cernymatej in cssnano/cssnano#1720

Full Changelog: https://github.com/cssnano/cssnano/compare/cssnano@7.1.0...cssnano@7.1.1

cssnano@7.1.0

Changes

• Update to SVGO 4.0
• Update browserslist

cssnano@7.0.7

What's Changed

• fix: update browserslist by @​ludofischer in cssnano/cssnano#1675
• fix: update postcss peer dependency to version without vulnerabilities by @​ludofischer in cssnano/cssnano#1676
• fix: update TypeScript declarations by @​ludofischer in cssnano/cssnano#1685
• perf: load default preset in startup by @​43081j in cssnano/cssnano#1691
• Add support for selector order preservation to postcss-minify-selectors by @​ezzak in cssnano/cssnano#1688
• fix(postcss-convert-values): preserve percent sign in percentage values in at-rules with double quotes by @​aramikuto in cssnano/cssnano#1695

Full Changelog: https://github.com/cssnano/cssnano/compare/cssnano@7.0.6...cssnano@7.0.7

v7.0.6

What's Changed

• Update postcss-calc and selector-parser by @​ludofischer in cssnano/cssnano#1663
• fix(postcss-convert-values): convert 0ms to 0s by @​btea in cssnano/cssnano#1665

Full Changelog: https://github.com/cssnano/cssnano/compare/cssnano@7.0.5...cssnano@7.0.6

v7.0.5

Bug Fixes

• Fix layer rule deduping cssnano/cssnano#1656

v7.0.4

... (truncated)

Commits

• c847b6b Publish cssnano 7.1.2
• 72dd9c9 fix: update browserslist
• 19849ba chore: update dev dependencies
• ad02c7c chore: use npm trusted publishing
• f31273c fix: enhanced recognition of css comments (#1730)
• bd3b251 chore: update GitHub actions
• bba3b5f chore: update development deps
• 53c4033 test: switch to built-in Node.js test coverage
• ff17fd3 chore: update development dependencies
• c9e493c chore: update pnpm
• Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for cssnano since your current version.

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.