fix(deps): update dependency js-yaml to v5

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
js-yaml	^4.1.1 → ^5.0.0

---

Release Notes

nodeca/js-yaml (js-yaml)

v5.2.0

Compare Source

Added

• Added maxTotalMergeKeys (10000) loader option to limit the total number of
  keys processed by YAML merge (<<) across one load() / loadAll() call.
• Added maxAliases (-1) loader option to limit the number of YAML aliases per
  document.

Removed

• maxMergeSeqLength replaced with maxTotalMergeKeys for limiting YAML merge
  processing.

Fixed

• Round-trip of integers with exponential form (>= 1e21)

v5.1.0

Compare Source

Added

• Collection tags can finalize an incrementally populated carrier into a
  different result value.

Changed

• [breaking] quoteStyle now selects the preferred quote style; use the
  restored forceQuotes option to force quoting non-key strings.

v5.0.0

Compare Source

Added

• Added named exports for schemas, tags, parser events and AST utilities.
• Reworked JSON_SCHEMA and CORE_SCHEMA with spec-compliant scalar resolution
  rules, and added YAML11_SCHEMA.
• Added realMapTag for lossless mappings with non-string and complex keys.
  Object-based mappings now reject complex keys instead of stringifying them.
• Added dump() transform option for changing the generated AST before
  rendering.
• Added dump() options seqInlineFirst, flowBracketPadding,
  flowSkipCommaSpace, flowSkipColonSpace, quoteFlowKeys, quoteStyle and
  tagBeforeAnchor.
• Added formal data layers (events and AST) for modular data pipelines.
  • Added low-level parser (to events), presenter and visitor APIs.
• Added the YAML Test Suite to the
  test set.

Changed

• See the migration guide for upgrade notes.
• Rewritten in TypeScript and reorganized the public API around flat named
  exports.
• Reduced the set of exported schemas:
  • YAML 1.2 schemas: CORE_SCHEMA (loader default), JSON_SCHEMA,
    FAILSAFE_SCHEMA.
  • YAML11_SCHEMA, a combination of all YAML 1.1 tags (YAML 1.1 does not
    specify a schema, only "types").
• load/dump default behaviour is now specified exactly via schemas:
  • load uses CORE_SCHEMA, without !!merge by default.
  • dump uses YAML11_SCHEMA + CORE_SCHEMA for the quoting check, to
    guarantee backward compatibility by default.
• !!set is now loaded as a JavaScript Set.
• Replaced the Type API with a tags API. Similar, but more precise and
  simpler. See examples for details. Tags can be defined via
  defineScalarTag(), defineSequenceTag() and defineMappingTag(), or as a
  spread + override of an existing tag.
• Renamed Schema.extend() to Schema.withTags().
• Expanded YAML 1.2 conformance and improved handling of directives, document
  markers, block keys, multiline scalars, tag syntax and other things.
• load() now throws on empty input instead of returning undefined.
• Moved browser builds to the js-yaml/browser export.
• Deprecated the loadAll signature with an iterator (still works, but is a
  candidate for removal).

Removed

• Removed deprecated safeLoad(), safeLoadAll() and safeDump() exports.
• Removed DEFAULT_SCHEMA and the nested types export.
• Removed loader options onWarning, legacy and listener.
• Removed dumper options styles, replacer, noCompatMode, condenseFlow,
  quotingType and forceQuotes. Renamed noArrayIndent to seqNoIndent.
  Formatting and representation are now configured through presenter options,
  schemas and tag definitions. See migration guide on how to replace.
• Removed support for importing internal files from lib/.

v4.3.0

Compare Source

v4.2.0

Compare Source

Added

• Added docs/safety.md with notes about processing untrusted YAML.
• Added maxDepth (100) loader option. Not a problem, but gives a better
  exception instead of RangeError on stack overflow.
• Added maxMergeSeqLength (20) loader option. Not a problem after merge fix,
  but an additional restriction for safety.
• Added sourcemaps to dist/ builds.

Changed

• Stop resolving numbers with underscores as numeric scalars, #​627.
• Switched dev toolchains to Vite / neostandard.
• Updated demo.
• Reorganized tests.
• dist/ files are no longer kept in the repository.

Fixed

• Fix parsing of properties on the first implicit block mapping key, #​62.
• Fix trailing whitespace handling when folding flow scalar lines, #​307.
• Reject top-level block scalars without content indentation, #​280.
• Ensure numbers survive round-trip, #​737.
• Fix test coverage for issue #​221.
• Fix flow scalar trailing whitespace folding, #​307.
• Fix digits in YAML named tag handles.

Security

• Fix potential DoS via quadratic complexity in merge - deduplicate repeated
  elements (makes sense for malformed files > 10K).

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • At any time (no schedule defined)
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: f765b6559e

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

[chatgpt-codex-connector]

Preserve YAML merge parsing for model allowlists

With configs that use YAML merge anchors (<<) in litellm_config.yaml to DRY model_list entries, especially when model_name or litellm_params.model is supplied by the merge, js-yaml v5's default load() no longer expands those merges. getAllowedModels() can then return an empty list, and isModelAllowed() treats empty as fail-open, so any requested model is accepted; preserve the v4 schema here (for example by enabling mergeTag/YAML11_SCHEMA) or migrate the loader before bumping.

Useful? React with 👍 / 👎.