From 7ec23a3e4c811f6e489d5df429bce5d8b77503f8 Mon Sep 17 00:00:00 2001
From: Karen Stepanyan
Date: Fri, 6 Feb 2026 20:19:51 +0400
Subject: [PATCH 1/2] fix js-yaml vulnerability (transitive dependency)
---
 package.json | 3 +++
 yarn.lock | 15 ++++-----------
 2 files changed, 7 insertions(+), 11 deletions(-)
diff --git a/package.json b/package.json
index 915ba2d6..e11d9466 100644
--- a/package.json
+++ b/package.json
@@ -64,6 +64,9 @@
 "trailingComma": "all",
 "arrowParens": "always"
 },
+ "resolutions": {
+ "**/js-yaml": "3.14.2"
+ },
 "ava": {
 "files": [
 "test/**/*.test.ts"
diff --git a/yarn.lock b/yarn.lock
index a0096653..4240915e 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -2004,21 +2004,14 @@ js-string-escape@^1.0.1: resolved "https://registry.npmjs.org/js-string-escape/-/js-string-escape-1.0.1.tgz" integrity sha512-Smw4xcfIQ5LVjAOuJCvN/zIodzA/BBSsluuoSykP+lUvScIi4U6RJLfwHet5cxFnCswUjISV8oAXaqaJDY3chg== -js-yaml@^3.14.1: - version "3.14.1" - resolved "https://registry.npmjs.org/js-yaml/-/js-yaml-3.14.1.tgz" - integrity sha512-okMH7OXXJ7YrN9Ok3/SXrnu4iX9yOk+25nqX4imS2npuvTYDmo/QEZoqwZkYaIDk3jVvBOTOIEgEhaLOynBS9g== +js-yaml@3.14.2, js-yaml@^3.14.1, js-yaml@^4.1.0: + version "3.14.2" + resolved "https://registry.yarnpkg.com/js-yaml/-/js-yaml-3.14.2.tgz#77485ce1dd7f33c061fd1b16ecea23b55fcb04b0" + integrity sha512-PMSmkqxr106Xa156c2M265Z+FTrPl+oxd/rgOQy2tijQeK5TxQ43psO1ZCwhVOSdnn+RzkzlRz/eY4BgJBYVpg== dependencies: argparse "^1.0.7" esprima "^4.0.0" -js-yaml@^4.1.0: - version "4.1.0" - resolved "https://registry.npmjs.org/js-yaml/-/js-yaml-4.1.0.tgz" - integrity sha512-wpxZs9NoxZaJESJGIZTyDEaYpl0FKSA+FB9aJiyemKhMwkxQg63h4T1KJgUGHpTqPDNRcmmYLugrRjJlBtWvRA== - dependencies: - argparse "^2.0.1" - json-buffer@3.0.1: version "3.0.1" resolved "https://registry.npmjs.org/json-buffer/-/json-buffer-3.0.1.tgz"
From 056e9c2e5ed8e29e4541f8acb4dbdc533f0e7592 Mon Sep 17 00:00:00 2001
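Review bot: The `"**/js-yaml": "3.14.2"` glob in `resolutions` forces every consumer onto 3.14.2, including any dependency that asked for `^4.1.0`; the yarn.lock hunk of this same patch shows `js-yaml@^4.1.0` folded into the 3.14.2 entry. That is a major-version downgrade rather than a patch bump: js-yaml 4 removed `safeLoad` and made `load()` use the safe schema by default, whereas 3.x `load()` uses the full schema, so code written against 4.x may break or end up parsing YAML with a less restrictive loader than its author intended. Patch 2/2 narrows the key to `supertap/js-yaml`; squashing the two patches would keep this intermediate state out of history, so a bisect or cherry-pick cannot land on it.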
From: Karen Stepanyan
Date: Fri, 6 Feb 2026 20:30:27 +0400
Subject: [PATCH 2/2] lock with supertap/js-yaml
---
 package.json | 2 +-
 yarn.lock | 9 ++++++++-
 2 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/package.json b/package.json
index e11d9466..d5ee29af 100644
--- a/package.json
+++ b/package.json
@@ -65,7 +65,7 @@
 "arrowParens": "always"
 },
 "resolutions": {
- "**/js-yaml": "3.14.2"
+ "supertap/js-yaml": "3.14.2"
 },
 "ava": {
 "files": [
diff --git a/yarn.lock b/yarn.lock
index 4240915e..4f69ef03 100644
--- a/yarn.lock
+++ b/yarn.lock
@@ -2004,7 +2004,7 @@ js-string-escape@^1.0.1: resolved "https://registry.npmjs.org/js-string-escape/-/js-string-escape-1.0.1.tgz" integrity sha512-Smw4xcfIQ5LVjAOuJCvN/zIodzA/BBSsluuoSykP+lUvScIi4U6RJLfwHet5cxFnCswUjISV8oAXaqaJDY3chg== -js-yaml@3.14.2, js-yaml@^3.14.1, js-yaml@^4.1.0: +js-yaml@3.14.2, js-yaml@^3.14.1: version "3.14.2" resolved "https://registry.yarnpkg.com/js-yaml/-/js-yaml-3.14.2.tgz#77485ce1dd7f33c061fd1b16ecea23b55fcb04b0" integrity sha512-PMSmkqxr106Xa156c2M265Z+FTrPl+oxd/rgOQy2tijQeK5TxQ43psO1ZCwhVOSdnn+RzkzlRz/eY4BgJBYVpg==
@@ -2012,6 +2012,13 @@ js-yaml@3.14.2, js-yaml@^3.14.1, js-yaml@^4.1.0: argparse "^1.0.7" esprima "^4.0.0" +js-yaml@^4.1.0: + version "4.1.1" + resolved "https://registry.yarnpkg.com/js-yaml/-/js-yaml-4.1.1.tgz#854c292467705b699476e1a2decc0c8a3458806b" + integrity sha512-qQKT4zQxXl8lLwBtHMWwaTcGfFOZviOJet3Oy/xmGk2gZH677CJM9EvtfdSkgWcATZhj/55JZ0rmy3myCT5lsA== + dependencies: + argparse "^2.0.1" + json-buffer@3.0.1: version "3.0.1" resolved "https://registry.npmjs.org/json-buffer/-/json-buffer-3.0.1.tgz"
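Review bot: The `"supertap/js-yaml": "3.14.2"` override is an exact pin with no record of which advisory it addresses or when it can be removed; the subject line only says "js-yaml vulnerability". package.json cannot carry a comment, so the commit message should name the advisory id and the removal condition, for example `Remove once supertap depends on js-yaml >= 3.14.2`. A range such as `"supertap/js-yaml": "^3.14.2"` would let later 3.x fixes arrive through a lockfile refresh instead of staying frozen at this version. The regenerated lock entries also resolve from `registry.yarnpkg.com` while the neighbouring entries use `registry.npmjs.org`; if CI or a mirror restricts registry hosts, regenerate the lock with the project's usual registry setting.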