[agentic] fix: update vite and js-yaml to resolve security vulnerabilities

[github-actions]

Summary

Updates two vulnerable devDependencies to resolve open Dependabot and npm audit security alerts.

Alerts Addressed

Dependabot Alerts (GitHub)

• Alert Bump ts-jest from 29.1.0 to 29.2.3 #57 — High severity: vite server.fs.deny bypass on Windows alternate paths
  Affected range: >= 8.0.0, <= 8.0.15 | Fixed in: 8.0.16

• Alert Bump ts-jest from 29.1.0 to 29.2.4 #58 — Medium severity: vite / launch-editor NTLMv2 hash disclosure via UNC path handling on Windows
  Affected range: >= 8.0.0, <= 8.0.15 | Fixed in: 8.0.16

npm audit finding (not yet in Dependabot)

• GHSA-h67p-54hq-rp68 — Moderate severity: js-yaml quadratic-complexity DoS in merge key handling via repeated aliases
  Affected range: <= 4.1.1 | Fixed in: 4.2.0

Alerts Not Fixed

• No open code scanning alerts found.
• No secret scanning alerts found.

Changes

File	Change
package.json	js-yaml minimum bumped from ^4.1.1 → ^4.2.0
package-lock.json	vite resolved 8.0.14 → 8.0.16; js-yaml resolved 4.1.1 → 4.2.0

Both packages are devDependencies used only during development (testing and tooling). No production runtime code is affected.

Validation

All commands run after the dependency update:

• npm ci — clean install, 0 vulnerabilities reported
• npm run build — TypeScript compilation successful
• npm run lint — ESLint passed (pre-existing module-type warning unrelated to these changes)
• npm test — 2/2 tests passed (pre-existing runner-env errors about missing GitHub Actions file paths are unrelated to these changes)
• npm run package — ncc bundle built successfully (1388 kB)

Generated by Security and Quality Alert Fixer · 226.6 AIC · ⌖ 27.2 AIC · ⊞ 19K · ◷

• expires on Jun 26, 2026, 9:54 AM UTC