Bump js-yaml and node-red

[dependabot]

Bumps js-yaml to 4.1.1 and updates ancestor dependency node-red. These dependencies need to be updated together.

Updates js-yaml from 4.1.0 to 4.1.1

Changelog

Sourced from js-yaml's changelog.

[4.1.1] - 2025-11-12

Security

• Fix prototype pollution issue in yaml merge (<<) operator.

Commits

• cc482e7 4.1.1 released
• 50968b8 dist rebuild
• d092d86 lint fix
• 383665f fix prototype pollution in merge (<<)
• 0d3ca7a README.md: HTTP => HTTPS (#678)
• 49baadd doc: 'empty' style option for !!null
• ba3460e Fix demo link (#618)
• See full diff in compare view

Updates node-red from 3.1.15 to 4.1.6

Release notes

Sourced from node-red's releases.

4.1.6

What's Changed

• Add § as shortcut meta-key by @​gorenje in node-red/node-red#5482
• Support ctrl key to select configuration nodes by @​kazuhitoyokoi in node-red/node-red#5486
• Fix: allow middle-click panning over links and ports by @​lklivingstone in node-red/node-red#5496
• Add frontend pre and post debug message hooks by @​Steve-Mcl in node-red/node-red#5495
• Allow node-red integrator access to available updates by @​Steve-Mcl in node-red/node-red#5499
• Ensure config sidebar tooltip handles html content by @​knolleary in node-red/node-red#5501
• Allow palette.theme to be set via theme plugin and include icons by @​knolleary in node-red/node-red#5500
• Bump dependencies by @​knolleary in node-red/node-red#5502
• Bump for 4.1.6 release by @​knolleary in node-red/node-red#5503

New Contributors

• @​lklivingstone made their first contribution in node-red/node-red#5496

Full Changelog: node-red/node-red@4.1.5...4.1.6

4.1.5: Maintenance Release

What's Changed

• chore: bump tar to 7.5.7 by @​bryopsida in node-red/node-red#5472
• Update for 4.1.5 release by @​knolleary in node-red/node-red#5479
• Fix package versions by @​knolleary in node-red/node-red#5480

Full Changelog: node-red/node-red@4.1.4...4.1.5

4.1.4

What's Changed

• fix: prevent uncaught exceptions in core node event handlers by @​Dennis-SEG in node-red/node-red#5438
• fix: prevent incorrect array modification in delay node by @​Dennis-SEG in node-red/node-red#5457
• fix: prevent double resolve in node close callback by @​Dennis-SEG in node-red/node-red#5461
• fix: prevent race condition in localfilesystem context store during shutdown by @​Dennis-SEG in node-red/node-red#5462
• registry: fix importModule base dir for exports subpaths by @​yuan-cloud in node-red/node-red#5465
• Revert overflow fix in editableList by @​knolleary in node-red/node-red#5467
• Bump for 4.1.4 release by @​knolleary in node-red/node-red#5468

New Contributors

• @​yuan-cloud made their first contribution in node-red/node-red#5465

Full Changelog: node-red/node-red@4.1.3...4.1.4

4.1.3: Maintenance Release

What's Changed

• Reveal node in search results via mouseover by @​gorenje in node-red/node-red#5368
• Fix size and scrolling in Git config UI by @​kazuhitoyokoi in node-red/node-red#5396
• Stricter validator for flow file name in project feature by @​kazuhitoyokoi in node-red/node-red#5398
• Expand folder to avoid error in library by @​kazuhitoyokoi in node-red/node-red#5399
• Fix debug tab to copy displayed value by @​kazuhitoyokoi in node-red/node-red#5400
• Fix invalid node size in quick add dialog by @​kazuhitoyokoi in node-red/node-red#5403
• Decrement count of http requests after error by @​kazuhitoyokoi in node-red/node-red#5409

... (truncated)

Changelog

Sourced from node-red's changelog.

4.1.6: Maintenance Release

• Allow palette.theme to be set via theme plugin and include icons (#5500) @​knolleary
• Ensure config sidebar tooltip handles html content (#5501) @​knolleary
• Allow node-red integrator access to available updates (#5499) @​Steve-Mcl
• Add frontend pre and post debug message hooks (#5495) @​Steve-Mcl
• Fix: allow middle-click panning over links and ports (#5496) @​lklivingstone
• Support ctrl key to select configuration nodes (#5486) @​kazuhitoyokoi
• Add § as shortcut meta-key (#5482) @​gorenje
• Update dependencies (#5502) @​knolleary

4.1.5: Maintenance Release

• chore: bump tar to 7.5.7 (#5472) @​bryopsida
• Update node-red-admin dependency @​knolleary

4.1.4: Maintenance Release

• Update tar dependency @​knolleary
• Revert overflow fix in editableList (#5467) @​knolleary
• registry: fix importModule base dir for exports subpaths (#5465) @​yuan-cloud
• fix: prevent race condition in localfilesystem context store during shutdown (#5462) @​Dennis-SEG
• fix: prevent double resolve in node close callback (#5461) @​Dennis-SEG
• fix: prevent incorrect array modification in delay node (#5457) @​Dennis-SEG
• fix: prevent uncaught exceptions in core node event handlers (#5438) @​Dennis-SEG

4.1.3: Maintenance Release

Editor

• 5343/Editor/Bug: Node help tab resets focus when arrow keys are used to switch between nodes (#5406) @​piotrbogun
• Ensure quick-add filter is applied properly when retriggering add (#5427) @​knolleary
• TreeList: Fix widget treeList keyboard navigation scroll behavior (#5421) @​piotrbogun
• Editor: Flow & subflow names are changed to all lowercase in search dialog #5348 (#5401) @​n-lark
• Allow actions show-next-tab and previous to loop (#5355) @​GogoVega
• 5404/Editor/Bug: Junction error in Quick Add dialog (#5407) @​piotrbogun
• Add tooltip to delete button in node property UI (#5410) @​kazuhitoyokoi
• Fix invalid node size in quick add dialog (#5403) @​kazuhitoyokoi
• Expand folder to avoid error in library (#5399) @​kazuhitoyokoi
• Stricter validator for flow file name in project feature (#5398) @​kazuhitoyokoi
• Fix size and scrolling in Git config UI (#5396) @​kazuhitoyokoi
• Reveal node in search results via mouseover (#5368) @​gorenje

Runtime

• Add package-lock.json for reproducible dependency chains (#5426) @​dimitrieh
• Readme markdown refactor for legibility in IDE's (#5423) @​dimitrieh
• Update body-parser (#5418) @​knolleary

Nodes

... (truncated)

Commits

• f78e6b6 Merge pull request #5503 from node-red/rel416
• 0ea90f5 Merge branch 'master' into rel416
• b9d997c Merge pull request #5502 from node-red/update-deps
• b671813 Bump for 4.1.6 release
• 35e3034 Bump dependencies
• f049a33 Merge pull request #5500 from node-red/5487-support-palette-theme-plugin
• 5e83d10 Merge pull request #5501 from node-red/5497-config-tooltip-text
• 4cf4817 Merge pull request #5499 from node-red/palette-updates
• ae81bc1 Merge branch 'master' into palette-updates
• 97f9ed4 Ensure config sidebar tooltip handles html content
• Additional commits viewable in compare view

You can trigger a rebase of this PR by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

Note
Automatic rebases have been disabled on this pull request as it has been open for over 30 days.