
chore(deps): bump js-yaml and @kitware/vtk.js #892

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/npm_and_yarn/multi-859254e2e9
dependabot[bot] commented on behalf of github on Jun 18, 2026

Bumps js-yaml to 4.2.0 and updates ancestor dependency @kitware/vtk.js. These dependencies need to be updated together.

Updates js-yaml from 4.1.1 to 4.2.0

Changelog

Sourced from js-yaml's changelog.

[4.2.0] - 2026-06-01

Added

  • Added docs/safety.md with notes about processing untrusted YAML.
  • Added maxDepth (100) loader option. Not a problem, but gives a better exception instead of RangeError on stack overflow.
  • Added maxMergeSeqLength (20) loader option. Not a problem after merge fix, but an additional restriction for safety.
  • Added sourcemaps to dist/ builds.

Changed

  • Stop resolving numbers with underscores as numeric scalars, #627.
  • Switched dev toolchains to Vite / neostandard.
  • Updated demo.
  • Reorganized tests.
  • dist/ files are no longer kept in the repository.

Fixed

  • Fix parsing of properties on the first implicit block mapping key, #62.
  • Fix trailing whitespace handling when folding flow scalar lines, #307.
  • Reject top-level block scalars without content indentation, #280.
  • Ensure numbers survive round-trip, #737.
  • Fix test coverage for issue #221.
  • Fix flow scalar trailing whitespace folding, #307.
  • Fix digits in YAML named tag handles.

Security

  • Fix potential DoS via quadratic complexity in merge - deduplicate repeated elements (makes sense for malformed files > 10K).

[3.14.2] - 2025-11-15

Security

  • Backported v4.1.1 fix to v3
Commits

Updates @kitware/vtk.js from 32.14.0 to 36.2.0

Release notes

Sourced from @kitware/vtk.js's releases.

v36.2.0

36.2.0 (2026-06-06)

Features

  • property2d: add explicit culling API to vtkProperty2D (beea478)

v36.1.2

36.1.2 (2026-06-03)

Bug Fixes

  • Rendering: do not report missing profile for widgets (b50da95), closes #3524

v36.1.1

36.1.1 (2026-05-29)

Bug Fixes

  • build: upgrade xmlbuilder2 to v4.0.3 (3aff1e3)

v36.1.0

36.1.0 (2026-05-25)

Features

  • Rendering: report missing view node profile imports (f611532), closes #3343

v36.0.1

36.0.1 (2026-05-22)

Bug Fixes

  • vtkOpenGLImageCPRMapper: projectionScaledDirection should have vtkImageData direction matrix (7bfb552)
  • vtkWebGPUImageCPRMapper: projection direction should use vtkImageData direction matrix (3659cda)

v36.0.0

36.0.0 (2026-05-21)

  • feat(build)!: migrate build/test tooling to Vite, Vitest, oxlint, oxfmt (c0d9887)
  • feat(macros)!: remove getStateArrayMapFunc (470034d)

BREAKING CHANGES

... (truncated)

Commits
  • beea478 feat(property2d): add explicit culling API to vtkProperty2D
  • b50da95 fix(Rendering): do not report missing profile for widgets
  • 3aff1e3 fix(build): upgrade xmlbuilder2 to v4.0.3
  • f611532 feat(Rendering): report missing view node profile imports
  • dcf90b4 test: re-enable four tests skipped during past tooling migrations
  • 3659cda fix(vtkWebGPUImageCPRMapper): projection direction should use vtkImageData di...
  • 7bfb552 fix(vtkOpenGLImageCPRMapper): projectionScaledDirection should have vtkImageD...
  • 470034d feat(macros)!: remove getStateArrayMapFunc
  • c0d9887 feat(build)!: migrate build/test tooling to Vite, Vitest, oxlint, oxfmt
  • cc715f8 test: add Renderer test with 3D, ImageSlice, and 2D actors
  • Additional commits viewable in compare view

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @kitware/vtk.js since your current version.



Bumps [js-yaml](https://github.com/nodeca/js-yaml) to 4.2.0 and updates ancestor dependency [@kitware/vtk.js](https://github.com/Kitware/vtk-js). These dependencies need to be updated together.


Updates `js-yaml` from 4.1.1 to 4.2.0
- [Changelog](https://github.com/nodeca/js-yaml/blob/master/CHANGELOG.md)
- [Commits](https://github.com/nodeca/js-yaml/commits)

Updates `@kitware/vtk.js` from 32.14.0 to 36.2.0
- [Release notes](https://github.com/Kitware/vtk-js/releases)
- [Commits](Kitware/vtk-js@v32.14.0...v36.2.0)

---
updated-dependencies:
- dependency-name: js-yaml
  dependency-version: 4.2.0
  dependency-type: indirect
- dependency-name: "@kitware/vtk.js"
  dependency-version: 36.2.0
  dependency-type: direct:development
...

Signed-off-by: dependabot[bot] <support@github.com>

dependabot[bot] added the dependencies (Pull requests that update a dependency file) and javascript (Pull requests that update Javascript code) labels on Jun 18, 2026

netlify Bot commented Jun 18, 2026

Deploy Preview for volview-dev failed.

Name Link
🔨 Latest commit f954538
🔍 Latest deploy log https://app.netlify.com/projects/volview-dev/deploys/6a3466678066ca0008327930
