security(deps): resolve js-yaml and @babel/core alerts

[BYK]

Summary

Resolves the 2 remaining open Dependabot alerts (both transitive in pnpm-lock.yaml).

Alert	Package	Severity	Fix	GHSA
#289	js-yaml	medium	→4.2.0	GHSA-h67p-54hq-rp68
#288	@babel/core	low	→7.29.7	GHSA-4x5r-pxfx-6jf8

• js-yaml GHSA-h67p-54hq-rp68: quadratic-complexity DoS in merge key handling via repeated aliases.
• @babel/core GHSA-4x5r-pxfx-6jf8: arbitrary file read via sourceMappingURL comment.

Changes

• js-yaml override >=4.1.1 → >=4.2.0 <5
• Added @babel/core override >=7.29.6 <8

Notes

• Both overrides are bounded to the current major (js-yaml <5, @babel/core <8). An unbounded js-yaml >=4.2.0 pulled 5.1.0 (a major jump with breaking changes); capping keeps the minimal patch within 4.x.

Verification

• pnpm build (full turbo build) ✓
• pnpm --filter @spotlightjs/spotlight build:sea ✓
• Test suite ✓ (188/188)

[vercel]

The latest updates on your projects. Learn more about Vercel for GitHub.

Project	Deployment	Actions	Updated (UTC)
spotlightjs	Ready	Preview, Comment	Jun 23, 2026 3:21pm

[github-actions]

Codecov Results 📊

✅ Patch coverage is 100.00%. Project has 678 uncovered lines.
✅ Project coverage is 57.62%. Comparing base (base) to head (head).

Coverage diff

@@            Coverage Diff             @@
##          main       #PR       +/-##
==========================================
+ Coverage    57.62%    57.62%        —%
==========================================
  Files           49        49         —
  Lines         1602      1602         —
  Branches      1153      1153         —
==========================================
+ Hits           924       924         —
- Misses         678       678         —
- Partials       123       123         —

---

Generated by Codecov Action