From 2864225e985037a775fdec3e770687dae3b9699f Mon Sep 17 00:00:00 2001 From: John Carmack Date: Wed, 17 Jun 2026 16:13:55 -0500 Subject: [PATCH] Add changeset for js-yaml DoS fix (patch) --- .changeset/js-yaml-merge-key-dos.md | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 .changeset/js-yaml-merge-key-dos.md diff --git a/.changeset/js-yaml-merge-key-dos.md b/.changeset/js-yaml-merge-key-dos.md new file mode 100644 index 0000000..5e84b40 --- /dev/null +++ b/.changeset/js-yaml-merge-key-dos.md @@ -0,0 +1,5 @@ +--- +"deck-wind-layer": patch +--- + +Resolve the `js-yaml` merge-key DoS advisory ([GHSA-h67p-54hq-rp68](https://github.com/advisories/GHSA-h67p-54hq-rp68)) by forcing the transitive dependency to the patched 4.2.0 via pnpm `overrides` (`read-yaml-file` → ^2.1.0, `js-yaml` → ^4.2.0). The vulnerable 3.14.2 came in only through the changesets release toolchain, so this is a dev-tooling fix — the published bundle is unchanged.
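Review bot: The body of the added `.changeset/js-yaml-merge-key-dos.md` says the advisory is resolved through pnpm `overrides` (`read-yaml-file` → ^2.1.0, `js-yaml` → ^4.2.0), but the diffstat shows 1 file changed, and neither a `package.json` with the `overrides` block nor a lockfile update is part of this commit. Please confirm that the overrides and the regenerated lockfile land in the same series, or reference that commit in the message, so the changeset does not claim a fix that is not yet in the tree. Separately, the frontmatter line `"deck-wind-layer": patch` triggers a release while the body states the published bundle is unchanged. If consumers receive nothing new, consider whether a version bump is wanted for a dev-tooling-only change.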