chore: add pnpm override to floor js-yaml at >=3.14.2 for CVE compliance

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Author: BPapp-MS

common/config/rush/pnpm-config.json

@@ -252,7 +252,13 @@
     "loader-utils@^2.0.0": "2.0.4",
 
     // `fast-xml-parser@5.3.3` has a vulnerability
-    "fast-xml-parser@^5.3.3": "5.3.5"
+    "fast-xml-parser@^5.3.3": "5.3.5",
+
+    // `js-yaml@<3.13.1` has multiple vulnerabilities (CVE-2019-7177, CVE-2023-2251).
+    // 3.x is EOL but still pulled in transitively by eslint 7.x and tslint 5.x.
+    // Cannot override to 4.x because safeLoad() was removed (breaking API change).
+    // This floor prevents regression to any vulnerable 3.x version.
+    "js-yaml@^3": ">=3.14.2"
   },
 
   /**

common/config/subspaces/build-tests-subspace/pnpm-lock.yaml

@@ -1,6 +1,6 @@
 // DO NOT MODIFY THIS FILE MANUALLY BUT DO COMMIT IT. It is generated and used by Rush.
 {
-  "pnpmShrinkwrapHash": "ae06e3ff5f65c89fd6b5c88cb4bce597f4a5aa18",
+  "pnpmShrinkwrapHash": "c37cdad9db0f53fb5517605d84018e14f614bc3a",
   "preferredVersionsHash": "550b4cee0bef4e97db6c6aad726df5149d20e7d9",
   "packageJsonInjectedDependenciesHash": "fa90a0a032a0046e646e8751bbc6d0be86a4dda1"
 }

common/config/subspaces/build-tests-subspace/repo-state.json

@@ -1,5 +1,5 @@
 // DO NOT MODIFY THIS FILE MANUALLY BUT DO COMMIT IT. It is generated and used by Rush.
 {
-  "pnpmShrinkwrapHash": "c482c23c40b202ed750549c796c24b3550d0ba6e",
+  "pnpmShrinkwrapHash": "ea42860c463f2c0cdef95fc183bd65cd74fc62b1",
   "preferredVersionsHash": "029c99bd6e65c5e1f25e2848340509811ff9753c"
 }