Security: bump js-yaml dependency to >=4.1.1 (CVE chain)

[Patrikbjoh]

pnpm audit found js-yaml@3.14.1 in the dependency chain (via babel-plugin-istanbul -> @istanbuljs/load-nyc-config). This older js-yaml version has known vulnerabilities. Can you bump the dependency to js-yaml >= 4.1.1 and publish a patch release? Example vulnerable chain: babel-plugin-istanbul -> @istanbuljs/load-nyc-config (js-yaml@3.14.1). Happy to open a PR if you prefer.