fix: upgrade yaml to 1.10.3 to address CVE-2026-33532

[cf-ckuru]

Summary

Upgrades the transitive yaml dependency from 1.10.2 to 1.10.3 to fix CVE-2026-33532 (stack overflow via deeply nested YAML collections).

Details

• CVE: CVE-2026-33532
• Severity: Moderate (CVSS 4.3)
• Affected package: yaml 1.0.0–1.10.2
• Fixed in: yaml 1.10.3

The yaml package is a transitive dependency pulled in by cosmiconfig and postcss-load-config. The vulnerability allows a small (~2–10 KB) deeply nested YAML payload to trigger a stack overflow (RangeError: Maximum call stack size exceeded).

Changes

• Added "yaml": "^1.10.3" to resolutions in root package.json
• Ran yarn upgrade yaml@^1.10.3 to update yarn.lock

No source code changes. This is a patch-level bump (1.10.2 -> 1.10.3) within existing semver ranges.

[changeset-bot]

⚠️ No Changeset found

Latest commit: 783eb45

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[codesandbox-ci]

This pull request is automatically built and testable in CodeSandbox.

To see build info of the built libraries, click here or the icon next to each commit SHA.