build(deps-dev): bump @yao-pkg/pkg from 6.11.0 to 6.14.0

[dependabot]

Bumps @yao-pkg/pkg from 6.11.0 to 6.14.0.

Release notes

Sourced from @​yao-pkg/pkg's releases.

Release 6.14.0

6.14.0 (2026-02-16)

Features

• bump eslint and its deps to latest (#212) (9fee672)

Bug Fixes

• remove downlevelIteration option from tsconfig.json (#210) (1737d03)
• resolve security vulnerabilities in dependencies (#211) (1715693)

Chores

• update dependencies, drop Node.js 18, add Node.js 22/24 support, and fix test compatibility (#214) (0f43831)

Release 6.13.1

6.13.1 (2026-02-11)

Features

• comprehensive ESM support with top-level await and import.meta polyfills (#206) (332c188), closes #208 #208 #208 #208

Bug Fixes

• add import.meta polyfill for ESM to CJS transformation (#208) (731b014)

Release 6.13.0

6.13.0 (2026-02-10)

Features

• detect and warn about unsupported ESM features (#202) (40e71c6)
• esm support (#192) (45cbc2c)

Bug Fixes

• bump tar to 7.5.6 to fix security vulnerabilities (#200) (1f160ac)

Chores

• change tsconfig target to es2022 (#198) (b72fee9)

Release 6.12.0

6.12.0 (2026-01-15)

... (truncated)

Changelog

Sourced from @​yao-pkg/pkg's changelog.

6.14.0 (2026-02-16)

Features

• bump eslint and its deps to latest (#212) (9fee672)

Bug Fixes

• remove downlevelIteration option from tsconfig.json (#210) (1737d03)
• resolve security vulnerabilities in dependencies (#211) (1715693)

Chores

• update dependencies, drop Node.js 18, add Node.js 22/24 support, and fix test compatibility (#214) (0f43831)

6.13.1 (2026-02-11)

Features

• comprehensive ESM support with top-level await and import.meta polyfills (#206) (332c188), closes #208 #208 #208 #208

Bug Fixes

• add import.meta polyfill for ESM to CJS transformation (#208) (731b014)

6.13.0 (2026-02-10)

Features

• detect and warn about unsupported ESM features (#202) (40e71c6)
• esm support (#192) (45cbc2c)

Bug Fixes

• bump tar to 7.5.6 to fix security vulnerabilities (#200) (1f160ac)

Chores

• change tsconfig target to es2022 (#198) (b72fee9)

6.12.0 (2026-01-15)

Features

• bump fetch with node 22.20.0 22.22.0 24.13.0 (#199) (5807ed2)

Commits

• 3d80721 Release 6.14.0
• 0f43831 chore: update dependencies, drop Node.js 18, add Node.js 22/24 support, and f...
• 1715693 fix: resolve security vulnerabilities in dependencies (#211)
• 9fee672 feat: bump eslint and its deps to latest (#212)
• 1737d03 fix: remove downlevelIteration option from tsconfig.json (#210)
• 44ddf20 Release 6.13.1
• 332c188 feat: comprehensive ESM support with top-level await and import.meta polyfill...
• 731b014 fix: add import.meta polyfill for ESM to CJS transformation (#208)
• 8ecf801 Release 6.13.0
• 645b0e8 perf: replace Babel with esbuild for ESM to CJS transformation and update dep...
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[dependabot]

Labels

The following labels could not be found: Changed. Please create it before Dependabot can add it to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License
	tar@​7.5.2 ⏵ 7.5.9	+1	+40		+42
	@​yao-pkg/​pkg@​6.11.0 ⏵ 6.14.0			+1	+3

View full report

[socket-security]

Caution

Review the following alerts detected in dependencies.

According to your organization's Security Policy, you must resolve all "Block" alerts before proceeding. It is recommended to resolve "Warn" alerts too. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Block		Install-time scripts: npm esbuild during postinstall Install script: postinstall Source: node install.js From: package-lock.json → npm/@yao-pkg/[email protected] → npm/[email protected] ℹ Read more on: This package | This alert | What is an install script? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected]. Suggestion: Packages should not be running non-essential scripts during install and there are often solutions to problems people solve with install scripts that can be run at publish time instead. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Potential code anomaly (AI signal): npm @yao-pkg/pkg is 90.0% likely to have a medium risk anomaly Notes: This module is a legitimate-looking build tool that downloads Node binaries, verifies checksums, generates a SEA blob from a provided entrypoint, and injects that blob into Node executables for distribution. The code itself does not contain clear malware (no data exfiltration, no hard-coded credentials, no reverse shell). However it performs high-impact actions: downloading and extracting executables, executing shell commands with interpolated, potentially unescaped paths, and injecting arbitrary blobs into binaries. These behaviors present supply-chain and command-injection risks if inputs (targets, nodePath, entryPoint, opts) or the downloaded resources are attacker-controlled or untrusted. Use requires trusting the blob generation inputs, target definitions, and the remote hosts providing Node binaries and checksums. Recommend validating and sanitizing all inputs used in shell commands and pinning trusted sources for binaries and checksums; prefer using execFile/spawn with argument arrays or proper escaping to avoid shell injection. Confidence: 0.90 Severity: 0.60 From: package-lock.json → npm/@yao-pkg/[email protected] ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected]. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/@yao-pkg/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Potential code anomaly (AI signal): npm esbuild is 100.0% likely to have a medium risk anomaly Notes: The code represents a thorough and sophisticated installer for esbuild with multiple fallback mechanisms to acquire platform-appropriate binaries. While largely legitimate, its use of direct tarball downloads, manual extraction without explicit integrity validation, and the override/wrapper mechanism create nontrivial supply-chain and abuse risks. Recommend enabling strict binary integrity checks (checksums/signatures), minimizing or auditing the override/wrapper feature, and implementing tighter error visibility and logging to reduce operational risk and potential misuse. Confidence: 1.00 Severity: 0.60 From: package-lock.json → npm/@yao-pkg/[email protected] → npm/[email protected] ℹ Read more on: This package | This alert | What is an AI-detected potential code anomaly? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected]. Suggestion: An AI system found a low-risk anomaly in this package. It may still be fine to use, but you should check that it is safe before proceeding. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report