js-yaml is vulnerable to arbitrary code execution. The vulnerability exists through the usage of unsafe `load()` function, which allows attackers to inject arbitrary code via a malicious YAML file using objects that have `toString` as key, JavaScript code as value and are used as explicit mapping keys.