js-yaml is a human-friendly data serialization language.
Affected versions of this package are vulnerable to Arbitrary Code Execution.
When an object with an executable toString() property used as a map key, it will execute that function. This happens only for load(), which should not be used with untrusted data anyway. safeLoad() is not affected because it can't parse functions.