Update js-yaml dependency to ^4.2.0 (#11081)

**@mikeharder**
`js-yaml` has a security fix in `4.2.0`. But since `http-client-python`
only floated `~4.1.0` instead of `^4.2.0`, consumers are prevented from
updating. We should always float with `^` instead of `~`, unless we have
a strong reason (eg some packages allow breaking changes in minors).

**@copilot**
Bumps the `js-yaml` dependency to `^4.2.0` in the http-client-python and
http-client-java packages, widening the range to allow patch and minor
updates within the 4.x line.

### Changes
- **`packages/http-client-python/package.json`**: `~4.1.0` → `^4.2.0`
- **`packages/http-client-java/package.json`**: `~4.2.0` → `^4.2.0`
- **Lock files**: refreshed `js-yaml` resolution in both
`package-lock.json` files (now `4.2.0`)
- **Changelog**: added a chronus `dependencies` entry covering both
packages

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: mikeharder <9459391+mikeharder@users.noreply.github.com>
Co-authored-by: Mike Harder <mharder@microsoft.com>

Author: Copilot

.chronus/changes/update-js-yaml-dependency-2026-6-24-18-17-42.md

@@ -0,0 +1,8 @@
+---
+changeKind: dependencies
+packages:
+  - "@typespec/http-client-python"
+  - "@typespec/http-client-java"
+---
+
+Update `js-yaml` dependency to `^4.2.0`

packages/http-client-java/package-lock.json

@@ -65,7 +65,7 @@
   },
   "dependencies": {
     "@autorest/codemodel": "~4.20.1",
-    "js-yaml": "~4.2.0",
+    "js-yaml": "^4.2.0",
     "lodash": "~4.18.1"
   },
   "devDependencies": {

packages/http-client-java/package.json

@@ -95,7 +95,7 @@
     ]
   },
   "dependencies": {
-    "js-yaml": "~4.1.0",
+    "js-yaml": "^4.2.0",
     "marked": "^15.0.6",
     "pyodide": "0.26.2",
     "semver": "~7.6.2",