diff --git a/CHANGELOG.md b/CHANGELOG.md
index b3513578..979e0fd4 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -6,6 +6,11 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+## [3.14.1] - 2020-12-07
+### Security
+- Fix possible code execution in (already unsafe) `.load()` (in &anchor).
+
+
 ## [3.14.0] - 2020-05-22
 ### Changed
 - Support `safe/loadAll(input, options)` variant of call.
diff --git a/lib/js-yaml/loader.js b/lib/js-yaml/loader.js
index ef01386b..d7484a59 100644
--- a/lib/js-yaml/loader.js
+++ b/lib/js-yaml/loader.js
@@ -1272,7 +1272,7 @@ function readAlias(state) {
 alias = state.input.slice(_position, state.position);
- if (!state.anchorMap.hasOwnProperty(alias)) {
+ if (!_hasOwnProperty.call(state.anchorMap, alias)) {
 throwError(state, 'unidentified alias "' + alias + '"');
 }
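Review bot: The new `_hasOwnProperty.call(state.anchorMap, alias)` check in readAlias has no regression test in this diff and no comment saying why the indirect call is required, so a later cleanup could reintroduce a method call through the document-controlled map. I would add `// anchor names come from the document and can shadow Object.prototype members; never call methods on anchorMap` above the check, together with a test that loads a document whose anchor is named like an inherited method and asserts it is treated as plain data. If anchorMap is created as a plain `{}` (its initialisation is outside this hunk), switching it to `Object.create(null)` would also keep inherited keys such as `__proto__` out of every read and write of the map. readAlias starts and ends outside the hunk, so the other uses of anchorMap in the loader should be checked for the same pattern.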