fix: update serialize-javascript to >=7.0.3 #592
Anshumancanrock wants to merge 1 commit into cameri:main from
Conversation
🦋 Changeset detected. Latest commit: 1aa065f. The changes in this PR will be included in the next version bump. This PR includes changesets to release 1 package.
Pull request overview
This PR mitigates a high-severity RCE vulnerability in the transitive devDependency serialize-javascript by forcing pnpm to resolve it to a patched version across the workspace.
Changes:
- Added a pnpm workspace override for `serialize-javascript` to require `>=7.0.3`.
- Regenerated `pnpm-lock.yaml` to reflect resolution to `serialize-javascript@7.0.5` and removal of no-longer-needed transitive deps.
- Added a Changeset marking a patch release for the security-related dependency resolution change.
Reviewed changes
Copilot reviewed 2 out of 3 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| package.json | Introduces pnpm override configuration to force patched serialize-javascript. |
| pnpm-lock.yaml | Captures the override in the lockfile and updates the resolved dependency graph (now serialize-javascript@7.0.5). |
| .changeset/fix-serialize-javascript-cve.md | Adds a patch changeset documenting the security fix. |
Files not reviewed (1)
- pnpm-lock.yaml: Language not supported
| "axios@<0.31.0": ">=0.31.0" | ||
| }, | ||
| "pnpm": { | ||
| "overrides": { | ||
| "serialize-javascript": ">=7.0.3" | ||
| } |
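Review bot: the new `pnpm.overrides` block lands beside the existing top-level `overrides` (which still holds the `"axios@<0.31.0": ">=0.31.0"` pin), so package.json now carries two override mechanisms, and as the thread notes pnpm honours only `pnpm.overrides`; move the axios entry under `pnpm.overrides` or drop the top-level field so there is one source of truth. Separately, `">=7.0.3"` has no upper bound, so a future `serialize-javascript@8` would satisfy the override and be pulled in on the next lockfile refresh; `">=7.0.3 <8"` keeps the fix without that exposure.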
@Anshumancanrock Good point, can we consolidate this with the top overrides field?
Hi @cameri, actually the top-level overrides field is npm syntax; pnpm v10 ignores it entirely, so consolidating there wouldn't actually do anything. I went ahead and removed that legacy field entirely and kept only pnpm.overrides, so there's a single place now.
| }, | ||
| "pnpm": { | ||
| "overrides": { | ||
| "serialize-javascript": ">=7.0.3" |
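Review bot: since `pnpm-lock.yaml` is listed above as not reviewed, the lockfile is the only evidence that this override took effect; add the output of `pnpm why serialize-javascript` to the "How Has This Been Tested?" section showing a single 7.x resolution under mocha and no remaining 6.x entry, so reviewers can confirm the range actually matched rather than leaving the old version in place.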
@Anshumancanrock Good point, I think we should add the <8
Makes sense, updated: pinned to `>=7.0.3 <8`.
6db254a to 65ff30b
65ff30b to 1aa065f
Description
This PR adds a `pnpm.overrides` entry to force `serialize-javascript` to `>=7.0.3`, resolving a high-severity RCE vulnerability (GHSA-5c6j-r48x-rmvq, CVSS 8.1). The package isn't a direct dependency — it's pulled in transitively via `mocha → serialize-javascript@^6.0.2`. Since mocha upstream hasn't bumped this yet, the only correct fix is overriding the resolution at the workspace level using pnpm's native override mechanism.
Related Issue
Closes #521
Motivation and Context
`serialize-javascript <=7.0.2` allows code injection through spoofed `RegExp.flags` and `Date.toISOString()` properties. When the serialized output is `eval`'d, the injected code executes. Mocha uses this package in its parallel worker pool (`buffered-worker-pool.js`) to serialize test options between the main process and worker threads.
While this is a devDependency and not reachable at relay runtime, it still poses a risk in CI environments and developer machines. Patching it is the right call.
How Has This Been Tested?
Manual PoC verification: Ran the CVE proof-of-concept against both versions:
- `serialize-javascript@6.0.2` → injection succeeds silently
- `serialize-javascript@7.0.5` (installed after override) → throws `"RegExp.prototype.source getter called on non-RegExp object"`, injection neutralized
Screenshots (if appropriate):
N/A
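As an added example (not code from this PR or the repository), a small Node script that audits package.json and pnpm-lock.yaml for the override discussed in the description: it flags an npm-style top-level `overrides` field, an unbounded `pnpm.overrides` range, and any lockfile entry still below 7.0.3. The sample package.json object and lockfile text are constructed, and the helper names are hypothetical.

```javascript
// Added example, not the PR's code. package.json and lockfile contents below are
// constructed samples, not the repository's real files.
const FLOOR = "7.0.3"; // first patched release named in the PR description

// Minimal major.minor.patch comparison so the script needs no dependencies.
function cmpVersions(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) if (pa[i] !== pb[i]) return pa[i] - pb[i];
  return 0;
}

// Every concrete serialize-javascript version a pnpm lockfile resolves to;
// package entries look like "serialize-javascript@6.0.2:" in the lockfile.
function resolvedVersions(lockText) {
  const found = new Set();
  for (const m of lockText.matchAll(/serialize-javascript@(\d+\.\d+\.\d+)/g)) found.add(m[1]);
  return [...found].sort(cmpVersions);
}

// Versions still below the patched floor, i.e. the override did not take effect.
function auditLockfile(lockText) {
  return resolvedVersions(lockText).filter((v) => cmpVersions(v, FLOOR) < 0);
}

// package.json checks: the override must live under pnpm.overrides (per the PR
// thread, pnpm ignores the npm-style top-level field) and should be capped below
// the next major. Assumes the override key is the bare package name.
function auditPackageJson(pkg) {
  const issues = [];
  if (pkg.overrides) issues.push("top-level 'overrides' is npm syntax; pnpm does not apply it");
  const range = pkg.pnpm && pkg.pnpm.overrides && pkg.pnpm.overrides["serialize-javascript"];
  if (!range) return issues.concat("no pnpm.overrides entry for serialize-javascript");
  const m = /^>=(\d+\.\d+\.\d+)(?:\s+<(\d+(?:\.\d+)*))?$/.exec(range.trim());
  if (!m || cmpVersions(m[1], FLOOR) < 0) issues.push(`override '${range}' does not require >=${FLOOR}`);
  else if (!m[2]) issues.push(`override '${range}' has no upper bound; prefer '>=${FLOOR} <8'`);
  return issues;
}

// Constructed "before" state: npm-style axios pin next to an open-ended pnpm
// override, and a lockfile in which mocha still resolves 6.0.2.
const samplePkg = { overrides: { "axios@<0.31.0": ">=0.31.0" },
                    pnpm: { overrides: { "serialize-javascript": ">=7.0.3" } } };
const sampleLock = `packages:
  serialize-javascript@6.0.2:
    resolution: {integrity: sha512-CONSTRUCTED}
snapshots:
  mocha@10.8.2:
    dependencies:
      serialize-javascript: 6.0.2
`;
console.log(auditPackageJson(samplePkg), auditLockfile(sampleLock));
```

Run it against a real checkout by replacing the two samples with `JSON.parse(fs.readFileSync("package.json"))` and `fs.readFileSync("pnpm-lock.yaml", "utf8")`; an empty result from both audits is the expected post-merge state.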