From 1aa065f6a9838441172653e58912d4f8a25949b5 Mon Sep 17 00:00:00 2001
From: anshumancanrock
Date: Fri, 1 May 2026 01:11:22 +0530
Subject: [PATCH] fix: update serialize-javascript to >=7.0.3 <8
---
 .changeset/fix-serialize-javascript-cve.md | 5 +++++
 package.json | 6 ++++--
 pnpm-lock.yaml | 21 ++++++++-------------
 3 files changed, 17 insertions(+), 15 deletions(-)
 create mode 100644 .changeset/fix-serialize-javascript-cve.md
diff --git a/.changeset/fix-serialize-javascript-cve.md b/.changeset/fix-serialize-javascript-cve.md
new file mode 100644
index 00000000..224eef2b
--- /dev/null
+++ b/.changeset/fix-serialize-javascript-cve.md
@@ -0,0 +1,5 @@
+---
+"nostream": patch
+---
+
+Security: override serialize-javascript to >=7.0.3 (CVE RCE, GHSA-5c6j-r48x-rmvq)
diff --git a/package.json b/package.json
index e062e8b0..83f03c9e 100644
--- a/package.json
+++ b/package.json
@@ -175,7 +175,9 @@
 "optionalDependencies": {
 "lzma-native": "^8.0.6"
 },
- "overrides": {
- "axios@<0.31.0": ">=0.31.0"
+ "pnpm": {
+ "overrides": {
+ "serialize-javascript": ">=7.0.3 <8"
+ }
 }
 }
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index 042562e8..116dfc9d 100644
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -4,6 +4,9 @@ settings: autoInstallPeers: true excludeLinksFromLockfile: false +overrides: + serialize-javascript: '>=7.0.3 <8' + importers: .:
@@ -2659,9 +2662,6 @@ packages: ramda@0.28.0: resolution: {integrity: sha512-9QnLuG/kPVgWvMQ4aODhsBUFKOUmnbUnsSXACv+NCQZcHbeb+v8Lodp8OVxtRULN1/xOyYLLaL6npE6dMq5QTA==} - randombytes@2.1.0: - resolution: {integrity: sha512-vYl3iOX+4CKUWuxGi9Ukhie6fsqXqS9FE2Zaic4tNFD2N2QQaXOMFbuKK4QmDHC0JO6B1Zp41J0LpT0oR68amQ==} - range-parser@1.2.1: resolution: {integrity: sha512-Hrgsx+orqoygnmhFbKaHE6c296J+HTAQXoxEF6gNupROmmGJRoyzfG3ccAveqCBrwr/2yxQ5BVd/GTl5agOwSg==} engines: {node: '>= 0.6'}
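Review bot: In the package.json hunk, the existing `"axios@<0.31.0": ">=0.31.0"` entry is deleted when the top-level `overrides` block is replaced by `pnpm.overrides`, and neither the subject line nor the changeset mentions that removal. The lockfile only gains an `overrides:` section in this same commit, which suggests pnpm was not applying the old top-level block and the axios floor was probably never enforced; if it is still wanted, carry it across as a second key under `pnpm.overrides`, `"axios@<0.31.0": ">=0.31.0"`, rather than dropping it silently. Separately, the resolved serialize-javascript 7.0.5 declares `engines: {node: '>=20.0.0'}` in the lockfile, so the project's supported Node versions and CI matrix should be confirmed against that before merging.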
@@ -2848,8 +2848,9 @@ packages: resolution: {integrity: sha512-VMbMxbDeehAxpOtWJXlcUS5E8iXh6QmN+BkRX1GARS3wRaXEEgzCcB10gTQazO42tpNIya8xIyNx8fll1OFPrg==} engines: {node: '>= 0.8.0'} - serialize-javascript@6.0.2: - resolution: {integrity: sha512-Saa1xPByTTq2gdeFZYLLo+RFE35NHZkAbqZeWNd3BpzppeVisAqpDjcp8dyf6uIvEqJRd46jemmyA4iFIeVk8g==} + serialize-javascript@7.0.5: + resolution: {integrity: sha512-F4LcB0UqUl1zErq+1nYEEzSHJnIwb3AF2XWB94b+afhrekOUijwooAYqFyRbjYkm2PAKBabx6oYv/xDxNi8IBw==} + engines: {node: '>=20.0.0'} serve-static@1.16.3: resolution: {integrity: sha512-x0RTqQel6g5SY7Lg6ZreMmsOzncHFU7nhnRWkKgWuMTu5NN0DR5oruckMqRvacAN9d5w6ARnRBXl9xhDCgfMeA==} @@ -5687,7 +5688,7 @@ snapshots: minimatch: 9.0.9 ms: 2.1.3 picocolors: 1.1.1 - serialize-javascript: 6.0.2 + serialize-javascript: 7.0.5 strip-json-comments: 3.1.1 supports-color: 8.1.1 workerpool: 9.3.4 @@ -6150,10 +6151,6 @@ snapshots: ramda@0.28.0: {} - randombytes@2.1.0: - dependencies: - safe-buffer: 5.2.1 - range-parser@1.2.1: {} raw-body@2.5.3: @@ -6343,9 +6340,7 @@ snapshots: transitivePeerDependencies: - supports-color - serialize-javascript@6.0.2: - dependencies: - randombytes: 2.1.0 + serialize-javascript@7.0.5: {} serve-static@1.16.3: dependencies: