Skip to content

fix(deps): bump serialize-javascript to 7.0.5 (high-severity RCE/DoS)#124

Merged
anoncam merged 1 commit into
mainfrom
fix/deps-serialize-javascript
Jun 2, 2026
Merged

fix(deps): bump serialize-javascript to 7.0.5 (high-severity RCE/DoS)#124
anoncam merged 1 commit into
mainfrom
fix/deps-serialize-javascript

Conversation

@anoncam

@anoncam anoncam commented Jun 2, 2026

Copy link
Copy Markdown
Owner

Summary

Forces serialize-javascript to 7.0.5 via an overrides entry, resolving:

  • CVE-2026-34043 (7.5) — RCE via RegExp.flags / Date.prototype.toISOString()
  • sonatype-2026-000632 (8.1) — CPU-exhaustion DoS via crafted array-like objects

Target version confirmed by Sonatype (trust score 98, no remaining vulns).

Why an override

serialize-javascript is pulled only by mocha@^6.0.2 (devDependency), which pins the ^6 major. A plain npm update can't cross to 7.x, so an overrides entry is required to force the patched major.

Risk assessment

Low. serialize-javascript is used by mocha solely to serialize data across parallel test workers. This project's test script (mocha test/**/*.test.js) runs serially — no --parallel flag — so the package is never invoked at runtime. The override only improves the dependency tree's security posture.

Verification

  • npm run build ✅ passes
  • npm test: no regression — failures are confined to the pre-existing flaky friend-encryption / PGP suites (verified identical on main across multiple runs; which ones fail varies due to key-generation entropy).

Note

Touches the same overrides block as #123 (undici). Whichever merges second will need a trivial rebase to combine the two override keys.

Resolves high-severity RCE (CVE-2026-34043) and CPU-exhaustion DoS.
Forced via overrides because mocha pins ^6.0.2. Rebased onto main to
combine with the existing undici override.
@anoncam anoncam force-pushed the fix/deps-serialize-javascript branch from fed25de to 85c1801 Compare June 2, 2026 15:45
@anoncam anoncam merged commit f23e07c into main Jun 2, 2026
2 checks passed
@anoncam anoncam deleted the fix/deps-serialize-javascript branch June 2, 2026 15:45
github-actions Bot added a commit that referenced this pull request Jun 2, 2026
Version bump type: patch
PR: #124
Title: fix(deps): bump serialize-javascript to 7.0.5 (high-severity RCE/DoS)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant