From 85c18017f268c35df5898cc68f709eb84ece6211 Mon Sep 17 00:00:00 2001 From: Cameron Banowsky Date: Tue, 2 Jun 2026 08:45:21 -0700 Subject: [PATCH] fix(deps): bump serialize-javascript to 7.0.5 via overrides Resolves high-severity RCE (CVE-2026-34043) and CPU-exhaustion DoS. Forced via overrides because mocha pins ^6.0.2. Rebased onto main to combine with the existing undici override. --- package-lock.json | 45 +++++++-------------------------------------- package.json | 3 ++- 2 files changed, 9 insertions(+), 39 deletions(-) diff --git a/package-lock.json b/package-lock.json index c246691..7c5af3a 100644 --- a/package-lock.json +++ b/package-lock.json @@ -1,12 +1,12 @@ { "name": "dedpaste", - "version": "1.24.4", + "version": "1.24.6", "lockfileVersion": 3, "requires": true, "packages": { "": { "name": "dedpaste", - "version": "1.24.4", + "version": "1.24.6", "hasInstallScript": true, "license": "ISC", "dependencies": { @@ -7313,16 +7313,6 @@ ], "license": "MIT" }, - "node_modules/randombytes": { - "version": "2.1.0", - "resolved": "https://registry.npmjs.org/randombytes/-/randombytes-2.1.0.tgz", - "integrity": "sha512-vYl3iOX+4CKUWuxGi9Ukhie6fsqXqS9FE2Zaic4tNFD2N2QQaXOMFbuKK4QmDHC0JO6B1Zp41J0LpT0oR68amQ==", - "dev": true, - "license": "MIT", - "dependencies": { - "safe-buffer": "^5.1.0" - } - }, "node_modules/react": { "version": "19.1.1", "resolved": "https://registry.npmjs.org/react/-/react-19.1.1.tgz", @@ -7461,27 +7451,6 @@ "tslib": "^2.1.0" } }, - "node_modules/safe-buffer": { - "version": "5.2.1", - "resolved": "https://registry.npmjs.org/safe-buffer/-/safe-buffer-5.2.1.tgz", - "integrity": "sha512-rp3So07KcdmmKbGvgaNxQSJr7bGVSVk5S9Eq1F+ppbRo70+YeaDxkw5Dd8NPN+GD6bjnYm2VuPuCXmpuYvmCXQ==", - "dev": true, - "funding": [ - { - "type": "github", - "url": "https://github.com/sponsors/feross" - }, - { - "type": "patreon", - "url": "https://www.patreon.com/feross" - }, - { - "type": "consulting", - "url": "https://feross.org/support" - } - ], - "license": "MIT" - }, "node_modules/safer-buffer": { "version": "2.1.2", "resolved": "https://registry.npmjs.org/safer-buffer/-/safer-buffer-2.1.2.tgz", @@ -7508,13 +7477,13 @@ } }, "node_modules/serialize-javascript": { - "version": "6.0.2", - "resolved": "https://registry.npmjs.org/serialize-javascript/-/serialize-javascript-6.0.2.tgz", - "integrity": "sha512-Saa1xPByTTq2gdeFZYLLo+RFE35NHZkAbqZeWNd3BpzppeVisAqpDjcp8dyf6uIvEqJRd46jemmyA4iFIeVk8g==", + "version": "7.0.5", + "resolved": "https://registry.npmjs.org/serialize-javascript/-/serialize-javascript-7.0.5.tgz", + "integrity": "sha512-F4LcB0UqUl1zErq+1nYEEzSHJnIwb3AF2XWB94b+afhrekOUijwooAYqFyRbjYkm2PAKBabx6oYv/xDxNi8IBw==", "dev": true, "license": "BSD-3-Clause", - "dependencies": { - "randombytes": "^2.1.0" + "engines": { + "node": ">=20.0.0" } }, "node_modules/sharp": { diff --git a/package.json b/package.json index 2180863..831e78f 100644 --- a/package.json +++ b/package.json @@ -46,7 +46,8 @@ "node": ">=18" }, "overrides": { - "undici": "7.24.4" + "undici": "7.24.4", + "serialize-javascript": "7.0.5" }, "devDependencies": { "@cloudflare/workers-types": "^4.20250303.0",