Skip to content

security vulnerability in downstream dependency (serialize-javascript@6.0.2) #34456

Closed as not planned
Bug
Closed as not planned
security vulnerability in downstream dependency (serialize-javascript@6.0.2)#34456
Bug
Labels
nitroNitro server engine integrationpending triagepossible regression
@trimble

Description

@trimble
trimble
opened on Mar 6, 2026

Snyk reports a vulnerability down the dependency chain:

Arbitrary Code Injection [High Severity][https://security.snyk.io/vuln/SNYK-JS-SERIALIZEJAVASCRIPT-570062] in serialize-javascript@6.0.2
    introduced by nuxt@4.3.1 > @nuxt/nitro-server@4.3.1 > nitropack@2.13.1 > @rollup/plugin-terser@0.4.4 > serialize-javascript@6.0.2

serialize-javascript has been updated to 7.0.4: https://www.npmjs.com/package/serialize-javascript/v/7.0.4
@rollup/plugin-terser has been updated to 1.0.0: https://www.npmjs.com/package/@rollup/plugin-terser/v/1.0.0
nitropack has an open issue: nitrojs/nitro#4074

Metadata

Metadata

Assignees

No one assigned

    Labels

    nitroNitro server engine integrationpending triagepossible regression

    Type

    Bug

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions