[Release-4.19] OCPBUGS-83384: Fix CVE-2026-34043 in serialize-javascript by MrSanketkumar · Pull Request #395 · openshift/networking-console-plugin

MrSanketkumar · 2026-04-27T10:54:17Z

copy-webpack-plugin@14.0.0 requires Node.js ≥ 20.9.0, So override serialize-javascript to patched version

Summary by CodeRabbit

Chores
- Updated dependency resolution configuration to ensure consistent version convergence for a transitive package dependency. This change pins the specific transitive package version in project configuration.
- No changes to public APIs or runtime-visible features; end-user behavior remains unchanged.

coderabbitai · 2026-04-27T10:54:24Z

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 6f3ca5b9-9bf5-4aa4-862e-01a842a95904

📥 Commits

Reviewing files that changed from the base of the PR and between 986b0c8 and e002371.

⛔ Files ignored due to path filters (1)

package-lock.json is excluded by !**/package-lock.json

📒 Files selected for processing (1)

package.json

Walkthrough

Adds an overrides entry to package.json that pins serialize-javascript to ^7.0.5. No runtime/public API changes.

Changes

Dependency Overrides

Layer / File(s)	Summary
Manifest Update `package.json`	Introduces an `overrides` block with `"serialize-javascript": "^7.0.5"`.
Formatting / Context `package.json`	Change consists solely of dependency-resolution metadata; existing `resolutions`/other entries left intact.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

🚥 Pre-merge checks | ✅ 12

✅ Passed checks (12 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title directly references a specific CVE (CVE-2026-34043) and the package being fixed (serialize-javascript), clearly summarizing the main change in the changeset.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	This custom check for Ginkgo test name stability is not applicable. The PR modifies only package.json (CVE-2026-34043 fix). The repository uses Cypress, not Ginkgo, and no test files were modified.
Test Structure And Quality	✅ Passed	Not applicable - PR only modifies package.json for CVE-2026-34043 fix. This TypeScript/Node.js project has no Ginkgo tests (Go-based). No test files modified.
Microshift Test Compatibility	✅ Passed	PR only modifies package.json. This JS/TypeScript repo has no Go tests or Ginkgo e2e tests. The check applies only to new Ginkgo tests, which are absent here.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	No Ginkgo e2e tests are added in this PR. The repository is a TypeScript/Node.js project, not a Go project. The PR only updates package.json dependencies. The custom check is not applicable.
Topology-Aware Scheduling Compatibility	✅ Passed	PR only updates package.json dependency pin for CVE fix; no deployment manifests, operators, controllers, or scheduling constraints introduced. Check not applicable to dependency version changes.
Ote Binary Stdout Contract	✅ Passed	This is a React/TypeScript plugin project, not an OTE binary. The OTE Binary Stdout Contract check only applies to OTE binaries. The PR only modifies package.json dependencies. Not applicable.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	PR contains no Ginkgo e2e tests or Go test files. This is a TypeScript React plugin with only a package.json dependency management change (serialize-javascript override). Check is not applicable.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

Create PR with unit tests

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

openshift-ci-robot · 2026-04-27T10:54:24Z

@MrSanketkumar: This pull request references Jira Issue OCPBUGS-83384, which is invalid:

expected dependent Jira Issue OCPBUGS-83386 to be in one of the following states: VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA), but it is POST instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

MrSanketkumar · 2026-04-27T10:54:55Z

@coderabbitai review

coderabbitai · 2026-04-27T10:55:01Z

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

coderabbitai

🧹 Nitpick comments (1)

package.json (1)
123-124: Consider exact version pinning for this security fix.

The CVE-2026-34043 DoS vulnerability in serialize-javascript (versions < 7.0.5) is confirmed and affects CPU exhaustion when serializing specially crafted array-like objects. Version 7.0.5 is the correct patched version.

Using ^7.0.5 allows any 7.x version, but for security fixes it's safer to use exact version pinning ("7.0.5") to ensure only the verified patched version is used across all environments. This prevents unexpected behavior from untested patch versions.
Recommended fix
   "sass/immutable": "4.3.8",
-  "serialize-javascript": "^7.0.5"
+  "serialize-javascript": "7.0.5"
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@package.json` around lines 123 - 124, Update the package.json dependency
entry for "serialize-javascript" to use exact version pinning instead of a caret
range: change the dependency key value from "^7.0.5" to "7.0.5" (remove the
leading ^) so the project is locked to the confirmed patched release; update any
lockfiles (e.g., package-lock.json / yarn.lock) by reinstalling dependencies to
ensure the exact version is reflected across environments.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In `@package.json`:
- Around line 123-124: Update the package.json dependency entry for
"serialize-javascript" to use exact version pinning instead of a caret range:
change the dependency key value from "^7.0.5" to "7.0.5" (remove the leading ^)
so the project is locked to the confirmed patched release; update any lockfiles
(e.g., package-lock.json / yarn.lock) by reinstalling dependencies to ensure the
exact version is reflected across environments.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: b73a135b-0c92-4d9e-bff1-b959f1b16b25

📥 Commits

Reviewing files that changed from the base of the PR and between dc82c3e and 986b0c8.

⛔ Files ignored due to path filters (1)

yarn.lock is excluded by !**/yarn.lock, !**/*.lock

📒 Files selected for processing (1)

package.json

MrSanketkumar · 2026-04-27T14:00:00Z

/hold Waiting for the NPM migration to complete.

MrSanketkumar · 2026-05-06T05:51:45Z

/jira refresh

openshift-ci-robot · 2026-05-06T05:51:52Z

@MrSanketkumar: This pull request references Jira Issue OCPBUGS-83384, which is valid. The bug has been moved to the POST state.

7 validation(s) were run on this bug

bug is open, matching expected state (open)
bug target version (4.19.z) matches configured target version for branch (4.19.z)
bug is in the state ASSIGNED, which is one of the valid states (NEW, ASSIGNED, POST)
release note text is set and does not match the template
dependent bug Jira Issue OCPBUGS-83386 is in the state Closed (Done), which is one of the valid states (VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA))
dependent Jira Issue OCPBUGS-83386 targets the "4.20.z" version, which is one of the valid target versions: 4.20.0, 4.20.z
bug has dependents

No GitHub users were found matching the public email listed for the QA contact in Jira (uyendava@redhat.com), skipping review request.

Details

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

MrSanketkumar · 2026-05-06T05:51:52Z

@coderabbitai review

coderabbitai · 2026-05-06T05:51:58Z

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

MrSanketkumar · 2026-05-06T05:52:03Z

/unhold

openshift-ci-robot · 2026-05-06T05:54:23Z

@MrSanketkumar: This pull request references Jira Issue OCPBUGS-83384, which is valid.

7 validation(s) were run on this bug

bug is open, matching expected state (open)
bug target version (4.19.z) matches configured target version for branch (4.19.z)
bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)
release note text is set and does not match the template
dependent bug Jira Issue OCPBUGS-83386 is in the state Closed (Done), which is one of the valid states (VERIFIED, RELEASE PENDING, CLOSED (ERRATA), CLOSED (CURRENT RELEASE), CLOSED (DONE), CLOSED (DONE-ERRATA))
dependent Jira Issue OCPBUGS-83386 targets the "4.20.z" version, which is one of the valid target versions: 4.20.0, 4.20.z
bug has dependents

No GitHub users were found matching the public email listed for the QA contact in Jira (uyendava@redhat.com), skipping review request.

Details

In response to this:

Summary by CodeRabbit

Chores

Updated dependency resolution configuration to ensure consistent version convergence for a transitive package dependency. This change pins the specific transitive package version in project configuration.

No changes to public APIs or runtime-visible features; end-user behavior remains unchanged.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

openshift-ci · 2026-05-06T07:43:38Z

@MrSanketkumar: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

pcbailey · 2026-05-06T12:56:38Z

/lgtm

upalatucci

/approve

openshift-ci · 2026-05-06T14:39:33Z

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: MrSanketkumar, upalatucci

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

~~OWNERS~~ [upalatucci]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

openshift-ci-robot · 2026-05-06T14:45:29Z

@MrSanketkumar: Jira Issue OCPBUGS-83384: All pull requests linked via external trackers have merged:

openshift/networking-console-plugin#395

Jira Issue OCPBUGS-83384 has been moved to the MODIFIED state.

Details

In response to this:

copy-webpack-plugin@14.0.0 requires Node.js ≥ 20.9.0, So override serialize-javascript to patched version

Summary by CodeRabbit

Chores

Updated dependency resolution configuration to ensure consistent version convergence for a transitive package dependency. This change pins the specific transitive package version in project configuration.

No changes to public APIs or runtime-visible features; end-user behavior remains unchanged.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

openshift-ci-robot added jira/severity-moderate Referenced Jira bug's severity is moderate for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. labels Apr 27, 2026

openshift-ci-robot added the jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. label Apr 27, 2026

openshift-ci Bot requested review from metalice and vojtechszocs April 27, 2026 10:54

coderabbitai Bot reviewed Apr 27, 2026

View reviewed changes

openshift-ci Bot added do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. labels Apr 27, 2026

OCPBUGS-83384: Fix CVE-2026-34043 in serialize-javascript

e002371

MrSanketkumar force-pushed the CVE-2026-34043-4.19-serialize-js branch from 986b0c8 to e002371 Compare May 6, 2026 05:51

openshift-ci Bot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label May 6, 2026

openshift-ci-robot added jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. and removed jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. labels May 6, 2026

openshift-ci Bot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label May 6, 2026

openshift-ci Bot assigned pcbailey May 6, 2026

openshift-ci Bot added the lgtm Indicates that a PR is ready to be merged. label May 6, 2026

upalatucci reviewed May 6, 2026

View reviewed changes

openshift-ci Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label May 6, 2026

openshift-merge-bot Bot merged commit ccbe710 into openshift:release-4.19 May 6, 2026
5 checks passed

Conversation

MrSanketkumar commented Apr 27, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Summary by CodeRabbit

Uh oh!

coderabbitai Bot commented Apr 27, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Walkthrough

Changes

Estimated code review effort

Uh oh!

openshift-ci-robot commented Apr 27, 2026

Uh oh!

MrSanketkumar commented Apr 27, 2026

Uh oh!

coderabbitai Bot commented Apr 27, 2026

Uh oh!

coderabbitai Bot left a comment

Choose a reason for hiding this comment

Uh oh!

MrSanketkumar commented Apr 27, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

MrSanketkumar commented May 6, 2026

Uh oh!

openshift-ci-robot commented May 6, 2026

Uh oh!

MrSanketkumar commented May 6, 2026

Uh oh!

coderabbitai Bot commented May 6, 2026

Uh oh!

MrSanketkumar commented May 6, 2026

Uh oh!

openshift-ci-robot commented May 6, 2026

Summary by CodeRabbit

Uh oh!

openshift-ci Bot commented May 6, 2026

Uh oh!

pcbailey commented May 6, 2026

Uh oh!

upalatucci left a comment

Choose a reason for hiding this comment

Uh oh!

openshift-ci Bot commented May 6, 2026

Uh oh!

Uh oh!

openshift-ci-robot commented May 6, 2026

Summary by CodeRabbit

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

MrSanketkumar commented Apr 27, 2026 •

edited

Loading

coderabbitai Bot commented Apr 27, 2026 •

edited

Loading

MrSanketkumar commented Apr 27, 2026 •

edited

Loading