Skip to content

[agent] chore(deps): override serialize-javascript to ^7.0.5#761

Draft
github-actions[bot] wants to merge 1 commit into
mainfrom
fix/dependabot-264-serialize-javascript-f4007aec62188fc1
Draft

[agent] chore(deps): override serialize-javascript to ^7.0.5#761
github-actions[bot] wants to merge 1 commit into
mainfrom
fix/dependabot-264-serialize-javascript-f4007aec62188fc1

Conversation

@github-actions

Copy link
Copy Markdown
Contributor

Summary

Adds an npm overrides entry in the root package.json to force serialize-javascript to ^7.0.5, fixing a CPU exhaustion Denial-of-Service vulnerability.

Vulnerability

GHSA-qj8w-gfj5-8c6v / CVE-2026-34043serialize-javascript CPU Exhaustion DoS via crafted array-like objects (CVSS 5.9 Medium)

Affected range: >= 5.0.0, < 7.0.5
Fixed in: 7.0.5

The vulnerability allows an attacker to cause 100% CPU utilization by passing a specially crafted array-like object (with an overridden length property) to the serialize() function, leading to an indefinite hang.

Why overrides?

Two direct devDependencies pull in vulnerable transitive versions of serialize-javascript:

Direct dep Pinned serialize-javascript Status
mocha@8.4.0 5.0.1 (exact) mocha 8.x and even 11.x still declare ^6.0.2; no release uses ^7.0.5 yet
terser-webpack-plugin@5.3.8 ^6.0.1 Latest 5.6.0 still uses ^6.0.2; no release uses ^7.0.5 yet

Since neither upstream maintainer has shipped a patched release within their supported version range, an npm overrides entry is the correct fallback per security policy.

Changes

  • package.json: adds "overrides": { "serialize-javascript": "^7.0.5" }
  • package-lock.json: updated — both the top-level node_modules/serialize-javascript and the nested node_modules/terser-webpack-plugin/node_modules/serialize-javascript now resolve to 7.0.5; the nested copy is deduped to the top-level one.

Alerts addressed

Generated by Dependabot remediation agent · ● 1.8M ·

Fixes CVE-2026-34043 / GHSA-qj8w-gfj5-8c6v - CPU exhaustion DoS
via crafted array-like objects in serialize-javascript.

Adds an npm override to force serialize-javascript >= 7.0.5 across
all transitive dependents (mocha and terser-webpack-plugin).
Neither mocha@8 nor terser-webpack-plugin@5 have shipped a release
that uses serialize-javascript >= 7.0.5, so the override is the
correct remediation path.

Dependabot alert: #264

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants