Bump serialize-javascript to 7.0.5 to fix GHSA-5c6j-r48x-rmvq #1620

Open
chagong wants to merge 2 commits into main from fix/bump-serialize-javascript

chagong commented Apr 7, 2026

Summary

Bumps serialize-javascript from 6.0.2 to 7.0.5 (via npm override) to address GHSA-5c6j-r48x-rmvq — a high severity RCE vulnerability through unescaped RegExp.flags and Date.prototype.toISOString().

Changes

  • Added overrides section in package.json to pin serialize-javascript to exactly 7.0.5
  • Regenerated package-lock.json

chagong commented Apr 7, 2026

@copilot bump up to 7.0.5 directly.

Copilot AI commented Apr 7, 2026

@copilot bump up to 7.0.5 directly.

Done — changed the override from ^7.0.3 to exactly 7.0.5 in package.json and regenerated package-lock.json (commit 4f2e884).

Copilot AI changed the title from "Bump serialize-javascript to ^7.0.3 to fix GHSA-5c6j-r48x-rmvq" to "Bump serialize-javascript to 7.0.5 to fix GHSA-5c6j-r48x-rmvq" on Apr 7, 2026
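
A check a reviewer could run on this kind of change, added here as an example and not part of the PR or the project's code: it confirms that every copy of the package recorded in package-lock.json matches the exact version pinned under overrides in package.json. The manifest and lockfile contents, the project name example-app, the dependency some-bundler-plugin and the function names are all constructed or hypothetical.

```javascript
// Added example: audit a lockfile against an exact npm "overrides" pin.
// Constructed package.json fragment matching the change described in the PR.
const samplePackageJson = {
  name: "example-app", // hypothetical project name
  overrides: { "serialize-javascript": "7.0.5" },
};

// Constructed lockfile (lockfileVersion 3: flat "packages" map keyed by install path).
const staleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app" },
    "node_modules/serialize-javascript": { version: "7.0.5" },
    // Nested copy left behind because the lockfile was not regenerated.
    "node_modules/some-bundler-plugin/node_modules/serialize-javascript": { version: "6.0.2" },
    // Different package with a similar name; must not be matched.
    "node_modules/serialize-javascript-extra": { version: "1.0.0" },
  },
};

// The package name of a lockfile key is the text after the last "node_modules/".
function packageNameFromPath(path) {
  const marker = "node_modules/";
  const i = path.lastIndexOf(marker);
  return i === -1 ? null : path.slice(i + marker.length);
}

// Return every installed copy of `name` whose version differs from the pin.
// Throws if the override is missing or is a range such as "^7.0.3".
function findOverrideViolations(pkgJson, lock, name) {
  const pin = pkgJson.overrides && pkgJson.overrides[name];
  if (typeof pin !== "string" || !/^\d+\.\d+\.\d+$/.test(pin)) {
    throw new Error(`no exact-version override for ${name}`);
  }
  if (!lock.packages) throw new Error("lockfile has no packages map");
  const violations = [];
  for (const [path, entry] of Object.entries(lock.packages)) {
    if (packageNameFromPath(path) !== name) continue;
    if (entry.version !== pin) {
      violations.push({ path, found: entry.version, expected: pin });
    }
  }
  return violations;
}
```

To audit a real project, pass the parsed contents of its package.json and package-lock.json in place of the sample objects.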