
fix: upgrade @rollup/plugin-terser to fix serialize-javascript vulnerability#398

Merged

pkaeding merged 1 commit into main from devin/1780603975-fix-serialize-javascript-vuln on Jun 4, 2026

Conversation

@pkaeding
Contributor

@pkaeding pkaeding commented Jun 4, 2026

BEGIN_COMMIT_OVERRIDE
chore: upgrade @rollup/plugin-terser to fix serialize-javascript vulnerability
END_COMMIT_OVERRIDE

Requirements

  • I have added test coverage for new or changed functionality
  • I have followed the repository's pull request submission guidelines
  • I have validated my changes against all supported platform versions

Related issues

Remediates high-severity Dependabot alerts for serialize-javascript:

Describe the solution you've provided

Upgrades @rollup/plugin-terser from ^0.4.3 to ^1.0.0. The new version depends on serialize-javascript@^7.0.3, which resolves to 7.0.5 (the patched version). The plugin's peer dependency on rollup (^2.0.0||^3.0.0||^4.0.0) is unchanged, so no other changes are needed.

Build and all 93 tests pass with the upgrade.

Describe alternatives you've considered

An npm overrides field to force serialize-javascript@7.0.5 under the old terser version, but a clean major bump is simpler and better maintained.

Additional context

This is a devDependency-only change — no runtime code is affected.

Link to Devin session: https://app.devin.ai/sessions/f782088a3883446e8bb7b049e5631747
Requested by: @pkaeding
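An added check, not part of this PR or the project's own code, for confirming that the remediation described above actually landed: it walks an npm lockfile's `packages` map and reports every install of serialize-javascript still below the patched 7.0.5, including nested copies that an `overrides` pin would also have to cover. The lockfile excerpts and the `findVulnerableInstalls` helper are constructed for illustration; the function generalizes to any package name and patched version.

```javascript
// Added example for PR #398; not the project's code. Audits an npm v2/v3
// lockfile ("packages" map) for installs of a package below a patched version.

function parseVersion(v) {
  // Drop prerelease/build tags and compare major.minor.patch numerically.
  const [core] = v.split(/[-+]/);
  return core.split('.').map(Number);
}

function isBelow(installed, patched) {
  const a = parseVersion(installed), b = parseVersion(patched);
  for (let i = 0; i < 3; i++) {
    if ((a[i] || 0) !== (b[i] || 0)) return (a[i] || 0) < (b[i] || 0);
  }
  return false; // equal versions are not below
}

// Returns [{ path, version }] for each install of `name` older than `patched`.
// Top-level installs live at "node_modules/<name>"; nested (deduped-away)
// copies live at ".../node_modules/<name>" and must be checked too.
function findVulnerableInstalls(lock, name, patched) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const isTarget = path === `node_modules/${name}` || path.endsWith(`/node_modules/${name}`);
    if (isTarget && isBelow(meta.version, patched)) hits.push({ path, version: meta.version });
  }
  return hits;
}

// Constructed lockfile excerpts: before and after the plugin bump in this PR.
const beforeLock = {
  packages: {
    'node_modules/@rollup/plugin-terser': { version: '0.4.4', dev: true },
    'node_modules/serialize-javascript': { version: '6.0.2', dev: true },
    // a hypothetical second plugin carrying its own nested copy
    'node_modules/other-plugin/node_modules/serialize-javascript': { version: '6.0.1', dev: true },
  },
};
const afterLock = {
  packages: {
    'node_modules/@rollup/plugin-terser': { version: '1.0.0', dev: true },
    'node_modules/serialize-javascript': { version: '7.0.5', dev: true },
  },
};

console.log('before bump:', findVulnerableInstalls(beforeLock, 'serialize-javascript', '7.0.5'));
console.log('after bump: ', findVulnerableInstalls(afterLock, 'serialize-javascript', '7.0.5'));
```

To run it against a real repository, replace the constructed objects with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))`.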

…ability

Upgrade @rollup/plugin-terser from ^0.4.3 to ^1.0.0 to resolve high-severity
vulnerabilities in serialize-javascript (GHSA-5c6j-r48x-rmvq, GHSA-qj8w-gfj5-8c6v).

Co-Authored-By: Patrick Kaeding <patrick@kaeding.name>
@devin-ai-integration
Contributor

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
  • Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

  • Disable automatic comment, CI, and merge conflict monitoring

@pkaeding pkaeding marked this pull request as ready for review June 4, 2026 20:19
@pkaeding pkaeding requested a review from a team as a code owner June 4, 2026 20:19
@pkaeding pkaeding merged commit b5a4c27 into main Jun 4, 2026
7 checks passed
@pkaeding pkaeding deleted the devin/1780603975-fix-serialize-javascript-vuln branch June 4, 2026 21:28