fix(terser): update serialize-javascript to ^7.0.5 to fix security vulnerabilities #1990

@williamquintas

Description

Rollup Plugin Name: terser

This PR contains:

  • bugfix
  • feature
  • refactor
  • documentation
  • other

Are tests included?

  • yes (bugfixes and features will not be merged without tests)
  • no (dependency update only)

Breaking Changes?

  • yes (breaking changes will not be merged unless absolutely necessary)
  • no

If yes, then include "BREAKING CHANGES:" in the first commit message body, followed by a description of what is breaking.

List any relevant issue numbers:

Description

This PR updates the serialize-javascript dependency from ^7.0.3 to ^7.0.5 to fix two security vulnerabilities:

  1. GHSA-5c6j-r48x-rmvq (High severity): Serialize JavaScript is Vulnerable to RCE via RegExp.flags and Date.prototype.toISOString()

    • Patched in: 7.0.3
  2. GHSA-qj8w-gfj5-8c6v (Moderate severity): Serialize JavaScript has CPU Exhaustion Denial of Service via crafted array-like objects

    • Patched in: 7.0.5

Impact on Downstream Libraries

This vulnerability affects multiple downstream libraries in the dependency chain:

serialize-javascript (vulnerable)
    ↓
@rollup/plugin-terser (uses serialize-javascript)
    ↓
workbox-build (uses @rollup/plugin-terser)
    ↓
vite-plugin-pwa (uses workbox-build)

  • workbox-build: Uses @rollup/plugin-terser@^0.4.3 which depends on serialize-javascript@^6.0.1
  • vite-plugin-pwa: Uses workbox-build which pulls in the vulnerable chain

Reference: GoogleChrome/workbox#3470

Fix

Update packages/terser/package.json:

  • Change: "serialize-javascript": "^7.0.3" → "serialize-javascript": "^7.0.5"
