
Bump serialize-javascript to 7.0.5 to fix GHSA-5c6j-r48x-rmvq #1620

Merged
chagong merged 2 commits into main from fix/bump-serialize-javascript on Apr 8, 2026

Conversation


@chagong chagong commented Apr 7, 2026

Summary

Bumps serialize-javascript from 6.0.2 to 7.0.5 (via npm override) to address GHSA-5c6j-r48x-rmvq, a high-severity RCE vulnerability through unescaped RegExp.flags and Date.prototype.toISOString().

Changes

  • Added overrides section in package.json to pin serialize-javascript to exactly 7.0.5
  • Regenerated package-lock.json


chagong commented Apr 7, 2026

@copilot bump up to 7.0.5 directly.


Copilot AI commented Apr 7, 2026

@copilot bump up to 7.0.5 directly.

Done — changed the override from ^7.0.3 to exactly 7.0.5 in package.json and regenerated package-lock.json (commit 4f2e884).

Copilot AI changed the title from "Bump serialize-javascript to ^7.0.3 to fix GHSA-5c6j-r48x-rmvq" to "Bump serialize-javascript to 7.0.5 to fix GHSA-5c6j-r48x-rmvq" on Apr 7, 2026
@chagong chagong merged commit 6153710 into main Apr 8, 2026
4 checks passed
@chagong chagong deleted the fix/bump-serialize-javascript branch April 8, 2026 02:12

3 participants