
[APS-18800] fix(security): pin serialize-javascript via overrides + lockfile v1#1103

Merged
karanshah-browserstack merged 1 commit into master from security/fix-serialize-javascript-rce-aps-18800-v2 on May 15, 2026

Conversation

Collaborator

@karanshah-browserstack karanshah-browserstack commented May 14, 2026

Security Fix: APS-18800 (v2)

Context

This re-applies the security fix from #1096, which was reverted in #1101 because regenerating package-lock.json on npm 10 / Node 20 bumped lockfileVersion from 1 -> 3. npm 6 (ships with Node 14) cannot parse v3 lockfiles, breaking installs for Node 14 users.

Issue

serialize-javascript versions <= 7.0.4 are vulnerable to:

  • GHSA-5c6j-r48x-rmvq -- Remote Code Execution via RegExp.flags and Date.prototype.toISOString() -- CVSS 8.1 (High)
  • GHSA-qj8w-gfj5-8c6v -- CPU Exhaustion DoS via crafted array-like objects -- CVSS 5.9 (Moderate)

Both come through the transitive chain: mocha@10.8.2 -> serialize-javascript@6.0.2.

serialize-javascript is not used in CLI runtime code -- only inside mocha's parallel worker pool (buffered-worker-pool.js, worker.js), invoked when running npm test. Production CLI users are not exposed, but the dev/CI surface is still flagged by npm audit.

Fix

Three small changes that together prevent the regression that killed #1096:

  1. .npmrc -- added lockfile-version=1. Any contributor running npm install (on any npm version) will now write a v1 lockfile, so the lockfile cannot drift to v3 again.
  2. package.json -- added overrides to pin serialize-javascript to >=7.0.5. npm 8.3+ honors this at install-resolution time.
  3. package-lock.json -- regenerated. The override is baked into the v1 lockfile as a pinned version in the dependency tree. Node 14 / npm 6 consumers don't need to understand overrides -- they just install the pinned version.

Why this is more robust than #1096

#1096 relied on the developer running npm install under the right npm version. Anyone on npm 7+ would silently regenerate the lockfile to v3 -- which is exactly what caused the revert. With lockfile-version=1 in .npmrc, the constraint is enforced for every contributor and every CI run, no convention required.

Verification

  • head -5 package-lock.json -> "lockfileVersion": 1
  • npm ls serialize-javascript -> serialize-javascript@7.0.5 overridden
  • npm audit -> found 0 vulnerabilities
  • npm test -> 678 passing / 13 failing / 2 pending. The 13 failures are pre-existing on master and unrelated to this change.

Files Changed

  • .npmrc -- 1 line added
  • package.json -- 3 lines added (overrides block)
  • package-lock.json -- regenerated, stays at lockfileVersion 1

Jira Ticket

APS-18800

Checklist

  • Both CVEs addressed (GHSA-5c6j-r48x-rmvq, GHSA-qj8w-gfj5-8c6v)
  • serialize-javascript@7.0.5 resolved via npm overrides
  • package-lock.json stays at lockfileVersion 1 (Node 14 compatible)
  • .npmrc enforces v1 lockfile for all future installs
  • npm audit -> 0 vulnerabilities
  • No regression in test suite vs master baseline
  • No production runtime change (mocha is test-only)

🤖 Generated with Claude Code

…APS-18800]

Re-applies the serialize-javascript RCE fix from #1096 (reverted in #1101)
without breaking Node 14 / npm 6 compatibility.

#1096 added "overrides" but regenerating package-lock.json on npm 10
bumped lockfileVersion 1 -> 3, which npm 6 cannot parse. Pinning
lockfile-version=1 in .npmrc enforces v1 regardless of contributor's
npm version, so the regression cannot recur.

- .npmrc: lockfile-version=1
- package.json: overrides.serialize-javascript >=7.0.5
- package-lock.json: regenerated under npm 10, stays at v1, contains
  serialize-javascript@7.0.5 pinned in the resolution tree

Verified: npm ls shows 7.0.5 overridden, npm audit clean, test suite
unchanged (678 passing / 13 pre-existing failures / 2 pending).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
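The PR description above gives the two conditions a correct lockfile must satisfy after this change: `lockfileVersion` stays at 1 (so npm 6 / Node 14 can still parse it) and the transitive `serialize-javascript` resolves to at least 7.0.5. The script below is an added example, not code from the PR or from the project, that turns those two conditions into a CI guard against exactly the drift that caused the #1101 revert. It assumes the v1 lockfile layout (a top-level `"dependencies"` map with per-package `"version"` fields); the sample lockfiles it writes, the package name `example-cli` and the `write_sample_lockfile` helper are constructed for the demo, while the 7.0.5 floor, the `mocha@10.8.2` chain and the two GHSA ids come from the PR text.

```shell
#!/bin/sh
# Added example, not code from the PR or the project: a CI guard for the two
# regressions the PR description names -- package-lock.json drifting away from
# lockfileVersion 1 (unreadable by npm 6 / Node 14) and the transitive
# serialize-javascript resolving below the patched 7.0.5.
# Assumptions: the lockfile uses the v1 layout (top-level "dependencies" map
# with per-package "version" fields); 7.0.5 is the floor the PR pins via overrides.

MIN_SERIALIZE_JS="7.0.5"

# Print the lockfileVersion of a package-lock.json (empty if absent).
lockfile_version() {
  sed -n 's/^[[:space:]]*"lockfileVersion":[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$1" | head -n 1
}

# Print the resolved version of package $2 in v1 lockfile $1: the first
# "version" line after the package's own '"<name>": {' entry.
resolved_version() {
  awk -v key="\"$2\": {" '
    index($0, key) { found = 1; next }
    found && /"version":/ {
      sub(/.*"version":[[:space:]]*"/, ""); sub(/".*/, ""); print; exit
    }' "$1"
}

# Return 0 when dotted numeric version $1 >= $2 (no pre-release handling).
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, x, "."); nb = split(b, y, ".")
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      ai = (i <= na) ? x[i] + 0 : 0
      bi = (i <= nb) ? y[i] + 0 : 0
      if (ai > bi) exit 0
      if (ai < bi) exit 1
    }
    exit 0
  }'
}

# Fail (return 1) unless the lockfile is v1 and serialize-javascript is patched.
check_lockfile() {
  lf="$1"
  v=$(lockfile_version "$lf")
  if [ "$v" != "1" ]; then
    echo "FAIL: $lf has lockfileVersion '$v'; expected 1 (npm 6 cannot parse v2+)" >&2
    return 1
  fi
  sj=$(resolved_version "$lf" serialize-javascript)
  if [ -z "$sj" ]; then
    echo "FAIL: serialize-javascript not present in $lf" >&2
    return 1
  fi
  if ! version_ge "$sj" "$MIN_SERIALIZE_JS"; then
    echo "FAIL: serialize-javascript@$sj is below $MIN_SERIALIZE_JS (GHSA-5c6j-r48x-rmvq, GHSA-qj8w-gfj5-8c6v)" >&2
    return 1
  fi
  echo "OK: $lf is lockfileVersion 1 and resolves serialize-javascript@$sj"
}

# Write a constructed sample lockfile to $1 with lockfileVersion $2 and
# serialize-javascript@$3 (v1 layout for every sample, to keep the example short).
write_sample_lockfile() {
  cat > "$1" <<EOF
{
  "name": "example-cli",
  "version": "0.0.0",
  "lockfileVersion": $2,
  "requires": true,
  "dependencies": {
    "mocha": {
      "version": "10.8.2",
      "dev": true,
      "requires": { "serialize-javascript": "^6.0.2" }
    },
    "serialize-javascript": {
      "version": "$3",
      "dev": true
    }
  }
}
EOF
}

# Demo on constructed samples: the state this PR leaves behind, the v3 drift
# that caused the #1101 revert, and a v1 lockfile still carrying the vulnerable 6.0.2.
demo_dir=$(mktemp -d)
write_sample_lockfile "$demo_dir/fixed.json"   1 7.0.5
write_sample_lockfile "$demo_dir/drifted.json" 3 7.0.5
write_sample_lockfile "$demo_dir/stale.json"   1 6.0.2
check_lockfile "$demo_dir/fixed.json"   || true
check_lockfile "$demo_dir/drifted.json" || true
check_lockfile "$demo_dir/stale.json"   || true
```

Run as `check_lockfile package-lock.json` in CI after `npm install`; a non-zero exit catches a contributor whose npm rewrote the lockfile to v3 (the `.npmrc` setting should prevent that, and this is the independent check) as well as a resolution that slipped back below the `overrides` floor.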
@karanshah-browserstack karanshah-browserstack merged commit a9a153b into master May 15, 2026
7 of 8 checks passed
@karanshah-browserstack karanshah-browserstack deleted the security/fix-serialize-javascript-rce-aps-18800-v2 branch May 15, 2026 11:08