chore(deps): force mocha to use serialize-javascript@7.0.5 from override#2422
Merged
jpgough-ms merged 1 commit into finos:main from May 6, 2026
Conversation
The serialize-javascript ^7.0.5 override in package.json wasn't being applied to mocha's nested copy because the lockfile retained a stale node_modules/mocha/node_modules/serialize-javascript@6.0.2 entry from before the override was added. npm install preserves existing nested entries even when an override is added afterwards. Removing the stale lockfile entry lets npm re-resolve mocha's serialize-javascript dependency under the override; it now points at the hoisted top-level serialize-javascript@7.0.5. Resolves Dependabot alert finos#174 (GHSA-5c6j-r48x-rmvq, RCE in serialize-javascript via RegExp.flags / Date.prototype.toISOString).
jpgough-ms approved these changes May 6, 2026
Description
Resolves Dependabot alert #174 (GHSA-5c6j-r48x-rmvq — RCE in `serialize-javascript` via `RegExp.flags` / `Date.prototype.toISOString`).

The existing `serialize-javascript: "^7.0.5"` override in `package.json` was already in place, but `package-lock.json` retained a stale `node_modules/mocha/node_modules/serialize-javascript@6.0.2` entry from before the override was added. npm install preserves nested entries even after an override is added, so the vulnerable copy persisted on every install.

This PR removes the stale lockfile entry so npm re-resolves mocha's `serialize-javascript` under the override. After install, mocha now uses the hoisted top-level `serialize-javascript@7.0.5`, and there is no longer a vulnerable copy on disk.

Verified locally:

- `npm ls serialize-javascript` no longer shows any `6.x` entries (the only remaining `6.x` ranges are warnings from npm because consumers' declared range is `^6.x`, but the actual installed version is `7.0.5`)
- `node -e "require('serialize-javascript')"` and `require('mocha')` both load successfully

Two unrelated metadata flips (`dev: true`, `peer: true` removed from `axios@1.16.0` and `proxy-from-env@2.1.0`) appear in the diff — these are npm's resolver tidying on re-resolve, not behavioural changes.