
fix: update serialize-javascript to >=7.0.3#592

Merged
cameri merged 3 commits into cameri:main from Anshumancanrock:fix-serialize-javascript
May 4, 2026

Conversation

@Anshumancanrock
Collaborator

Description

This PR adds a pnpm.overrides entry to force serialize-javascript to >=7.0.3, resolving a high-severity RCE vulnerability (GHSA-5c6j-r48x-rmvq, CVSS 8.1).

The package isn't a direct dependency — it's pulled in transitively via mocha → serialize-javascript@^6.0.2. Since mocha upstream hasn't bumped this yet, the only correct fix is overriding the resolution at the workspace level using pnpm's native override mechanism.

Related Issue

Closes #521

Motivation and Context

serialize-javascript <=7.0.2 allows code injection through spoofed RegExp.flags and Date.toISOString() properties. When the serialized output is eval'd, the injected code executes. Mocha uses this package in its parallel worker pool (buffered-worker-pool.js) to serialize test options between the main process and worker threads.

While this is a devDependency and not reachable at relay runtime, it still poses a risk in CI environments and developer machines. Patching it is the right call.

How Has This Been Tested?

Manual PoC verification: Ran the CVE proof-of-concept against both versions:

  • serialize-javascript@6.0.2 → injection succeeds silently
  • serialize-javascript@7.0.5 (installed after override) → throws "RegExp.prototype.source getter called on non-RegExp object", injection neutralized

Screenshots (if appropriate):

N/A

Types of changes

  • Non-functional change (docs, style, minor refactor)
  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)

Checklist:

  • My code follows the code style of this project.
  • My change requires a change to the documentation.
  • I have updated the documentation accordingly.
  • I have read the CONTRIBUTING document.
  • I have added tests to cover my code changes.
  • I added a changeset, or this is docs-only and I added an empty changeset.
  • All new and existing tests passed.
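The description relies on a pnpm override to force the transitive resolution, and verifies the outcome by inspecting what actually got installed. The following is an added CI-style guard (not code from the PR or from nostream) that automates that second step: it parses a pnpm-lock.yaml with Node built-ins only, lists every resolved version of a package in the `packages:` section, flags any below a patched floor, and confirms the override is declared in package.json. The lockfile and package.json texts in the block are constructed samples, not the repository's files.

```javascript
// Added CI guard (not part of the PR): scan a pnpm-lock.yaml for every
// resolved version of a package and flag any below a patched floor.
// Node built-ins only; the lockfile and package.json texts below are constructed.
const MIN_SAFE = '7.0.3'; // floor enforced by the PR's pnpm override

function semverLt(a, b) { // assumes plain x.y.z versions, no prerelease tags
  const [x, y] = [a, b].map(v => v.split('.').map(Number));
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] < y[i];
  return false;
}

// Versions of `pkg` resolved in the `packages:` section. Keys look like
// `/pkg@1.2.3:` in lockfile v6 and `pkg@1.2.3:` in v9, possibly quoted.
function resolvedVersions(lockText, pkg) {
  const esc = pkg.replace(/[.*+?^${}()|[\]\\\/]/g, '\\$&');
  const key = new RegExp(`^  '?/?${esc}@(\\d+\\.\\d+\\.\\d+)`);
  const found = new Set();
  let inPackages = false;
  for (const line of lockText.split('\n')) {
    if (/^\S/.test(line)) inPackages = line.startsWith('packages:'); // top-level key
    else if (inPackages) { const m = key.exec(line); if (m) found.add(m[1]); }
  }
  return [...found];
}

// Resolved versions that are still below the patched floor (empty means clean).
function vulnerableVersions(lockText, pkg, minSafe) {
  return resolvedVersions(lockText, pkg).filter(v => semverLt(v, minSafe));
}

// Range declared under pnpm.overrides in package.json, or null if absent.
function overrideFor(pkgJsonText, pkg) {
  const pnpm = JSON.parse(pkgJsonText).pnpm;
  return (pnpm && pnpm.overrides && pnpm.overrides[pkg]) || null;
}

// Constructed lockfile excerpts: the mocha -> serialize-javascript chain
// before the override, and the same chain after it takes effect.
const LOCK_BEFORE = `lockfileVersion: '9.0'
packages:
  mocha@10.2.0:
    resolution: {integrity: sha512-CONSTRUCTED}
  serialize-javascript@6.0.2:
    resolution: {integrity: sha512-CONSTRUCTED}
snapshots:
  mocha@10.2.0:
    dependencies:
      serialize-javascript: 6.0.2
`;
const LOCK_AFTER = LOCK_BEFORE.replace(/6\.0\.2/g, '7.0.5');
const PKG_JSON = '{"pnpm":{"overrides":{"serialize-javascript":">=7.0.3"}}}';
```

Running `vulnerableVersions` on the real lockfile in CI (and failing the job when it returns anything) catches the case where a future mocha bump or a removed override silently reintroduces a pre-7.0.3 resolution.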

@changeset-bot

changeset-bot Bot commented Apr 30, 2026

🦋 Changeset detected

Latest commit: a85ca44

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package: nostream (Patch)


@coveralls
Collaborator

coveralls commented Apr 30, 2026

Coverage Status

coverage: 65.131% (+2.4%) from 62.753% — Anshumancanrock:fix-serialize-javascript into cameri:main


Copilot AI left a comment


Pull request overview

This PR mitigates a high-severity RCE vulnerability in the transitive devDependency serialize-javascript by forcing pnpm to resolve it to a patched version across the workspace.

Changes:

  • Added a pnpm workspace override for serialize-javascript to require >=7.0.3.
  • Regenerated pnpm-lock.yaml to reflect resolution to serialize-javascript@7.0.5 and removal of no-longer-needed transitive deps.
  • Added a Changeset marking a patch release for the security-related dependency resolution change.

Reviewed changes

Copilot reviewed 2 out of 3 changed files in this pull request and generated 2 comments.

  • package.json: Introduces pnpm override configuration to force patched serialize-javascript.
  • pnpm-lock.yaml: Captures the override in the lockfile and updates resolved dependency graph (now serialize-javascript@7.0.5).
  • .changeset/fix-serialize-javascript-cve.md: Adds a patch changeset documenting the security fix.
Files not reviewed (1)
  • pnpm-lock.yaml: Language not supported

@Anshumancanrock Anshumancanrock force-pushed the fix-serialize-javascript branch from 6db254a to 65ff30b Compare May 1, 2026 05:36
@Anshumancanrock Anshumancanrock force-pushed the fix-serialize-javascript branch from 65ff30b to 1aa065f Compare May 1, 2026 05:42
@cameri cameri merged commit 0119c74 into cameri:main May 4, 2026
16 checks passed

Development

Successfully merging this pull request may close these issues.

Security: Update serialize-javascript to 7.0.3 (CVE RCE)

4 participants