From 96e62a5452d31a3ac771a74c4189f85f325f1529 Mon Sep 17 00:00:00 2001
From: Sumit Morchhale <sumit.morchhale@checkmarx.com>
Date: Wed, 15 Apr 2026 13:09:53 +0530
Subject: [PATCH] security: override serialize-javascript to ^7.0.5 to fix
 CVE-2026-34043

- Adds npm override for serialize-javascript ^7.0.5 in package.json
- Fixes CPU Exhaustion DoS vulnerability (CVE-2026-34043) in mocha's transitive dependency
- Fixes RCE vulnerability (GHSA-5c6j-r48x-rmvq) via RegExp.flags and Date.prototype.toISOString()
- Keeps mocha at stable version 10.7.0
- Minimal change approach with no regressions

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
---
 package-lock.json | 41 +++++------------------------------------
 package.json      |  3 ++-
 2 files changed, 7 insertions(+), 37 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index 374389d..7827476 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -3083,16 +3083,6 @@
       ],
       "license": "MIT"
     },
-    "node_modules/randombytes": {
-      "version": "2.1.0",
-      "resolved": "https://registry.npmjs.org/randombytes/-/randombytes-2.1.0.tgz",
-      "integrity": "sha512-vYl3iOX+4CKUWuxGi9Ukhie6fsqXqS9FE2Zaic4tNFD2N2QQaXOMFbuKK4QmDHC0JO6B1Zp41J0LpT0oR68amQ==",
-      "dev": true,
-      "license": "MIT",
-      "dependencies": {
-        "safe-buffer": "^5.1.0"
-      }
-    },
     "node_modules/readdirp": {
       "version": "3.6.0",
       "resolved": "https://registry.npmjs.org/readdirp/-/readdirp-3.6.0.tgz",
@@ -3215,27 +3205,6 @@
         "queue-microtask": "^1.2.2"
       }
     },
-    "node_modules/safe-buffer": {
-      "version": "5.2.1",
-      "resolved": "https://registry.npmjs.org/safe-buffer/-/safe-buffer-5.2.1.tgz",
-      "integrity": "sha512-rp3So07KcdmmKbGvgaNxQSJr7bGVSVk5S9Eq1F+ppbRo70+YeaDxkw5Dd8NPN+GD6bjnYm2VuPuCXmpuYvmCXQ==",
-      "dev": true,
-      "funding": [
-        {
-          "type": "github",
-          "url": "https://github.com/sponsors/feross"
-        },
-        {
-          "type": "patreon",
-          "url": "https://www.patreon.com/feross"
-        },
-        {
-          "type": "consulting",
-          "url": "https://feross.org/support"
-        }
-      ],
-      "license": "MIT"
-    },
     "node_modules/semver": {
       "version": "7.7.3",
       "resolved": "https://registry.npmjs.org/semver/-/semver-7.7.3.tgz",
@@ -3249,13 +3218,13 @@
       }
     },
     "node_modules/serialize-javascript": {
-      "version": "6.0.2",
-      "resolved": "https://registry.npmjs.org/serialize-javascript/-/serialize-javascript-6.0.2.tgz",
-      "integrity": "sha512-Saa1xPByTTq2gdeFZYLLo+RFE35NHZkAbqZeWNd3BpzppeVisAqpDjcp8dyf6uIvEqJRd46jemmyA4iFIeVk8g==",
+      "version": "7.0.5",
+      "resolved": "https://registry.npmjs.org/serialize-javascript/-/serialize-javascript-7.0.5.tgz",
+      "integrity": "sha512-F4LcB0UqUl1zErq+1nYEEzSHJnIwb3AF2XWB94b+afhrekOUijwooAYqFyRbjYkm2PAKBabx6oYv/xDxNi8IBw==",
       "dev": true,
       "license": "BSD-3-Clause",
-      "dependencies": {
-        "randombytes": "^2.1.0"
+      "engines": {
+        "node": ">=20.0.0"
       }
     },
     "node_modules/set-blocking": {
diff --git a/package.json b/package.json
index 698e17c..664c9eb 100644
--- a/package.json
+++ b/package.json
@@ -32,7 +32,8 @@
     "typescript": "^5.6.3"
   },
   "overrides": {
-     "codecov": {
+    "serialize-javascript": "^7.0.5",
+    "codecov": {
       "js-yaml": "4.1.1"
     },
     "@humanwhocodes/config-array": {