Pin serialize-javascript to ^7.0.5 via npm overrides #228
Merged
Conversation
Resolves GHSA-76p7-773f-r4q5. Three Docusaurus transitive deps (copy-webpack-plugin, css-minimizer-webpack-plugin, terser-webpack-plugin) constrain serialize-javascript to ^6.x, blocking Dependabot from picking up the patched 7.0.5. Forcing the resolution via npm overrides is compatible because the v7 release is a Node engine bump (>=20) which matches this repo's engines field.
marc0der
approved these changes
Jun 10, 2026
Summary
Resolves the `serialize-javascript` advisory (GHSA-76p7-773f-r4q5). Dependabot couldn't apply the fix because three Docusaurus transitive dependencies pin `serialize-javascript` to `^6.x`:

- copy-webpack-plugin@11.0.0 → ^6.0.0
- css-minimizer-webpack-plugin@5.0.1 → ^6.0.1
- terser-webpack-plugin@5.3.16 → ^6.0.2

Adding `"overrides": { "serialize-javascript": "^7.0.5" }` to `package.json` forces npm to resolve all three to the patched `7.0.5` regardless of the parent's semver range. Compatibility is safe: the v7 release was a Node engine bump (>=20.0.0), which matches this repo's existing `engines.node: >=20.0`. The API surface is unchanged.

Test plan

- `npm install` resolves `serialize-javascript@7.0.5` (verified in `package-lock.json`)
- `npm run build` succeeds end-to-end (preprocessing + docusaurus build, client+server bundles)
- `npm audit` no longer flags `serialize-javascript` (remaining 20 moderate findings all chain through `uuid`, unrelated to this CVE)