From b4806ce72da66c62dea0dc67b11696d300685434 Mon Sep 17 00:00:00 2001
From: Tymofiy Bortnyk
Date: Sun, 14 Jun 2026 12:05:51 +0300
Subject: [PATCH] fix(e2e): force patched serialize-javascript@7.0.5 via npm override

serialize-javascript <7.0.5 has a high-severity RCE (GHSA-5c6j-r48x-rmvq) and a DoS (GHSA-qj8w-gfj5-8c6v). It is a transitive devDependency: @wdio/mocha-framework@9.28.0 -> mocha@10.8.2 -> serialize-javascript@^6.0.2. Mocha's ^6.0.2 ceiling blocks the patched 7.0.5, and Dependabot's only in-range path would downgrade @wdio/mocha-framework to 6.1.17.

Add an npm `overrides` entry pinning serialize-javascript to ^7.0.5, keeping @wdio/mocha-framework at 9.28.0.

Safe because:
- dev-only (e2e harness, never shipped in the app)
- 7.0.0's only breaking change was dropping Node <20; CI runs Node 20+
- mocha's call signature is unchanged in 7.x; the parallel-worker path that uses it isn't even exercised (wdio.conf.js maxInstances: 1)

`npm ci` passes and `npm audit` reports 0 vulnerabilities.

Co-Authored-By: Claude Opus 4.8 (1M context)
---
e2e/package-lock.json | 19 +++++--------------
e2e/package.json | 6 +++++-
2 files changed, 10 insertions(+), 15 deletions(-)

diff --git a/e2e/package-lock.json b/e2e/package-lock.json
index 01d2907..03ea785 100644
--- a/e2e/package-lock.json
+++ b/e2e/package-lock.json
@@ -7816,15 +7816,6 @@
 "integrity": "sha512-lT5yCqEBgfoMYpf3F2xQRK7zEr1rhIIZuceDK6+xRkJQ4NMbHTwXqk4NkwDwQMNqXgG9r9fyHnzwNVs6zV5KRw==",
 "dev": true
 },
- "node_modules/randombytes": {
- "version": "2.1.0",
- "resolved": "https://registry.npmjs.org/randombytes/-/randombytes-2.1.0.tgz",
- "integrity": "sha512-vYl3iOX+4CKUWuxGi9Ukhie6fsqXqS9FE2Zaic4tNFD2N2QQaXOMFbuKK4QmDHC0JO6B1Zp41J0LpT0oR68amQ==",
- "dev": true,
- "dependencies": {
- "safe-buffer": "^5.1.0"
- }
- },
 "node_modules/range-parser": {
 "version": "1.2.1",
 "resolved": "https://registry.npmjs.org/range-parser/-/range-parser-1.2.1.tgz",
@@ -8504,12 +8495,12 @@
 }
 },
 "node_modules/serialize-javascript": {
- "version": "6.0.2",
- "resolved": "https://registry.npmjs.org/serialize-javascript/-/serialize-javascript-6.0.2.tgz",
- "integrity": "sha512-Saa1xPByTTq2gdeFZYLLo+RFE35NHZkAbqZeWNd3BpzppeVisAqpDjcp8dyf6uIvEqJRd46jemmyA4iFIeVk8g==",
+ "version": "7.0.5",
+ "resolved": "https://registry.npmjs.org/serialize-javascript/-/serialize-javascript-7.0.5.tgz",
+ "integrity": "sha512-F4LcB0UqUl1zErq+1nYEEzSHJnIwb3AF2XWB94b+afhrekOUijwooAYqFyRbjYkm2PAKBabx6oYv/xDxNi8IBw==",
 "dev": true,
- "dependencies": {
- "randombytes": "^2.1.0"
+ "engines": {
+ "node": ">=20.0.0"
 }
 },
 "node_modules/serve-favicon": {
diff --git a/e2e/package.json b/e2e/package.json
index 0b7d416..275ad51 100644
--- a/e2e/package.json
+++ b/e2e/package.json
@@ -16,5 +16,9 @@
 "appium": "3.5.0",
 "webdriverio": "9.28.0"
 },
- "//uiautomator2": "Driver installed via `npm run driver:install` (uiautomator2@4.2.9 — last 4.x; 5.x+ require Appium 3). Not an npm dependency; lives under APPIUM_HOME=./.appium."
+ "//uiautomator2": "Driver installed via `npm run driver:install` (uiautomator2@4.2.9 — last 4.x; 5.x+ require Appium 3). Not an npm dependency; lives under APPIUM_HOME=./.appium.",
+ "//overrides": "serialize-javascript: mocha@10.8.2 pins ^6.0.2 (vuln <7.0.5, GHSA-5c6j-r48x-rmvq + GHSA-qj8w-gfj5-8c6v). Force the patched 7.x — API-compatible (only 7.0.0 breaking change was dropping Node<20; CI runs Node 20+) and keeps @wdio/mocha-framework@9.28.0 (Dependabot's path would downgrade it to 6.1.17).",
+ "overrides": {
+ "serialize-javascript": "^7.0.5"
+ }
 }
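Review bot: The new `overrides` entry is tree-wide, so `"serialize-javascript": "^7.0.5"` rewrites the range for every consumer of serialize-javascript in the e2e tree, not only the mocha@10.8.2 chain the `//overrides` note describes; a devDependency added later that legitimately needs a different major would be silently forced onto 7.x as well. If the intent is to patch the known chain only, npm's nested form scopes it: `"overrides": { "mocha": { "serialize-javascript": "^7.0.5" } }`. In either form the `//overrides` text should also say when the pin is to be removed, e.g. append `Drop once mocha's own range admits >=7.0.5.`, so the override does not outlive the upstream fix. Note that `overrides` is only honored by npm 8.3 and later; presumably CI's npm is recent enough, but an older npm would ignore the key rather than error, so that floor is worth confirming.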