
Fix serialize-javascript vulnerability (AST-145686)#706

Open
cx-sumit-morchhale wants to merge 1 commit into main from bug/AST-145686

Conversation

@cx-sumit-morchhale

Summary

  • Adds npm override for serialize-javascript to ^7.0.5 in package.json
  • Fixes CPU Exhaustion Denial of Service vulnerability (CVE-2026-34043) in mocha's transitive dependency
  • Fixes Remote Code Execution vulnerability (GHSA-5c6j-r48x-rmvq) via RegExp.flags and Date.prototype.toISOString()
  • Maintains mocha at stable version 10.7.0 with minimal changes

Test Plan

  • npm install completes successfully
  • serialize-javascript overridden to 7.0.5
  • npm audit no longer flags serialize-javascript vulnerabilities
  • No regressions with mocha or its test runner

Details

serialize-javascript 6.0.2 (currently used by mocha 10.7.0) is vulnerable to:

This override ensures security while keeping mocha at the stable version until a patched version is released.

🤖 Generated with Claude Code

- Adds npm override for serialize-javascript ^7.0.5 in package.json
- Fixes CPU Exhaustion DoS vulnerability (CVE-2026-34043) in mocha's transitive dependency
- Fixes RCE vulnerability (GHSA-5c6j-r48x-rmvq) via RegExp.flags and Date.prototype.toISOString()
- Keeps mocha at stable version 10.7.0
- Minimal change approach with no regressions

Co-Authored-By: Claude Haiku 4.5 <noreply@anthropic.com>
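An added check for the step the test plan describes ("serialize-javascript overridden to 7.0.5"). This is example code written for this page, not part of the PR or of the project. Its package.json and package-lock.json fragments are constructed and trimmed to the fields the check reads, following npm's lockfileVersion 3 layout; the `checkOverride`, `installedVersions` and `compareVersions` names are this example's own. The point it makes is that an `overrides` entry in package.json only changes what ships once `npm install` (npm 8.3 or later, which introduced `overrides`) has re-resolved the lockfile: a stale package-lock.json keeps installing 6.0.2, and `npm audit` reports on the lockfile, so the lockfile is what to verify.

```javascript
// Added example, not from the PR: confirm that the npm "overrides" entry for
// serialize-javascript is present in package.json AND has actually been
// applied in package-lock.json (every installed copy, nested ones included).

const PACKAGE = "serialize-javascript";
const MIN_SAFE = "7.0.5"; // lower bound of the ^7.0.5 override the PR adds

// Constructed package.json fragment carrying the override from the PR.
const samplePackageJson = {
  devDependencies: { mocha: "10.7.0" },
  overrides: { [PACKAGE]: "^7.0.5" },
};

// Constructed lockfileVersion 3 fragment BEFORE `npm install` re-resolved it:
// a hoisted 6.0.2 copy plus a nested one under mocha. Both are still shipped.
const staleLock = {
  lockfileVersion: 3,
  packages: {
    "node_modules/mocha": { version: "10.7.0", dependencies: { [PACKAGE]: "^6.0.2" } },
    "node_modules/serialize-javascript": { version: "6.0.2" },
    "node_modules/mocha/node_modules/serialize-javascript": { version: "6.0.2" },
  },
};

// Constructed lockfile AFTER `npm install` applied the override: one 7.0.5 copy.
const fixedLock = {
  lockfileVersion: 3,
  packages: {
    "node_modules/mocha": { version: "10.7.0", dependencies: { [PACKAGE]: "^6.0.2" } },
    "node_modules/serialize-javascript": { version: "7.0.5" },
  },
};

// Numeric major.minor.patch comparison; returns -1, 0 or 1.
// Prerelease tags are deliberately not handled, which is enough for this check.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Every installed copy of `name` in a v3 lockfile: the hoisted path
// "node_modules/<name>" and any nested ".../node_modules/<name>".
function installedVersions(lock, name) {
  const suffix = "node_modules/" + name;
  return Object.entries(lock.packages || {})
    .filter(([path]) => path === suffix || path.endsWith("/" + suffix))
    .map(([path, meta]) => ({ path, version: meta.version }));
}

// Returns a list of problems; an empty list means the override is declared
// with an adequate floor and every installed copy satisfies it.
function checkOverride(pkg, lock, name, minSafe) {
  const problems = [];
  const spec = pkg.overrides && pkg.overrides[name];
  if (!spec) {
    problems.push(`package.json has no overrides entry for ${name}`);
  } else {
    // Strip ^ ~ >= prefixes to get the floor of the declared range.
    const floor = spec.replace(/^[\^~>=\s]+/, "");
    if (compareVersions(floor, minSafe) < 0) {
      problems.push(`override "${spec}" for ${name} allows versions below ${minSafe}`);
    }
  }
  const copies = installedVersions(lock, name);
  if (copies.length === 0) problems.push(`${name} not present in lockfile`);
  for (const { path, version } of copies) {
    if (compareVersions(version, minSafe) < 0) {
      problems.push(`${path} resolves to ${version} (< ${minSafe}); re-run npm install so the override is applied`);
    }
  }
  return problems;
}

// Usage on the constructed samples. For a real repo, JSON.parse the two files
// and pass them in the same way.
for (const [label, lock] of [["stale lockfile", staleLock], ["fixed lockfile", fixedLock]]) {
  const problems = checkOverride(samplePackageJson, lock, PACKAGE, MIN_SAFE);
  console.log(`${label}: ${problems.length === 0 ? "OK" : problems.join("; ")}`);
}
```

On a real checkout, run it after `npm install` and again after any lockfile merge; a passing `npm audit` with a failing check here means the lockfile on disk was regenerated but the one being reviewed was not.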
@github-actions

Checkmarx One – Scan Summary & Details e0d1eaa2-6239-481c-8592-793fac5901e4


Fixed Issues (1): Great job! The following issues were fixed in this Pull Request

Severity: HIGH
Issue: CVE-2026-34043
Source File / Package: Npm-serialize-javascript-6.0.2

cx-sumit-morchhale changed the title from "AST-145686: Fix serialize-javascript vulnerability (CVE-2026-34043)" to "Fix serialize-javascript vulnerability (AST-145686)" on Apr 15, 2026