Commit 056268a
chore(deps): update dependency serialize-javascript to v7.0.5 [security] (#8120)
This PR contains the following updates:
| Package | Change | [Age](https://docs.renovatebot.com/merge-confidence/) | [Confidence](https://docs.renovatebot.com/merge-confidence/) |
|---|---|---|---|
| [serialize-javascript](https://redirect.github.com/yahoo/serialize-javascript) | [`7.0.3` → `7.0.5`](https://renovatebot.com/diffs/npm/serialize-javascript/7.0.3/7.0.5) | | |

### GitHub Vulnerability Alerts
#### [CVE-2026-34043](https://redirect.github.com/yahoo/serialize-javascript/security/advisories/GHSA-qj8w-gfj5-8c6v)
### Impact
**What kind of vulnerability is it?**
It is a **Denial of Service (DoS)** vulnerability caused by CPU
exhaustion. When serializing a specially crafted "array-like" object (an
object that inherits from `Array.prototype` but has a very large
`length` property), the process enters an intensive loop that consumes
100% CPU and hangs indefinitely.
**Who is impacted?**
Applications that use `serialize-javascript` to serialize untrusted or
user-controlled objects are at risk. While direct exploitation is
difficult, it becomes a high-priority threat if the application is also
vulnerable to **Prototype Pollution** or handles untrusted data via
**YAML Deserialization**, as these could be used to inject the malicious
object.
### Patches
**Has the problem been patched?**
Yes, the issue has been patched by replacing `instanceof Array` checks
with `Array.isArray()` and using `Object.keys()` for sparse array
detection.
**What versions should users upgrade to?**
Users should upgrade to **`v7.0.5`** or later.
### Workarounds
**Is there a way for users to fix or remediate the vulnerability without
upgrading?**
There is no direct code-level workaround within the library itself.
However, users can mitigate the risk by:
* Validating and sanitizing all input before passing it to the
`serialize()` function.
* Ensuring the environment is protected against Prototype Pollution.
* Upgrading to **`v7.0.5`** as soon as possible.
### Acknowledgements
Serialize JavaScript thanks **Tomer Aberbach** (@TomerAberbach)
for discovering and privately disclosing this issue.
---
### Release Notes
<details>
<summary>yahoo/serialize-javascript (serialize-javascript)</summary>
### [`v7.0.5`](https://redirect.github.com/yahoo/serialize-javascript/releases/tag/v7.0.5)
[Compare Source](https://redirect.github.com/yahoo/serialize-javascript/compare/v7.0.4...v7.0.5)
##### Fixes
- Improve robustness and validation for array-like object serialization.
- Fix an issue where certain object structures could lead to excessive
CPU usage.
For more details, please see GHSA-qj8w-gfj5-8c6v.
### [`v7.0.4`](https://redirect.github.com/yahoo/serialize-javascript/releases/tag/v7.0.4)
[Compare Source](https://redirect.github.com/yahoo/serialize-javascript/compare/v7.0.3...v7.0.4)
#### What's Changed
- release: v7.0.4 by [@okuryu](https://redirect.github.com/okuryu) in [#211](https://redirect.github.com/yahoo/serialize-javascript/pull/211)
**Full Changelog**:
<yahoo/serialize-javascript@v7.0.3...v7.0.4>
</details>
---
### Configuration
📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no
schedule defined).
🚦 **Automerge**: Enabled.
♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.
🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.
---
- [ ] If you want to rebase/retry this PR, check this box
---
This PR was generated by [Mend Renovate](https://mend.io/renovate/).
View the [repository job
log](https://developer.mend.io/github/netlify/cli).
Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>

1 parent 3cefa0e commit 056268a
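Added illustration of the two checks the advisory above names, not serialize-javascript's own code and not part of this PR: `instanceof Array` (the pattern the advisory says was replaced) beside `Array.isArray()`, and `Object.keys()` as the sparse-array detector, inside a toy serializer. The names `craftedArrayLike`, `sparseArray`, `serializeArray` and `demo`, the work budget that stands in for the unbounded loop, and the way a detected sparse array is emitted are all assumptions of this example. It also shows why `Array.isArray()` alone is not enough: a genuine array with a huge `length` and one element passes that check too, so iterating `0..length` must be avoided for it as well.

```javascript
// Added illustration, not serialize-javascript's own code. The names below
// (craftedArrayLike, sparseArray, serializeArray, demo) and the work budget are
// assumptions of this example; the real bug simply loops `length` times.

// Object that inherits from Array.prototype but is not an array exotic object.
// `instanceof Array` is true for it; `Array.isArray` is false.
function craftedArrayLike(length) {
  const obj = Object.create(Array.prototype);
  obj.length = length;
  return obj;
}

// Genuine array with a huge `length` but a single element: Array.isArray alone
// does not help here, which is why the fix also needs sparse-array detection.
function sparseArray(length) {
  const arr = [];
  arr.length = length;
  arr[0] = 'x';
  return arr;
}

// Toy serializer. hardened=false mimics the pattern the advisory describes
// (instanceof Array, then iterate 0..length). hardened=true classifies with
// Array.isArray() and uses Object.keys() to detect a sparse array, visiting
// only the elements that actually exist. The budget replaces CPU exhaustion
// with an observable "exhausted" result so the example always terminates.
function serializeArray(value, { hardened, budget = 1_000_000 } = {}) {
  const isArray = hardened ? Array.isArray(value) : value instanceof Array;
  if (!isArray) {
    return { out: null, steps: 0, exhausted: false, reason: 'not an array' };
  }
  const parts = [];
  let steps = 0;
  if (hardened) {
    // Own enumerable keys of a dense array are exactly "0".."length-1".
    const keys = Object.keys(value);
    if (keys.length !== value.length) {
      for (const k of keys) {
        steps++;
        parts.push(`${k}:${String(value[k])}`);
      }
      // Emitting the sparse array as key:value pairs is this example's choice.
      return { out: `sparse{${parts.join(',')}}`, steps, exhausted: false };
    }
  }
  for (let i = 0; i < value.length; i++) {
    if (++steps > budget) {
      return { out: null, steps, exhausted: true, reason: 'work budget exceeded' };
    }
    parts.push(String(value[i]));
  }
  return { out: `[${parts.join(',')}]`, steps, exhausted: false };
}

// Runs the crafted object, a sparse array and a dense array through both
// variants and returns the results for inspection.
function demo(budget = 10_000) {
  const hugeLength = 1e9;
  const crafted = craftedArrayLike(hugeLength);
  const sparse = sparseArray(hugeLength);
  return {
    craftedPassesInstanceof: crafted instanceof Array,
    craftedPassesIsArray: Array.isArray(crafted),
    craftedVulnerable: serializeArray(crafted, { hardened: false, budget }),
    craftedHardened: serializeArray(crafted, { hardened: true, budget }),
    sparseVulnerable: serializeArray(sparse, { hardened: false, budget }),
    sparseHardened: serializeArray(sparse, { hardened: true, budget }),
    dense: serializeArray(['a', 'b'], { hardened: true, budget }),
  };
}
```

Calling `demo()` shows the crafted object passing `instanceof Array` but failing `Array.isArray()`, both the crafted object and the sparse array exhausting the budget on the vulnerable path, and the hardened path rejecting the crafted object outright and serializing the sparse array in a single step. In a real serializer the budget would not exist and the vulnerable path would simply spin for `length` iterations, which is the CPU exhaustion the advisory describes.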
2 files changed
Lines changed: 5 additions & 5 deletions
Diff view (file contents not rendered on the page): one file shown, original lines 209-215, with line 212 removed and a new line 212 added in its place.