
Fix dependabot vulnerabilities: cross-spawn and serialize-javascript #10

Open

rohit-gohri with Copilot wants to merge 1 commit into main from copilot/fix-dependabot-vulnerabilities


Conversation

Copilot AI commented Mar 31, 2026

Contributor

Summary

Fixes two security vulnerabilities in transitive dependencies identified by dependabot:

Vulnerabilities Fixed

  1. cross-spawn (ReDoS - Regular Expression Denial of Service)

    • Affected: >= 7.0.0, < 7.0.5
    • Updated: 7.0.3 → 7.0.6
    • Fix: yarn up --recursive cross-spawn
  2. serialize-javascript (RCE - Remote Code Execution via RegExp.flags)

    • Affected: <= 7.0.2
    • Updated: 6.0.2 → 7.0.5
    • Fix: Added resolutions override in package.json since mocha@10 constrains to ^6.0.2

Changes

  • package.json: Added resolutions field to force serialize-javascript >= 7.0.3
  • yarn.lock: Updated cross-spawn to 7.0.6 and serialize-javascript to 7.0.5

Testing

All 7 existing tests pass.

…lize-javascript to 7.0.5

Agent-Logs-Url: https://github.com/rohit-gohri/tf-patch/sessions/81bbe073-f88d-4728-a48a-9e0288796914

Co-authored-by: rohit-gohri <31949290+rohit-gohri@users.noreply.github.com>
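The PR body states the fix only in prose (which lockfile entries moved out of which advisory ranges). As an added example, not code from this PR or from the tf-patch repository, the JavaScript below parses a Yarn (berry-style) lockfile and flags any resolved version that still falls inside the two ranges quoted in the description: cross-spawn >= 7.0.0, < 7.0.5 and serialize-javascript <= 7.0.2. Both lockfile snippets are constructed for illustration; the `parseYarnLock`, `auditLock` and `cmp` helpers are this example's own.

```javascript
// Added example: audit a Yarn berry lockfile against the advisory ranges
// named in the PR description. Not part of the PR or the repository.

// Constructed "before" lockfile: both packages resolve inside the advisory ranges.
const SAMPLE_LOCK_BEFORE = `
__metadata:
  version: 6
  cacheKey: 8

"cross-spawn@npm:^7.0.0":
  version: 7.0.3
  resolution: "cross-spawn@npm:7.0.3"

"mocha@npm:^10.0.0":
  version: 10.2.0
  resolution: "mocha@npm:10.2.0"

"serialize-javascript@npm:^6.0.2":
  version: 6.0.2
  resolution: "serialize-javascript@npm:6.0.2"
`;

// Constructed "after" lockfile: the versions the PR says it moved to.
const SAMPLE_LOCK_AFTER = `
__metadata:
  version: 6
  cacheKey: 8

"cross-spawn@npm:^7.0.0, cross-spawn@npm:^7.0.3":
  version: 7.0.6
  resolution: "cross-spawn@npm:7.0.6"

"mocha@npm:^10.0.0":
  version: 10.2.0
  resolution: "mocha@npm:10.2.0"

"serialize-javascript@npm:^6.0.2, serialize-javascript@npm:>=7.0.3":
  version: 7.0.5
  resolution: "serialize-javascript@npm:7.0.5"
`;

// Compare two dotted numeric versions; pre-release suffixes ("-rc.1") are ignored.
function cmp(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Advisory ranges exactly as stated in the PR body.
const ADVISORIES = [
  { name: "cross-spawn", vulnerable: (v) => cmp(v, "7.0.0") >= 0 && cmp(v, "7.0.5") < 0 },
  { name: "serialize-javascript", vulnerable: (v) => cmp(v, "7.0.2") <= 0 },
];

// Minimal parser: an unindented line ending in ":" starts an entry; its
// indented "version:" line gives the resolved version. Scoped packages work
// because the name is everything before the first "@npm:".
function parseYarnLock(text) {
  const entries = [];
  let current = null;
  for (const raw of text.split("\n")) {
    const line = raw.trimEnd();
    if (line === "") continue;
    if (!line.startsWith(" ") && line.endsWith(":")) {
      const key = line.slice(0, -1).replace(/^"|"$/g, "");
      current = { name: key.split("@npm:")[0], version: null };
      entries.push(current);
    } else if (current && line.trim().startsWith("version:")) {
      current.version = line.trim().slice("version:".length).trim().replace(/^"|"$/g, "");
    }
  }
  return entries;
}

// Return "name@version" for every resolved entry inside an advisory range.
function auditLock(text) {
  const findings = [];
  for (const e of parseYarnLock(text)) {
    for (const adv of ADVISORIES) {
      if (e.name === adv.name && e.version && adv.vulnerable(e.version)) {
        findings.push(`${e.name}@${e.version}`);
      }
    }
  }
  return findings;
}

console.log("before:", auditLock(SAMPLE_LOCK_BEFORE));
console.log("after: ", auditLock(SAMPLE_LOCK_AFTER));
```

The check reads the resolved `version:` field rather than the descriptor range in the entry header, which is what matters: a `resolutions` override only closes the finding once the lockfile actually resolves to a version outside the advisory range.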