
fix: update serialize-javascript to 7.0.3 #8215

Open

yashvanthbl137-crypto wants to merge 1 commit into master from fix-serialize-javascript-vulnerability

Conversation

@yashvanthbl137-crypto (Contributor)

Fix serialize-javascript RCE Vulnerability (GHSA-5c6j-r48x-rmvq)

Summary

Updates serialize-javascript from 6.0.2 to 7.0.3 to resolve a Remote Code Execution (RCE) vulnerability.

Vulnerability Details

  • CVE: GHSA-5c6j-r48x-rmvq
  • Severity: HIGH
  • Attack Vector: RCE via malicious RegExp.flags and Date.prototype.toISOString() methods

Changes

  • Added Yarn resolution `**/serialize-javascript: 7.0.3` to force version across all transitive dependencies
  • Updated `yarn.lock` to reflect the resolution

Failed Job: https://github.com/BitGo/BitGoJS/actions/runs/22571247763/job/65379334392

Ticket: CGARD-518
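The `**/serialize-javascript: 7.0.3` resolution above is only effective if every transitive entry in `yarn.lock` actually re-resolves to the patched version. The following is an added example, not BitGoJS code, that parses a Yarn v1 lockfile and lists any `serialize-javascript` entry still resolved below 7.0.3, so a reviewer can confirm the override took effect after `yarn install`. The lockfile fragments are constructed for the example; the 7.0.3 threshold is the version stated in the PR.

```javascript
// Added example, not BitGoJS code: confirm that a Yarn v1 lockfile resolves every
// serialize-javascript entry to at least the patched version named in the PR.
//
// The PR relies on a package.json resolution of the form
//   "resolutions": { "**/serialize-javascript": "7.0.3" }
// After `yarn install`, yarn.lock keeps one entry per requested range, but every
// such entry should now carry `version "7.0.3"`. This check parses the lockfile
// text and reports entries that still resolve below the threshold.

const MIN_SAFE_VERSION = '7.0.3'; // fixed version as stated in the PR

// Parse "MAJOR.MINOR.PATCH" into numbers; anything else is rejected rather than guessed.
function parseVersion(text) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(text);
  if (!m) throw new Error(`unparseable version: ${text}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Numeric comparison of the three leading semver components (prerelease tags ignored).
function compareVersions(a, b) {
  const va = parseVersion(a);
  const vb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (va[i] !== vb[i]) return va[i] < vb[i] ? -1 : 1;
  }
  return 0;
}

// Extract every lockfile entry for pkgName as { specs: [...], version }.
// Yarn v1 format: an unindented header of comma-separated "name@range" specs ending
// in ':', followed by indented fields such as `version "x.y.z"`.
function lockfileEntries(lockText, pkgName) {
  const entries = [];
  let current = null;
  for (const raw of lockText.split('\n')) {
    const line = raw.replace(/\r$/, '');
    if (line.trim() === '' || line.startsWith('#')) continue;
    if (!line.startsWith(' ')) {
      const specs = line
        .replace(/:$/, '')
        .split(',')
        .map((s) => s.trim().replace(/^"|"$/g, ''));
      const ours = specs.filter((s) => s.startsWith(`${pkgName}@`));
      current = ours.length > 0 ? { specs: ours, version: null } : null;
      if (current) entries.push(current);
      continue;
    }
    if (current) {
      const m = /^\s+version "([^"]+)"/.exec(line);
      if (m) current.version = m[1];
    }
  }
  return entries;
}

// Entries that are missing a version or resolve below minVersion.
function findVulnerableEntries(lockText, pkgName = 'serialize-javascript', minVersion = MIN_SAFE_VERSION) {
  return lockfileEntries(lockText, pkgName).filter(
    (e) => e.version === null || compareVersions(e.version, minVersion) < 0,
  );
}

// Constructed lockfile fragments (not the real BitGoJS yarn.lock): before and after the resolution.
const LOCK_BEFORE = `# yarn lockfile v1

serialize-javascript@^6.0.0, serialize-javascript@^6.0.2:
  version "6.0.2"
  resolved "https://registry.example.invalid/serialize-javascript-6.0.2.tgz#placeholder"
  integrity sha512-PLACEHOLDER
  dependencies:
    randombytes "^2.1.0"

"some-dev-tool@^1.0.0":
  version "1.0.0"
  dependencies:
    serialize-javascript "^6.0.0"
`;

const LOCK_AFTER = `# yarn lockfile v1

serialize-javascript@7.0.3, serialize-javascript@^6.0.0, serialize-javascript@^6.0.2:
  version "7.0.3"
  resolved "https://registry.example.invalid/serialize-javascript-7.0.3.tgz#placeholder"
  integrity sha512-PLACEHOLDER
  dependencies:
    randombytes "^2.1.0"

"some-dev-tool@^1.0.0":
  version "1.0.0"
  dependencies:
    serialize-javascript "^6.0.0"
`;

// Human-readable summary; returns a string so callers (or CI) can act on it.
function report(lockText) {
  const bad = findVulnerableEntries(lockText);
  if (bad.length === 0) return `OK: all serialize-javascript entries >= ${MIN_SAFE_VERSION}`;
  return bad.map((e) => `FAIL: ${e.specs.join(', ')} -> ${e.version}`).join('\n');
}

console.log(report(LOCK_BEFORE));
console.log(report(LOCK_AFTER));
```

To run it against a real checkout, replace the constructed fragments with `fs.readFileSync('yarn.lock', 'utf8')`; a non-empty `FAIL` list means some range in the lockfile was not re-resolved and the resolution should be re-checked before merging.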

@yashvanthbl137-crypto marked this pull request as ready for review March 2, 2026 12:28
@yashvanthbl137-crypto requested a review from a team as a code owner March 2, 2026 12:28
@yashvanthbl137-crypto requested review from a team as code owners March 2, 2026 18:45
@zahin-mohammad (Contributor) left a comment


check dms

@yashvanthbl137-crypto force-pushed the fix-serialize-javascript-vulnerability branch from 7f21676 to 3d6f7d9, March 2, 2026 18:48. Commit message:
Resolves GHSA-5c6j-r48x-rmvq RCE vulnerability via RegExp.flags
and Date.prototype.toISOString(). Affects dev dependencies only.

Ticket: CGARD-518
@yashvanthbl137-crypto force-pushed the fix-serialize-javascript-vulnerability branch from 3d6f7d9 to b7ab828, March 2, 2026 18:50
