From 37a2e13e0efd8b8d099975e3045c0543fd51771f Mon Sep 17 00:00:00 2001
From: Katherine Chen
Date: Mon, 2 Mar 2026 15:37:18 +1100
Subject: [PATCH] UID2-6676: upgrade serialize-javascript to fix GHSA-5c6j-r48x-rmvq RCE

Adds serialize-javascript override to pin to patched version:
- overrides/serialize-javascript: (new) ^7.0.3

GHSA-5c6j-r48x-rmvq: Critical RCE via unsanitized RegExp.flags and Date.prototype.toISOString() in serialized output, affects serialize-javascript <= 7.0.2.

Co-Authored-By: Claude Sonnet 4.6
---
 package-lock.json | 19 ++++++-------------
 package.json | 3 ++-
 2 files changed, 8 insertions(+), 14 deletions(-)

diff --git a/package-lock.json b/package-lock.json
index 112784176..06f16ec2f 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -15493,14 +15493,6 @@
 "url": "https://github.com/sponsors/sindresorhus"
 }
 },
- "node_modules/randombytes": {
- "version": "2.1.0",
- "resolved": "https://registry.npmjs.org/randombytes/-/randombytes-2.1.0.tgz",
- "integrity": "sha512-vYl3iOX+4CKUWuxGi9Ukhie6fsqXqS9FE2Zaic4tNFD2N2QQaXOMFbuKK4QmDHC0JO6B1Zp41J0LpT0oR68amQ==",
- "dependencies": {
- "safe-buffer": "^5.1.0"
- }
- },
 "node_modules/range-parser": {
 "version": "1.2.0",
 "resolved": "https://registry.npmjs.org/range-parser/-/range-parser-1.2.0.tgz",
@@ -16592,11 +16584,12 @@
 }
 },
 "node_modules/serialize-javascript": {
- "version": "6.0.2",
- "resolved": "https://registry.npmjs.org/serialize-javascript/-/serialize-javascript-6.0.2.tgz",
- "integrity": "sha512-Saa1xPByTTq2gdeFZYLLo+RFE35NHZkAbqZeWNd3BpzppeVisAqpDjcp8dyf6uIvEqJRd46jemmyA4iFIeVk8g==",
- "dependencies": {
- "randombytes": "^2.1.0"
+ "version": "7.0.3",
+ "resolved": "https://registry.npmjs.org/serialize-javascript/-/serialize-javascript-7.0.3.tgz",
+ "integrity": "sha512-h+cZ/XXarqDgCjo+YSyQU/ulDEESGGf8AMK9pPNmhNSl/FzPl6L8pMp1leca5z6NuG6tvV/auC8/43tmovowww==",
+ "license": "BSD-3-Clause",
+ "engines": {
+ "node": ">=20.0.0"
 }
 },
 "node_modules/serve-handler": {
diff --git a/package.json b/package.json
index a6d3d6211..f516bf118 100644
--- a/package.json
+++ b/package.json
@@ -55,7 +55,8 @@
 "path-to-regexp@0": "0.1.12",
 "path-to-regexp@1": "1.9.0",
 "path-to-regexp@2": "8.0.0",
- "qs": "6.14.1"
+ "qs": "6.14.1",
+ "serialize-javascript": "^7.0.3"
 },
 "browserslist": {
 "production": [
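Review bot: The added `"serialize-javascript": "^7.0.3"` override is the only entry in this overrides block written as a caret range; the neighbouring `path-to-regexp@*` and `qs` entries are exact pins, and an override exists precisely to force one known-good resolution, so `"serialize-javascript": "7.0.3"` would match the file's convention and the version the lockfile hunk already resolves. The lockfile hunk also shows 7.0.3 declaring `"engines": { "node": ">=20.0.0" }`, so any CI job or runtime image still on an older Node line would be running an unsupported combination; that is worth confirming before merge since nothing in this change touches the engine constraint. 6.0.2 to 7.0.3 is a major bump forced onto whichever transitive consumer declared a `^6` range, and an override bypasses that consumer's own range check, so its compatibility with 7.x should be verified rather than assumed. The overrides object starts before this hunk.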