Skip to content

fix(deps): force serialize-javascript to 7.0.7 (CVE-2024-11831)#75

Merged
ber4444 merged 2 commits into
mainfrom
chore/bump-serialize-javascript
Jul 7, 2026
Merged

fix(deps): force serialize-javascript to 7.0.7 (CVE-2024-11831)#75
ber4444 merged 2 commits into
mainfrom
chore/bump-serialize-javascript

Conversation

@ber4444

@ber4444 ber4444 commented Jul 7, 2026

Copy link
Copy Markdown
Owner

Summary

Resolves the Dependabot alert: serialize-javascript@6.0.2 (High) in kotlin-js-store/yarn.lock.

before after
serialize-javascript 6.0.2 7.0.7

The chain

mocha (Kotlin/JS test runner) → serialize-javascript@^6.0.2 → resolved 6.0.2, which carries CVE-2024-11831 (XSS, High).

Why a forced resolution

  • The 6.x line ends at 6.0.2 — there's no patched 6.x release.
  • Fixes are only in 7.0.5+.
  • mocha 11.7.x declares ^6.0.2, so it won't accept 7.x via a normal bump.
  • KGP pins the mocha version, so bumping mocha to the 12.x beta/RC (the only line pulling ^7.0.2) isn't an option.

A yarn resolutions entry is the supported escape hatch: it forces every nested copy of serialize-javascript to 7.0.7 regardless of the range mocha declares.

Scope: test-only, not shipped

serialize-javascript is a transitive test dependency pulled by mocha for jsNodeTest / wasmJsBrowserTest. It never ships in the app binary or the published io.github.ber4444:chess-core artifact. The CVE (XSS via deserialized regex in non-Node environments) is also not exercisable in the headless node test runner.

Implementation (build.gradle.kts)

A doLast on the KGP rootPackageJson / wasmRootPackageJson tasks injects the resolutions field into the generated build/{js,wasm}/package.json after KGP writes it but before yarn resolves.

Why not KGP's kotlinYarn.resolution() extension? That extension's resolutions are snapshotted during rootPackageJson's configuration, before any subproject build script can register them — so the field never lands in the generated package.json. Patching the file in a doLast (which runs after generation, before the install/lock tasks that depend on rootPackageJson) is the reliable hook.

Verification

  • ./gradlew kotlinUpgradeYarnLock → lock now resolves serialize-javascript@7.0.7:
    serialize-javascript@7.0.7, serialize-javascript@^6.0.2:
      version "7.0.7"
    
  • ./gradlew :chess-core:jsNodeTest → ✅ passes (mocha 11.7.x is compatible with serialize-javascript 7.x)
  • Zero 6.x references remain in either kotlin-js-store/yarn.lock or kotlin-js-store/wasm/yarn.lock

ber4444 added 2 commits July 6, 2026 18:45
Dependabot flagged serialize-javascript@6.0.2 (High) in kotlin-js-store/yarn.lock.

Chain: mocha (Kotlin/JS test runner) -> serialize-javascript ^6.0.2 -> 6.0.2, which
carries CVE-2024-11831 / GHSA-76p7-773f-r4q5. The 6.x line ends at 6.0.2 (no patch),
and the fixes are only in 7.0.5+; mocha 11.x declares ^6.0.2 so a normal bump is
impossible. A yarn `resolutions` entry forces the transitive to 7.0.7.

This is a TEST-ONLY dependency (jsNodeTest / wasmJs test runner) — it never ships in
the app binary or the published chess-core artifact.

Implementation: a doLast on the KGP `rootPackageJson`/`wasmRootPackageJson` tasks
injects the resolution into build/{js,wasm}/package.json after KGP generates it but
before yarn resolves. KGP's `kotlinYarn.resolution()` extension can't be used because
its resolutions are snapshotted during rootPackageJson's configuration, before any
subproject can register them.

Verified: kotlinUpgradeYarnLock regenerates the lock with serialize-javascript@7.0.7;
:chess-core:jsNodeTest passes (mocha 11.7.x is compatible with serialize-javascript 7.x).
The previous fix injected the yarn resolution into both build/js/package.json and
build/wasm/package.json via doLast hooks on rootPackageJson + wasmRootPackageJson.
The wasm injection desynced the wasm lock on CI:

  > Task :kotlinWasmStoreYarnLock FAILED
  > Lock file was changed. Run the `kotlinWasmUpgradeYarnLock` task to actualize lock file

serialize-javascript/mocha are JS-test-only and don't appear in the wasm dependency
graph at all, so injecting a resolution there just perturbs yarn's validation. Scope
the doLast to rootPackageJson (build/js) only; the wasm lock stays untouched and
kotlinWasmStoreYarnLock validates cleanly.

Verified locally with a clean build dir: kotlinStoreYarnLock + kotlinWasmStoreYarnLock
both pass; JS lock resolves serialize-javascript@7.0.7; wasm lock byte-identical to main.
@ber4444 ber4444 merged commit 98cebb4 into main Jul 7, 2026
3 checks passed
@ber4444 ber4444 deleted the chore/bump-serialize-javascript branch July 7, 2026 05:47
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant