fix(deps): force serialize-javascript to 7.0.7 (CVE-2024-11831)#75
Merged
Conversation
Dependabot flagged serialize-javascript@6.0.2 (High) in kotlin-js-store/yarn.lock. Chain: mocha (Kotlin/JS test runner) -> serialize-javascript ^6.0.2 -> 6.0.2, which carries CVE-2024-11831 / GHSA-76p7-773f-r4q5. The 6.x line ends at 6.0.2 (no patch), and the fixes are only in 7.0.5+; mocha 11.x declares ^6.0.2 so a normal bump is impossible. A yarn `resolutions` entry forces the transitive to 7.0.7. This is a TEST-ONLY dependency (jsNodeTest / wasmJs test runner) — it never ships in the app binary or the published chess-core artifact. Implementation: a doLast on the KGP `rootPackageJson`/`wasmRootPackageJson` tasks injects the resolution into build/{js,wasm}/package.json after KGP generates it but before yarn resolves. KGP's `kotlinYarn.resolution()` extension can't be used because its resolutions are snapshotted during rootPackageJson's configuration, before any subproject can register them. Verified: kotlinUpgradeYarnLock regenerates the lock with serialize-javascript@7.0.7; :chess-core:jsNodeTest passes (mocha 11.7.x is compatible with serialize-javascript 7.x).
The previous fix injected the yarn resolution into both build/js/package.json and build/wasm/package.json via doLast hooks on rootPackageJson + wasmRootPackageJson. The wasm injection desynced the wasm lock on CI: > Task :kotlinWasmStoreYarnLock FAILED > Lock file was changed. Run the `kotlinWasmUpgradeYarnLock` task to actualize lock file serialize-javascript/mocha are JS-test-only and don't appear in the wasm dependency graph at all, so injecting a resolution there just perturbs yarn's validation. Scope the doLast to rootPackageJson (build/js) only; the wasm lock stays untouched and kotlinWasmStoreYarnLock validates cleanly. Verified locally with a clean build dir: kotlinStoreYarnLock + kotlinWasmStoreYarnLock both pass; JS lock resolves serialize-javascript@7.0.7; wasm lock byte-identical to main.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Resolves the Dependabot alert:
serialize-javascript@6.0.2(High) inkotlin-js-store/yarn.lock.serialize-javascript6.0.2❌7.0.7✅The chain
mocha(Kotlin/JS test runner) →serialize-javascript@^6.0.2→ resolved6.0.2, which carries CVE-2024-11831 (XSS, High).Why a forced resolution
6.xline ends at6.0.2— there's no patched 6.x release.7.0.5+.11.7.xdeclares^6.0.2, so it won't accept7.xvia a normal bump.12.xbeta/RC (the only line pulling^7.0.2) isn't an option.A yarn
resolutionsentry is the supported escape hatch: it forces every nested copy ofserialize-javascriptto7.0.7regardless of the range mocha declares.Scope: test-only, not shipped
serialize-javascriptis a transitive test dependency pulled by mocha forjsNodeTest/wasmJsBrowserTest. It never ships in the app binary or the publishedio.github.ber4444:chess-coreartifact. The CVE (XSS via deserialized regex in non-Node environments) is also not exercisable in the headless node test runner.Implementation (
build.gradle.kts)A
doLaston the KGProotPackageJson/wasmRootPackageJsontasks injects theresolutionsfield into the generatedbuild/{js,wasm}/package.jsonafter KGP writes it but before yarn resolves.Why not KGP's
kotlinYarn.resolution()extension? That extension's resolutions are snapshotted duringrootPackageJson's configuration, before any subproject build script can register them — so the field never lands in the generatedpackage.json. Patching the file in adoLast(which runs after generation, before the install/lock tasks that depend onrootPackageJson) is the reliable hook.Verification
./gradlew kotlinUpgradeYarnLock→ lock now resolvesserialize-javascript@7.0.7:./gradlew :chess-core:jsNodeTest→ ✅ passes (mocha 11.7.x is compatible with serialize-javascript 7.x)6.xreferences remain in eitherkotlin-js-store/yarn.lockorkotlin-js-store/wasm/yarn.lock