fix: update webpack plugins to resolve serialize-javascript RCE (GHSA-5c6j-r48x-rmvq)#949

Closed
theluckystrike wants to merge 1 commit into ChatGPTBox-dev:master from theluckystrike:fix/serialize-javascript-rce

Conversation

@theluckystrike theluckystrike commented Mar 7, 2026

Summary

serialize-javascript versions ≤7.0.2 are vulnerable to Remote Code Execution via crafted RegExp.flags and Date.prototype.toISOString() (GHSA-5c6j-r48x-rmvq).

Two devDependencies pull in the vulnerable version:

  • css-minimizer-webpack-plugin (≤7.0.4) → serialize-javascript ≤7.0.2
  • terser-webpack-plugin (≤5.3.16) → serialize-javascript ≤7.0.2

Changes

  • Updated css-minimizer-webpack-plugin from ^5.0.1 to ^8.0.0
  • Added terser-webpack-plugin ^5.3.17 as a direct devDependency to override the transitive version from webpack

Verification

After these changes, npm audit no longer reports the serialize-javascript RCE vulnerability.

🤖 Generated with Claude Code

Summary by CodeRabbit

  • Chores
    • Updated development dependencies for build optimization and code compression tools to latest versions
  • Tests
    • Reformatted test assertions for improved code readability

…-5c6j-r48x-rmvq)

Update css-minimizer-webpack-plugin to ^8.0.0 and add terser-webpack-plugin
^5.3.17 to resolve serialize-javascript <=7.0.2 RCE vulnerability.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@qodo-code-review
Contributor

Review Summary by Qodo

Resolve serialize-javascript RCE vulnerability in webpack plugins

🐞 Bug fix


Walkthroughs

Description
• Update css-minimizer-webpack-plugin to ^8.0.0
• Add terser-webpack-plugin ^5.3.17 as direct devDependency
• Resolve serialize-javascript RCE vulnerability (GHSA-5c6j-r48x-rmvq)
• Minor formatting adjustment in test file
Diagram
flowchart LR
  A["Vulnerable Dependencies<br/>serialize-javascript ≤7.0.2"] -->|"Update"| B["css-minimizer-webpack-plugin ^8.0.0"]
  A -->|"Add Override"| C["terser-webpack-plugin ^5.3.17"]
  B -->|"Resolves"| D["GHSA-5c6j-r48x-rmvq RCE Fixed"]
  C -->|"Resolves"| D


File Changes

1. package.json Dependencies +2/-1

Update webpack plugins to fix RCE vulnerability

• Updated css-minimizer-webpack-plugin from ^5.0.1 to ^8.0.0
• Added terser-webpack-plugin ^5.3.17 as direct devDependency to override transitive vulnerable version
• Resolves serialize-javascript RCE vulnerability in both webpack plugins

2. tests/unit/services/apis/custom-api.test.mjs Formatting +4/-1

Format assertion call across multiple lines

• Reformatted assertion call to multi-line format for improved readability
• No functional changes to test logic


@qodo-code-review
Contributor

qodo-code-review bot commented Mar 7, 2026

Code Review by Qodo

🐞 Bugs (1) 📘 Rule violations (0) 📎 Requirement gaps (0)


Remediation recommended

1. Undocumented indirect dependency 🐞 Bug ⛨ Security
Description
terser-webpack-plugin is added as a direct devDependency, but the build config uses esbuild for JS
minification and never references Terser. This likely works as a transitive-vulnerability mitigation
today, but it’s easy for a future cleanup to remove the “unused” dependency and silently reintroduce
the vulnerable tree; prefer an explicit overrides pin and/or documentation.
Code

package.json[105]

+    "terser-webpack-plugin": "^5.3.17",
Evidence
The PR adds terser-webpack-plugin at the top level, but the webpack build’s
optimization.minimizer is explicitly configured to use EsbuildPlugin (with a comment noting it’s
faster than Terser) and CssMinimizerPlugin, so terser-webpack-plugin is not a direct code
dependency and its presence is non-obvious. The lockfile confirms webpack still declares a
dependency on terser-webpack-plugin (transitively) and that serialize-javascript is now resolved
to 7.0.4, indicating this is a dependency-tree mitigation rather than a code usage change.

package.json[96-106]
build.mjs[182-193]
package-lock.json[14156-14187]
package-lock.json[12678-12686]

Agent prompt
The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
`terser-webpack-plugin` is added as a direct devDependency but is not referenced by the build (which uses esbuild for JS minification). This is likely intended to influence webpack’s transitive dependency graph for a security fix, but it’s non-obvious and easy to accidentally remove later.

## Issue Context
- Webpack is installed and still declares a transitive dependency on `terser-webpack-plugin`.
- The build uses `EsbuildPlugin` for JS minification (not Terser).
- Today the lockfile resolves `serialize-javascript` to 7.0.4, but the mitigation should remain stable even after future dependency refactors.

## Fix Focus Areas
- package.json[1-110]

## Proposed changes
1. Add an explicit npm `overrides` section to pin patched versions (pick the narrowest pin that satisfies your audit policy), e.g.:
  - `"overrides": { "serialize-javascript": "^7.0.4" }`
  - optionally also pin `terser-webpack-plugin` if desired.
2. Optionally keep `terser-webpack-plugin` as a direct devDependency, but add a short note in a repo doc/changelog (since JSON can’t have comments) explaining it exists for security remediation, so it’s not removed as “unused.”


@coderabbitai
Contributor

coderabbitai bot commented Mar 7, 2026

No actionable comments were generated in the recent review. 🎉


📥 Commits

Reviewing files that changed from the base of the PR and between fade0ea and 33b2e51.

⛔ Files ignored due to path filters (1)
  • package-lock.json is excluded by !**/package-lock.json
📒 Files selected for processing (2)
  • package.json
  • tests/unit/services/apis/custom-api.test.mjs

📝 Walkthrough

Dependencies updated in package.json with css-minimizer-webpack-plugin bumped from v5 to v8 and terser-webpack-plugin added at v5.3.17. Test assertion in custom-api.test.mjs reformatted for multi-line clarity without functional changes.

Changes (cohort / files: summary)

  • Dependency Updates (package.json): upgraded css-minimizer-webpack-plugin to ^8.0.0 and added terser-webpack-plugin ^5.3.17 to devDependencies.
  • Test Formatting (tests/unit/services/apis/custom-api.test.mjs): reformatted test assertion to span multiple lines with explicit trailing comma; no logic changes.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Poem

🐰 Dependencies dance in versions new,
Webpack plugins shiny, fresh and true,
Test assertions neatly spread,
Code flows clear from tail to head!

🚥 Pre-merge checks: 3 passed

  • Description Check: ✅ Passed. Check skipped; CodeRabbit's high-level summary is enabled.
  • Title check: ✅ Passed. The title directly addresses the main objective: updating webpack plugins to fix a serialize-javascript RCE vulnerability (GHSA-5c6j-r48x-rmvq), which aligns perfectly with the changeset.
  • Docstring Coverage: ✅ Passed. No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


@gemini-code-assist

Summary of Changes

Hello, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request implements crucial security updates by addressing a Remote Code Execution vulnerability found in the serialize-javascript package. It achieves this by upgrading the css-minimizer-webpack-plugin and explicitly adding a newer version of terser-webpack-plugin to ensure all transitive dependencies are secure. The changes enhance the project's overall security posture.

Highlights

  • Security Fix: Addressed a Remote Code Execution (RCE) vulnerability in serialize-javascript (GHSA-5c6j-r48x-rmvq) by updating webpack plugins.
  • Dependency Update: Upgraded css-minimizer-webpack-plugin from ^5.0.1 to ^8.0.0.
  • Direct Dependency Addition: Added terser-webpack-plugin ^5.3.17 as a direct devDependency to override a vulnerable transitive version of serialize-javascript.


Changelog
  • package-lock.json
    • Updated css-minimizer-webpack-plugin to ^8.0.0.
    • Added terser-webpack-plugin ^5.3.17.
    • Updated various other transitive dependencies like @jest/schemas, @jest/types, @sinclair/typebox, ci-info, css-declaration-sorter, css-select, css-tree, css-what, cssnano, cssnano-preset-default, cssnano-utils, domutils, jest-util, jest-worker, lilconfig, mdn-data, nanoid, postcss, postcss-calc, postcss-colormin, postcss-convert-values, postcss-discard-comments, postcss-discard-duplicates, postcss-discard-empty, postcss-discard-overridden, postcss-merge-longhand, postcss-merge-rules, postcss-minify-font-values, postcss-minify-gradients, postcss-minify-params, postcss-minify-selectors, postcss-normalize-charset, postcss-normalize-display-values, postcss-normalize-positions, postcss-normalize-repeat-style, postcss-normalize-string, postcss-normalize-timing-functions, postcss-normalize-unicode, postcss-normalize-url, postcss-normalize-whitespace, postcss-ordered-values, postcss-reduce-initial, postcss-reduce-transforms, postcss-svgo, postcss-unique-selectors, serialize-javascript, source-map-js, stylehacks, svgo, terser-webpack-plugin, and removed nested chalk and supports-color entries.
  • package.json
    • Updated css-minimizer-webpack-plugin from ^5.0.1 to ^8.0.0.
    • Added terser-webpack-plugin with version ^5.3.17 as a direct devDependency.
  • tests/unit/services/apis/custom-api.test.mjs
    • Reformatted an assert.equal statement for better readability.
Activity
  • The pull request was initiated to resolve a critical Remote Code Execution vulnerability.
  • The author implemented dependency updates and explicit dependency additions to mitigate the vulnerability.
  • The changes were verified using npm audit to confirm the resolution of the RCE vulnerability.

@gemini-code-assist gemini-code-assist bot left a comment

Code Review

This pull request updates css-minimizer-webpack-plugin and adds terser-webpack-plugin to resolve a security vulnerability in the transitive dependency serialize-javascript. The changes are correct and effectively mitigate the vulnerability. I have one suggestion to use npm's overrides feature for terser-webpack-plugin for better dependency management clarity and maintainability.

"style-loader": "^4.0.0",
"thread-loader": "^4.0.4",
"webpack": "^5.92.1",
"terser-webpack-plugin": "^5.3.17",
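Review bot: the new `"terser-webpack-plugin"` entry is appended after `"webpack"`, breaking the alphabetical order that the neighbouring `style-loader`, `thread-loader`, `webpack` entries follow; move it up to sit between `style-loader` and `thread-loader`, and since the build does not reference Terser itself, consider expressing the pin in an `overrides` block instead so the reason for the entry is explicit and survives a later dependency cleanup.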

medium

For better maintainability and to more clearly express the intent of overriding a transitive dependency, consider using the overrides field in package.json instead of adding terser-webpack-plugin as a direct dependency. This is the recommended approach for such cases since npm v8.3.0, and it is supported by your project's configured Node.js version (>=22).

You would remove this line and add the following to your package.json:

"overrides": {
  "terser-webpack-plugin": "^5.3.17"
}

@theluckystrike
Author

Closing, apologies for the noise.

@PeterDaveHello
Member

Should be done in #944, thanks anyway.
