UID2-6676: upgrade serialize-javascript to fix GHSA-5c6j-r48x-rmvq RCE

[cYKatherine]

Summary

Fixes GHSA-5c6j-r48x-rmvq — a critical Remote Code Execution (RCE) vulnerability in the `serialize-javascript` npm package.

Severity: Critical (CWE-94: Code Injection)

Root cause: `RegExp.flags` and `Date.prototype.toISOString()` are interpolated into serialized output without sanitization. A crafted `RegExp` or `Date` object can break out of generated string literals, leading to arbitrary code execution when the output is deserialized.

Affected versions: `serialize-javascript <= 7.0.2` — Fixed in 7.0.3

Changes:

• `overrides.serialize-javascript`: (new) `^7.0.3`

Resolved in lockfile: `serialize-javascript@7.0.3`

Part of UID2-6676. Also affects: uid2-self-serve-portal, uid2-web-integrations.

Test plan

• CI builds and tests pass
• `npm audit` shows serialize-javascript vulnerability resolved

🤖 Generated with Claude Code