
[APS-18800] fix(security): upgrade serialize-javascript to 7.0.3 to fix RCE#1096

Open

karanshah-browserstack wants to merge 1 commit into master from security/fix-serialize-javascript-rce-aps-18800

Conversation

@karanshah-browserstack karanshah-browserstack commented May 7, 2026

Security Fix: APS-18800

Issue

`serialize-javascript` versions <= 7.0.4 are vulnerable to:

  • GHSA-5c6j-r48x-rmvq — Remote Code Execution (RCE) via `RegExp.flags` and `Date.prototype.toISOString()` — CVSS 8.1 (High)
  • GHSA-qj8w-gfj5-8c6v — CPU Exhaustion DoS via crafted array-like objects — CVSS 5.9 (Moderate)

Both affect the transitive dependency chain: `mocha@10.8.2` → `serialize-javascript@6.0.2`.

Fix Applied

Used npm's native `overrides` field (npm 7+) to pin `serialize-javascript` to `>=7.0.5`:

```json
"overrides": {
  "serialize-javascript": ">=7.0.5"
}
```

`serialize-javascript` is a transitive dependency (via `mocha`) so it cannot be bumped directly. The `overrides` field is the official npm mechanism for this — no third-party tools or preinstall hacks needed.

`mocha` is used only as the test runner (`nyc mocha 'test/**/*.js' ...`), not in any production code path invoked by end users of the CLI.

Verification

`npm ls serialize-javascript` confirms the override:
```
browserstack-cypress-cli@1.36.5
└─┬ mocha@10.8.2
  └── serialize-javascript@7.0.5 overridden
```

`npm audit` reports 0 vulnerabilities. Both GHSA-5c6j-r48x-rmvq and GHSA-qj8w-gfj5-8c6v are absent.

`package-lock.json` is regenerated at `lockfileVersion: 3` (npm 10 on Node 20, which is the current environment). This is expected and acceptable — the old lockfileVersion 1 was a legacy artifact.

Testing

Comparative regression test (same `npm test` command on both branches):

| Branch | Passing | Failing | Pending |
|---|---|---|---|
| master (baseline, ef06797) | 663 | 13 | 2 |
| this branch | 663 | 13 | 2 |

Failing tests are identical on both branches — pre-existing failures, not regressions from this change.

Jira Ticket

APS-18800

Checklist

  • Both CVEs addressed (GHSA-5c6j-r48x-rmvq CVSS 8.1, GHSA-qj8w-gfj5-8c6v CVSS 5.9)
  • `serialize-javascript@7.0.5` resolved via npm `overrides` — no third-party workarounds
  • `npm audit` reports 0 vulnerabilities
  • Test suite run on both branches; no regression (663 passing / 13 failing / 2 pending)
  • No production runtime change (mocha is test-only)
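As an added example (not code from this PR or the browserstack-cypress-cli project), the following Node script checks that an `overrides` entry has actually taken effect in a regenerated `package-lock.json` at `lockfileVersion: 3`: it collects every resolved copy of the package, hoisted or nested, and compares each one against the override range. The lockfile contents are constructed sample data, and only the `>=x.y.z` range form used in this PR is supported; both are assumptions of the example, not something the PR states.

```javascript
// Added example (not from the PR or the project): verify that an npm
// "overrides" entry took effect in a lockfileVersion 3 package-lock.json.
// Assumption: only the ">=x.y.z" override range form is supported here.

// Parse "major.minor.patch" into numbers; prerelease/build tags are ignored.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// Numeric comparison, so "10.0.0" sorts after "7.0.5" (string compare would not).
function compareVersions(a, b) {
  const [pa, pb] = [parseVersion(a), parseVersion(b)];
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

function satisfiesMinimum(version, range) {
  const m = /^>=\s*(\d+\.\d+\.\d+)$/.exec(range.trim());
  if (!m) throw new Error(`unsupported override range: ${range}`);
  return compareVersions(version, m[1]) >= 0;
}

// lockfileVersion 3 records every installed package under "packages", keyed by
// its on-disk path ("node_modules/a/node_modules/b"). An override must cover
// nested copies too, so every path ending in node_modules/<name> is collected.
function resolvedCopies(lock, name) {
  if (lock.lockfileVersion !== 3) throw new Error('expected lockfileVersion 3');
  const suffix = `node_modules/${name}`;
  return Object.entries(lock.packages)
    .filter(([p]) => p === suffix || p.endsWith(`/${suffix}`))
    .map(([p, meta]) => ({ path: p, version: meta.version }));
}

// Returns ok=true only when an override exists, at least one copy is installed,
// and no installed copy falls below the override's minimum version.
function checkOverride(pkgJson, lock, name) {
  const range = (pkgJson.overrides || {})[name];
  if (!range) return { ok: false, reason: `no override for ${name}`, copies: [], violations: [] };
  const copies = resolvedCopies(lock, name);
  const violations = copies.filter((c) => !satisfiesMinimum(c.version, range));
  return { ok: copies.length > 0 && violations.length === 0, range, copies, violations };
}

// Constructed sample inputs (not the real package.json / lockfiles from the PR).
const PKG_JSON = { overrides: { 'serialize-javascript': '>=7.0.5' } };

const LOCK_BEFORE = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'sample-cli', version: '1.0.0' },
    'node_modules/mocha': { version: '10.8.2', dev: true },
    'node_modules/mocha/node_modules/serialize-javascript': { version: '6.0.2', dev: true },
  },
};

// Override applied: the single copy is hoisted and satisfies the range.
const LOCK_AFTER = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'sample-cli', version: '1.0.0' },
    'node_modules/mocha': { version: '10.8.2', dev: true },
    'node_modules/serialize-javascript': { version: '7.0.5', dev: true },
  },
};

// Stale lockfile: a fixed hoisted copy plus a nested vulnerable copy left behind.
const LOCK_MIXED = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'sample-cli', version: '1.0.0' },
    'node_modules/serialize-javascript': { version: '7.0.5', dev: true },
    'node_modules/mocha': { version: '10.8.2', dev: true },
    'node_modules/mocha/node_modules/serialize-javascript': { version: '6.0.2', dev: true },
  },
};

for (const [label, lock] of [['before', LOCK_BEFORE], ['after', LOCK_AFTER], ['mixed', LOCK_MIXED]]) {
  const r = checkOverride(PKG_JSON, lock, 'serialize-javascript');
  console.log(`${label}: ${r.ok ? 'OK' : 'FAIL'} ${JSON.stringify(r.violations)}`);
}
```

Run it with `node check-override.js` (filename assumed); to use it against a real checkout, replace the constructed objects with `JSON.parse(fs.readFileSync(...))` of `package.json` and `package-lock.json`. The `mixed` case is the one worth keeping in CI: a lockfile that was not fully regenerated can carry a compliant hoisted copy alongside a nested copy that still resolves to the vulnerable version, and only a check over all copies reports it.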

…[APS-18800]

Fixes GHSA-5c6j-r48x-rmvq (RCE) and GHSA-qj8w-gfj5-8c6v (DoS) in the
transitive serialize-javascript dependency pulled in by mocha. Uses npm's
native `overrides` field — no third-party workarounds needed.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@karanshah-browserstack karanshah-browserstack force-pushed the security/fix-serialize-javascript-rce-aps-18800 branch from 37bfe34 to 21f71a0 on May 7, 2026 07:44
@Jimesh-browserstack Jimesh-browserstack left a comment

LGTM — Independent validation passes

Approving on behalf of APS-18800 (assignee). Re-ran the full validation locally on Node 20 / npm 10 with master as baseline.

Comparative regression test (npm test on both branches)

| Branch | serialize-javascript resolved | npm audit (high) | passing | failing | pending |
|---|---|---|---|---|---|
| master (ef06797, baseline) | 6.0.2 (vulnerable) | 3 high | 663 | 13 | 2 |
| this branch (21f71a0) | 7.0.5 overridden | 0 | 663 | 13 | 2 |

The 13 failures and 2 pendings are identical on both branches — pre-existing, not regressions from this change. Numbers match the PR description exactly.

Why this is the right fix

  • serialize-javascript is a transitive devDep (chain: mocha@10.8.2 → serialize-javascript); cannot be bumped directly. npm overrides is the correct mechanism.
  • mocha is the unit-test runner only (nyc mocha 'test/**/*.js'). No production code path under bin/ imports it. So no runtime surface area is affected, and a live BrowserStack session is not required to validate this change.
  • npm ls serialize-javascript confirms the override:
    browserstack-cypress-cli@1.36.5
    └─┬ mocha@10.8.2
      └── serialize-javascript@7.0.5 overridden
  • npm audit reports 0 vulnerabilities on this branch (vs. 3 high on master).
  • Both GHSA-5c6j-r48x-rmvq (RCE, CVSS 8.1) and GHSA-qj8w-gfj5-8c6v (DoS, CVSS 5.9) are resolved.

Notes

  • A second PR (#1097) with the same head SHA 21f71a0 was already merged into pre_prod ~30 seconds after this PR was opened, so the fix is propagated to pre-prod.
  • package-lock.json regenerates to lockfileVersion: 3 (npm 10 default). This is acceptable; the previous v1 was a legacy artifact.

Resolves: APS-18800
