Skip to content

Bump serialize-javascript and webpack#97

Open
dependabot[bot] wants to merge 1 commit intomasterfrom
dependabot/npm_and_yarn/multi-433ff03fb3
Open

Bump serialize-javascript and webpack#97
dependabot[bot] wants to merge 1 commit intomasterfrom
dependabot/npm_and_yarn/multi-433ff03fb3

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot bot commented on behalf of github Mar 29, 2026

Removes serialize-javascript. It's no longer used after updating ancestor dependency webpack. These dependencies need to be updated together.

Removes serialize-javascript

Updates webpack from 4.36.1 to 5.105.4

Release notes

Sourced from webpack's releases.

v5.105.4

Patch Changes

  • Add Module.getSourceBasicTypes to distinguish basic source types and clarify how modules with non-basic source types like remote still produce JavaScript output. (by @​xiaoxiaojx in #20546)

  • Handle createRequire in expressions. (by @​alexander-akait in #20549)

  • Fixed types for multi stats. (by @​alexander-akait in #20556)

  • Remove empty needless js output for normal css module. (by @​JSerFeng in #20162)

  • Update enhanced-resolve to support new features for tsconfig.json. (by @​alexander-akait in #20555)

  • Narrows export presence guard detection to explicit existence checks on namespace imports only, i.e. patterns like "x" in ns. (by @​hai-x in #20561)

v5.105.3

Patch Changes

  • Context modules now handle rejections correctly. (by @​alexander-akait in #20455)

  • Only mark asset modules as side-effect-free when experimental.futureDefaults is set to true, so asset-copying use cases (e.g. import "./x.png") won’t break unless the option is enabled. (by @​hai-x in #20535)

  • Add the missing webpack_exports declaration in certain cases when bundling a JS entry together with non-JS entries (e.g., CSS entry or asset module entry). (by @​hai-x in #20463)

  • Fixed HMR failure for CSS modules with @​import when exportType !== "link". When exportType is not "link", CSS modules now behave like JavaScript modules and don't require special HMR handling, allowing @​import CSS to work correctly during hot module replacement. (by @​xiaoxiaojx in #20514)

  • Fixed an issue where empty JavaScript files were generated for CSS-only entry points. The code now correctly checks if entry modules have JavaScript source types before determining whether to generate a JS file. (by @​xiaoxiaojx in #20454)

  • Do not crash when a referenced chunk is not a runtime chunk. (by @​alexander-akait in #20461)

  • Fix some types. (by @​alexander-akait in #20412)

  • Ensure that missing module error are thrown after the interception handler (if present), allowing module interception to customize the module factory. (by @​hai-x in #20510)

  • Added createRequire support for ECMA modules. (by @​stefanbinoj in #20497)

  • Added category for CJS reexport dependency to fix issues with ECMA modules. (by @​hai-x in #20444)

  • Implement immutable bytes for bytes import attribute to match tc39 spec. (by @​alexander-akait in #20481)

  • Fixed deterministic search for graph roots regardless of edge order. (by @​veeceey in #20452)

v5.105.2

Patch Changes

v5.105.1

Patch Changes

... (truncated)

Changelog

Sourced from webpack's changelog.

5.105.4

Patch Changes

  • Add Module.getSourceBasicTypes to distinguish basic source types and clarify how modules with non-basic source types like remote still produce JavaScript output. (by @​xiaoxiaojx in #20546)

  • Handle createRequire in expressions. (by @​alexander-akait in #20549)

  • Fixed types for multi stats. (by @​alexander-akait in #20556)

  • Remove empty needless js output for normal css module. (by @​JSerFeng in #20162)

  • Update enhanced-resolve to support new features for tsconfig.json. (by @​alexander-akait in #20555)

  • Narrows export presence guard detection to explicit existence checks on namespace imports only, i.e. patterns like "x" in ns. (by @​hai-x in #20561)

5.105.3

Patch Changes

  • Context modules now handle rejections correctly. (by @​alexander-akait in #20455)

  • Only mark asset modules as side-effect-free when experimental.futureDefaults is set to true, so asset-copying use cases (e.g. import "./x.png") won’t break unless the option is enabled. (by @​hai-x in #20535)

  • Add the missing webpack_exports declaration in certain cases when bundling a JS entry together with non-JS entries (e.g., CSS entry or asset module entry). (by @​hai-x in #20463)

  • Fixed HMR failure for CSS modules with @​import when exportType !== "link". When exportType is not "link", CSS modules now behave like JavaScript modules and don't require special HMR handling, allowing @​import CSS to work correctly during hot module replacement. (by @​xiaoxiaojx in #20514)

  • Fixed an issue where empty JavaScript files were generated for CSS-only entry points. The code now correctly checks if entry modules have JavaScript source types before determining whether to generate a JS file. (by @​xiaoxiaojx in #20454)

  • Do not crash when a referenced chunk is not a runtime chunk. (by @​alexander-akait in #20461)

  • Fix some types. (by @​alexander-akait in #20412)

  • Ensure that missing module error are thrown after the interception handler (if present), allowing module interception to customize the module factory. (by @​hai-x in #20510)

  • Added createRequire support for ECMA modules. (by @​stefanbinoj in #20497)

  • Added category for CJS reexport dependency to fix issues with ECMA modules. (by @​hai-x in #20444)

  • Implement immutable bytes for bytes import attribute to match tc39 spec. (by @​alexander-akait in #20481)

  • Fixed deterministic search for graph roots regardless of edge order. (by @​veeceey in #20452)

5.105.2

Patch Changes

... (truncated)

Commits
  • 27c13b4 chore(release): new release (#20550)
  • 9b2f41e chore: bump terser plugin (#20569)
  • eafe060 fix: narrow the export presence guard detection (#20561)
  • 75d605c refactor: add AppendOnlyStackedSet iteration support and tests (#20560)
  • afa607d refactor: remove unused code (#20562)
  • 4098902 test: add source files for web-webworker and web-webworker-auto-public-path (...
  • f97be67 refactor: fix duplicated word in Compilation JSDoc (#20547)
  • 9d76fff refactor: add Module.getSourceBasicTypes for basic JS type detection (#20546)
  • a3d7839 fix: types for multi stats (#20556)
  • b8e9b05 fix: update enhanced-resolve to support new features for tsconfig.json (#...
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for webpack since your current version.

Install script changes

This version adds prepare script that runs during installation. Review the package contents before updating.


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

@dependabot
Bump serialize-javascript and webpack
ec5f1be 
Removes [serialize-javascript](https://github.com/yahoo/serialize-javascript). It's no longer used after updating ancestor dependency [webpack](https://github.com/webpack/webpack). These dependencies need to be updated together.


Removes `serialize-javascript`

Updates `webpack` from 4.36.1 to 5.105.4
- [Release notes](https://github.com/webpack/webpack/releases)
- [Changelog](https://github.com/webpack/webpack/blob/main/CHANGELOG.md)
- [Commits](webpack/webpack@v4.36.1...v5.105.4)

---
updated-dependencies:
- dependency-name: serialize-javascript
  dependency-version: 
  dependency-type: indirect
- dependency-name: webpack
  dependency-version: 5.105.4
  dependency-type: direct:development
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Mar 29, 2026
@dg-appsec-cxone
Copy link
Copy Markdown

dg-appsec-cxone commented Mar 29, 2026

Logo
Checkmarx One – Scan Summary & Details7dba0d76-07e9-4e5b-ae32-f723614a6ea6

New Issues (21) Checkmarx found the following issues in this Pull Request
# Severity Issue Source File / Package Checkmarx Insight
1 HIGH CVE-2025-66418 Python-urllib3-1.26.20
detailsRecommended version: 2.6.3
Description: urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.24 and prior to 2.6.0, the number of links in the decompression ch...
Attack Vector: NETWORK
Attack Complexity: LOW
Vulnerable Package
2 HIGH CVE-2025-66471 Python-urllib3-1.26.20
detailsRecommended version: 2.6.3
Description: urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.0 and prior to 2.6.0, the Streaming API improperly handles highly ...
Attack Vector: NETWORK
Attack Complexity: LOW
Vulnerable Package
3 HIGH CVE-2026-0775 Npm-npm-6.14.9
detailsRecommended version: 10.9.5
Description: npm cli Incorrect Permission Assignment Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges ...
Attack Vector: LOCAL
Attack Complexity: HIGH
Vulnerable Package
4 HIGH CVE-2026-21441 Python-urllib3-1.26.20
detailsRecommended version: 2.6.3
Description: urllib3 is an HTTP client library for Python. urllib3's streaming API is designed for the efficient handling of large HTTP responses by reading the...
Attack Vector: NETWORK
Attack Complexity: LOW
Vulnerable Package
5 HIGH CVE-2026-23745 Npm-tar-4.4.13
detailsRecommended version: 7.5.11
Description: node-tar is a Tar for Node.js. The node-tar library versions through 7.5.2 fail to sanitize the "linkpath" of Link (hardlink) and Symbolic Link ent...
Attack Vector: LOCAL
Attack Complexity: LOW
Vulnerable Package
6 HIGH CVE-2026-24842 Npm-tar-4.4.13
detailsRecommended version: 7.5.11
Description: node-tar, a Tar for Node.js, contains a vulnerability in versions prior to 7.5.7 where the security check for hardlink entries uses different path ...
Attack Vector: NETWORK
Attack Complexity: LOW
Vulnerable Package
7 HIGH CVE-2026-26960 Npm-tar-4.4.13
detailsRecommended version: 7.5.11
Description: "tar.extract()" in Node tar allows an attacker-controlled archive to create a hardlink inside the extraction directory that points to a file outsid...
Attack Vector: LOCAL
Attack Complexity: LOW
Vulnerable Package
8 HIGH CVE-2026-26996 Npm-minimatch-3.0.4
detailsRecommended version: 3.1.4
Description: minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. Versions prior to 3.1.3, 4.0.0 prior to 4.2...
Attack Vector: NETWORK
Attack Complexity: LOW
Vulnerable Package
9 HIGH CVE-2026-27903 Npm-minimatch-3.0.4
detailsRecommended version: 3.1.4
Description: minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. All versions starting from 3.0.0 and prior ...
Attack Vector: NETWORK
Attack Complexity: LOW
Vulnerable Package
10 HIGH CVE-2026-27904 Npm-minimatch-3.0.4
detailsRecommended version: 3.1.4
Description: minimatch is a minimal matching utility for converting glob expressions into JavaScript RegExp objects. All versions starting from 3.0.0 and prior ...
Attack Vector: NETWORK
Attack Complexity: LOW
Vulnerable Package
11 HIGH CVE-2026-29786 Npm-tar-4.4.13
detailsRecommended version: 7.5.11
Description: node-tar is a full-featured Tar for Node.js. Prior to version 7.5.10, tar can be tricked into creating a hardlink that points outside the extractio...
Attack Vector: LOCAL
Attack Complexity: LOW
Vulnerable Package
12 HIGH CVE-2026-31802 Npm-tar-4.4.13
detailsRecommended version: 7.5.11
Description: node-tar is a full-featured Tar for Node.js. Prior to version 7.5.11, tar (npm) can be tricked into creating a symlink that points outside the extr...
Attack Vector: LOCAL
Attack Complexity: LOW
Vulnerable Package
13 HIGH CVE-2026-32141 Npm-flatted-2.0.2
detailsRecommended version: 3.4.2
Description: flatted is a circular JSON parser. Prior to 3.4.0, flatted's "parse()" function uses a recursive "revive()" phase to resolve circular references in...
Attack Vector: NETWORK
Attack Complexity: LOW
Vulnerable Package
14 HIGH CVE-2026-33228 Npm-flatted-2.0.2
detailsRecommended version: 3.4.2
Description: The "parse()" function in flatted can use attacker-controlled string values from the parsed JSON as direct array index keys, without validating t...
Attack Vector: NETWORK
Attack Complexity: LOW
Vulnerable Package
15 HIGH CVE-2026-4926 Npm-path-to-regexp-1.9.0
detailsRecommended version: 8.4.0
Description: A bad regular expression is generated any time you have multiple sequential optional groups (curly brace syntax), such as "{a}{b}{c}:z". The genera...
Attack Vector: NETWORK
Attack Complexity: LOW
Vulnerable Package
16 MEDIUM CVE-2025-13465 Npm-lodash-4.17.19
detailsRecommended version: 4.17.23
Description: Lodash versions from 4.0.0 through 4.17.22 are vulnerable to Prototype Pollution in the "_.unset" and "_.omit" functions. An attacker can pass craf...
Attack Vector: NETWORK
Attack Complexity: LOW
Vulnerable Package
17 MEDIUM CVE-2025-15284 Npm-qs-6.5.2
detailsRecommended version: 6.5.4
Description: Improper Input Validation vulnerability in qs (parse modules) versions prior to 6.14.1 allows HTTP Denial-of-Service (DoS). The "arrayLimit" option...
Attack Vector: NETWORK
Attack Complexity: LOW
Vulnerable Package
18 MEDIUM CVE-2025-64718 Npm-js-yaml-3.14.0
detailsRecommended version: 3.14.2
Description: js-yaml is a JavaScript YAML parser and dumper. In js-yaml versions through 3.14.1 and 4.x through 4.1.0, it's possible for an attacker to modify t...
Attack Vector: NETWORK
Attack Complexity: LOW
Vulnerable Package
19 MEDIUM CVE-2026-23950 Npm-tar-4.4.13
detailsRecommended version: 7.5.11
Description: node-tar,a Tar for Node.js, has a race condition vulnerability in versions through 7.5.3. This is due to an incomplete handling of Unicode path col...
Attack Vector: NETWORK
Attack Complexity: HIGH
Vulnerable Package
20 LOW CVE-2025-69873 Npm-ajv-6.12.2
detailsRecommended version: 6.14.0
Description: ajv (Another JSON Schema Validator) through version 8.17.1 is vulnerable to Regular Expression Denial of Service (ReDoS) when the "$data" option is...
Attack Vector: LOCAL
Attack Complexity: HIGH
Vulnerable Package
21 LOW CVE-2025-69873 Npm-ajv-6.12.6
detailsRecommended version: 6.14.0
Description: ajv (Another JSON Schema Validator) through version 8.17.1 is vulnerable to Regular Expression Denial of Service (ReDoS) when the "$data" option is...
Attack Vector: LOCAL
Attack Complexity: HIGH
Vulnerable Package
Fixed Issues (25) Great job! The following issues were fixed in this Pull Request
Severity Issue Source File / Package
CRITICAL CVE-2024-42461 Npm-elliptic-6.5.4
CRITICAL CVE-2024-48949 Npm-elliptic-6.5.4
CRITICAL CVE-2025-25200 Npm-koa-2.13.0
CRITICAL CVE-2025-6545 Npm-pbkdf2-3.1.1
CRITICAL CVE-2025-6547 Npm-pbkdf2-3.1.1
CRITICAL CVE-2025-9287 Npm-cipher-base-1.0.4
CRITICAL CVE-2025-9288 Npm-sha.js-2.4.11
CRITICAL Cx88b46a98-47a5 Npm-elliptic-6.5.4
HIGH CVE-2022-25858 Npm-terser-4.8.0
HIGH CVE-2023-46234 Npm-browserify-sign-4.2.0
HIGH CVE-2024-37890 Npm-ws-6.2.1
HIGH CVE-2024-45296 Npm-path-to-regexp-1.8.0
MEDIUM CVE-2021-23364 Npm-browserslist-4.16.0
MEDIUM CVE-2021-32640 Npm-ws-6.2.1
MEDIUM CVE-2022-0155 Npm-follow-redirects-1.12.1
MEDIUM CVE-2022-0536 Npm-follow-redirects-1.12.1
MEDIUM CVE-2023-26159 Npm-follow-redirects-1.12.1
MEDIUM CVE-2024-11831 Npm-serialize-javascript-3.1.0
MEDIUM CVE-2024-28849 Npm-follow-redirects-1.12.1
MEDIUM CVE-2024-42459 Npm-elliptic-6.5.4
MEDIUM CVE-2024-42460 Npm-elliptic-6.5.4
MEDIUM CVE-2025-32379 Npm-koa-2.13.0
MEDIUM CVE-2025-62595 Npm-koa-2.13.0
MEDIUM CVE-2025-8129 Npm-koa-2.13.0
LOW CVE-2024-48948 Npm-elliptic-6.5.4

Use @Checkmarx to interact with Checkmarx PR Assistant.
Examples:
@Checkmarx how are you able to help me?
@Checkmarx rescan this PR

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@dg-appsec-cxone