security: fix seroval vulnerabilities (CVE-2025-*)

Override seroval to ^1.4.1 to fix 8 high-severity vulnerabilities:
- Remote Code Execution via JSON Deserialization
- Prototype Pollution via JSON Deserialization
- Denial of Service via Array/RegExp serialization

seroval is a transitive dependency from solid-js which pins ~1.3.0.
rcourtman
2026-01-21 19:38:29 +00:00
parent 643bc04dd9
commit ccc32083ba
2 changed files with 10 additions and 6 deletions


@@ -5234,9 +5234,9 @@
}
},
"node_modules/seroval": {
"version": "1.3.2",
"resolved": "https://registry.npmjs.org/seroval/-/seroval-1.3.2.tgz",
"integrity": "sha512-RbcPH1n5cfwKrru7v7+zrZvjLurgHhGyso3HTyGtRivGWgYjbOmGuivCQaORNELjNONoK35nj28EoWul9sb1zQ==",
"version": "1.4.2",
"resolved": "https://registry.npmjs.org/seroval/-/seroval-1.4.2.tgz",
"integrity": "sha512-N3HEHRCZYn3cQbsC4B5ldj9j+tHdf4JZoYPlcI4rRYu0Xy4qN8MQf1Z08EibzB0WpgRG5BGK08FTrmM66eSzKQ==",
"license": "MIT",
"peer": true,
"engines": {
@@ -5244,9 +5244,9 @@
}
},
"node_modules/seroval-plugins": {
"version": "1.3.3",
"resolved": "https://registry.npmjs.org/seroval-plugins/-/seroval-plugins-1.3.3.tgz",
"integrity": "sha512-16OL3NnUBw8JG1jBLUoZJsLnQq0n5Ua6aHalhJK4fMQkz1lqR7Osz1sA30trBtd9VUDc2NgkuRCn8+/pBwqZ+w==",
"version": "1.4.2",
"resolved": "https://registry.npmjs.org/seroval-plugins/-/seroval-plugins-1.4.2.tgz",
"integrity": "sha512-X7p4MEDTi+60o2sXZ4bnDBhgsUYDSkQEvzYZuJyFqWg9jcoPsHts5nrg5O956py2wyt28lUrBxk0M0/wU8URpA==",
"license": "MIT",
"engines": {
"node": ">=10"


@@ -34,6 +34,10 @@
"marked": "^17.0.1",
"solid-js": "^1.8.0"
},
"overrides": {
"seroval": "^1.4.1",
"seroval-plugins": "^1.4.1"
},
"devDependencies": {
"@solidjs/testing-library": "^0.8.5",
"@tailwindcss/typography": "^0.5.19",
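Review bot: The new `overrides` block forces `seroval` and `seroval-plugins` to `^1.4.1` underneath `solid-js`, which the commit description says pins `~1.3.0`, so the app now runs a seroval minor version that solid-js has not declared support for. Any path that serializes state through solid-js (server rendering or hydration, if this app uses them) should be exercised by tests before this ships. Because package.json cannot carry a comment, the reason for the override and its removal condition (solid-js raising its own seroval range) should be recorded in a tracking issue, with the specific advisory identifiers listed in place of `CVE-2025-*` so the fix can be audited later. A CI step such as `npm ls seroval seroval-plugins` would confirm that no 1.3.x copy remains in the installed tree and that the two packages stay on matching versions. The hunk shows only part of the file, so other override entries may exist outside it.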