From ccc32083bab70eece1f7b9e81a50bb6fa5e208ee Mon Sep 17 00:00:00 2001
From: rcourtman
Date: Wed, 21 Jan 2026 19:38:29 +0000
Subject: [PATCH] security: fix seroval vulnerabilities (CVE-2025-*)

Override seroval to ^1.4.1 to fix 8 high-severity vulnerabilities:
- Remote Code Execution via JSON Deserialization
- Prototype Pollution via JSON Deserialization
- Denial of Service via Array/RegExp serialization
seroval is a transitive dependency from solid-js which pins ~1.3.0.
---
 frontend-modern/package-lock.json | 12 ++++++------
 frontend-modern/package.json | 4 ++++
 2 files changed, 10 insertions(+), 6 deletions(-)

diff --git a/frontend-modern/package-lock.json b/frontend-modern/package-lock.json
index e4e4d31dc..941223217 100644
--- a/frontend-modern/package-lock.json
+++ b/frontend-modern/package-lock.json
@@ -5234,9 +5234,9 @@
 }
 },
 "node_modules/seroval": {
- "version": "1.3.2",
- "resolved": "https://registry.npmjs.org/seroval/-/seroval-1.3.2.tgz",
- "integrity": "sha512-RbcPH1n5cfwKrru7v7+zrZvjLurgHhGyso3HTyGtRivGWgYjbOmGuivCQaORNELjNONoK35nj28EoWul9sb1zQ==",
+ "version": "1.4.2",
+ "resolved": "https://registry.npmjs.org/seroval/-/seroval-1.4.2.tgz",
+ "integrity": "sha512-N3HEHRCZYn3cQbsC4B5ldj9j+tHdf4JZoYPlcI4rRYu0Xy4qN8MQf1Z08EibzB0WpgRG5BGK08FTrmM66eSzKQ==",
 "license": "MIT",
 "peer": true,
 "engines": {
@@ -5244,9 +5244,9 @@
 }
 },
 "node_modules/seroval-plugins": {
- "version": "1.3.3",
- "resolved": "https://registry.npmjs.org/seroval-plugins/-/seroval-plugins-1.3.3.tgz",
- "integrity": "sha512-16OL3NnUBw8JG1jBLUoZJsLnQq0n5Ua6aHalhJK4fMQkz1lqR7Osz1sA30trBtd9VUDc2NgkuRCn8+/pBwqZ+w==",
+ "version": "1.4.2",
+ "resolved": "https://registry.npmjs.org/seroval-plugins/-/seroval-plugins-1.4.2.tgz",
+ "integrity": "sha512-X7p4MEDTi+60o2sXZ4bnDBhgsUYDSkQEvzYZuJyFqWg9jcoPsHts5nrg5O956py2wyt28lUrBxk0M0/wU8URpA==",
 "license": "MIT",
 "engines": {
 "node": ">=10"
diff --git a/frontend-modern/package.json b/frontend-modern/package.json
index b48ffc703..2faddfa3f 100644
--- a/frontend-modern/package.json
+++ b/frontend-modern/package.json
@@ -34,6 +34,10 @@
 "marked": "^17.0.1",
 "solid-js": "^1.8.0"
 },
+ "overrides": {
+ "seroval": "^1.4.1",
+ "seroval-plugins": "^1.4.1"
+ },
 "devDependencies": {
 "@solidjs/testing-library": "^0.8.5",
 "@tailwindcss/typography": "^0.5.19",
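Review bot: The new `overrides` block forces seroval and seroval-plugins to 1.4.x, outside the `~1.3.0` range that the commit message says solid-js pins, and nothing in the repository itself records why the override exists or when it can be dropped. package.json cannot carry comments, so I would add a line to the project's dependency or security notes, e.g. `overrides.seroval / seroval-plugins: security floor for the seroval advisories; remove once solid-js depends on a patched seroval`. Because the parent package declares a range that excludes 1.4.x, the code paths that serialize or hydrate data through solid-js are worth exercising in the test suite before release; whether this frontend uses those paths is not visible in the patch. Running `npm ls seroval seroval-plugins` after a clean `npm ci` would confirm that no nested 1.3.x copy remains in the installed tree.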