Update dependency serialize-javascript to v7

[mend-for-github-com]

This PR contains the following updates:

Package	Type	Update	Change
serialize-javascript	dependencies	major	^1.5.0 → ^7.0.0

By merging this PR, the issue #70 will be automatically resolved and closed:

Severity	CVSS Score	Vulnerability	Reachability
High	8.1	CVE-2020-7660	Reachable
Medium	5.9	CVE-2026-34043	Reachable
Medium	5.4	CVE-2024-11831	Reachable
Medium	4.2	CVE-2019-16769	Unreachable

---

Release Notes

yahoo/serialize-javascript (serialize-javascript)

v7.0.5

Compare Source

Fixes

• Improve robustness and validation for array-like object serialization.
• Fix an issue where certain object structures could lead to excessive CPU usage.

For more details, please see GHSA-qj8w-gfj5-8c6v.

v7.0.4

Compare Source

What's Changed

• release: v7.0.4 by @​okuryu in #​211

Full Changelog: yahoo/serialize-javascript@v7.0.3...v7.0.4

v7.0.3

Compare Source

• fix(CVE-2020-7660): fix for RegExp.flags and Date.prototype.toISOString (#​207) 2e609d0
• build(deps-dev): bump lodash from 4.17.21 to 4.17.23 (#​206) 42b7cdb

---

v7.0.2

Compare Source

What's Changed

• ci: bump GitHub Actions to latest versions by @​okuryu in #​203
• ci: setup trusted publishing workflow by @​okuryu in #​204
• release: v7.0.2 by @​okuryu in #​205

Full Changelog: yahoo/serialize-javascript@v7.0.1...v7.0.2

v7.0.1

Compare Source

What's Changed

• Add warning about using this package to send arbitrary data to worker threads by @​valadaptive in #​200
• security: sanitize function bodies by @​redonkulus in #​199
• docs: tweak README by @​okuryu in #​201
• release: v7.0.1 by @​okuryu in #​202

New Contributors

• @​redonkulus made their first contribution in #​199

Full Changelog: yahoo/serialize-javascript@v7.0.0...v7.0.1

v7.0.0

Compare Source

Breaking Changes

• requires Node.js v20+

What's Changed

• Bump mocha from 10.2.0 to 10.4.0 by @​dependabot[bot] in #​178
• Bump mocha from 10.4.0 to 10.5.2 by @​dependabot[bot] in #​183
• Bump nyc from 15.1.0 to 17.0.0 by @​dependabot[bot] in #​184
• Bump braces from 3.0.2 to 3.0.3 by @​dependabot[bot] in #​181
• Bump mocha from 10.5.2 to 10.7.0 by @​dependabot[bot] in #​185
• Bump mocha from 10.7.0 to 10.7.3 by @​dependabot[bot] in #​186
• Bump nyc from 17.0.0 to 17.1.0 by @​dependabot[bot] in #​187
• Bump mocha from 10.7.3 to 10.8.2 by @​dependabot[bot] in #​188
• feat: test on Node.js 22 and built-in test runner by @​okuryu in #​192
• Generate UID without randombytes dependency by @​valadaptive in #​196
• release: v7.0.0 by @​okuryu in #​197

New Contributors

• @​valadaptive made their first contribution in #​196

Full Changelog: yahoo/serialize-javascript@v6.0.2...v7.0.0

v6.0.2

Compare Source

• fix: serialize URL string contents to prevent XSS (#​173) f27d65d
• Bump @​babel/traverse from 7.10.1 to 7.23.7 (#​171) 02499c0
• docs: update readme with URL support (#​146) 0d88527
• chore: update node version and lock file e2a3a91
• fix typo (#​164) 5a1fa64

v6.0.1

Compare Source

What's Changed

• Bump mocha from 9.0.1 to 9.0.2 by @​dependabot in #​126
• Bump mocha from 9.0.2 to 9.0.3 by @​dependabot in #​127
• Bump path-parse from 1.0.6 to 1.0.7 by @​dependabot in #​129
• Bump mocha from 9.0.3 to 9.1.0 by @​dependabot in #​130
• Bump mocha from 9.1.0 to 9.1.1 by @​dependabot in #​131
• Bump mocha from 9.1.1 to 9.1.2 by @​dependabot in #​132
• Bump mocha from 9.1.2 to 9.1.3 by @​dependabot in #​133
• Bump mocha from 9.1.3 to 9.1.4 by @​dependabot in #​137
• Bump mocha from 9.1.4 to 9.2.0 by @​dependabot in #​138
• Bump chai from 4.3.4 to 4.3.6 by @​dependabot in #​140
• Bump ansi-regex from 5.0.0 to 5.0.1 by @​dependabot in #​141
• Bump mocha from 9.2.0 to 9.2.2 by @​dependabot in #​143
• Bump minimist from 1.2.5 to 1.2.6 by @​dependabot in #​144
• Bump mocha from 9.2.2 to 10.0.0 by @​dependabot in #​145
• Bump mocha from 10.0.0 to 10.1.0 by @​dependabot in #​149
• Bump chai from 4.3.6 to 4.3.7 by @​dependabot in #​150
• ci: test.yml - actions bump by @​piwysocki in #​151
• Bump minimatch from 3.0.4 to 3.1.2 by @​dependabot in #​152
• Bump mocha from 10.1.0 to 10.2.0 by @​dependabot in #​153
• Bump json5 from 2.1.3 to 2.2.3 by @​dependabot in #​155
• Fix serialization issue for 0n. by @​momocow in #​156
• Release v6.0.1 by @​okuryu in #​157

New Contributors

• @​piwysocki made their first contribution in #​151
• @​momocow made their first contribution in #​156

Full Changelog: yahoo/serialize-javascript@v6.0.0...v6.0.1

v6.0.0

Compare Source

Changelog

• Add support for URL's (#​123)
• Bump mocha from 9.0.0 to 9.0.1 (#​124)
• Bump mocha from 8.4.0 to 9.0.0 (#​121)
• Update Node.js CI matrix (#​122)
• Bump mocha from 8.3.2 to 8.4.0 (#​120)
• Bump lodash from 4.17.19 to 4.17.21 (#​119)
• Bump y18n from 4.0.0 to 4.0.1 (#​116)
• Bump chai from 4.3.3 to 4.3.4 (#​115)
• Bump mocha from 8.3.1 to 8.3.2 (#​114)
• Bump mocha from 8.3.0 to 8.3.1 (#​113)
• Bump chai from 4.3.1 to 4.3.3 (#​112)
• Bump chai from 4.2.0 to 4.3.1 (#​111)
• Bump mocha from 8.2.1 to 8.3.0 (#​109)
• Bump mocha from 8.1.3 to 8.2.1 (#​105)
• Drop Travis CI settings (#​100)
• Change default branch name to main (#​99)
• GitHub Aactions (#​98)

Behavior changes for URL objects

It serializes URL objects as follows since this version. The result of serialization may be changed if you are passing URL object values into the serialize-javascript.

const serialize = require("serialize-javascript");

serialize({u: new URL("http://example.com/")}); // '{"u":new URL("http://example.com/")}'

---

Thank you @​rrdelaney for this release.

v5.0.1

Compare Source

Changelog

• Exclude .vscode and .github directories from package (#​97)

v5.0.0

Compare Source

Changelog

• Bump mocha from 8.1.2 to 8.1.3 (#​96)
• Support sparse arrays (#​95)
• Bump mocha from 8.1.1 to 8.1.2 (#​94)
• Bump mocha from 8.1.0 to 8.1.1 (#​92)
• Create Dependabot config file (#​91)
• Bump mocha from 8.0.1 to 8.1.0 (#​90)
• Bump lodash from 4.17.15 to 4.17.19 (#​89)
• Bump mocha from 7.2.0 to 8.0.1 (#​88)

Behavior changes for sparse arrays

It serializes sparse arrays as follows since this version. The result of serialization may be changed if you are passing sparse arrays values into the serialize-javascript.

const serialize = require('serialize-javascript');

var a = [1, 2, 3, 4, 5, 6, 7, 8, 9, 10];
delete a[0];
a.length = 3;
a[5] = 'wat';
serialize(a) // 'Array.prototype.slice.call({"1":2,"2":3,"5":"wat","length":6})'

---

Thank you @​victorporof for this release.

v4.0.0

Compare Source

Changelog

• Bump nyc from 15.0.1 to 15.1.0 (#​85)
• support for bigint (#​80)

Behavior changes for BigInt

It serializes BigInt values as follows since this version. The result of serialization may be changed if you are passing BigInt values into the serialize-javascript.

v4.x:

const serialize = require('serialize-javascript');

serialize({big: BigInt('10')}); // '{"big":BigInt("10")}'

v3.x:

const serialize = require('serialize-javascript');

serialize({big: BigInt('10')}); // throws error

---

Thank you @​mum-never-proud for this release.

v3.1.0

Compare Source

• Bump mocha from 7.1.2 to 7.2.0 (#​83)
• Bump mocha from 7.1.1 to 7.1.2 (#​82)
• Bump nyc from 15.0.0 to 15.0.1 (#​81)
• Don't replace regex / function placeholders within string literals (#​79)
• [Security] Bump minimist from 1.2.0 to 1.2.5 (#​78)
• Bump mocha from 7.1.0 to 7.1.1 (#​77)
• Bump mocha from 7.0.1 to 7.1.0 (#​74)
• Update example in README (#​73)

Note: the randombytes has been added to the dependency package to improve the generation of UIDs. Check the #​22 for more information. Thanks to @​JordanMilne and @​Siebes for this change.

v3.0.0

Compare Source

• Introduce support for Infinity (@​vthibault, #​72)
• Bump mocha from 7.0.0 to 7.0.1 (#​71)
• Test on Node.js v12 (@​okuryu, #​70)
• Bump mocha from 6.2.2 to 7.0.0 (#​69)
• Bump nyc from 14.1.1 to 15.0.0 (#​68)

Behavior changes for Infinity

It serializes Infinity values as follows since this version. The result of serialization may be changed if you are passing Infinity values into the serialize-javascript.

v3.x

const serialize = require('serialize-javascript');

serialize({inf: Infinity}); // '{"inf":Infinity}'

v2.x

const serialize = require('serialize-javascript');

serialize({inf: Infinity}); // '{"inf":null}'

v2.1.2

Compare Source

• Ignore .nyc_output (@​styfle, #​64)

v2.1.1

Compare Source

• Fix regular expressions Cross-Site Scripting (XSS) vulnerability (see security advisory)
• Migrate to nyc from istanbul

v2.1.0

Compare Source

• Add ignoreFunction option (@​realdennis, #​58)

v2.0.0

Compare Source

• re-landed #​54 with bump major version (see: #​57)

Behavior changes for undefined

It serializes undefined values as follows since this version. The result of serialization may be changed if you are passing undefined values into the serialize-javascript.

v2.x

const serialize = require('serialize-javascript');

serialize({undef: undefined}); // '{"undef":undefined}'

v1.x

const serialize = require('serialize-javascript');

serialize({undef: undefined}); // '{}'

v1.9.1

Compare Source

• Revert #​54 for breaking changes (see: #​57)
• Bump mocha from 5.2.0 to 6.2.0 (#​56)

v1.9.0

Compare Source

• support serialize undefined (@​nqdy666, #​54)
• Update Node.js versions to tests

v1.8.0

Compare Source

• Enhanced object literals don't have arrows (@​jowenjowen, #​51)

---

• If you want to rebase/retry this PR, check this box