Context
mocha@11.7.5 depends on serialize-javascript@^6.0.2, which resolves to 6.0.2 — vulnerable to RCE via RegExp.flags and Date.prototype.toISOString() (GHSA-5c6j-r48x-rmvq).
Since no patched version of mocha is available, we added an npm override forcing serialize-javascript@^7.0.3 for mocha.
Action
Once mocha releases a version that depends on serialize-javascript@^7.0.3 natively, remove the override from package.json.
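An added example, not part of the original issue or of mocha's code: a Node.js check over a parsed `package-lock.json` and `package.json` that reports whether the installed serialize-javascript meets the 7.0.3 floor and whether mocha itself now declares it, which is the signal to remove the override. The function names, the sample data, and the shortcut of treating the first x.y.z in a range as its minimum are assumptions.

```javascript
// Added example: decide whether the mocha override is still needed.
const FLOOR = [7, 0, 3]; // serialize-javascript floor taken from the override in this issue

// Extract the first x.y.z found in a version or range string ("^6.0.2" -> [6, 0, 2]).
// Assumption: for simple caret/tilde ranges this is the range's minimum version.
function firstVersion(text) {
  const m = /(\d+)\.(\d+)\.(\d+)/.exec(text || "");
  return m ? m.slice(1, 4).map(Number) : null;
}

// True when version a >= version b, comparing major, minor, patch in order.
function atLeast(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] > b[i];
  }
  return true;
}

// lock: parsed package-lock.json (lockfileVersion 2 or 3); pkg: parsed package.json.
function overrideStatus(lock, pkg) {
  const packages = lock.packages || {};
  const mocha = packages["node_modules/mocha"] || {};
  // npm nests a copy under mocha when it cannot be hoisted; prefer that copy.
  const dep =
    packages["node_modules/mocha/node_modules/serialize-javascript"] ||
    packages["node_modules/serialize-javascript"] || {};
  const declared = firstVersion((mocha.dependencies || {})["serialize-javascript"]);
  const installed = firstVersion(dep.version);
  const override = ((pkg.overrides || {}).mocha || {})["serialize-javascript"];
  return {
    installedIsFixed: installed !== null && atLeast(installed, FLOOR),
    mochaDeclaresFixed: declared !== null && atLeast(declared, FLOOR), // override removable
    overridePresent: override !== undefined,
  };
}

// Constructed sample data mirroring the situation described in the issue.
const samplePkg = { overrides: { mocha: { "serialize-javascript": "^7.0.3" } } };
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "node_modules/mocha": { version: "11.7.5", dependencies: { "serialize-javascript": "^6.0.2" } },
    "node_modules/serialize-javascript": { version: "7.0.3" },
  },
};

console.log(overrideStatus(sampleLock, samplePkg));
```

Run in CI, a result with `mochaDeclaresFixed: true` and `overridePresent: true` marks the point at which the override can be deleted.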