Upgrade serialize-javascript to ≥7.0.4 to resolve high severity RCE vulnerability

[stephan-ansems]

Have you read the Contributing Guidelines on issues?

• I have read the Contributing Guidelines on issues.

Prerequisites

• I'm using the latest version of Docusaurus.
• I have tried the npm run clear or yarn clear command.
• I have tried rm -rf node_modules yarn.lock package-lock.json and re-installing packages.
• I have tried creating a repro with https://new.docusaurus.io.
• I have read the console error message carefully (if applicable).

Description

Running npm audit reports a high-severity vulnerability in serialize-javascript <= 7.0.2, which is susceptible to Remote Code Execution (RCE) via RegExp.flags and Date.prototype.toISOString().

The vulnerable package is introduced transitively through the Docusaurus/webpack toolchain (copy-webpack-plugin and css-minimizer-webpack-plugin).

Upgrade the dependency chain so that serialize-javascript is updated to at least 7.0.4, which resolves the issue.

Reference: GHSA-5c6j-r48x-rmvq

Reproducible demo

No response

Steps to reproduce

1. Update to the latest
2. Run npm audit
3. Run npm audit fix if you will, won't change anything

Expected behavior

I hoped no audit issues would show up.

Actual behavior

Instead i got this:

# npm audit report

serialize-javascript  <=7.0.2
Severity: high
Serialize JavaScript is Vulnerable to RCE via RegExp.flags and Date.prototype.toISOString() - https://github.com/advisories/GHSA-5c6j-r48x-rmvq
fix available via `npm audit fix --force`
Will install @docusaurus/core@3.5.2, which is a breaking change
node_modules/serialize-javascript
  copy-webpack-plugin  4.3.0 - 13.0.1
  Depends on vulnerable versions of serialize-javascript
  node_modules/copy-webpack-plugin
    @docusaurus/bundler  *
    Depends on vulnerable versions of copy-webpack-plugin
    Depends on vulnerable versions of css-minimizer-webpack-plugin
    node_modules/@docusaurus/bundler
      @docusaurus/core  <=0.0.0-6119 || 3.5.2-canary-6121 - 3.5.2-canary-6131 || >=3.6.0-canary-6132
      Depends on vulnerable versions of @docusaurus/bundler
      node_modules/@docusaurus/core
        @docusaurus/plugin-content-blog  <=0.0.0-6119 || 3.5.2-canary-6121 - 3.5.2-canary-6131 || >=3.6.0-canary-6132
        Depends on vulnerable versions of @docusaurus/core
        node_modules/@docusaurus/plugin-content-blog
        @docusaurus/plugin-content-docs  <=0.0.0-6119 || 3.5.2-canary-6121 - 3.5.2-canary-6131 || >=3.6.0-canary-6132
        Depends on vulnerable versions of @docusaurus/core
        node_modules/@docusaurus/plugin-content-docs
        @docusaurus/plugin-content-pages  <=0.0.0-6119 || 3.5.2-canary-6121 - 3.5.2-canary-6131 || >=3.6.0-canary-6132
        Depends on vulnerable versions of @docusaurus/core
        node_modules/@docusaurus/plugin-content-pages
        @docusaurus/plugin-css-cascade-layers  *
        Depends on vulnerable versions of @docusaurus/core
        node_modules/@docusaurus/plugin-css-cascade-layers
          @docusaurus/preset-classic  <=0.0.0-6119 || 3.5.2-canary-6121 - 3.5.2-canary-6131 || >=3.6.0-canary-6132
          Depends on vulnerable versions of @docusaurus/core
          Depends on vulnerable versions of @docusaurus/plugin-content-blog
          Depends on vulnerable versions of @docusaurus/plugin-content-docs
          Depends on vulnerable versions of @docusaurus/plugin-content-pages
          Depends on vulnerable versions of @docusaurus/plugin-css-cascade-layers
          Depends on vulnerable versions of @docusaurus/plugin-debug
          Depends on vulnerable versions of @docusaurus/plugin-google-analytics
          Depends on vulnerable versions of @docusaurus/plugin-google-gtag
          Depends on vulnerable versions of @docusaurus/plugin-google-tag-manager
          Depends on vulnerable versions of @docusaurus/plugin-sitemap
          Depends on vulnerable versions of @docusaurus/plugin-svgr
          Depends on vulnerable versions of @docusaurus/theme-classic
          Depends on vulnerable versions of @docusaurus/theme-search-algolia
          node_modules/@docusaurus/preset-classic
        @docusaurus/plugin-debug  <=0.0.0-6119 || 3.5.2-canary-6121 - 3.5.2-canary-6131 || >=3.6.0-canary-6132
        Depends on vulnerable versions of @docusaurus/core
        node_modules/@docusaurus/plugin-debug
        @docusaurus/plugin-google-analytics  <=0.0.0-6119 || 3.5.2-canary-6121 - 3.5.2-canary-6131 || >=3.6.0-canary-6132
        Depends on vulnerable versions of @docusaurus/core
        node_modules/@docusaurus/plugin-google-analytics
        @docusaurus/plugin-google-gtag  <=0.0.0-6119 || 3.5.2-canary-6121 - 3.5.2-canary-6131 || >=3.6.0-canary-6132
        Depends on vulnerable versions of @docusaurus/core
        node_modules/@docusaurus/plugin-google-gtag
        @docusaurus/plugin-google-tag-manager  <=0.0.0-6119 || 3.5.2-canary-6121 - 3.5.2-canary-6131 || >=3.6.0-canary-6132
        Depends on vulnerable versions of @docusaurus/core
        node_modules/@docusaurus/plugin-google-tag-manager
        @docusaurus/plugin-sitemap  <=0.0.0-6119 || 3.5.2-canary-6121 - 3.5.2-canary-6131 || >=3.6.0-canary-6132
        Depends on vulnerable versions of @docusaurus/core
        node_modules/@docusaurus/plugin-sitemap
        @docusaurus/plugin-svgr  *
        Depends on vulnerable versions of @docusaurus/core
        node_modules/@docusaurus/plugin-svgr
        @docusaurus/theme-classic  <=0.0.0-6119 || 3.5.2-canary-6121 - 3.5.2-canary-6131 || >=3.6.0-canary-6132
        Depends on vulnerable versions of @docusaurus/core
        Depends on vulnerable versions of @docusaurus/plugin-content-blog
        Depends on vulnerable versions of @docusaurus/plugin-content-docs
        Depends on vulnerable versions of @docusaurus/plugin-content-pages
        node_modules/@docusaurus/theme-classic
        @docusaurus/theme-search-algolia  <=0.0.0-6119 || 3.5.2-canary-6121 - 3.5.2-canary-6131 || >=3.6.0-canary-6132
        Depends on vulnerable versions of @docusaurus/core
        Depends on vulnerable versions of @docusaurus/plugin-content-docs
        node_modules/@docusaurus/theme-search-algolia
  css-minimizer-webpack-plugin  <=7.0.4
  Depends on vulnerable versions of serialize-javascript
  node_modules/css-minimizer-webpack-plugin

18 high severity vulnerabilities

To address issues that do not require attention, run:
  npm audit fix

To address all issues (including breaking changes), run:
  npm audit fix --force

Your environment

• Public source code:
• Public site URL:
• Docusaurus version used:
• Environment name and version (e.g. Chrome 89, Node.js 16.4):
• Operating system and version (e.g. Ubuntu 20.04.2 LTS):

Self-service

• I'd be willing to fix this bug myself.

[slorber]

We can't fix this issue without making a breaking change and upgrading the minimum Node version

webpack/copy-webpack-plugin#819

This will be solved for Docusaurus v4, unless they decide to backport the security fix to v6 (yahoo/serialize-javascript#209)

---

Note that we don't have a server runtime, and although tooling reports a severe RCE vulnerability, it's unlikely there's any real attack vector for Docusaurus users, unless your project is already compromised. Also, using Docusaurus Faster (Rspack) would opt-out of using the vulnerable packages, altough they remain installed.

[tats-u]

It's safe to override serialize-javascript v6 to v7 as long as you use Node 20+. The only breaking change in v7.0.0 is that it ditched Node 18 or prior. I wish all package managers provided a common method to override transitive dependencies. (create-docusaurus would be able to provide package.json with such a override)

[slorber]

This could eventually be resolved once we drop support for Node 20 after May 2026.

See also our node versioning policy: https://docusaurus.io/community/release-process#nodejs-support

[slorber]

I'll be able to partially fix this warning in #11924

However, our PWA plugin depends on Workbox, and we need them to upgrade as well: GoogleChrome/workbox#3470

@Docusaurus#plugin-pwa#workbox-build#@rollup#plugin-terser#serialize-javascript