fix(website): pin serialize-javascript and uuid via npm overrides

Resolves the two Dependabot alerts currently open against the website
lockfile:

- serialize-javascript: pin to ^7.0.5 (was 6.0.2 — high-severity RCE
  via RegExp.flags + Date.prototype.to*, plus medium-severity DoS)
- uuid: pin to ^14.0.0 (was 8.3.2 — medium buffer bounds check miss
  in v3/v5/v6 when buf is provided)

Lockfile regenerated against current main (not the stale lockfile
from the original PR — several Dependabot bumps for mermaid,
webpack-dev-server, @babel/plugin-transform-modules-systemjs,
fast-uri, lodash-es+langium, lodash, follow-redirects, and dompurify
have landed since #30036 was opened, so the website portion was
re-applied surgically on top of those).

Salvaged the website half of PR #30036. The TUI test half landed
on main separately, so this PR is web-only.
This commit is contained in:
stephenschoettler 2026-05-28 00:00:55 -07:00 committed by Teknium
parent 7b778db472
commit 0bf9b867cf
2 changed files with 17 additions and 31 deletions

@ -34,6 +34,10 @@
"@docusaurus/types": "3.9.2",
"typescript": "~5.6.2"
},
"overrides": {
"serialize-javascript": "^7.0.5",
"uuid": "^14.0.0"
},
"browserslist": {
"production": [
">0.5%",
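
Review bot: the two entries in the added "overrides" block use caret ranges ("^7.0.5", "^14.0.0"), so they set a minimum inside one major version rather than a pin as the commit message words it; the exact versions are held only by the lockfile. If a true pin is intended, use exact versions in the overrides, otherwise say "floor" in the message. Both overrides also force a major-version jump (6.0.2 to 7.x, 8.3.2 to 14.x per the commit message) onto transitive dependents that declared the older majors, so it is worth confirming with `npm ls serialize-javascript uuid` and a full website build that nothing consuming them breaks. Since package.json cannot carry comments, record somewhere (README or a tracking issue) why these overrides exist and when they can be dropped, so they do not outlive the upstream fixes.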