fix(deps): update dependency serialize-javascript to v3 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
serialize-javascript	1.7.0 -> 3.1.0

GitHub Vulnerability Alerts

CVE-2019-16769

Versions of serialize-javascript prior to 2.1.1 are vulnerable to Cross-Site Scripting (XSS). The package fails to sanitize serialized regular expressions. This vulnerability does not affect Node.js applications.

Recommendation

Upgrade to version 2.1.1 or later.

CVE-2020-7660

serialize-javascript prior to 3.1.0 allows remote attackers to inject arbitrary code via the function "deleteFunctions" within "index.js".

An object such as {"foo": /1"/, "bar": "a\"@&#8203;__R-<UID>-0__@&#8203;"} was serialized as {"foo": /1"/, "bar": "a\/1"/}, which allows an attacker to escape the bar key. This requires the attacker to control the values of both foo and bar and guess the value of <UID>. The UID has a keyspace of approximately 4 billion making it a realistic network attack.

---

Release Notes

yahoo/serialize-javascript (serialize-javascript)

v3.1.0

Compare Source

• Bump mocha from 7.1.2 to 7.2.0 (#​83)
• Bump mocha from 7.1.1 to 7.1.2 (#​82)
• Bump nyc from 15.0.0 to 15.0.1 (#​81)
• Don't replace regex / function placeholders within string literals (#​79)
• [Security] Bump minimist from 1.2.0 to 1.2.5 (#​78)
• Bump mocha from 7.1.0 to 7.1.1 (#​77)
• Bump mocha from 7.0.1 to 7.1.0 (#​74)
• Update example in README (#​73)

Note: the randombytes has been added to the dependency package to improve the generation of UIDs. Check the #​22 for more information. Thanks to @​JordanMilne and @​Siebes for this change.

v3.0.0

Compare Source

• Introduce support for Infinity (@​vthibault, #​72)
• Bump mocha from 7.0.0 to 7.0.1 (#​71)
• Test on Node.js v12 (@​okuryu, #​70)
• Bump mocha from 6.2.2 to 7.0.0 (#​69)
• Bump nyc from 14.1.1 to 15.0.0 (#​68)

Behavior changes for Infinity

It serializes Infinity values as follows since this version. The result of serialization may be changed if you are passing Infinity values into the serialize-javascript.

v3.x

const serialize = require('serialize-javascript');

serialize({inf: Infinity}); // '{"inf":Infinity}'

v2.x

const serialize = require('serialize-javascript');

serialize({inf: Infinity}); // '{"inf":null}'

v2.1.2

Compare Source

• Ignore .nyc_output (@​styfle, #​64)

v2.1.1

Compare Source

• Fix regular expressions Cross-Site Scripting (XSS) vulnerability (see security advisory)
• Migrate to nyc from istanbul

v2.1.0

Compare Source

• Add ignoreFunction option (@​realdennis, #​58)

v2.0.0

Compare Source

• re-landed #​54 with bump major version (see: #​57)

Behavior changes for undefined

It serializes undefined values as follows since this version. The result of serialization may be changed if you are passing undefined values into the serialize-javascript.

v2.x

const serialize = require('serialize-javascript');

serialize({undef: undefined}); // '{"undef":undefined}'

v1.x

const serialize = require('serialize-javascript');

serialize({undef: undefined}); // '{}'

v1.9.1

Compare Source

• Revert #​54 for breaking changes (see: https://github.com/yahoo/serialize-javascript/issues/57)
• Bump mocha from 5.2.0 to 6.2.0 (#​56)

v1.9.0

Compare Source

• support serialize undefined (@​nqdy666, #​54)
• Update Node.js versions to tests

v1.8.0

Compare Source

• Enhanced object literals don't have arrows (@​jowenjowen, #​51)

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.