[agent] chore(deps): add overrides to force serialize-javascript>=7.0.5

[github-actions]

Summary

Adds an npm overrides entry to the root package.json to force all transitive instances of serialize-javascript to resolve to >=7.0.5, addressing two Dependabot security alerts.

Alerts addressed

• Alert chore(ci): bump packages #173 — GHSA-5c6j-r48x-rmvq: Serialize JavaScript vulnerable to RCE via RegExp.flags and Date.prototype.toISOString() (high, CVSS 8.1)
• Alert fix(signing-utils): fix artifact signing #199 — GHSA-qj8w-gfj5-8c6v / CVE-2026-34043: Serialize JavaScript CPU Exhaustion DoS via crafted array-like objects (medium, CVSS 5.9)

Why overrides?

Two direct (dev) dependencies pull in vulnerable versions of serialize-javascript:

Direct dependency	Pinned transitive version	Status
mocha@^8.4.0	5.0.1 (exact pin)	All mocha 8.x and even 10.x/11.x still ship serialize-javascript 6.x — no released version resolves to ≥7.0.5
terser-webpack-plugin@^5.3.x	^6.0.1	Latest 5.x still resolves to 6.0.2 — no released version resolves to ≥7.0.5

Since neither maintainer has shipped a release that clears these advisories, a manifest-version bump cannot remediate the vulnerability. The npm overrides field is the correct fallback per project policy.

Changes

• package.json: added "overrides": { "serialize-javascript": ">=7.0.5" }
• package-lock.json: updated — both instances of serialize-javascript (root and the formerly-nested terser-webpack-plugin copy) are now resolved to 7.0.5, with the duplicate nested copy removed via deduplication

Generated by Dependabot remediation agent · ● 1.2M · ◷

[coveralls]

Coverage is 78.321% — fix/serialize-javascript-security-3ebebf160494f817 into main. No base build found for main.