
chore(deps)!: upgrade serialize-javascript to v7 and node to v20 #650

Closed
dargmuesli wants to merge 1 commit into webpack:main from dargmuesli:chore/deps/serialize-javascript-v7

@dargmuesli

Summary

Upgrade serialize-javascript to v7 to resolve GHSA-5c6j-r48x-rmvq

What kind of change does this PR introduce?

Chore.
Resolves #644

Did you add tests for your changes?

no

Does this PR introduce a breaking change?

drop support for EOL node versions

If relevant, what needs to be documented once your changes are merged or what have you already documented?

Minimum support node js version maybe.

Use of AI

nope

BREAKING CHANGES: drop support for EOL node versions

@linux-foundation-easycla

linux-foundation-easycla bot commented Mar 1, 2026

CLA Signed
The committers listed above are authorized under a signed CLA.

  • ✅ login: dargmuesli / name: Jonas Thelemann (903594c)

Member

@evenstensberg evenstensberg left a comment

We need to discuss this because we try to support the oldest node versions, based on the fact that people use legacy deps. Thanks for the PR!

@olivier1980

> We need to discuss this because we try to support the oldest node versions, based on the fact that people use legacy deps. Thanks for the PR!

Is this package dead now because you can't do security upgrades because of legacy node?

@G-Rath

G-Rath commented Mar 2, 2026

I think one of the better paths forward would be for webpack to fork the package, though I'd be happy to do that if they'd prefer not to have it under their org

@jrmhaig

jrmhaig commented Mar 2, 2026

> We need to discuss this because we try to support the oldest node versions, based on the fact that people use legacy deps. Thanks for the PR!

Would it therefore make sense to create a new major version, 6, that drops support for older node versions and then, if support for older versions is necessary, backport any changes to version 5 as necessary?

@tats-u

tats-u commented Mar 2, 2026

You can bump the major version if you are careful of breaking changes.

@alexander-akait
Member

We can't, it is a breaking change for webpack.

@taylorreece

There's a PR to backport the fix to serialize-javascript v6 - might be worth waiting for that to deploy, and then bump this package's dep to the patched 6.x version: yahoo/serialize-javascript#209

@tats-u

tats-u commented Mar 2, 2026

I heard that npm does not respect the engines field when it selects a version of a package. We will not be able to avoid breaking changes.

@dargmuesli dargmuesli deleted the chore/deps/serialize-javascript-v7 branch March 3, 2026 16:52
Development

Successfully merging this pull request may close these issues.

serialise-javascript outdated!