Skip to content

Bump serialize-javascript and @rollup/plugin-terser in /src/native#126217

Open
dependabot[bot] wants to merge 2 commits intomainfrom
dependabot/npm_and_yarn/src/native/multi-6d4e7e967a
Open

Bump serialize-javascript and @rollup/plugin-terser in /src/native#126217
dependabot[bot] wants to merge 2 commits intomainfrom
dependabot/npm_and_yarn/src/native/multi-6d4e7e967a

Conversation

@dependabot
Copy link
Copy Markdown
Contributor

@dependabot dependabot bot commented on behalf of github Mar 27, 2026

Bumps serialize-javascript to 7.0.5 and updates ancestor dependency @rollup/plugin-terser. These dependencies need to be updated together.

Updates serialize-javascript from 6.0.2 to 7.0.5

Release notes

Sourced from serialize-javascript's releases.

v7.0.5

Fixes

  • Improve robustness and validation for array-like object serialization.
  • Fix an issue where certain object structures could lead to excessive CPU usage.

For more details, please see GHSA-qj8w-gfj5-8c6v.

v7.0.4

What's Changed

Full Changelog: yahoo/serialize-javascript@v7.0.3...v7.0.4

v7.0.3

  • fix(CVE-2020-7660): fix for RegExp.flags and Date.prototype.toISOString (#207) 2e609d0
  • build(deps-dev): bump lodash from 4.17.21 to 4.17.23 (#206) 42b7cdb

yahoo/serialize-javascript@v7.0.2...v7.0.3

v7.0.2

What's Changed

Full Changelog: yahoo/serialize-javascript@v7.0.1...v7.0.2

v7.0.1

What's Changed

New Contributors

Full Changelog: yahoo/serialize-javascript@v7.0.0...v7.0.1

v7.0.0

Breaking Changes

  • requires Node.js v20+

What's Changed

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for serialize-javascript since your current version.


Updates @rollup/plugin-terser from 0.4.4 to 1.0.0

Changelog

Sourced from @​rollup/plugin-terser's changelog.

v1.0.0

2026-03-05

Breaking Changes

  • terser!: upgrade serialize-javascript to v7 and node to v20 (#1968)
Commits
Maintainer changes

This version was pushed to npm by [GitHub Actions](https://www.npmjs.com/~GitHub Actions), a new releaser for @​rollup/plugin-terser since your current version.


Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

@dependabot
Bump serialize-javascript and @rollup/plugin-terser in /src/native
b616466 
Bumps [serialize-javascript](https://github.com/yahoo/serialize-javascript) to 7.0.5 and updates ancestor dependency [@rollup/plugin-terser](https://github.com/rollup/plugins/tree/HEAD/packages/terser). These dependencies need to be updated together.


Updates `serialize-javascript` from 6.0.2 to 7.0.5
- [Release notes](https://github.com/yahoo/serialize-javascript/releases)
- [Commits](yahoo/serialize-javascript@v6.0.2...v7.0.5)

Updates `@rollup/plugin-terser` from 0.4.4 to 1.0.0
- [Changelog](https://github.com/rollup/plugins/blob/master/packages/terser/CHANGELOG.md)
- [Commits](https://github.com/rollup/plugins/commits/beep-v1.0.0/packages/terser)

---
updated-dependencies:
- dependency-name: serialize-javascript
  dependency-version: 7.0.5
  dependency-type: indirect
- dependency-name: "@rollup/plugin-terser"
  dependency-version: 1.0.0
  dependency-type: direct:development
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot bot added dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code labels Mar 27, 2026
@github-actions github-actions bot added the area-codeflow for labeling automated codeflow label Mar 27, 2026
This was referenced Mar 28, 2026
Closed
Open
Open
Open
Open
Open
Open
Closed
@github-actions
Copy link
Copy Markdown
Contributor

github-actions bot commented Apr 12, 2026

🤖 Copilot Code Review — PR #126217

Note

This review was AI-generated by Copilot.

Holistic Assessment

Motivation: Justified — this is a standard Dependabot devDependency update bumping @rollup/plugin-terser (0.4.4 → 1.0.0) and its transitive dependency serialize-javascript (6.0.2 → 7.0.5). The update reduces the dependency tree by removing randombytes and safe-buffer, since serialize-javascript 7.x uses Node's built-in crypto module instead.

Approach: Correct — the changes are confined to src/native/package.json and src/native/package-lock.json, which is exactly the right scope for a dependency bump.

Summary: ✅ LGTM. This is a low-risk devDependency update with no .NET code changes, no public API changes, and no behavioral changes to the rollup build output. The major version bumps are compatible with the codebase's usage pattern. All findings are positive or informational.

Detailed Findings

✅ Dependency tree simplification

The update removes two transitive dependencies (randombytessafe-buffer) that are no longer needed. serialize-javascript 7.x uses Node's built-in crypto.randomUUID() instead of randombytes, which is more secure and reduces supply chain attack surface. Verified: randombytes and safe-buffer are absent from the updated lockfile.

✅ API compatibility verified

The codebase imports @rollup/plugin-terser via import terser from "@rollup/plugin-terser" (default import) in src/native/rollup.config.plugins.js:9 and calls it with terser({ ecma, compress, mangle }) — the standard rollup plugin API. The 0.4.4 → 1.0.0 bump for @rollup/plugin-* packages is typically a stability milestone without breaking API changes.

✅ Node.js engine requirement satisfied

Both updated packages now require node >= 20.0.0 (previously >= 14.0.0). The build pipeline (src/native/libs/Common/JavaScript/CMakeLists.txt:163) runs npm ci during the rollup build step. Modern CI environments satisfy this requirement.

💡 Lockfile integrity hashes use sha1 from Azure DevOps registry

Two lockfile entries (@rollup/plugin-terser, serialize-javascript) use sha1 integrity hashes instead of sha512. This is standard behavior when packages are resolved through the Azure DevOps npm registry rather than the public npm registry. Not a concern with this PR.

Generated by Code Review for issue #126217 ·

This was referenced Apr 12, 2026
Open
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@danmoseley danmoseley danmoseley approved these changes

Assignees

@dependabot dependabot[bot]

Labels

area-codeflow for labeling automated codeflow dependencies Pull requests that update a dependency file javascript Pull requests that update Javascript code

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@danmoseley