fix(e2e): force patched serialize-javascript@7.0.5 via npm override

[timbortnik]

Summary

Resolves the Dependabot alert for serialize-javascript in the /e2e test harness.

serialize-javascript <7.0.5 has a high-severity RCE (GHSA-5c6j-r48x-rmvq) and a DoS

  @wdio/mocha-framework@9.28.0 → mocha@10.8.2 → serialize-javascript@^6.0.2

Mocha's ^6.0.2 ceiling blocks the patched 7.0.5, and Dependabot's only in-range
path would downgrade @wdio/mocha-framework to 6.1.17 (a major regression).

Fix

Add an npm overrides entry pinning serialize-javascript to ^7.0.5, keeping
@wdio/mocha-framework@9.28.0.

Why this is safe

• Dev-only — lives entirely in the /e2e harness; never in the shipped app.
• Path not exercised — mocha uses it only in buffered-worker-pool.js to serialize
  its own options for parallel workers (trusted local input), and wdio.conf.js runs
  maxInstances: 1 (no parallel workers).
• API-compatible — 7.0.0's only breaking change was dropping Node <20; CI runs Node 20+.
  Mocha's call signature is unchanged in 7.x.

Verification

• npm ci passes (exit 0) — same command CI runs.
• npm audit → 0 vulnerabilities.
• Tree confirms serialize-javascript@7.0.5 overridden, @wdio/mocha-framework@9.28.0 retained.

Summary by CodeRabbit

• Chores
  • Updated test infrastructure dependencies to improve stability and compatibility of end-to-end testing suite.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro Plus

Run ID: c6d846b4-e090-447d-b5d2-2c53febad340

📥 Commits

Reviewing files that changed from the base of the PR and between e1eeab7 and b4806ce.

⛔ Files ignored due to path filters (1)

• e2e/package-lock.json is excluded by !**/package-lock.json

📒 Files selected for processing (1)

• e2e/package.json

---

📝 Walkthrough

Walkthrough

e2e/package.json gains a top-level overrides block that forces serialize-javascript to ^7.0.5, along with inline comments explaining the override's purpose relative to the existing WebdriverIO/Mocha/Appium dependencies.

Changes

Dependency Override

Layer / File(s)	Summary
npm overrides for serialize-javascript e2e/package.json	Adds an overrides block pinning serialize-javascript to ^7.0.5 and inline comments describing the rationale within the e2e tooling stack.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title clearly and specifically describes the main change: adding an npm override to force serialize-javascript@7.0.5 in the e2e test configuration to address security vulnerabilities.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/e2e-serialize-javascript-cve

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}