V17.4.10 — override serialize-javascript to ^7.0.5
Same shape as V17.4.9's qs override and V17.3.1's tough-cookie override. No runtime code changes.
## What was wrong

GitHub Dependabot failed on the latest serialize-javascript security advisory (run 26342003814) with `security_update_not_possible`:

```text
The latest possible version that can be installed is 6.0.2
The earliest fixed version is 7.0.5.
mocha@10.8.2 requires serialize-javascript@^6.0.2
```

The blocking constraint is `mocha`, which pins `serialize-javascript@^6.0.2` (caret range, ≥6.0.2 <7.0.0). And it's not just our mocha version: mocha@11.7.6 (the current latest stable) still pins `^6.0.2`. Only the mocha 12 betas use 7.x, and those aren't release-ready. So bumping mocha doesn't fix this.
## What V17.4.10 changes

One line in `package.json`:

```diff
  "overrides": {
    "tough-cookie": "^4.1.3",
    "qs": "^6.15.2",
+   "serialize-javascript": "^7.0.5"
  },
```

`npm install` then forces the transitive copy to resolve to 7.0.5:

```text
$ npm ls serialize-javascript
node-red-contrib-telegrambot@17.4.10
`-- mocha@10.8.2
  `-- serialize-javascript@7.0.5
```
## Risk

Low. `mocha` uses serialize-javascript only for its parallel-test reporter, to serialise test result objects between worker processes. The `serialize()` API didn't change shape across the 6→7 jump (the 7.0.0 release was a security tightening, not an API redesign). 232 tests pass unchanged under the override.
## Other changes in this commit

`npm-publish.yml`: 4-space indentation (was 2-space) and explicit `secrets.NPM_TOKEN` (was the case-insensitive `secrets.npm_token`). Functionally identical, clearer.
## npm registry side effect

Publishing V17.4.10 through the npm-publish workflow also restores the `latest` dist-tag to the newest version. Earlier today, the V17.4.7 and V17.4.8 backfill reruns (after the npm token was refreshed) published successfully, but `npm publish` always sets `latest` to whatever it just published, so V17.4.8's late backfill had demoted `latest` from 17.4.9 back to 17.4.8. The V17.4.10 publish bumps `latest` forward correctly.