fix: override serialize-javascript to patched version (#26819)

## Summary
- Overrides `serialize-javascript@>=6 <7` to `^7.0.4` across all 13
workspaces to resolve a known security vulnerability
- No 6.x patch exists; 7.x is API-compatible (only breaking change is
Node.js >=20 requirement, which FluidFramework already meets)
- Removes the now-redundant `mocha>serialize-javascript@6.0.0` scoped
override in eslint-config-fluid (superseded by the broader override)
- Consumers affected: terser-webpack-plugin, copy-webpack-plugin, mocha
- Adds version-scoped override key to syncpack ignore list in
build-tools
- No code changes — config, lockfile, and override updates only

## Test plan
- [x] CI passes across all workspace pipelines
- [x] Link check passes (272,172 links, 0 errors)
- [x] No functional changes — overrides only affect transitive
dependency resolution

🤖 Generated with [Claude Code](https://claude.com/claude-code)

---------

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: frankmueller-msft

build-tools/package.json

@@ -156,7 +156,8 @@
 			"mdast-util-to-hast: overridden to ^13.2.1 to fix a known vulnerability (unsanitized class attribute injection).",
 			"simple-git: overridden to ^3.32.3 to resolve a CG alert.",
 			"diff: overridden to patched versions to resolve a known ReDoS vulnerability. diff@7.x has no fix so it is bumped to 8.0.3.",
-			"tar: overridden to ^7.5.11 to resolve multiple security vulnerabilities in tar 6.x (EOL, no backport)."
+			"tar: overridden to ^7.5.11 to resolve multiple security vulnerabilities in tar 6.x (EOL, no backport).",
+			"serialize-javascript: overridden to ^7.0.4 to resolve GHSA-5c6j-r48x-rmvq. No 6.x fix exists; 7.x is API-compatible (only drops Node <20 support)."
 		],
 		"overrides": {
 			"@types/glob>@types/minimatch": "~5.1.2",
@@ -184,7 +185,8 @@
 			"minimatch@>=7 <8": "^7.4.9",
 			"minimatch@>=8 <9": "^8.0.7",
 			"minimatch@>=9 <10": "^9.0.9",
-			"minimatch@>=10 <11": "^10.2.4"
+			"minimatch@>=10 <11": "^10.2.4",
+			"serialize-javascript@>=6 <7": "^7.0.4"
 		},
 		"updateConfig": {
 			"ignoreDependencies": [

build-tools/pnpm-lock.yaml

@@ -94,6 +94,7 @@ module.exports = {
 				"minimatch@>=8 <9",
 				"minimatch@>=9 <10",
 				"minimatch@>=10 <11",
+				"serialize-javascript@>=6 <7",
 				"oclif>@aws-sdk/client*",
 				"@types/glob>@types/minimatch",
 			],

build-tools/syncpack.config.cjs

@@ -78,22 +78,22 @@
 	},
 	"pnpm": {
 		"commentsOverrides": [
-			"serialize-javascript - CVE-2024-11831 impacts version 6.0.0 which is pinned by mocha 10.4.0, which in turn comes from mocha-multi-reporters 1.5.1 (which has no updated version at this time)",
 			"js-yaml: overridden to fix CVE-2025-64718 (prototype pollution via merge keys).",
 			"diff: overridden to patched version to resolve a known ReDoS vulnerability.",
-			"minimatch: overridden to patched versions to resolve known security vulnerabilities across all major version ranges."
+			"minimatch: overridden to patched versions to resolve known security vulnerabilities across all major version ranges.",
+			"serialize-javascript: overridden to ^7.0.4 to resolve GHSA-5c6j-r48x-rmvq and CVE-2024-11831. No 6.x fix exists; 7.x is API-compatible (only drops Node <20 support)."
 		],
 		"overrides": {
 			"diff@>=5 <6": "^5.2.2",
 			"js-yaml": "^4.1.1",
-			"mocha>serialize-javascript@6.0.0": "^6.0.2",
 			"minimatch@>=3 <4": "^3.1.5",
 			"minimatch@>=5 <6": "^5.1.9",
 			"minimatch@>=6 <7": "^6.2.3",
 			"minimatch@>=7 <8": "^7.4.9",
 			"minimatch@>=8 <9": "^8.0.7",
 			"minimatch@>=9 <10": "^9.0.9",
-			"minimatch@>=10 <11": "^10.2.4"
+			"minimatch@>=10 <11": "^10.2.4",
+			"serialize-javascript@>=6 <7": "^7.0.4"
 		},
 		"onlyBuiltDependencies": [
 			"esbuild",

common/build/eslint-config-fluid/package.json

@@ -54,7 +54,8 @@
 			"qs: overridden to ^6.15.0 to resolve a known vulnerability in older versions.",
 			"js-yaml: overridden to fix CVE-2025-64718 (prototype pollution via merge keys).",
 			"diff: overridden to patched version to resolve a known ReDoS vulnerability.",
-			"minimatch: overridden to patched versions to resolve known security vulnerabilities across all major version ranges."
+			"minimatch: overridden to patched versions to resolve known security vulnerabilities across all major version ranges.",
+			"serialize-javascript: overridden to ^7.0.4 to resolve GHSA-5c6j-r48x-rmvq. No 6.x fix exists; 7.x is API-compatible (only drops Node <20 support)."
 		],
 		"overrides": {
 			"diff@>=5 <6": "^5.2.2",
@@ -67,7 +68,8 @@
 			"minimatch@>=7 <8": "^7.4.9",
 			"minimatch@>=8 <9": "^8.0.7",
 			"minimatch@>=9 <10": "^9.0.9",
-			"minimatch@>=10 <11": "^10.2.4"
+			"minimatch@>=10 <11": "^10.2.4",
+			"serialize-javascript@>=6 <7": "^7.0.4"
 		}
 	}
 }

common/build/eslint-config-fluid/pnpm-lock.yaml

@@ -159,7 +159,8 @@
 			"js-yaml: overridden to fix a known vulnerability (prototype pollution via merge keys).",
 			"simple-git: overridden to ^3.32.3 to resolve a CG alert.",
 			"diff: overridden to patched versions to resolve a known ReDoS vulnerability.",
-			"tar: overridden to ^7.5.11 to resolve multiple security vulnerabilities in tar 6.x (EOL, no backport)."
+			"tar: overridden to ^7.5.11 to resolve multiple security vulnerabilities in tar 6.x (EOL, no backport).",
+			"serialize-javascript: overridden to ^7.0.4 to resolve GHSA-5c6j-r48x-rmvq. No 6.x fix exists; 7.x is API-compatible (only drops Node <20 support)."
 		],
 		"overrides": {
 			"diff@>=4 <5": "^4.0.4",
@@ -180,7 +181,8 @@
 			"minimatch@>=7 <8": "^7.4.9",
 			"minimatch@>=8 <9": "^8.0.7",
 			"minimatch@>=9 <10": "^9.0.9",
-			"minimatch@>=10 <11": "^10.2.4"
+			"minimatch@>=10 <11": "^10.2.4",
+			"serialize-javascript@>=6 <7": "^7.0.4"
 		},
 		"patchedDependencies": {
 			"@microsoft/api-extractor@7.52.11": "../../../patches/@microsoft__api-extractor@7.52.11.patch"