
Security: Makes sure serialize-javascript is at latest version #34034

Draft
50bbx wants to merge 1 commit into storybookjs:next from 50bbx:chore/upgrade-serialize-javascript

Conversation


@50bbx 50bbx commented Mar 6, 2026

What I did

Upgraded all necessary dependencies to bump serialize-javascript to address GHSA-5c6j-r48x-rmvq.

It required upgrading:

  • terser-webpack-plugin which used serialize-javascript directly
  • webpack which used terser-webpack-plugin
  • all @angular/* and @angular-devkit/* which used copy-webpack-plugin which used serialize-javascript

The changes in this PR are covered in the following automated tests:

  • stories
  • unit tests
  • integration tests
  • end-to-end tests

Manual testing

I am unable to run the yarn start script locally because of nx permission issues.

Documentation

  • Add or update documentation reflecting your changes
  • If you are deprecating/removing a feature, make sure to update
    MIGRATION.MD

Checklist for Maintainers

  • When this PR is ready for testing, make sure to add ci:normal, ci:merged or ci:daily GH label to it to run a specific set of sandboxes. The particular set of sandboxes can be found in code/lib/cli-storybook/src/sandbox-templates.ts

  • Make sure this PR contains one of the labels below:

    Available labels
    • bug: Internal changes that fixes incorrect behavior.
    • maintenance: User-facing maintenance tasks.
    • dependencies: Upgrading (sometimes downgrading) dependencies.
    • build: Internal-facing build tooling & test updates. Will not show up in release changelog.
    • cleanup: Minor cleanup style change. Will not show up in release changelog.
    • documentation: Documentation only changes. Will not show up in release changelog.
    • feature request: Introducing a new feature.
    • BREAKING CHANGE: Changes that break compatibility in some way with current major version.
    • other: Changes that don't fit in the above categories.

🦋 Canary release

This PR does not have a canary release associated. You can request a canary release of this pull request by mentioning the @storybookjs/core team here.

core team members can create a canary release here or locally with gh workflow run --repo storybookjs/storybook publish.yml --field pr=<PR_NUMBER>

Summary by CodeRabbit

Release Notes

  • Chores
    • Updated build tool dependencies (webpack, terser-webpack-plugin) across builder and framework packages.
    • Upgraded Angular framework packages to version 20.x with compatible tooling versions.
    • Adjusted dependency resolution configuration for improved package management.
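A check a reviewer of this PR (and of the walkthrough further down) would want, added here as an example and not part of the PR or of Storybook's own tooling: the advisory is only closed once every copy of serialize-javascript that the lockfile resolves is at a patched version, including the copies pulled in transitively through terser-webpack-plugin and copy-webpack-plugin. A resolutions entry in package.json forces that outcome, which is why the PR can drop it once the upgraded requesters ask for a fixed range on their own; either way, the yarn.lock left after yarn has run is the record of what is actually installed. The script below parses a yarn.lock (Yarn berry or classic layout), lists which entries request the package and which versions resolve, and flags any below a minimum. The sample lockfile embedded in it and the minimum version 6.0.2 are constructed for illustration and are not taken from the advisory; substitute the patched version that GHSA-5c6j-r48x-rmvq lists.

```javascript
// Added example, not Storybook code: scan a yarn.lock for every resolved copy
// of a package, list which entries request it, and flag copies below a minimum
// version. Accepts the Yarn berry layout (`version: 1.2.3`) and the classic
// layout (`version "1.2.3"`). SAMPLE_LOCK and MIN_VERSION are constructed for
// illustration; take the real patched version from the advisory.

const TARGET = "serialize-javascript";
const MIN_VERSION = "6.0.2"; // placeholder, not the advisory's fixed version

// Constructed berry-style sample: one requester still pulls an old range
// while terser-webpack-plugin already asks for the newer one.
const SAMPLE_LOCK = `
"copy-webpack-plugin@npm:^11.0.0":
  version: 11.0.0
  dependencies:
    serialize-javascript: "npm:^5.0.1"
  languageName: node
  linkType: hard

"serialize-javascript@npm:^5.0.1":
  version: 5.0.1
  languageName: node
  linkType: hard

"serialize-javascript@npm:^6.0.2":
  version: 6.0.2
  languageName: node
  linkType: hard

"terser-webpack-plugin@npm:^5.3.17":
  version: 5.3.17
  dependencies:
    serialize-javascript: "npm:^6.0.2"
  languageName: node
  linkType: hard
`;

// Parse a lockfile into [{ key, version, dependencies }]. Both layouts put the
// entry key on an unindented line ending in ":", fields at two spaces, and the
// names inside a "dependencies:" block at four.
function parseLock(text) {
  const entries = [];
  let current = null;
  let inDeps = false;
  for (const raw of text.split("\n")) {
    if (!raw.trim() || raw.startsWith("#")) continue;
    if (!/^\s/.test(raw)) {
      if (!raw.trim().endsWith(":")) continue;
      current = { key: raw.trim().slice(0, -1).replace(/"/g, ""), version: null, dependencies: [] };
      entries.push(current);
      inDeps = false;
    } else if (current && /^\s{2}\S/.test(raw)) {
      inDeps = /^\s{2}dependencies:\s*$/.test(raw);
      const m = raw.match(/^\s{2}version:?\s+"?([^"\s]+)/);
      if (m) current.version = m[1];
    } else if (current && inDeps) {
      const d = raw.match(/^\s{4}"?([^"\s:]+)"?[:\s]/);
      if (d) current.dependencies.push(d[1]);
    }
  }
  return entries;
}

// "serialize-javascript@npm:^6.0.2" -> "serialize-javascript"; the last "@" is
// used so scoped names such as "@angular/core@npm:^20.3.17" survive.
function packageName(spec) {
  const at = spec.lastIndexOf("@");
  return at > 0 ? spec.slice(0, at) : spec;
}

// Numeric dotted compare (major.minor.patch); a prerelease suffix is ignored.
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Every lockfile entry that resolves `pkg`, with the version it resolved to.
function resolvedVersions(lockText, pkg) {
  return parseLock(lockText)
    .filter((e) => e.key.split(",").some((s) => packageName(s.trim()) === pkg))
    .map((e) => ({ key: e.key, version: e.version }));
}

// Entries below `minVersion`; an entry whose version line could not be read is
// reported too rather than silently passing.
function findOutdated(lockText, pkg, minVersion) {
  return resolvedVersions(lockText, pkg).filter(
    (e) => e.version === null || compareVersions(e.version, minVersion) < 0);
}

// Entries that declare `pkg` as a dependency: the packages that need upgrading.
function requesters(lockText, pkg) {
  return parseLock(lockText).filter((e) => e.dependencies.includes(pkg)).map((e) => e.key);
}

// Usage: node check-lock.js [path/to/yarn.lock] [package] [min-version]
if (typeof require !== "undefined" && require.main === module) {
  const [file, pkg = TARGET, min = MIN_VERSION] = process.argv.slice(2);
  const text = file ? require("fs").readFileSync(file, "utf8") : SAMPLE_LOCK;
  for (const r of requesters(text, pkg)) console.log(`requested by: ${r}`);
  for (const r of resolvedVersions(text, pkg)) console.log(`resolves: ${r.key} -> ${r.version}`);
  const bad = findOutdated(text, pkg, min);
  for (const b of bad) console.log(`OUTDATED: ${b.key} -> ${b.version} (< ${min})`);
  if (file) process.exitCode = bad.length ? 1 : 0; // gate CI only on a real lockfile
}
```

Run as node check-lock.js yarn.lock serialize-javascript <patched-version> from the repository root after yarn has regenerated the lockfile; with a real lockfile the script exits non-zero while an outdated copy remains, so it can sit in CI next to the upgrade. The requesters list is what tells you which packages to bump (here the two webpack plugins) instead of pinning the transitive dependency with a resolution.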


coderabbitai bot commented Mar 6, 2026

No actionable comments were generated in the recent review. 🎉

📥 Commits

Reviewing files that changed from the base of the PR and between bb7e528 and 7060e61.

⛔ Files ignored due to path filters (1)
  • yarn.lock is excluded by !**/yarn.lock, !**/*.lock
📒 Files selected for processing (5)
  • code/builders/builder-webpack5/package.json
  • code/frameworks/angular/package.json
  • code/frameworks/nextjs/package.json
  • package.json
  • scripts/ecosystem-ci/existing-resolutions.js
💤 Files with no reviewable changes (2)
  • package.json
  • scripts/ecosystem-ci/existing-resolutions.js

Walkthrough

This PR updates dependencies and removes a dependency resolution. Changes include upgrading Angular framework packages from version 19.x to 20.x, aligning webpack versions across multiple package configurations to ^5.105.4, updating terser-webpack-plugin, and removing the serialize-javascript resolution entry.

Changes

  • Webpack Version Alignment (code/builders/builder-webpack5/package.json, code/frameworks/nextjs/package.json): Updated webpack versions to ^5.105.4 and terser-webpack-plugin to ^5.3.17.
  • Angular Framework Upgrade (code/frameworks/angular/package.json): Upgraded Angular devDependencies (architect, build-angular, core, animations, common, compiler, compiler-cli, platform packages) from 19.x to 20.x (20.3.17). Updated webpack specification to ^5.105.4.
  • Dependency Resolution Cleanup (package.json, scripts/ecosystem-ci/existing-resolutions.js): Removed the serialize-javascript resolution entry from the root package.json and the corresponding reference from the EXISTING_RESOLUTIONS Set.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~5 minutes


@valentinpalkovic valentinpalkovic self-assigned this Mar 6, 2026
@valentinpalkovic valentinpalkovic added maintenance User-facing maintenance tasks security ci:normal labels Mar 6, 2026
@valentinpalkovic valentinpalkovic moved this to Empathy Queue (prioritized) in Core Team Projects Mar 6, 2026
@valentinpalkovic valentinpalkovic changed the title chore: Makes sure serialize-javascript is at latest version Security: Makes sure serialize-javascript is at latest version Mar 6, 2026
@valentinpalkovic valentinpalkovic marked this pull request as draft March 6, 2026 10:59
@valentinpalkovic (Contributor) commented

Hi @50bbx,

Thank you for your contribution. I've converted this PR to draft as long as CI isn't green. The failure currently is that the yarn.lock file is not updated. Please run yarn and commit the lock file.

@valentinpalkovic valentinpalkovic moved this from Empathy Queue (prioritized) to On Hold in Core Team Projects Mar 6, 2026