## Security Alert: High-Severity RCE Vulnerability in serialize-javascript Build Dependency
A high-severity Remote Code Execution (RCE) vulnerability has been identified in the `serialize-javascript` package, a transitive dependency of projects that use `copy-webpack-plugin`. The vulnerability, tracked as GHSA-5c6j-r48x-rmvq, affects `serialize-javascript` versions 7.0.2 and earlier. Although it is only a build-time dependency, its presence creates a critical attack vector within development and CI/CD pipelines, exposing projects to potential supply chain attacks.

The flaw reaches projects through `copy-webpack-plugin` versions 4.3.0 through 13.0.1, which depend on the vulnerable `serialize-javascript` versions. The primary risk is not at application runtime but during the build process itself: any build step that feeds untrusted input through webpack could be exploited to execute arbitrary code within the build environment, which makes continuous integration systems and developer machines potential targets.

Immediate remediation requires upgrading `copy-webpack-plugin` to version 14.0.0 or later, which no longer carries the vulnerable dependency. Developers should run `npm audit fix --force` and integrate `npm audit` checks into their CI/CD workflows to detect similar transitive vulnerabilities automatically. The incident underscores the persistent risk hidden in deep dependency chains and the necessity of securing the software supply chain from the build stage upward.
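As an added example (not code from the advisory or from either project), the following Node script scans a `package-lock.json` for installed copies of the two packages whose versions fall in the affected ranges named above, nested copies included; the sample lockfile and the version 7.0.3 in it are constructed for illustration.

```javascript
// Added example (not from the advisory): scan a package-lock.json (lockfileVersion 2/3
// "packages" map) for the affected version ranges. Node built-ins only; sample lockfile is constructed.
const RULES = [
  // serialize-javascript 7.0.2 and earlier
  ["serialize-javascript", (v) => cmp(v, [7, 0, 2]) <= 0],
  // copy-webpack-plugin 4.3.0 through 13.0.1 (the versions that pull in the vulnerable dependency)
  ["copy-webpack-plugin", (v) => cmp(v, [4, 3, 0]) >= 0 && cmp(v, [13, 0, 1]) <= 0],
];

// "7.0.2" -> [7, 0, 2]; pre-release/build suffixes are ignored, unparsable input -> null.
function parseVersion(s) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(s));
  return m ? [Number(m[1]), Number(m[2]), Number(m[3])] : null;
}
// Lexicographic compare of two [major, minor, patch] triples: -1, 0 or 1.
function cmp(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  return 0;
}
// Return every installed copy (including nested ones) that falls in an affected range.
function findVulnerable(lock) {
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === "") continue; // the root project itself
    // Package name is the segment after the last "node_modules/" (scoped names keep "@org/").
    const name = path.slice(path.lastIndexOf("node_modules/") + "node_modules/".length);
    const v = parseVersion(entry.version);
    if (!v) continue;
    for (const [ruleName, isAffected] of RULES) {
      if (name === ruleName && isAffected(v)) hits.push({ path, name, version: entry.version });
    }
  }
  return hits;
}
// Constructed lockfile: a vulnerable plugin with its transitive dependency, plus a nested
// copy whose version (7.0.3, hypothetical) lies above the affected range.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/copy-webpack-plugin": { version: "13.0.1" },
    "node_modules/serialize-javascript": { version: "6.0.2" },
    "node_modules/other-tool/node_modules/serialize-javascript": { version: "7.0.3" },
  },
};
// Usage: node scan-lock.js [path/to/package-lock.json]; without an argument the sample is scanned.
const lockPath = process.argv[2];
const lock = lockPath ? JSON.parse(require("fs").readFileSync(lockPath, "utf8")) : SAMPLE_LOCK;
for (const h of findVulnerable(lock)) console.log(`AFFECTED ${h.path}@${h.version}`);
```

Run against the sample, it reports `copy-webpack-plugin@13.0.1` and the top-level `serialize-javascript@6.0.2`, while the nested 7.0.3 copy is not flagged; pointing it at a real lockfile in a CI step gives a cheap, offline check that complements `npm audit`.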

---
- **Source**: GitHub Issues
- **Sector**: The Lab
- **Tags**: security, vulnerability, npm, supply-chain, webpack
- **Credibility**: unverified
- **Published**: 2026-03-26 14:27:38
- **ID**: 35625
- **URL**: https://whisperx.ai/en/intel/35625