[Snyk] Fix for 1 vulnerabilities

[Eric-Guo]

Snyk has created this PR to fix 1 vulnerabilities in the yarn dependencies of this project.

Snyk changed the following file(s):

• package.json

Note for zero-installs users

If you are using the Yarn feature zero-installs that was introduced in Yarn V2, note that this PR does not update the .yarn/cache/ directory meaning this code cannot be pulled and immediately developed on as one would expect for a zero-install project - you will need to run yarn to update the contents of the ./yarn/cache directory.
If you are not using zero-install you can ignore this as your flow should likely be unchanged.

⚠️ Warning

Failed to update the yarn.lock, please update manually before merging.

Vulnerabilities that will be fixed with an upgrade:

	Issue
	Arbitrary Code Injection SNYK-JS-SERIALIZEJAVASCRIPT-570062

---

Important

• Check the changes in this PR to ensure they won't cause issues with your project.
• Max score is 1000. Note that the real score may have changed since the PR was raised.
• This PR was automatically created by Snyk using the credentials of a real user.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open fix PRs.

For more information:
🧐 View latest project report
📜 Customise PR templates
🛠 Adjust project settings
📚 Read about Snyk's upgrade logic

---

Learn how to fix vulnerabilities with free interactive lessons:

🦉 Arbitrary Code Injection

[Copilot]

Pull request overview

This Snyk-generated PR attempts to remediate a reported serialize-javascript vulnerability by upgrading related Webpack build dependencies in package.json.

Changes:

• Bump compression-webpack-plugin from ^9.2.0 to ^12.0.0.
• Bump css-minimizer-webpack-plugin from ^4.2.2 to ^8.0.0.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

package.json is updated, but the repo uses pnpm (see packageManager: pnpm@... and CI runs pnpm install --frozen-lockfile). Without updating pnpm-lock.yaml to match these new versions, installs/CI will fail or continue using the old resolved versions. Regenerate and commit an updated pnpm-lock.yaml (and any related patch changes) for this dependency bump.

[Copilot]

The PR description refers to “yarn dependencies” / “yarn.lock”, but this project is configured for pnpm (packageManager: pnpm@... and a committed pnpm-lock.yaml). Please ensure the vulnerability fix is being applied to the correct package manager/lockfile (pnpm), otherwise the advisory may remain unresolved in actual builds.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 30e0560796

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Update pnpm-lock.yaml with dependency version bumps

This change only edits package.json, but in this revision pnpm-lock.yaml still resolves compression-webpack-plugin to 9.2.0 and css-minimizer-webpack-plugin to 4.2.2, so the intended security upgrade is not captured in the committed dependency graph; because CI installs with pnpm install --frozen-lockfile in .github/workflows/rubyonrails.yml (line 54), this manifest/lockfile mismatch will break dependency installation and block the pipeline until the lockfile is regenerated and committed.

Useful? React with 👍 / 👎.