
fix: resolve serialize-javascript security vulnerability (CVE)#14735

Merged

soberm merged 1 commit into main from fix/serialize-javascript-vulnerability on Mar 2, 2026

Conversation

@sarayev (Contributor) commented Mar 2, 2026

Description of changes

  • Add serialize-javascript@^7.0.3 to yarn resolutions
  • Fixes Dependabot alert for auth cred refresh #188
  • Addresses code injection vulnerability in serialize-javascript <= 7.0.2 (CVE)
  • All tests passing with the updated dependency

This PR resolves a security vulnerability by forcing all packages to use serialize-javascript@7.0.3 via yarn resolutions.

Why not upgrade the parent dependencies?

The vulnerable version is introduced as a transitive dependency through:

  • @size-limit/webpack@8.2.6 → terser-webpack-plugin@5.3.16 → serialize-javascript@^6.0.2
  • @size-limit/webpack-why@8.2.6 → terser-webpack-plugin@5.3.16 → serialize-javascript@^6.0.2
  • webpack@5.104.1 → terser-webpack-plugin@5.3.16 → serialize-javascript@^6.0.2

Upgrading these parent dependencies is not viable because:

  1. terser-webpack-plugin@5.3.16 is the latest v5 release and still requires serialize-javascript@^6.0.2 (no v6 exists)
  2. webpack@5.105.3 (latest) still depends on terser-webpack-plugin@5.3.16
  3. @size-limit/webpack@12.0.0 would be a major version upgrade (from 8.x) with potential breaking changes

Using yarn resolutions is the recommended approach as it:

  • Fixes the vulnerability immediately without waiting for upstream updates
  • Avoids risky major version upgrades of build tooling
  • Maintains backward compatibility (7.0.3 satisfies the ^6.0.2 semver range)

Issue #, if available

Fixes Dependabot alert #188

Description of how you validated changes

  1. Ran yarn install to apply the resolution
  2. Verified serialize-javascript@7.0.3 is installed: cat node_modules/serialize-javascript/package.json | grep version
  3. Confirmed only one version exists in dependency tree: yarn why serialize-javascript
  4. Ran yarn build - completed successfully
  5. Ran yarn test - all tests passing

Checklist

  • PR description included
  • yarn test passes
  • Unit Tests are changed or added - N/A (dependency update only)
  • Relevant documentation is changed or added (and PR referenced) - N/A (internal dependency fix)

Checklist for repo maintainers

  • Verify E2E tests for existing workflows are working as expected or add E2E tests for newly added workflows
  • New source file paths included in this PR have been added to CODEOWNERS, if appropriate - N/A

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license.

- Add serialize-javascript@^7.0.3 to yarn resolutions
- Fixes Dependabot alert #188
- Addresses code injection vulnerability in serialize-javascript <= 7.0.2
- All tests passing with the updated dependency
@sarayev sarayev requested a review from a team as a code owner March 2, 2026 11:17
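Added example, not code from this PR or the repository: the validation steps in the description (apply the resolution, read the installed version, confirm it is at or above the fixed release) written as a POSIX sh script that a CI job can re-run after every yarn install. It runs offline: the root package.json with its resolutions entry and the installed serialize-javascript package.json are constructed fixtures written to a temporary directory, and the helper names (vercmp, is_fixed, satisfies_caret, pkg_version, resolution_for, demo) are this example's own. The final check compares the installed version against the parent's declared ^6.0.2 range, which under npm caret semantics means >=6.0.2 and <7.0.0, and reports whether the yarn resolution is overriding that range; resolutions install the pinned version either way, which is why the installed copy must be read back rather than inferred from the declared ranges.

```shell
#!/bin/sh
# Added example, not code from the PR or the repository: an offline check that a
# yarn "resolutions" pin for a transitive dependency actually took effect.
# Every file it reads is a constructed fixture created below, so it needs no
# node_modules tree and no network access.
set -eu

# Compare two dotted versions numerically, ignoring any pre-release suffix.
# Prints "eq", "gt" or "lt" for $1 relative to $2.
vercmp() {
  a=$(printf '%s' "$1" | cut -d- -f1)
  b=$(printf '%s' "$2" | cut -d- -f1)
  i=1
  while [ "$i" -le 3 ]; do
    x=$(printf '%s' "$a" | cut -d. -f"$i"); x=${x:-0}
    y=$(printf '%s' "$b" | cut -d. -f"$i"); y=${y:-0}
    if [ "$x" -gt "$y" ]; then echo gt; return 0; fi
    if [ "$x" -lt "$y" ]; then echo lt; return 0; fi
    i=$((i + 1))
  done
  echo eq
}

# Succeeds when installed version $1 is at or above the first fixed version $2.
is_fixed() {
  [ "$(vercmp "$1" "$2")" != lt ]
}

# Succeeds when version $1 satisfies a caret range "^X.Y.Z" ($2): same major
# as X and not below X.Y.Z. (Caret semantics for 0.x ranges differ; not needed here.)
satisfies_caret() {
  v=$1
  base=${2#^}
  [ "${v%%.*}" = "${base%%.*}" ] && [ "$(vercmp "$v" "$base")" != lt ]
}

# Read the "version" field from a package.json without needing jq or node.
pkg_version() {
  sed -n 's/^[[:space:]]*"version"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Read the resolutions entry for package name $1 from root package.json $2.
# Handles only the one-line form  "name": "^7.0.3"  that this PR adds.
resolution_for() {
  sed -n "s/^[[:space:]]*\"$1\"[[:space:]]*:[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$2" | head -n 1
}

# Constructed fixtures standing in for the repository's package.json and the
# installed copy at node_modules/serialize-javascript/package.json.
demo() {
  tmp=$(mktemp -d)
  cat > "$tmp/package.json" <<'EOF'
{
  "name": "constructed-fixture",
  "resolutions": {
    "serialize-javascript": "^7.0.3"
  }
}
EOF
  mkdir -p "$tmp/node_modules/serialize-javascript"
  cat > "$tmp/node_modules/serialize-javascript/package.json" <<'EOF'
{
  "name": "serialize-javascript",
  "version": "7.0.3"
}
EOF
  want=$(resolution_for serialize-javascript "$tmp/package.json")
  got=$(pkg_version "$tmp/node_modules/serialize-javascript/package.json")
  rm -rf "$tmp"

  if is_fixed "$got" "${want#^}"; then
    echo "installed $got >= fixed ${want#^}: ok"
  else
    echo "installed $got is below fixed ${want#^}: still vulnerable"
    return 1
  fi

  # terser-webpack-plugin declares ^6.0.2, i.e. >=6.0.2 <7.0.0. A 7.x install
  # is outside that range, so the resolution is overriding it, not satisfying it.
  if satisfies_caret "$got" "^6.0.2"; then
    echo "$got is inside the declared ^6.0.2 range"
  else
    echo "$got is outside ^6.0.2: the resolution overrides the declared range"
  fi
}

demo
```

In a real checkout, point pkg_version at node_modules/serialize-javascript/package.json and resolution_for at the repository's package.json instead of the fixtures; yarn why serialize-javascript remains the check that only one copy exists in the tree, which this script does not attempt to reproduce.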
changeset-bot (bot) commented Mar 2, 2026

⚠️ No Changeset found

Latest commit: 13cf979

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

@soberm soberm merged commit 54bf753 into main Mar 2, 2026
42 checks passed
@soberm soberm deleted the fix/serialize-javascript-vulnerability branch March 2, 2026 12:03