
fix(deps): Add serialize-javascript resolution at ^7.0.3 #4469

Open
jfox-box wants to merge 3 commits into master from bump-serialize-javascript-resolution-7.0.3


@jfox-box jfox-box commented Mar 6, 2026

Summary by CodeRabbit

  • Chores
    • Added a dependency resolution to address a specific package version, improving build stability and reducing potential runtime issues.

@jfox-box jfox-box requested a review from a team as a code owner March 6, 2026 00:38

coderabbitai bot commented Mar 6, 2026

Walkthrough

Added a single dependency resolution override for serialize-javascript set to ^7.0.3 in the top-level resolutions block of package.json.

Changes

| Cohort / File(s) | Summary |
| --- | --- |
| Dependency Resolution: package.json | Added "serialize-javascript": "^7.0.3" to the top-level resolutions block to pin the package version across the project. |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Possibly related PRs

  • box/box-ui-elements#4426 — Also modifies the resolutions block in package.json to pin a transitive dependency (tar), touching the same resolutions area.
  • box/box-ui-elements#4386 — Adds a top-level resolutions entry (node-forge), another change to the same package.json resolutions mechanism.

Suggested reviewers

  • reneshen0328
  • jpan-box
  • tjiang-box

Poem

🐰 A tiny tweak, a careful pin,
One line to keep the packages in,
serialize-javascript set just right,
The build hops on through day and night,
Dependencies snug, the repo bright.

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
| --- | --- | --- | --- |
| Description check | ⚠️ Warning | The description contains only the template boilerplate about merge procedures with no actual context about the PR's purpose or rationale for the dependency resolution change. | Add a clear description explaining why the serialize-javascript resolution was added, what problem it solves, and any relevant context for reviewers. |

✅ Passed checks (2 passed)

| Check name | Status | Explanation |
| --- | --- | --- |
| Title check | ✅ Passed | The title clearly summarizes the main change: adding a serialize-javascript resolution at version ^7.0.3 to package.json. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |


@jfox-box jfox-box changed the title from "Add serialize-javascript resolution at ^7.0.3" to "fix(deps): Add serialize-javascript resolution at ^7.0.3" Mar 6, 2026
@mergify mergify bot added the queued label Mar 6, 2026

mergify bot commented Mar 6, 2026

Merge Queue Status

Rule: Automatic strict merge


  • Entered queue: 2026-03-06 02:24 UTC
  • 🚫 Left the queue: 2026-03-06 06:29 UTC · at 644656865bfbf18c6a971a7ee27d8be8ecbbe05d

This pull request spent 4 hours 4 minutes 49 seconds in the queue, with no time running CI.

Reason

The pull request #4469 has been manually updated

Hint

If you want to requeue this pull request, you can post a @mergifyio queue comment.

@mergify mergify bot removed the queued label Mar 6, 2026

@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@package.json`:
- Line 361: The forced resolutions entry pinning "serialize-javascript" to
"^7.0.3" is incompatible with Node 18; either relax the resolution to a v6.x
range compatible with Node 18 (e.g., "serialize-javascript": "^6.0.0") or update
the package.json engines.node field to remove Node 18 support (e.g., bump to
">=20.x || ^22.x"); update the "resolutions" entry that references
serialize-javascript or the "engines.node" value in package.json accordingly and
ensure any lockfile is regenerated so the chosen version is installed.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 51a794e8-47c2-4d86-bdfc-22bc738bd958

📥 Commits

Reviewing files that changed from the base of the PR and between 6446568 and b2aea4c.

⛔ Files ignored due to path filters (1)
  • yarn.lock is excluded by !**/yarn.lock, !**/*.lock
📒 Files selected for processing (1)
  • package.json

},
"resolutions": {
"qs": "^6.14.1",
"serialize-javascript": "^7.0.3",
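
Review bot: the `"serialize-javascript": "^7.0.3"` entry in `resolutions` overrides whatever range each transitive dependent declares, and nothing on the PR states which advisory or issue motivates forcing 7.x. Put the reason in the PR description or commit message, and confirm from the regenerated yarn.lock that every package pulling in serialize-javascript still works with 7.x, since yarn.lock was excluded from the automated review by path filter.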

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

# Read the package.json engines field to confirm Node support declaration
head -100 package.json | cat -n

# Also get the exact line 361 context
sed -n '355,365p' package.json | cat -n

Repository: box/box-ui-elements

Length of output: 5996


🌐 Web query:

serialize-javascript v7.0.0 Node.js requirements release notes

💡 Result:

  • Node.js requirement (v7.0.0): node >=20.0.0 (package.json engines.node). [2]
  • Release notes (v7.0.0, published Oct 4, 2025):
    • Breaking change: “requires Node.js v20+”. [1]
    • Notable changes listed: add CI/testing for Node.js 22 + built-in test runner; generate UID without randombytes dependency; plus various dev-dependency bumps (mocha/nyc/braces). [1]

Sources:
[1] GitHub release “v7.0.0” notes. (github.com)
[2] package.json at tag/commit for v7.0.0 (engines.node). (github.com)


🏁 Script executed:

# Check if yarn.lock exists and search for serialize-javascript
if [ -f yarn.lock ]; then
  echo "=== yarn.lock entries for serialize-javascript ==="
  rg -A 5 "serialize-javascript@" yarn.lock | head -50
else
  echo "yarn.lock not found"
fi

# Also check if there's a package-lock.json
ls -la package*.json yarn.lock 2>/dev/null

Repository: box/box-ui-elements

Length of output: 609


This resolution conflicts with Node 18 support.

The forced resolution to serialize-javascript@^7.0.3 requires Node.js v20+ (confirmed breaking change in v7.0.0), but package.json declares support for >=18.x || ^20.x || ^22.x. Node 18 installations will encounter engine compatibility failures. Either update the engines.node constraint to drop Node 18 or use a lower serialize-javascript version compatible with Node 18.

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@package.json` at line 361, The forced resolutions entry pinning
"serialize-javascript" to "^7.0.3" is incompatible with Node 18; either relax
the resolution to a v6.x range compatible with Node 18 (e.g.,
"serialize-javascript": "^6.0.0") or update the package.json engines.node field
to remove Node 18 support (e.g., bump to ">=20.x || ^22.x"); update the
"resolutions" entry that references serialize-javascript or the "engines.node"
value in package.json accordingly and ensure any lockfile is regenerated so the
chosen version is installed.
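
The engines check described in the review comment above, as an added example (not code from the PR, the repository or CodeRabbit): it flags `resolutions` entries whose own `engines.node` rejects a Node major the project declares. The `forcedEngines` map is a hypothetical offline stand-in for registry metadata, and the comparison is at major-version granularity only.

```javascript
// Added example: major-level check of yarn "resolutions" against engines.node.
// Constructed input: the engines.node string and the v7 requirement are the
// values quoted in the review; the object layout is hypothetical.
const pkg = {
  engines: { node: ">=18.x || ^20.x || ^22.x" },
  resolutions: { qs: "^6.14.1", "serialize-javascript": "^7.0.3" },
};
// Hypothetical stand-in for registry metadata (engines.node per forced package).
const forcedEngines = { "serialize-javascript": ">=20.0.0" };

// Parse one comparator (">=18.x", "^20.x", ">=20.0.0") down to its major.
function parseComparator(text) {
  const m = /^(>=|\^|~|=)?\s*v?(\d+)(?:\.(?:\d+|x|\*)){0,2}$/i.exec(text.trim());
  if (!m) throw new Error(`unsupported comparator: ${text}`);
  return { op: m[1] || "=", major: Number(m[2]) };
}

// True if the range ("a || b || c") admits the given Node major.
// Assumption: minor and patch bounds are ignored.
function admitsMajor(range, major) {
  return range.split("||").some((alt) => {
    const c = parseComparator(alt);
    return c.op === ">=" ? major >= c.major : major === c.major;
  });
}

// Node majors the project declares but a forced package rejects.
function findEngineConflicts(pkgJson, enginesByName, majors) {
  const conflicts = [];
  for (const name of Object.keys(pkgJson.resolutions || {})) {
    const depRange = enginesByName[name];
    if (!depRange) continue; // no metadata available: nothing to compare
    const broken = majors.filter(
      (m) => admitsMajor(pkgJson.engines.node, m) && !admitsMajor(depRange, m)
    );
    if (broken.length) conflicts.push({ name, requires: depRange, broken });
  }
  return conflicts;
}

console.log(findEngineConflicts(pkg, forcedEngines, [18, 20, 22]));
```

Run as a CI step before the lockfile is regenerated, a non-empty result means either the resolution or `engines.node` has to change.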
