
fix(security): remove transitive serialize-javascript@6.x from mc-scripts#3986

Merged
misama-ct merged 1 commit into main from fix-serialize-javascript
Apr 30, 2026

Conversation

@misama-ct
Contributor

@misama-ct misama-ct commented Apr 28, 2026

Summary

  • Bumps terser-webpack-plugin to ^5.5.0 (no longer depends on serialize-javascript as of 5.4.0).
  • Bumps css-minimizer-webpack-plugin to ^8.0.0 (declares serialize-javascript: ^7.0.3).
  • Bumps postcss to ^8.5.12 to satisfy cssnano@7's peer dep introduced by the above.
  • Drops Node 18 from mc-scripts engines (now 20.x || >=22.0.0) to match css-minimizer-webpack-plugin@8's >= 20.9 requirement.

Why

Customer ticket SUPPORT-40033 reported that our previous security fix only patched one of three transitive serialize-javascript@6.0.2 paths (GHSA-5c6j-r48x-rmvq). The pnpm.overrides declaration in our root package.json does not propagate to published packages — it only affects local installs inside this monorepo. As a result, consumers' fresh installs still resolved vulnerable copies via css-minimizer-webpack-plugin@3.4.1 and terser-webpack-plugin@5.3.14.

This PR fixes the issue at the spec-range level so consumers' installs naturally land on safe versions, with no overrides required on their side.

Test plan

  • pnpm install clean — no new peer dep warnings
  • Lockfile contains only serialize-javascript@7.0.5
  • preconstruct build succeeds
  • jest mc-scripts unit tests pass (79/79)
  • Starter template production build succeeds (webpack runs new minifiers end-to-end, all bundles minified, HTML compiled)
  • Visual regression test against a downstream consumer app via the preview release tag — see canary validation comment

…cripts dep tree

Bumps `terser-webpack-plugin` to `^5.5.0` (drops the `serialize-javascript`
dep entirely as of 5.4.0) and `css-minimizer-webpack-plugin` to `^8.0.0`
(declares `serialize-javascript: ^7.0.3`). Also bumps `postcss` to `^8.5.12`
to satisfy `cssnano@7`'s peer dependency, and drops Node 18 from the
supported engines to match `css-minimizer-webpack-plugin@8`'s `>= 20.9`
requirement.

Eliminates GHSA-5c6j-r48x-rmvq from downstream consumers' dep graphs without
relying on the repo-local `pnpm.overrides` (which does not propagate to
published packages).
@changeset-bot

changeset-bot Bot commented Apr 28, 2026

🦋 Changeset detected

Latest commit: edfd3f2

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 36 packages
Name Type
@commercetools-frontend/mc-scripts Minor
@commercetools-applications/merchant-center-template-starter-typescript Minor
@commercetools-applications/merchant-center-template-starter Minor
@commercetools-applications/merchant-center-custom-view-template-starter-typescript Minor
@commercetools-applications/merchant-center-custom-view-template-starter Minor
@commercetools-local/playground Minor
@commercetools-backend/eslint-config-node Minor
@commercetools-backend/express Minor
@commercetools-backend/loggers Minor
@commercetools-frontend/actions-global Minor
@commercetools-frontend/application-components Minor
@commercetools-frontend/application-config Minor
@commercetools-frontend/application-shell-connectors Minor
@commercetools-frontend/application-shell Minor
@commercetools-frontend/assets Minor
@commercetools-frontend/babel-preset-mc-app Minor
@commercetools-frontend/browser-history Minor
@commercetools-frontend/codemod Minor
@commercetools-frontend/constants Minor
@commercetools-frontend/create-mc-app Minor
@commercetools-frontend/cypress Minor
@commercetools-frontend/eslint-config-mc-app Minor
@commercetools-frontend/i18n Minor
@commercetools-frontend/jest-preset-mc-app Minor
@commercetools-frontend/jest-stylelint-runner Minor
@commercetools-frontend/l10n Minor
@commercetools-frontend/mc-dev-authentication Minor
@commercetools-frontend/mc-html-template Minor
@commercetools-frontend/notifications Minor
@commercetools-frontend/permissions Minor
@commercetools-frontend/react-notifications Minor
@commercetools-frontend/sdk Minor
@commercetools-frontend/sentry Minor
@commercetools-frontend/url-utils Minor
@commercetools-local/visual-testing-app Minor
@commercetools-website/components-playground Minor


@vercel

vercel Bot commented Apr 28, 2026

The latest updates on your projects.

Project Deployment Updated (UTC)
mc-app-kit-playground Ready Apr 28, 2026 8:30am
merchant-center-application-kit-components-playground Ready Apr 28, 2026 8:30am

@codecov-commenter

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 72.93%. Comparing base (66a5c17) to head (edfd3f2).


@@           Coverage Diff           @@
##             main    #3986   +/-   ##
=======================================
  Coverage   72.93%   72.93%           
=======================================
  Files         267      267           
  Lines        7102     7102           
  Branches     2211     2241   +30     
=======================================
  Hits         5180     5180           
  Misses       1899     1899           
  Partials       23       23           
Components Coverage Δ
Application Components 81.18% <ø> (ø)
Application Shell 74.54% <ø> (ø)
Application Shell Connectors 77.54% <ø> (ø)

Legend
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update 66a5c17...edfd3f2.

@misama-ct
Contributor Author

[preview_deployment]

@github-actions
Contributor

Release workflow succeeded ✅
See details: Workflow Run

@misama-ct misama-ct marked this pull request as ready for review April 28, 2026 13:59
@misama-ct misama-ct requested a review from a team as a code owner April 28, 2026 13:59
@misama-ct
Contributor Author

Canary validation complete

The [preview_deployment] canary (0.0.0-fix-serialize-javascript-20260428090559) was installed in the Merchant Center frontend repo (consumer-side PR: commercetools/merchant-center-frontend#20586), and CI now passes.

Initial test failures (resolved, unrelated to this PR)

A first install via pnpm update <pkg>@fix-serialize-javascript produced two physical copies of @commercetools-frontend/application-shell-connectors due to a peer-dep variant on @types/node (24.x vs newly-published 25.x), causing duplicate React Context instances and downstream test failures (useSkipCookieConsent reading context.environment as undefined; Cypress login form failing to mount). Root-caused to pnpm update re-resolving the entire transitive graph and discovering a newer @types/node on npm — not a code regression in this PR. Resolved consumer-side by pinning @types/node in pnpm.overrides.

Confirms

  • Vulnerability fix works: serialize-javascript@6.x no longer in the consumer's resolved tree.
  • No build, runtime, or visual regression introduced by terser-webpack-plugin@^5.5.0 + css-minimizer-webpack-plugin@^8.0.0 + postcss@^8.5.12 + cssnano@7.

Ready for review.
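As an added example (not code from this PR or the project), the kind of lockfile check behind the test-plan item "Lockfile contains only serialize-javascript@7.0.5" and the canary confirmation above: it scans the snapshots section of a pnpm-lock.yaml for any copy of serialize-javascript resolved below major version 7 and names the dependents that pull each copy in. The pnpm v9 lockfile layout and the sample lockfile are assumptions constructed for the example, and the "major >= 7" criterion is taken from this PR's test plan rather than from the advisory's exact patched range.

```javascript
// Added example (not code from the PR or the project): scan a pnpm-lock.yaml
// "snapshots:" section for copies of a package resolved below a required major
// version and name the dependents that pull each copy in. Assumes pnpm lockfile
// v9 layout: 2-space snapshot headers, 6-space "name: version" dependency lines.
const TARGET = 'serialize-javascript';
const MIN_MAJOR = 7; // the PR's test plan expects only 7.x to remain in the lockfile
// Parse snapshots into { 'pkg@ver(peers)': { depName: 'version' } }.
function parseSnapshots(lockText) {
  const snapshots = {};
  let inSnapshots = false, current = null;
  for (const line of lockText.split('\n')) {
    if (/^snapshots:\s*$/.test(line)) { inSnapshots = true; continue; }
    if (!inSnapshots) continue;
    if (/^\S/.test(line)) break; // reached the next top-level section
    let m = line.match(/^ {2}(\S.*):\s*$/);
    if (m) { current = m[1]; snapshots[current] = {}; continue; }
    m = line.match(/^ {6}(\S+): (\S+)\s*$/); // dependencies and optionalDependencies entries
    if (m && current) snapshots[current][m[1]] = m[2];
  }
  return snapshots;
}
// Resolved versions may carry a peer suffix, e.g. "6.0.2(webpack@5.99.0)".
function majorOf(version) {
  return parseInt(version.split('(')[0].split('.')[0], 10);
}
// Return [{ version, dependents }] for every copy of `target` below `minMajor`.
function findStaleCopies(lockText, target = TARGET, minMajor = MIN_MAJOR) {
  const byVersion = new Map();
  for (const [snapshot, deps] of Object.entries(parseSnapshots(lockText))) {
    const v = deps[target];
    if (v === undefined || majorOf(v) >= minMajor) continue;
    if (!byVersion.has(v)) byVersion.set(v, []);
    byVersion.get(v).push(snapshot);
  }
  return [...byVersion].map(([version, dependents]) => ({ version, dependents: dependents.sort() }));
}
// Constructed sample modelled on the pre-fix tree described in the PR (not a real lockfile).
const SAMPLE_LOCK = `lockfileVersion: '9.0'
snapshots:
  css-minimizer-webpack-plugin@3.4.1(webpack@5.99.0):
    dependencies:
      serialize-javascript: 6.0.2
  terser-webpack-plugin@5.3.14(webpack@5.99.0):
    dependencies:
      serialize-javascript: 6.0.2
  css-minimizer-webpack-plugin@8.0.0(webpack@5.99.0):
    dependencies:
      serialize-javascript: 7.0.5
`;
console.log(JSON.stringify(findStaleCopies(SAMPLE_LOCK), null, 1));
```

Run against a consumer's real pnpm-lock.yaml (read the file instead of SAMPLE_LOCK); an empty result is the condition the canary comment reports.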

@misama-ct misama-ct requested a review from a team April 28, 2026 14:00
@misama-ct misama-ct self-assigned this Apr 28, 2026
@misama-ct misama-ct merged commit 6fc29f1 into main Apr 30, 2026
21 checks passed
@misama-ct misama-ct deleted the fix-serialize-javascript branch April 30, 2026 10:09
@ct-changesets ct-changesets Bot mentioned this pull request Apr 30, 2026