
bump serialize-javascript to v7.0.4; replace crypto-browserify with built-in crypto #8606

Draft
Copilot wants to merge 3 commits into main from
copilot/bump-serialize-javascript-v7

Conversation

Contributor

Copilot AI commented Mar 20, 2026

serialize-javascript ≤7.0.2 has a high-severity RCE CVE. crypto-browserify pulls in pure-JS md5.js and hash.js where Node.js built-in crypto suffices.

package.json — override serialize-javascript to 7.0.4

  • Moved the override to a flat top-level entry ("serialize-javascript": "7.0.4") instead of nested under mocha, since mocha declares ^6.0.2 and npm's flat override bypasses the semver range constraint.

src/github/utils.ts — drop the crypto module import

  • Replaced import * as crypto from 'crypto' (resolved by webpack to crypto-browserify) with an async sha256Hex() helper:
    • In Node.js: uses require(/* webpackIgnore: true */ 'crypto').createHash('sha256') so webpack doesn't bundle the call.
    • In browser/webworker contexts: falls back to globalThis.crypto.subtle.digest('SHA-256', ...) (SubtleCrypto).
async function sha256Hex(data: string): Promise<string | undefined> {
    try {
        return (require(/* webpackIgnore: true */ 'crypto') as typeof import('crypto'))
            .createHash('sha256').update(data).digest('hex');
    } catch {
        // Browser/webworker context: use SubtleCrypto
        const msgBuffer = new TextEncoder().encode(data);
        const hashBuffer = await globalThis.crypto.subtle.digest('SHA-256', msgBuffer);
        const hashArray = Array.from(new Uint8Array(hashBuffer));
        return hashArray.map(b => b.toString(16).padStart(2, '0')).join('');
    }
}
  • Since SubtleCrypto.digest is async, getAvatarWithEnterpriseFallback and all downstream parsing functions (parseAccount, parseGraphQLComment, parseGraphQLReviewThread, parseGraphQLReviewEvent, parseGraphQLReviewers, parseCombinedTimelineEvents, etc.) in utils.ts, githubRepository.ts, pullRequestModel.ts, and issueModel.ts are updated to be async with appropriate await/Promise.all usage.

webpack.config.js — remove crypto-browserify from browser/webworker bundles

  • Set crypto: false (was require.resolve("crypto-browserify")) in the resolve.fallback for both the webview (target: 'web') and extension webworker (target: 'webworker') configs.
  • This eliminates crypto-browserify and its transitive deps (md5.js via create-hash/browser.js, hash.js via elliptic → browserify-sign) from all bundles. All affected webview/webworker code that needs randomness already uses globalThis.crypto directly (e.g. uuid's browser build).


@rzhao271
Contributor

@copilot In browser, use subtlecrypto digest

…ync through parse functions

Co-authored-by: rzhao271 <7199958+rzhao271@users.noreply.github.com>
Agent-Logs-Url: https://github.com/microsoft/vscode-pull-request-github/sessions/02d6fd03-1129-4492-ab95-06726304775e
Contributor Author

Copilot AI commented Mar 20, 2026

@copilot In browser, use subtlecrypto digest

Done in b244a34. sha256Hex now tries Node.js built-in crypto first, then falls back to globalThis.crypto.subtle.digest('SHA-256', ...) in browser/webworker contexts. Since SubtleCrypto.digest is async, the change cascades through getAvatarWithEnterpriseFallback and all downstream parse functions (parseAccount, parseGraphQLComment, parseGraphQLReviewThread, etc.) in utils.ts, githubRepository.ts, pullRequestModel.ts, and issueModel.ts.

Copilot AI requested a review from rzhao271 March 20, 2026 20:36
