mainmatter / ember-intl-analyzer

Find missing or unused translations in your Ember.js projects
MIT License

Update dependency @babel/traverse to v7.23.2 [SECURITY] #640

Closed renovate[bot] closed 11 months ago

renovate[bot] commented 11 months ago


This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| @babel/traverse (source) | 7.22.8 -> 7.23.2 | age | adoption | passing | confidence |

GitHub Vulnerability Alerts

CVE-2023-45133

Impact

Using Babel to compile code that was specifically crafted by an attacker can lead to arbitrary code execution during compilation, when using plugins that rely on the path.evaluate() or path.evaluateTruthy() internal Babel methods.

Known affected plugins are:

No other plugins under the @babel/ namespace are impacted, but third-party plugins might be.

Users that only compile trusted code are not impacted.

Patches

The vulnerability has been fixed in @babel/traverse@7.23.2.

Babel 6 does not receive security fixes anymore (see Babel's security policy), hence there is no patch planned for babel-traverse@6.

Workarounds


Release Notes

babel/babel (@babel/traverse)

### [`v7.23.2`](https://togithub.com/babel/babel/blob/HEAD/CHANGELOG.md#v7232-2023-10-11)

[Compare Source](https://togithub.com/babel/babel/compare/v7.23.0...v7.23.2)

##### :bug: Bug Fix

- `babel-traverse`
  - [#16033](https://togithub.com/babel/babel/pull/16033) Only evaluate own String/Number/Math methods ([@nicolo-ribaudo](https://togithub.com/nicolo-ribaudo))
- `babel-preset-typescript`
  - [#16022](https://togithub.com/babel/babel/pull/16022) Rewrite `.tsx` extension when using `rewriteImportExtensions` ([@jimmydief](https://togithub.com/jimmydief))
- `babel-helpers`
  - [#16017](https://togithub.com/babel/babel/pull/16017) Fix: fallback to typeof when toString is applied to incompatible object ([@JLHwung](https://togithub.com/JLHwung))
- `babel-helpers`, `babel-plugin-transform-modules-commonjs`, `babel-runtime-corejs2`, `babel-runtime-corejs3`, `babel-runtime`
  - [#16025](https://togithub.com/babel/babel/pull/16025) Avoid override mistake in namespace imports ([@nicolo-ribaudo](https://togithub.com/nicolo-ribaudo))

### [`v7.23.0`](https://togithub.com/babel/babel/blob/HEAD/CHANGELOG.md#v7230-2023-09-25)

[Compare Source](https://togithub.com/babel/babel/compare/v7.22.20...v7.23.0)

##### :rocket: New Feature

- `babel-plugin-proposal-import-wasm-source`, `babel-plugin-syntax-import-source`, `babel-plugin-transform-dynamic-import`
  - [#15870](https://togithub.com/babel/babel/pull/15870) Support transforming `import source` for wasm ([@nicolo-ribaudo](https://togithub.com/nicolo-ribaudo))
- `babel-helper-module-transforms`, `babel-helpers`, `babel-plugin-proposal-import-defer`, `babel-plugin-syntax-import-defer`, `babel-plugin-transform-modules-commonjs`, `babel-runtime-corejs2`, `babel-runtime-corejs3`, `babel-runtime`, `babel-standalone`
  - [#15878](https://togithub.com/babel/babel/pull/15878) Implement `import defer` proposal transform support ([@nicolo-ribaudo](https://togithub.com/nicolo-ribaudo))
- `babel-generator`, `babel-parser`, `babel-types`
  - [#15845](https://togithub.com/babel/babel/pull/15845) Implement `import defer` parsing support ([@nicolo-ribaudo](https://togithub.com/nicolo-ribaudo))
  - [#15829](https://togithub.com/babel/babel/pull/15829) Add parsing support for the "source phase imports" proposal ([@nicolo-ribaudo](https://togithub.com/nicolo-ribaudo))
- `babel-generator`, `babel-helper-module-transforms`, `babel-parser`, `babel-plugin-transform-dynamic-import`, `babel-plugin-transform-modules-amd`, `babel-plugin-transform-modules-commonjs`, `babel-plugin-transform-modules-systemjs`, `babel-traverse`, `babel-types`
  - [#15682](https://togithub.com/babel/babel/pull/15682) Add `createImportExpressions` parser option ([@JLHwung](https://togithub.com/JLHwung))
- `babel-standalone`
  - [#15671](https://togithub.com/babel/babel/pull/15671) Pass through nonce to the transformed script element ([@JLHwung](https://togithub.com/JLHwung))
- `babel-helper-function-name`, `babel-helper-member-expression-to-functions`, `babel-helpers`, `babel-parser`, `babel-plugin-proposal-destructuring-private`, `babel-plugin-proposal-optional-chaining-assign`, `babel-plugin-syntax-optional-chaining-assign`, `babel-plugin-transform-destructuring`, `babel-plugin-transform-optional-chaining`, `babel-runtime-corejs2`, `babel-runtime-corejs3`, `babel-runtime`, `babel-standalone`, `babel-types`
  - [#15751](https://togithub.com/babel/babel/pull/15751) Add support for optional chain in assignments ([@nicolo-ribaudo](https://togithub.com/nicolo-ribaudo))
- `babel-helpers`, `babel-plugin-proposal-decorators`
  - [#15895](https://togithub.com/babel/babel/pull/15895) Implement the "decorator metadata" proposal ([@nicolo-ribaudo](https://togithub.com/nicolo-ribaudo))
- `babel-traverse`, `babel-types`
  - [#15893](https://togithub.com/babel/babel/pull/15893) Add `t.buildUndefinedNode` ([@liuxingbaoyu](https://togithub.com/liuxingbaoyu))
- `babel-preset-typescript`
  - [#15913](https://togithub.com/babel/babel/pull/15913) Add `rewriteImportExtensions` option to TS preset ([@nicolo-ribaudo](https://togithub.com/nicolo-ribaudo))
- `babel-parser`
  - [#15896](https://togithub.com/babel/babel/pull/15896) Allow TS tuples to have both labeled and unlabeled elements ([@yukukotani](https://togithub.com/yukukotani))

##### :bug: Bug Fix

- `babel-plugin-transform-block-scoping`
  - [#15962](https://togithub.com/babel/babel/pull/15962) fix: `transform-block-scoping` captures the variables of the method in the loop ([@liuxingbaoyu](https://togithub.com/liuxingbaoyu))

##### :nail_care: Polish

- `babel-traverse`
  - [#15797](https://togithub.com/babel/babel/pull/15797) Expand evaluation of global built-ins in `@babel/traverse` ([@lorenzoferre](https://togithub.com/lorenzoferre))
- `babel-plugin-proposal-explicit-resource-management`
  - [#15985](https://togithub.com/babel/babel/pull/15985) Improve source maps for blocks with `using` declarations ([@nicolo-ribaudo](https://togithub.com/nicolo-ribaudo))

##### :microscope: Output optimization

- `babel-core`, `babel-helper-module-transforms`, `babel-plugin-transform-async-to-generator`, `babel-plugin-transform-classes`, `babel-plugin-transform-dynamic-import`, `babel-plugin-transform-function-name`, `babel-plugin-transform-modules-amd`, `babel-plugin-transform-modules-commonjs`, `babel-plugin-transform-modules-umd`, `babel-plugin-transform-parameters`, `babel-plugin-transform-react-constant-elements`, `babel-plugin-transform-react-inline-elements`, `babel-plugin-transform-runtime`, `babel-plugin-transform-typescript`, `babel-preset-env`
  - [#15984](https://togithub.com/babel/babel/pull/15984) Inline `exports.XXX =` update in simple variable declarations ([@nicolo-ribaudo](https://togithub.com/nicolo-ribaudo))

### [`v7.22.20`](https://togithub.com/babel/babel/blob/HEAD/CHANGELOG.md#v72220-2023-09-16)

[Compare Source](https://togithub.com/babel/babel/compare/v7.22.19...v7.22.20)

##### :house: Internal

- `babel-helper-validator-identifier`
  - [#15973](https://togithub.com/babel/babel/pull/15973) Remove special-casing of U+200C and U+200D ([@nicolo-ribaudo](https://togithub.com/nicolo-ribaudo))
- `babel-plugin-transform-dotall-regex`
  - [#15974](https://togithub.com/babel/babel/pull/15974) Update Unicode test fixtures ([@JLHwung](https://togithub.com/JLHwung))

##### :leftwards_arrow_with_hook: Revert

- `babel-helper-remap-async-to-generator`, `babel-helper-wrap-function`, `babel-plugin-proposal-explicit-resource-management`, `babel-plugin-proposal-function-sent`, `babel-plugin-transform-async-generator-functions`, `babel-plugin-transform-async-to-generator`, `babel-plugin-transform-block-scoping`, `babel-plugin-transform-class-properties`, `babel-plugin-transform-classes`, `babel-plugin-transform-parameters`, `babel-plugin-transform-runtime`, `babel-preset-env`
  - [#15979](https://togithub.com/babel/babel/pull/15979) Revert "Improve output when wrapping functions" ([@jjonescz](https://togithub.com/jjonescz))

### [`v7.22.19`](https://togithub.com/babel/babel/releases/tag/v7.22.19)

[Compare Source](https://togithub.com/babel/babel/compare/v7.22.18...v7.22.19)

#### v7.22.19 (2023-09-14)

Re-published 7.22.18, due to a releasing error.

### [`v7.22.18`](https://togithub.com/babel/babel/blob/HEAD/CHANGELOG.md#v72218-2023-09-14)

[Compare Source](https://togithub.com/babel/babel/compare/v7.22.17...v7.22.18)

##### :bug: Bug Fix

- `babel-helper-validator-identifier`
  - [#15957](https://togithub.com/babel/babel/pull/15957) Update identifier name definitions to Unicode 15.1 ([@JLHwung](https://togithub.com/JLHwung))
- `babel-helper-module-transforms`, `babel-plugin-transform-modules-amd`, `babel-plugin-transform-modules-commonjs`, `babel-plugin-transform-modules-umd`
  - [#15898](https://togithub.com/babel/babel/pull/15898) Fix transform of named import with shadowed namespace import ([@dhlolo](https://togithub.com/dhlolo))

##### :leftwards_arrow_with_hook: Revert

- [#15965](https://togithub.com/babel/babel/pull/15965) Revert Node.js 20.6.0 bug workaround ([@nicolo-ribaudo](https://togithub.com/nicolo-ribaudo))

### [`v7.22.17`](https://togithub.com/babel/babel/blob/HEAD/CHANGELOG.md#v72217-2023-09-08)

[Compare Source](https://togithub.com/babel/babel/compare/v7.22.15...v7.22.17)

##### :bug: Bug Fix

- `babel-core`
  - [#15947](https://togithub.com/babel/babel/pull/15947) Fix compatibility with Node.js 20.6 ([@nicolo-ribaudo](https://togithub.com/nicolo-ribaudo))
- `babel-helper-module-transforms`, `babel-plugin-transform-modules-commonjs`
  - [#15941](https://togithub.com/babel/babel/pull/15941) Fix compiling duplicate ns imports to lazy CommonJS ([@nicolo-ribaudo](https://togithub.com/nicolo-ribaudo))
- `babel-types`
  - [#15920](https://togithub.com/babel/babel/pull/15920) Make `ClassDeclaration["id"]` optional in babel-types ([@jordanbtucker](https://togithub.com/jordanbtucker))

##### :microscope: Output optimization

- `babel-helper-remap-async-to-generator`, `babel-helper-wrap-function`, `babel-plugin-proposal-explicit-resource-management`, `babel-plugin-proposal-function-sent`, `babel-plugin-transform-async-generator-functions`, `babel-plugin-transform-async-to-generator`, `babel-plugin-transform-block-scoping`, `babel-plugin-transform-class-properties`, `babel-plugin-transform-classes`, `babel-plugin-transform-parameters`, `babel-plugin-transform-runtime`, `babel-preset-env`
  - [#15922](https://togithub.com/babel/babel/pull/15922) Improve output when wrapping functions (e.g. `async` functions) ([@liuxingbaoyu](https://togithub.com/liuxingbaoyu))

### [`v7.22.15`](https://togithub.com/babel/babel/blob/HEAD/CHANGELOG.md#v72215-2023-09-04)

[Compare Source](https://togithub.com/babel/babel/compare/v7.22.11...v7.22.15)

##### :bug: Bug Fix

- `babel-core`
  - [#15923](https://togithub.com/babel/babel/pull/15923) Only perform config loading re-entrancy check for cjs ([@nicolo-ribaudo](https://togithub.com/nicolo-ribaudo))

##### :house: Internal

- `babel-cli`, `babel-core`, `babel-generator`, `babel-helper-builder-binary-assignment-operator-visitor`, `babel-helper-compilation-targets`, `babel-helper-create-class-features-plugin`, `babel-helper-create-regexp-features-plugin`, `babel-helper-member-expression-to-functions`, `babel-helper-module-imports`, `babel-helper-module-transforms`, `babel-helper-transform-fixture-test-runner`, `babel-helper-validator-identifier`, `babel-helper-validator-option`, `babel-helpers`, `babel-node`, `babel-parser`, `babel-plugin-bugfix-safari-id-destructuring-collision-in-function-expression`, `babel-plugin-bugfix-v8-spread-parameters-in-optional-chaining`, `babel-plugin-proposal-decorators`, `babel-plugin-proposal-destructuring-private`, `babel-plugin-proposal-pipeline-operator`, `babel-plugin-transform-async-generator-functions`, `babel-plugin-transform-block-scoping`, `babel-plugin-transform-classes`, `babel-plugin-transform-destructuring`, `babel-plugin-transform-for-of`, `babel-plugin-transform-modules-commonjs`, `babel-plugin-transform-object-rest-spread`, `babel-plugin-transform-optional-chaining`, `babel-plugin-transform-parameters`, `babel-plugin-transform-property-mutators`, `babel-plugin-transform-react-jsx`, `babel-plugin-transform-runtime`, `babel-plugin-transform-typescript`, `babel-preset-env`, `babel-preset-flow`, `babel-preset-react`, `babel-preset-typescript`, `babel-register`, `babel-standalone`, `babel-template`, `babel-traverse`, `babel-types`
  - [#15892](https://togithub.com/babel/babel/pull/15892) Add explicit `.ts`/`.js` extension to all imports in `src` ([@nicolo-ribaudo](https://togithub.com/nicolo-ribaudo))

### [`v7.22.11`](https://togithub.com/babel/babel/blob/HEAD/CHANGELOG.md#v72211-2023-08-24)

[Compare Source](https://togithub.com/babel/babel/compare/v7.22.10...v7.22.11)

##### :bug: Bug Fix

- `babel-plugin-transform-typescript`
  - [#15882](https://togithub.com/babel/babel/pull/15882) Fix: fully remove TS nested type-only exported namespaces ([@yangguansen](https://togithub.com/yangguansen))
- `babel-types`
  - [#15867](https://togithub.com/babel/babel/pull/15867) fix: definition of TS function type params ([@danez](https://togithub.com/danez))
- `babel-plugin-transform-async-generator-functions`, `babel-plugin-transform-class-static-block`, `babel-plugin-transform-dynamic-import`, `babel-plugin-transform-export-namespace-from`, `babel-plugin-transform-json-strings`, `babel-plugin-transform-logical-assignment-operators`, `babel-plugin-transform-nullish-coalescing-operator`, `babel-plugin-transform-numeric-separator`, `babel-plugin-transform-object-rest-spread`, `babel-plugin-transform-optional-catch-binding`, `babel-plugin-transform-optional-chaining`, `babel-plugin-transform-private-property-in-object`
  - [#15858](https://togithub.com/babel/babel/pull/15858) fix(standalone): strip archived syntax plugins ([@JLHwung](https://togithub.com/JLHwung))
- `babel-core`
  - [#15850](https://togithub.com/babel/babel/pull/15850) Support configuring cache in ESM configs ([@nicolo-ribaudo](https://togithub.com/nicolo-ribaudo))

##### :house: Internal

- `babel-parser`
  - [#10940](https://togithub.com/babel/babel/pull/10940) Do not record trailing comma pos when `maybeAsyncArrow: false` ([@JLHwung](https://togithub.com/JLHwung))
- `babel-core`, `babel-helper-compilation-targets`, `babel-parser`, `babel-plugin-proposal-destructuring-private`, `babel-plugin-syntax-decorators`, `babel-preset-env`, `babel-preset-react`, `babel-register`, `babel-traverse`, `babel-types`
  - [#15872](https://togithub.com/babel/babel/pull/15872) enable jest/no-standalone-expect ([@JLHwung](https://togithub.com/JLHwung))
- `babel-core`, `babel-helpers`, `babel-plugin-transform-async-generator-functions`, `babel-plugin-transform-modules-commonjs`, `babel-plugin-transform-regenerator`, `babel-preset-env`, `babel-runtime-corejs2`, `babel-runtime-corejs3`, `babel-runtime`
  - [#15833](https://togithub.com/babel/babel/pull/15833) bump json5, terser and webpack, further minimize babel helpers ([@JLHwung](https://togithub.com/JLHwung))
- Other
  - [#15846](https://togithub.com/babel/babel/pull/15846) Use Babel 8.0 alpha to build babel ([@JLHwung](https://togithub.com/JLHwung))
  - [#15856](https://togithub.com/babel/babel/pull/15856) Exclude redundant files from publish process ([@JLHwung](https://togithub.com/JLHwung))

##### :microscope: Output optimization

- `babel-plugin-bugfix-v8-spread-parameters-in-optional-chaining`, `babel-plugin-transform-class-properties`, `babel-plugin-transform-classes`, `babel-plugin-transform-optional-chaining`, `babel-preset-env`
  - [#15871](https://togithub.com/babel/babel/pull/15871) Simplify `?.` output when chain result is ignored ([@nicolo-ribaudo](https://togithub.com/nicolo-ribaudo))

### [`v7.22.10`](https://togithub.com/babel/babel/blob/HEAD/CHANGELOG.md#v72210-2023-08-07)

[Compare Source](https://togithub.com/babel/babel/compare/v7.22.8...v7.22.10)

##### :bug: Bug Fix

- `babel-plugin-transform-typescript`
  - [#15799](https://togithub.com/babel/babel/pull/15799) \[ts] Strip type-only namespaces ([@nicolo-ribaudo](https://togithub.com/nicolo-ribaudo))
  - [#15798](https://togithub.com/babel/babel/pull/15798) \[ts] Fix compiling extended exported nested namespace ([@nicolo-ribaudo](https://togithub.com/nicolo-ribaudo))
- `babel-helper-create-class-features-plugin`, `babel-plugin-proposal-decorators`, `babel-plugin-proposal-destructuring-private`, `babel-plugin-transform-class-properties`, `babel-plugin-transform-class-static-block`, `babel-plugin-transform-new-target`, `babel-plugin-transform-private-methods`, `babel-preset-env`
  - [#15701](https://togithub.com/babel/babel/pull/15701) Memoize class binding when compiling private methods and static elements ([@JLHwung](https://togithub.com/JLHwung))

##### :nail_care: Polish

- `babel-cli`
  - [#15824](https://togithub.com/babel/babel/pull/15824) Add `meta` object to `@babel/eslint-plugin` ([@JLHwung](https://togithub.com/JLHwung))
- `babel-traverse`, `babel-types`
  - [#15661](https://togithub.com/babel/babel/pull/15661) Improve the type definition of `path.isX` ([@liuxingbaoyu](https://togithub.com/liuxingbaoyu))
- `babel-generator`, `babel-types`
  - [#15776](https://togithub.com/babel/babel/pull/15776) improve SourceLocation typing ([@JLHwung](https://togithub.com/JLHwung))

##### :house: Internal

- Other
  - [#15818](https://togithub.com/babel/babel/pull/15818) build: generate flow typings in prepublish job ([@JLHwung](https://togithub.com/JLHwung))
  - [#15777](https://togithub.com/babel/babel/pull/15777) chore: bump dev dependencies and remove .eslintignore ([@JLHwung](https://togithub.com/JLHwung))
- `babel-cli`, `babel-core`, `babel-generator`, `babel-helper-builder-react-jsx`, `babel-preset-env`, `babel-standalone`
  - [#15794](https://togithub.com/babel/babel/pull/15794) Enable `@typescript-eslint/no-redundant-type-constituents` rule ([@JLHwung](https://togithub.com/JLHwung))
- `babel-helper-compilation-targets`
  - [#15811](https://togithub.com/babel/babel/pull/15811) Remove `@babel/core` peerDep from `helper-compilation-targets` ([@nicolo-ribaudo](https://togithub.com/nicolo-ribaudo))
- `babel-parser`
  - [#15793](https://togithub.com/babel/babel/pull/15793) Use const enum in babel-parser ([@JLHwung](https://togithub.com/JLHwung))
- `babel-plugin-transform-runtime`, `babel-traverse`, `babel-types`
  - [#15716](https://togithub.com/babel/babel/pull/15716) chore: Use `typescript-eslint@v6` with reworked configs ([@JoshuaKGoldberg](https://togithub.com/JoshuaKGoldberg))

##### :microscope: Output optimization

- `babel-plugin-transform-block-scoping`, `babel-plugin-transform-parameters`, `babel-plugin-transform-regenerator`
  - [#15746](https://togithub.com/babel/babel/pull/15746) Reduce `transform-block-scoping` loops output size ([@liuxingbaoyu](https://togithub.com/liuxingbaoyu))

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.



This PR has been generated by Mend Renovate. View repository job log here.
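
A way to confirm that the bump reached every installed copy, including ones nested under other dependencies: this is an added example, not part of the Renovate PR or the Babel advisory. It assumes an npm lockfile with a `packages` map (lockfile v2/v3); the function names and the sample lockfile are constructed for illustration.

```javascript
// Added example: audit an npm lockfile "packages" map for
// @babel/traverse installs affected by CVE-2023-45133.
// All function names and the sample lockfile below are constructed.

const FIXED_7X = [7, 23, 2]; // fixed release named in the advisory

function parseVersion(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(version || "");
  return m ? m.slice(1).map(Number) : null;
}

function lessThan(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i];
  }
  return false;
}

// "node_modules/x/node_modules/@babel/traverse" -> "@babel/traverse"
function packageNameFromPath(pkgPath) {
  const marker = "node_modules/";
  const idx = pkgPath.lastIndexOf(marker);
  return idx === -1 ? null : pkgPath.slice(idx + marker.length);
}

function auditLockfile(lock) {
  const findings = [];
  for (const [pkgPath, entry] of Object.entries(lock.packages || {})) {
    const name = packageNameFromPath(pkgPath);
    const version = entry.version;
    if (name === "babel-traverse") {
      // Babel 6 package name: the advisory says no patch is planned.
      findings.push({ pkgPath, version, status: "no-patch-planned" });
    } else if (name === "@babel/traverse") {
      const v = parseVersion(version);
      if (!v || v[0] !== 7) {
        // Not on the 7.x line the advisory text covers: check by hand.
        findings.push({ pkgPath, version, status: "review" });
      } else if (lessThan(v, FIXED_7X)) {
        findings.push({ pkgPath, version, status: "upgrade-to-7.23.2" });
      }
    }
  }
  return findings;
}

// Constructed sample: a patched top-level copy, a stale nested copy,
// and a Babel 6 copy pulled in under the old package name.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "constructed-app", version: "1.0.0" },
    "node_modules/@babel/traverse": { version: "7.23.2" },
    "node_modules/some-plugin/node_modules/@babel/traverse": { version: "7.22.8" },
    "node_modules/babel-traverse": { version: "6.26.0" },
    "node_modules/@babel/types": { version: "7.23.0" },
  },
};

console.log(auditLockfile(sampleLock));
```
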