Closed renovate[bot] closed 11 months ago
Latest commit: e5651edb2955d2088f5e2a72307c1a6bd8af9b25
Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.
Click here to learn what changesets are, and how to add one.
Click here if you're a maintainer who wants to add a changeset to this PR
The latest updates on your projects. Learn more about Vercel for Git ↗︎
All modified and coverable lines are covered by tests :white_check_mark:
Comparison is base (
b094895
) 100.00% compared to head (e5651ed
) 96.79%. Report is 162 commits behind head on main.
:exclamation: Your organization needs to install the Codecov GitHub app to enable full functionality.
:umbrella: View full report in Codecov by Sentry.
:loudspeaker: Have feedback on the report? Share it here.
This PR contains the following updates:
7.23.0
->7.23.2
GitHub Vulnerability Alerts
CVE-2023-45133
Impact
Using Babel to compile code that was specifically crafted by an attacker can lead to arbitrary code execution during compilation, when using plugins that rely on the
path.evaluate()
orpath.evaluateTruthy()
internal Babel methods.Known affected plugins are:
@babel/plugin-transform-runtime
@babel/preset-env
when using itsuseBuiltIns
option@babel/helper-define-polyfill-provider
, such asbabel-plugin-polyfill-corejs3
,babel-plugin-polyfill-corejs2
,babel-plugin-polyfill-es-shims
,babel-plugin-polyfill-regenerator
No other plugins under the
@babel/
namespace are impacted, but third-party plugins might be.Users that only compile trusted code are not impacted.
Patches
The vulnerability has been fixed in
@babel/traverse@7.23.2
.Babel 6 does not receive security fixes anymore (see Babel's security policy), hence there is no patch planned for
babel-traverse@6
.Workarounds
@babel/traverse
to v7.23.2 or higher. You can do this by deleting it from your package manager's lockfile and re-installing the dependencies.@babel/core
>=7.23.2 will automatically pull in a non-vulnerable version.@babel/traverse
and are using one of the affected packages mentioned above, upgrade them to their latest version to avoid triggering the vulnerable code path in affected@babel/traverse
versions:@babel/plugin-transform-runtime
v7.23.2@babel/preset-env
v7.23.2@babel/helper-define-polyfill-provider
v0.4.3babel-plugin-polyfill-corejs2
v0.4.6babel-plugin-polyfill-corejs3
v0.8.5babel-plugin-polyfill-es-shims
v0.10.0babel-plugin-polyfill-regenerator
v0.5.3Release Notes
babel/babel (@babel/traverse)
### [`v7.23.2`](https://togithub.com/babel/babel/blob/HEAD/CHANGELOG.md#v7232-2023-10-11) [Compare Source](https://togithub.com/babel/babel/compare/v7.23.0...v7.23.2) ##### :bug: Bug Fix - `babel-traverse` - [#16033](https://togithub.com/babel/babel/pull/16033) Only evaluate own String/Number/Math methods ([@nicolo-ribaudo](https://togithub.com/nicolo-ribaudo)) - `babel-preset-typescript` - [#16022](https://togithub.com/babel/babel/pull/16022) Rewrite `.tsx` extension when using `rewriteImportExtensions` ([@jimmydief](https://togithub.com/jimmydief)) - `babel-helpers` - [#16017](https://togithub.com/babel/babel/pull/16017) Fix: fallback to typeof when toString is applied to incompatible object ([@JLHwung](https://togithub.com/JLHwung)) - `babel-helpers`, `babel-plugin-transform-modules-commonjs`, `babel-runtime-corejs2`, `babel-runtime-corejs3`, `babel-runtime` - [#16025](https://togithub.com/babel/babel/pull/16025) Avoid override mistake in namespace imports ([@nicolo-ribaudo](https://togithub.com/nicolo-ribaudo))Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.