changeset-bot[bot]
commented
11 months ago ⚠️ No Changeset found
Latest commit: e5651edb2955d2088f5e2a72307c1a6bd8af9b25
Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.
This PR includes no changesets
When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver typesClick here to learn what changesets are, and how to add one.
Click here if you're a maintainer who wants to add a changeset to this PR
vercel[bot]
codecov-commenter
This PR contains the following updates:
7.23.0->7.23.2GitHub Vulnerability Alerts
CVE-2023-45133
Impact
Using Babel to compile code that was specifically crafted by an attacker can lead to arbitrary code execution during compilation, when using plugins that rely on the
path.evaluate()orpath.evaluateTruthy()internal Babel methods.Known affected plugins are:
@babel/plugin-transform-runtime@babel/preset-envwhen using itsuseBuiltInsoption@babel/helper-define-polyfill-provider, such asbabel-plugin-polyfill-corejs3,babel-plugin-polyfill-corejs2,babel-plugin-polyfill-es-shims,babel-plugin-polyfill-regeneratorNo other plugins under the
@babel/namespace are impacted, but third-party plugins might be.Users that only compile trusted code are not impacted.
Patches
The vulnerability has been fixed in
@babel/traverse@7.23.2.Babel 6 does not receive security fixes anymore (see Babel's security policy), hence there is no patch planned for
babel-traverse@6.Workarounds
@babel/traverseto v7.23.2 or higher. You can do this by deleting it from your package manager's lockfile and re-installing the dependencies.@babel/core>=7.23.2 will automatically pull in a non-vulnerable version.@babel/traverseand are using one of the affected packages mentioned above, upgrade them to their latest version to avoid triggering the vulnerable code path in affected@babel/traverseversions:@babel/plugin-transform-runtimev7.23.2@babel/preset-envv7.23.2@babel/helper-define-polyfill-providerv0.4.3babel-plugin-polyfill-corejs2v0.4.6babel-plugin-polyfill-corejs3v0.8.5babel-plugin-polyfill-es-shimsv0.10.0babel-plugin-polyfill-regeneratorv0.5.3Release Notes
babel/babel (@babel/traverse)
### [`v7.23.2`](https://togithub.com/babel/babel/blob/HEAD/CHANGELOG.md#v7232-2023-10-11) [Compare Source](https://togithub.com/babel/babel/compare/v7.23.0...v7.23.2) ##### :bug: Bug Fix - `babel-traverse` - [#16033](https://togithub.com/babel/babel/pull/16033) Only evaluate own String/Number/Math methods ([@nicolo-ribaudo](https://togithub.com/nicolo-ribaudo)) - `babel-preset-typescript` - [#16022](https://togithub.com/babel/babel/pull/16022) Rewrite `.tsx` extension when using `rewriteImportExtensions` ([@jimmydief](https://togithub.com/jimmydief)) - `babel-helpers` - [#16017](https://togithub.com/babel/babel/pull/16017) Fix: fallback to typeof when toString is applied to incompatible object ([@JLHwung](https://togithub.com/JLHwung)) - `babel-helpers`, `babel-plugin-transform-modules-commonjs`, `babel-runtime-corejs2`, `babel-runtime-corejs3`, `babel-runtime` - [#16025](https://togithub.com/babel/babel/pull/16025) Avoid override mistake in namespace imports ([@nicolo-ribaudo](https://togithub.com/nicolo-ribaudo))Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by Mend Renovate. View repository job log here.