CVE-2023-45133 was published two days ago with a critical security vulnerability in @babel/traverse<7.23.2. That's not a high risk for this project, but I usually fix CVEs like this anyway by bumping to the latest dependency versions and making other adjustments if necessary.
This time, both my attempts at bumping this dev-dependency unfortunately failed due to babel-plugin-istanbul when instrumenting the code for getting the project's code coverage when running tests:
The newer babel versions either consume too much memory for the GitHub CI runners, or the istanbuljs babel plugin hangs forever when bumping the entire babel stack to the latest version, including @babel/core. Annoying... Especially since babel-plugin-istanbul seems to be unmaintained.
NW.js/Chromium should allow us to get the code coverage results natively without code instrumentation via the CDP bridge when running the tests, so istanbul-js is unnecessary and can get removed: