Skip to content

ACT-3656: fix @babel/core GHSA-4x5r-pxfx-6jf8#111

Draft
robertvangor wants to merge 1 commit into
mainfrom
ACT-3656/fix-babel-core-ghsa-4x5r-pxfx-6jf8
Draft

ACT-3656: fix @babel/core GHSA-4x5r-pxfx-6jf8#111
robertvangor wants to merge 1 commit into
mainfrom
ACT-3656/fix-babel-core-ghsa-4x5r-pxfx-6jf8

Conversation

@robertvangor

@robertvangor robertvangor commented Jul 16, 2026

Copy link
Copy Markdown

Corresponding ticket and security links

What has been done?

  • Raises the direct @babel/core floor from ^7.20.12 to ^7.29.6.
  • Regenerates the npm lockfile; the installed graph resolves @babel/core@7.29.7 and its coherent Babel internals.
  • Keeps the change limited to this Babel advisory.

Why was this done?

Versions through 7.29.0 can read an outside source map when compiling attacker-controlled input containing a crafted sourceMappingURL. The package is development-only, but upgrading removes the unsafe build-tool behavior and closes Dependabot alert #60.

How to test the changes

  1. npm ci
  2. npm ls @babel/core --all — only 7.29.7 is installed.
  3. Run the disposable source-map sentinel check:
    • 7.29.0: relative-parent and absolute-outside maps both exposed the sentinel.
    • 7.29.7: neither path exposed the sentinel.
  4. npm run lint
  5. npm test -- --runInBand — 6 suites and 158 tests pass.
  6. npm run test:coverage — 99.39% statement/line coverage, 82.48% branch coverage, 100% function coverage.
  7. npm pack --dry-run — package contents generated successfully.

Rollout and risk

This is a development-only package update. No environment deployment is required or performed. Rollback is a revert of this PR. Four unrelated pre-existing npm audit findings remain and are outside this single-advisory scope.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant