ACT-3656: fix @babel/core GHSA-4x5r-pxfx-6jf8#111
Draft
robertvangor wants to merge 1 commit into
Draft
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Corresponding ticket and security links
What has been done?
@babel/corefloor from^7.20.12to^7.29.6.@babel/core@7.29.7and its coherent Babel internals.Why was this done?
Versions through 7.29.0 can read an outside source map when compiling attacker-controlled input containing a crafted
sourceMappingURL. The package is development-only, but upgrading removes the unsafe build-tool behavior and closes Dependabot alert #60.How to test the changes
npm cinpm ls @babel/core --all— only7.29.7is installed.7.29.0: relative-parent and absolute-outside maps both exposed the sentinel.7.29.7: neither path exposed the sentinel.npm run lintnpm test -- --runInBand— 6 suites and 158 tests pass.npm run test:coverage— 99.39% statement/line coverage, 82.48% branch coverage, 100% function coverage.npm pack --dry-run— package contents generated successfully.Rollout and risk
This is a development-only package update. No environment deployment is required or performed. Rollback is a revert of this PR. Four unrelated pre-existing npm audit findings remain and are outside this single-advisory scope.