Bump @babel/core from 7.29.0 to 7.29.7 via lockfile re-resolution #1171

Merged: ChanTsune merged 1 commit into master from fix/babel-core-cve-2026-49356 on Jul 3, 2026
ChanTsune (Owner) commented Jul 3, 2026

Bumps @babel/core from 7.29.0 to 7.29.7.

@babel/core is a transitive dependency (via jest/ts-jest). Dependabot could not open this update automatically because its resolution path would have downgraded jest from 30.4.2 to 26.6.3. Re-solving the lockfile bumps @babel/core to 7.29.7 within its existing semver range — no overrides were added and jest stays at 30.4.2.

Security fix

Resolves GHSA-4x5r-pxfx-6jf8 — @babel/core: Arbitrary File Read via sourceMappingURL Comment.

  • CVE: CVE-2026-49356
  • Severity: Low (CVSS 3.2)
  • Affected: @babel/core <= 7.29.0
  • Patched: @babel/core >= 7.29.6

Commits

  • Bump @babel/core from 7.29.0 to 7.29.7 via lockfile re-resolution

Verification

  • npm ls @babel/core → resolves to 7.29.7
  • npm ls jest → stays at 30.4.2 (no downgrade)
  • npm audit → no @babel/core findings
  • npm test → 2 suites / 5 tests passing

Re-resolve the transitive @babel/core dependency (via jest/ts-jest) to a
patched version. No overrides added and jest stays at 30.4.2.

Fixes GHSA-4x5r-pxfx-6jf8 (CVE-2026-49356).

ChanTsune force-pushed the fix/babel-core-cve-2026-49356 branch from 00c6be3 to f778951 on July 3, 2026 13:58
ChanTsune changed the title from "Bump @babel/core from 7.29.0 to 7.29.7 via overrides" to "Bump @babel/core from 7.29.0 to 7.29.7 via lockfile re-resolution" on Jul 3, 2026
ChanTsune merged commit 2a443ab into master on Jul 3, 2026
8 checks passed
ChanTsune deleted the fix/babel-core-cve-2026-49356 branch on July 3, 2026 14:00
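
The verification list in this pull request checks the resolved version with npm ls and npm audit. As an added example (not part of the pull request or the project's code), the script below scans a lockfile's "packages" map for every installed copy of @babel/core, nested copies included, that is still below the patched 7.29.6. It assumes lockfileVersion 2 or 3; the sample lockfile and the package names legacy-tool and @babel/core-helpers-demo are constructed for illustration.

```javascript
'use strict';
// Added example, not code from the pull request or the project.
const PATCHED = '7.29.6'; // "Patched" version stated in the PR description

// Compare two semver strings. Build metadata is ignored; with equal x.y.z a
// prerelease sorts below the release (prereleases are not ordered further).
function compareVersions(a, b) {
  const [coreA, preA] = a.split('+')[0].split('-');
  const [coreB, preB] = b.split('+')[0].split('-');
  const pa = coreA.split('.').map(Number);
  const pb = coreB.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  if (Boolean(preA) !== Boolean(preB)) return preA ? -1 : 1;
  return 0;
}

// List every installed copy of `name` below `minVersion` in the "packages"
// map of a package-lock.json (lockfileVersion 2 or 3 is assumed).
function findUnpatched(lock, name, minVersion) {
  const suffix = 'node_modules/' + name;
  const hits = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    // Match the hoisted copy and nested copies, not similarly named packages.
    if (path !== suffix && !path.endsWith('/' + suffix)) continue;
    if (!entry.version) continue; // e.g. workspace links carry no version
    if (compareVersions(entry.version, minVersion) < 0) {
      hits.push({ path, version: entry.version });
    }
  }
  return hits;
}

// Constructed sample lockfile; "legacy-tool" and "@babel/core-helpers-demo"
// are made-up package names.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', version: '1.0.0' },
    'node_modules/@babel/core': { version: '7.29.7' },
    'node_modules/legacy-tool/node_modules/@babel/core': { version: '7.29.0' },
    'node_modules/@babel/core-helpers-demo': { version: '1.0.0' },
  },
};

console.log(findUnpatched(sampleLock, '@babel/core', PATCHED));
```

To check a real project, pass the parsed contents of its package-lock.json as `lock`; an empty result means no resolved copy is below the patched version.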