Use forked semver@6 with backported security fixes (#15742)

Use forked semver v6

eslint/babel-eslint-parser/package.json

@@ -32,9 +32,10 @@
   },
   "dependencies": {
     "@nicolo-ribaudo/eslint-scope-5-internals": "condition:BABEL_8_BREAKING ? : 5.1.1-v1",
+    "@nicolo-ribaudo/semver-v6": "condition:BABEL_8_BREAKING ? : ^6.3.3",
     "eslint-scope": "condition:BABEL_8_BREAKING ? ^7.1.1 : ",
     "eslint-visitor-keys": "condition:BABEL_8_BREAKING ? ^3.3.0 : ^2.1.0",
-    "semver": "condition:BABEL_8_BREAKING ? ^7.3.4 : ^6.3.0"
+    "semver": "condition:BABEL_8_BREAKING ? ^7.3.4 : "
   },
   "devDependencies": {
     "@babel/core": "workspace:^",

eslint/babel-eslint-parser/src/parse.cjs

@@ -1,6 +1,8 @@
 "use strict";
 
-const semver = require("semver");
+const semver = process.env.BABEL_8_BREAKING
+  ? require("semver")
+  : require("@nicolo-ribaudo/semver-v6");
 const convert = require("./convert/index.cjs");
 
 const babelParser = require(require.resolve("@babel/parser", {

lib/semver.d.ts

@@ -0,0 +1,4 @@
+declare module "@nicolo-ribaudo/semver-v6" {
+  export { default } from "semver";
+  export * from "semver";
+}

packages/babel-cli/package.json

@@ -42,10 +42,10 @@
   "devDependencies": {
     "@babel/core": "workspace:^",
     "@babel/helper-fixtures": "workspace:^",
+    "@nicolo-ribaudo/semver-v6": "^6.3.3",
     "@types/fs-readdir-recursive": "^1.1.0",
     "@types/glob": "^7.2.0",
-    "rimraf": "^3.0.0",
-    "semver": "^6.3.0"
+    "rimraf": "^3.0.0"
   },
   "bin": {
     "babel": "./bin/babel.js",

packages/babel-cli/test/index.js

@@ -1,7 +1,7 @@
 import readdir from "fs-readdir-recursive";
 import * as helper from "@babel/helper-fixtures";
 import rimraf from "rimraf";
-import semver from "semver";
+import semver from "@nicolo-ribaudo/semver-v6";
 import child from "child_process";
 import path from "path";
 import fs from "fs";

packages/babel-core/package.json

@@ -56,11 +56,12 @@
     "@babel/template": "workspace:^",
     "@babel/traverse": "workspace:^",
     "@babel/types": "workspace:^",
+    "@nicolo-ribaudo/semver-v6": "^6.3.3",
     "convert-source-map": "^1.7.0",
     "debug": "^4.1.0",
     "gensync": "^1.0.0-beta.2",
     "json5": "^2.2.2",
-    "semver": "condition:BABEL_8_BREAKING ? ^7.3.4 : ^6.3.0"
+    "semver": "condition:BABEL_8_BREAKING ? ^7.3.4 : "
   },
   "devDependencies": {
     "@babel/helper-transform-fixture-test-runner": "workspace:^",

packages/babel-core/src/config/files/module-types.ts

@@ -1,9 +1,12 @@
+/// <reference path="../../../../../lib/semver.d.ts" />
+
 import { isAsync, waitFor } from "../../gensync-utils/async";
 import type { Handler } from "gensync";
 import path from "path";
 import { pathToFileURL } from "url";
 import { createRequire } from "module";
-import semver from "semver";
+// TODO(Babel 8): Use "semver" directly
+import semver from "@nicolo-ribaudo/semver-v6";
 
 import { endHiddenCallStack } from "../../errors/rewrite-stack-trace";
 import ConfigError from "../../errors/config-error";

packages/babel-core/src/config/helpers/config-api.ts

@@ -1,4 +1,5 @@
-import semver from "semver";
+// TODO(Babel 8): Use "semver" directly
+import semver from "@nicolo-ribaudo/semver-v6";
 import type { Targets } from "@babel/helper-compilation-targets";
 
 import { version as coreVersion } from "../../";

packages/babel-core/src/transformation/file/file.ts

@@ -6,7 +6,8 @@ import traverse from "@babel/traverse";
 import { cloneNode, interpreterDirective } from "@babel/types";
 import type * as t from "@babel/types";
 import { getModuleName } from "@babel/helper-module-transforms";
-import semver from "semver";
+// TODO(Babel 8): Use "semver" directly
+import semver from "@nicolo-ribaudo/semver-v6";
 
 import type { NormalizedFile } from "../normalize-file";
 

packages/babel-core/test/config-ts.js

@@ -1,6 +1,6 @@
 import { loadPartialConfigSync } from "../lib/index.js";
 import path from "path";
-import semver from "semver";
+import semver from "@nicolo-ribaudo/semver-v6";
 import { USE_ESM, commonJS } from "$repo-utils";
 
 const { __dirname, require } = commonJS(import.meta.url);

packages/babel-helper-compilation-targets/package.json

@@ -24,9 +24,10 @@
   "dependencies": {
     "@babel/compat-data": "workspace:^",
     "@babel/helper-validator-option": "workspace:^",
+    "@nicolo-ribaudo/semver-v6": "^6.3.3",
     "browserslist": "^4.21.3",
     "lru-cache": "condition:BABEL_8_BREAKING ? ^7.14.1 : ^5.1.1",
-    "semver": "condition:BABEL_8_BREAKING ? ^7.3.4 : ^6.3.0"
+    "semver": "condition:BABEL_8_BREAKING ? ^7.3.4 : "
   },
   "peerDependencies": {
     "@babel/core": "^7.0.0"

packages/babel-helper-compilation-targets/src/debug.ts

@@ -1,4 +1,7 @@
-import semver from "semver";
+/// <reference path="../../../lib/semver.d.ts" />
+
+// TODO(Babel 8): Use "semver" directly
+import semver from "@nicolo-ribaudo/semver-v6";
 import { prettifyVersion } from "./pretty";
 import {
   semverify,

packages/babel-helper-compilation-targets/src/filter-items.ts

@@ -1,4 +1,5 @@
-import semver from "semver";
+// TODO(Babel 8): Use "semver" directly
+import semver from "@nicolo-ribaudo/semver-v6";
 
 import pluginsCompatData from "@babel/compat-data/plugins";
 

packages/babel-helper-compilation-targets/src/pretty.ts

@@ -1,4 +1,5 @@
-import semver from "semver";
+// TODO(Babel 8): Use "semver" directly
+import semver from "@nicolo-ribaudo/semver-v6";
 import { unreleasedLabels } from "./targets";
 import type { Targets, Target } from "./types";
 

packages/babel-helper-compilation-targets/src/utils.ts

@@ -1,4 +1,5 @@
-import semver from "semver";
+// TODO(Babel 8): Use "semver" directly
+import semver from "@nicolo-ribaudo/semver-v6";
 import { OptionValidator } from "@babel/helper-validator-option";
 import { unreleasedLabels } from "./targets";
 import type { Target, Targets } from "./types";

packages/babel-helper-create-class-features-plugin/package.json

@@ -26,7 +26,8 @@
     "@babel/helper-replace-supers": "workspace:^",
     "@babel/helper-skip-transparent-expression-wrappers": "workspace:^",
     "@babel/helper-split-export-declaration": "workspace:^",
-    "semver": "condition:BABEL_8_BREAKING ? ^7.3.4 : ^6.3.0"
+    "@nicolo-ribaudo/semver-v6": "^6.3.3",
+    "semver": "condition:BABEL_8_BREAKING ? ^7.3.4 : "
   },
   "peerDependencies": {
     "@babel/core": "^7.0.0"

packages/babel-helper-create-class-features-plugin/src/index.ts

@@ -1,10 +1,13 @@
+/// <reference path="../../../lib/semver.d.ts" />
+
 import { types as t } from "@babel/core";
 import type { PluginAPI, PluginObject } from "@babel/core";
 import type { NodePath } from "@babel/traverse";
 import nameFunction from "@babel/helper-function-name";
 import splitExportDeclaration from "@babel/helper-split-export-declaration";
 
-import semver from "semver";
+// TODO(Babel 8): Use "semver" directly
+import semver from "@nicolo-ribaudo/semver-v6";
 
 import {
   buildPrivateNamesNodes,

packages/babel-helper-create-regexp-features-plugin/package.json

@@ -19,8 +19,9 @@
   ],
   "dependencies": {
     "@babel/helper-annotate-as-pure": "workspace:^",
+    "@nicolo-ribaudo/semver-v6": "^6.3.3",
     "regexpu-core": "^5.3.1",
-    "semver": "condition:BABEL_8_BREAKING ? ^7.3.4 : ^6.3.0"
+    "semver": "condition:BABEL_8_BREAKING ? ^7.3.4 : "
   },
   "peerDependencies": {
     "@babel/core": "^7.0.0"

packages/babel-helper-create-regexp-features-plugin/src/index.ts

@@ -1,9 +1,12 @@
+/// <reference path="../../../lib/semver.d.ts" />
+
 import rewritePattern from "regexpu-core";
 import type { NodePath } from "@babel/traverse";
 import { types as t, type PluginObject } from "@babel/core";
 import annotateAsPure from "@babel/helper-annotate-as-pure";
 
-import semver from "semver";
+// TODO(Babel 8): Use "semver" directly
+import semver from "@nicolo-ribaudo/semver-v6";
 
 import {
   featuresKey,

packages/babel-helper-fixtures/package.json

@@ -15,7 +15,8 @@
   "homepage": "https://babel.dev/docs/en/next/babel-helper-fixtures",
   "main": "./lib/index.js",
   "dependencies": {
-    "semver": "condition:BABEL_8_BREAKING ? ^7.3.4 : ^6.3.0"
+    "@nicolo-ribaudo/semver-v6": "^6.3.3",
+    "semver": "condition:BABEL_8_BREAKING ? ^7.3.4 : "
   },
   "devDependencies": {
     "@types/semver": "^7.3.4"

packages/babel-helper-fixtures/src/index.ts

@@ -1,4 +1,7 @@
-import semver from "semver";
+/// <reference path="../../../lib/semver.d.ts" />
+
+// TODO(Babel 8): Use "semver" directly
+import semver from "@nicolo-ribaudo/semver-v6";
 import path from "path";
 import fs from "fs";
 import { fileURLToPath } from "url";

packages/babel-plugin-transform-runtime/package.json

@@ -22,10 +22,11 @@
   "dependencies": {
     "@babel/helper-module-imports": "workspace:^",
     "@babel/helper-plugin-utils": "workspace:^",
+    "@nicolo-ribaudo/semver-v6": "^6.3.3",
     "babel-plugin-polyfill-corejs2": "^0.4.3",
     "babel-plugin-polyfill-corejs3": "^0.8.1",
     "babel-plugin-polyfill-regenerator": "^0.5.0",
-    "semver": "condition:BABEL_8_BREAKING ? ^7.3.4 : ^6.3.0"
+    "semver": "condition:BABEL_8_BREAKING ? ^7.3.4 : "
   },
   "peerDependencies": {
     "@babel/core": "^7.0.0-0"

packages/babel-plugin-transform-runtime/src/helpers.ts

@@ -1,4 +1,7 @@
-import semver from "semver";
+/// <reference path="../../../lib/semver.d.ts" />
+
+// TODO(Babel 8): Use "semver" directly
+import semver from "@nicolo-ribaudo/semver-v6";
 
 export function hasMinVersion(
   minVersion: string,

packages/babel-preset-env/package.json

@@ -91,11 +91,12 @@
     "@babel/plugin-transform-unicode-sets-regex": "workspace:^",
     "@babel/preset-modules": "^0.1.5",
     "@babel/types": "workspace:^",
+    "@nicolo-ribaudo/semver-v6": "^6.3.3",
     "babel-plugin-polyfill-corejs2": "^0.4.3",
     "babel-plugin-polyfill-corejs3": "^0.8.1",
     "babel-plugin-polyfill-regenerator": "^0.5.0",
     "core-js-compat": "^3.31.0",
-    "semver": "condition:BABEL_8_BREAKING ? ^7.3.4 : ^6.3.0"
+    "semver": "condition:BABEL_8_BREAKING ? ^7.3.4 : "
   },
   "peerDependencies": {
     "@babel/core": "^7.0.0-0"

packages/babel-preset-env/src/filter-items.ts

@@ -1,4 +1,7 @@
-import semver from "semver";
+/// <reference path="../../../lib/semver.d.ts" />
+
+// TODO(Babel 8): Use "semver" directly
+import semver from "@nicolo-ribaudo/semver-v6";
 import { minVersions } from "./available-plugins";
 
 const has = Function.call.bind(Object.hasOwnProperty);

packages/babel-preset-env/src/index.ts

@@ -1,4 +1,5 @@
-import semver, { type SemVer } from "semver";
+// TODO(Babel 8): Use "semver" directly
+import semver, { type SemVer } from "@nicolo-ribaudo/semver-v6";
 import { logPlugin } from "./debug";
 import getOptionSpecificExcludesFor from "./get-option-specific-excludes";
 import {

packages/babel-preset-env/src/normalize-options.ts

@@ -1,4 +1,5 @@
-import semver, { type SemVer } from "semver";
+// TODO(Babel 8): Use "semver" directly
+import semver, { type SemVer } from "@nicolo-ribaudo/semver-v6";
 import corejs2Polyfills from "@babel/compat-data/corejs2-built-ins";
 // @ts-expect-error Fixme: TS can not infer types from ../data/core-js-compat.js
 // but we can't import core-js-compat/data.json because JSON imports do