1 vulnerability required manual review and could not be updated #10176
OS: ubuntu 18.04.2 LTS
Hey @usama-asfar! We really appreciate you taking the time to report an issue. The collaborators
Yes, but we will only release new v6 versions for critical security vulnerabilities. This has been fixed in Babel 7.
This vulnerability only affects
It should run something like this:
But if the attacker can run an arbitrary command, you have bigger problems.
For this reason, this vulnerability is even lower for Babel users than how it is specified in the report.
For reference, this is the braces bug fix: micromatch/braces@abdafb0
I have set up a repo, installed babel/cli 7.5, and it turns out there are 22 prototype pollution reports that come from chokidar 2 only.
Recently chokidar has released v3 with far less dependencies and better performance. Hopefully we can get rid of the affected dependency by upgrading chokidar to v3.
However, chokidar v3 dropped Node.js 6 support, which should be a reason why we would not update chokidar to v3 on Babel 7.
@nicolo-ribaudo Should we target chokidar v3 upgrade to Babel 8?