Security check: not affected by GHSA-fv7c-fp4j-7gwp (Babel) #32
LakshmanTurlapati
announced in
Announcements
Replies: 0 comments
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Uh oh!
There was an error while loading. Please reload this page.
Uh oh!
There was an error while loading. Please reload this page.
-
GHSA-fv7c-fp4j-7gwp landed on the npm advisory database this week. It is a high-severity (CVSS 8.2) code-generation issue in
@babel/plugin-transform-modules-systemjs, affecting versions 7.12.0 through 7.29.3 as well as the 8.0.0-alpha series. The vulnerability also reaches@babel/preset-envwhen it is configured withmodules: "systemjs". The fix landed in 7.29.4.We ran a deeper audit across every part of this repository that could pull the vulnerable package directly or transitively.
Lockfile audit
@babel/plugin-transform-modules-systemjs@babel/preset-envsystemjsconfigpackage-lock.json(root)mcp/package-lock.jsonshowcase/server/package-lock.jsonshowcase/angular/package-lock.jsonThe first three lockfiles carry no
@babel/*dependencies at all. The Angular showcase lockfile transitively pulls in 81@babel/*packages (core, generator, parser, traverse, helpers, and so on) as part of the standard Angular build toolchain. Neither the vulnerable plugin nor thepreset-envwrapper is anywhere in that tree.MCP server package audit (
fsb-mcp-server)Runtime dependencies:
@modelcontextprotocol/sdk,ws,zod,strip-json-comments,smol-toml,yaml. Development dependencies:tsx,typescript. The package builds withtsc, not Babel. There is no Babel layer in the published artifact.FSB Skill (OpenClaw) audit
The
skills/FSB Skill/package contains 16 files: SKILL.md, USAGE.md, seven markdown references, three Node.mjsscripts (doctor, print-stdio, install-host), and two README files. The scripts use plain Node ESM imports (node:child_process,node:readline,node:process) with no bundler and no transpilation step. The published artifactdist/skill/FSB-Skill-0.9.61.zipis approximately 49KB and contains the same 16 source files. There is nonode_modules, nopackage.json, and no compiled output inside the skill package.Whole-repository configuration audit
plugin-transform-modules-systemjs: zero (excludingshowcase/angular/.angular/cache/, which is a generated build cache and not part of the source tree).preset-env: zero.modules: "systemjs": zero.babel.config.*files: none exist in the repository..babelrc*files: none exist in the repository.Conclusion
FSB is not affected by GHSA-fv7c-fp4j-7gwp. No dependency upgrade is required for this advisory.
The advisory itself notes that users who only compile trusted code are not impacted. Our build pipelines only compile first-party code from this repository, so the attack surface would be moot even if the package were present.
We will keep watching the npm audit feed.
Beta Was this translation helpful? Give feedback.
All reactions