
fix(changelog): Update unreleased marker #184

Merged: tonyo merged 1 commit into master from fix/changelog-unreleased on Feb 24, 2021

Conversation

@tonyo tonyo (Contributor) commented Feb 24, 2021

Ideally we should allow the original too, but let's unblock the release for now.
Without it, craft doesn't process this changelog properly.

@tonyo tonyo enabled auto-merge (squash) February 24, 2021 18:34
@tonyo tonyo merged commit e3b9b12 into master Feb 24, 2021
@tonyo tonyo deleted the fix/changelog-unreleased branch February 24, 2021 18:35
BYK added a commit that referenced this pull request Jul 1, 2026
…#839)

## Summary

Resolves the only open Dependabot alert on the repo (**#184**).

- **Package:** `@babel/core` (transitive, dev-scope, root `pnpm-lock.yaml`)
- **Advisory:** [GHSA-4x5r-pxfx-6jf8](GHSA-4x5r-pxfx-6jf8) / CVE-2026-49356 — *Arbitrary File Read via sourceMappingURL Comment* (low severity)
- **Vulnerable:** `<= 7.29.0` (was resolving to `7.28.5`) → **patched:** `7.29.6`

Dependency chain:

```
@sentry/esbuild-plugin@2.23.1  (direct devDep)
  └─ @sentry/bundler-plugin-core@2.23.1
       └─ @babel/core  (vulnerable)
```

## Fix

Added a `pnpm.overrides` entry `"@babel/core": "^7.29.6"`, following the repo's established pattern for transitive-dependency vulnerabilities. `pnpm install` bumped the whole `@babel/*` toolchain to `7.29.7` in lockstep.

Compatibility: the consumer `@sentry/bundler-plugin-core@2.23.1` declares `@babel/core: ^7.18.5` (and the internal `@babel/helper-module-transforms` peer range is `^7.0.0`); `7.29.7` satisfies both, and `^7.29.6` stays within the 7.x major so it cannot regress into the vulnerable range or the separate `8.0.0-alpha … <8.0.0-rc.5` vulnerable range. A bare `@babel/core` override key is correct here since there is a single copy in the lockfile. Upgrading `@sentry/esbuild-plugin` itself was rejected as it would require a 3-major jump (2.x → 5.x).

Notes:
- `docs/pnpm-lock.yaml` does not contain `@babel/core` — no change needed there.
- GitHub's *security advisories* endpoint returns `[]` (none authored).

## Verification

- `pnpm build` — succeeds
- `pnpm test` — 1025 passed, 1 skipped (57 files)
- `pnpm lint` — 0 errors (7 pre-existing warnings, unrelated)
- `grep "@babel/core@" pnpm-lock.yaml` — only `7.29.7` remains; `7.28.5` gone
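An added check for the verification step above (example code, not part of this PR or the project): it pulls every resolved version of a package out of pnpm-lock.yaml key lines and tests each against the vulnerable ranges the commit message lists, which is stricter than the grep because it also catches a second copy of the package. Assumptions: the lockfile fragments are constructed, and the elided `8.0.0-alpha …` bound is read as "every 8.0.0 pre-release below rc.5".

```python
import re
from functools import cmp_to_key

PACKAGE = "@babel/core"

def parse_version(v):
    """Split '7.29.7' or '8.0.0-rc.5' into ((major, minor, patch), prerelease ids)."""
    core, _, pre = v.partition("-")
    nums = tuple(int(x) for x in core.split("."))
    ids = [(0, int(i)) if i.isdigit() else (1, i) for i in pre.split(".")] if pre else []
    return nums, ids

def compare(a, b):
    """Semver precedence of a vs b: -1, 0 or 1. A release outranks its own pre-releases."""
    ca, pa = parse_version(a)
    cb, pb = parse_version(b)
    if ca != cb:
        return -1 if ca < cb else 1
    if bool(pa) != bool(pb):          # exactly one side is a pre-release
        return 1 if not pa else -1
    for x, y in zip(pa, pb):          # numeric ids rank below alphanumeric ones
        if x != y:
            return -1 if x < y else 1
    return (len(pa) > len(pb)) - (len(pa) < len(pb))

def is_vulnerable(version):
    """Ranges from the commit message: <= 7.29.0, or an 8.0.0 pre-release below rc.5 (assumed)."""
    if compare(version, "7.29.0") <= 0:
        return True
    core, pre = parse_version(version)
    return core == (8, 0, 0) and bool(pre) and compare(version, "8.0.0-rc.5") < 0

def resolved_versions(lock_text, package=PACKAGE):
    """Versions of `package` keyed in the lockfile ('/name@1.2.3:' v6 or ''name@1.2.3':' v9)."""
    key = re.compile(r"^\s*'?/?" + re.escape(package) + r"@([0-9][0-9A-Za-z.\-]*)", re.M)
    return sorted(set(key.findall(lock_text)), key=cmp_to_key(compare))

def audit(lock_text, package=PACKAGE):
    """Map each resolved version of `package` to whether it is in a vulnerable range."""
    return {v: is_vulnerable(v) for v in resolved_versions(lock_text, package)}

# Constructed lockfile fragments standing in for the before/after state of pnpm-lock.yaml.
LOCK_BEFORE = """\
lockfileVersion: '6.0'
packages:
  /@babel/core@7.28.5:
  /@sentry/bundler-plugin-core@2.23.1:
    dependencies:
      '@babel/core': 7.28.5
"""
LOCK_AFTER = LOCK_BEFORE.replace("7.28.5", "7.29.7")
```

`audit(LOCK_BEFORE)` reports `{'7.28.5': True}` and `audit(LOCK_AFTER)` reports `{'7.29.7': False}`; a dependency reference line such as `'@babel/core': 7.28.5` is deliberately not counted as a resolved copy.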