
fix(deps): bump @babel/core to ^7.29.6 to resolve GHSA-4x5r-pxfx-6jf8 #839

Merged: BYK merged 2 commits into master from fix/dependabot-babel-core-file-read, Jul 1, 2026

Conversation

@BYK BYK (Member) commented Jul 1, 2026

Summary

Resolves the only open Dependabot alert on the repo (#184).

  • Package: `@babel/core` (transitive, dev-scope, root `pnpm-lock.yaml`)
  • Advisory: GHSA-4x5r-pxfx-6jf8 / CVE-2026-49356, Arbitrary File Read via sourceMappingURL Comment (low severity)
  • Vulnerable: `<= 7.29.0` (was resolving to `7.28.5`) → patched: `7.29.6`

Dependency chain:

```
@sentry/esbuild-plugin@2.23.1 (direct devDep)
└─ @sentry/bundler-plugin-core@2.23.1
   └─ @babel/core (vulnerable)
```

Fix

Added a `pnpm.overrides` entry `"@babel/core": "^7.29.6"`, following the repo's established pattern for transitive-dependency vulnerabilities. `pnpm install` bumped the whole `@babel/*` toolchain to `7.29.7` in lockstep.

Compatibility: the consumer `@sentry/bundler-plugin-core@2.23.1` declares `@babel/core: ^7.18.5` (and the internal `@babel/helper-module-transforms` peer range is `^7.0.0`); `7.29.7` satisfies both, and `^7.29.6` stays within the 7.x major so it cannot regress into the vulnerable range or the separate `8.0.0-alpha … <8.0.0-rc.5` vulnerable range. A bare `@babel/core` override key is correct here since there is a single copy in the lockfile. Upgrading `@sentry/esbuild-plugin` itself was rejected as it would require a 3-major jump (2.x → 5.x).

Notes:

  • `docs/pnpm-lock.yaml` does not contain `@babel/core` — no change needed there.
  • GitHub's security advisories endpoint returns `[]` (none authored).

Verification

  • `pnpm build` — succeeds
  • `pnpm test` — 1025 passed, 1 skipped (57 files)
  • `pnpm lint` — 0 errors (7 pre-existing warnings, unrelated)
  • `grep "@babel/core@" pnpm-lock.yaml` — only `7.29.7` remains; `7.28.5` gone

Adds a pnpm override forcing @babel/core to a patched version, resolving
the arbitrary file read via sourceMappingURL comment vulnerability
(CVE-2026-49356, low severity) pulled in transitively via
@sentry/esbuild-plugin -> @sentry/bundler-plugin-core.

Closes Dependabot alert #184.
@BYK BYK merged commit 035046d into master Jul 1, 2026
23 checks passed
@BYK BYK deleted the fix/dependabot-babel-core-file-read branch July 1, 2026 13:19
BYK added a commit that referenced this pull request Jul 1, 2026
## Summary

Resolves 3 Dependabot alerts (**#186, #187, #188**), all the same
advisory across both projects.

- **Advisory:** GHSA-h67p-54hq-rp68 / CVE-2026-53550 — *js-yaml: Quadratic-complexity DoS in merge key handling via repeated aliases* (medium severity)
- **Vulnerable:** `>= 4.0.0, <= 4.1.1` → **patched:** `4.2.0`

These alerts were opened by the post-merge rescan right after #839
landed (newly-published advisory), not caused by that change.

## Fix

| Alert | Manifest | Relationship | Change |
|---|---|---|---|
| #187 | root `package.json` | direct devDep | bump pinned `js-yaml` `4.1.1` → `4.2.0` |
| #188 | root `pnpm-lock.yaml` | direct devDep | regenerated → `4.2.0` |
| #186 | `docs/pnpm-lock.yaml` | transitive (astro/starlight) | `pnpm.overrides` `js-yaml: ^4.2.0` → resolves to `4.3.0` |

- Root uses an exact pin (matching the repo's pinned-devDep convention, e.g. `tar`); docs uses an override (matching the docs override style) since js-yaml is transitive there.
- Both lockfile diffs are 100% js-yaml-scoped — no unrelated drift. No `@babel/core`/other packages touched.

## Verification

- Root: `pnpm build` ✅, `pnpm test` ✅ (1025 passed, 1 skipped), `pnpm lint` ✅ (0 errors), `pnpm format:check` ✅ (tracked files)
- Docs: `pnpm build` ✅ (27 pages built)
- `grep "js-yaml@" pnpm-lock.yaml docs/pnpm-lock.yaml` — only `4.2.0`/`4.3.0` remain; `4.1.1` gone. (`@types/js-yaml` is type-defs only, not the vulnerable package.)
