
Update @babel/core to 7.23.2 and dedupe babel deps #33355

Merged: 4 commits merged into master from ravicious/babel on Oct 13, 2023

Conversation

ravicious (Member) commented Oct 12, 2023

This fixes arbitrary code execution in Babel (GHSA-67hx-6x53-jw92). Arguably, we don't seem to be vulnerable, as we use neither @babel/plugin-transform-runtime nor useBuiltIns, and we don't use Babel polyfills.

Unfortunately, Yarn v1 doesn't hoist deps correctly, so just changing the version range in web/packages/build/package.json wasn't enough. I noticed that there are a lot of overlapping ranges between our Babel deps and the Babel deps used by Storybook. npx yarn-deduplicate yarn.lock --scopes @babel deduplicated them nicely. I also took the time to deduplicate browserslist and caniuse-lite, since updates of those packages are fairly straightforward to check.

I verified that things are still compiling correctly by running yarn storybook, yarn start-term and make build/teleport.
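The comment above makes a point that is easy to miss when reviewing a dependency bump: with Yarn v1, raising the range in one package.json does not guarantee that the old resolved version is gone from yarn.lock, because overlapping ranges from other consumers (here, Storybook) can keep a second copy alive. The script below is an added example, not code from the Teleport PR or the Teleport repository: it parses a Yarn v1 lockfile and reports every resolved version of a package, which of them fall below a minimum, and whether the package has been deduplicated to a single version. The lockfile excerpts, the function names (parseYarnLock, compareSemver, auditPackage) and the minimal parser itself are assumptions made for this example; the parser handles the common "name@range": / version "x.y.z" layout only and ignores resolved, integrity and npm: aliases.

```javascript
// Added example (not part of the PR): audit a Yarn v1 lockfile for duplicate
// or outdated resolved versions of a package after a security bump.
// Pure Node, no dependencies. Run with: node audit-lock.js

// Minimal Yarn v1 lockfile parser (assumption: only the common layout is handled).
// An unindented line ending in ":" opens an entry whose comma-separated keys are
// "<name>@<range>"; the 2-space-indented `version "x.y.z"` line is the resolution.
function parseYarnLock(text) {
  const entries = [];
  let current = null;
  for (const rawLine of text.split("\n")) {
    const line = rawLine.replace(/\r$/, "");
    if (line.trim() === "" || line.startsWith("#")) continue;
    if (!line.startsWith(" ") && line.endsWith(":")) {
      const keys = line
        .slice(0, -1)
        .split(",")
        .map((k) => k.trim().replace(/^"|"$/g, ""));
      // Scoped packages start with "@", so the name/range separator is the LAST "@".
      const name = keys[0].slice(0, keys[0].lastIndexOf("@"));
      current = {
        name,
        ranges: keys.map((k) => k.slice(k.lastIndexOf("@") + 1)),
        version: null,
      };
      entries.push(current);
    } else if (current && /^ {2}version /.test(line)) {
      current.version = line.trim().split(" ")[1].replace(/^"|"$/g, "");
    }
  }
  return entries;
}

// Compare two "major.minor.patch" strings numerically (pre-release tags are dropped).
function compareSemver(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const x = pa[i] || 0;
    const y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Report every resolved version of `pkg`, the ones below `minVersion`, and whether
// the lockfile now carries a single copy (the state yarn-deduplicate aims for).
function auditPackage(lockText, pkg, minVersion) {
  const versions = [
    ...new Set(parseYarnLock(lockText).filter((e) => e.name === pkg).map((e) => e.version)),
  ].sort(compareSemver);
  return {
    versions,
    outdated: versions.filter((v) => compareSemver(v, minVersion) < 0),
    deduplicated: versions.length <= 1,
  };
}

// Constructed lockfile excerpt: the range was bumped to ^7.23.2 in one package.json,
// but a second consumer still pins an overlapping older range, so Yarn v1 keeps 7.22.9.
const LOCK_BEFORE_DEDUPE = `# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1


"@babel/core@^7.12.3", "@babel/core@^7.20.2":
  version "7.22.9"
  resolved "https://registry.yarnpkg.com/@babel/core/-/core-7.22.9.tgz"
  dependencies:
    "@babel/parser" "^7.22.7"

"@babel/core@^7.23.2":
  version "7.23.2"
  resolved "https://registry.yarnpkg.com/@babel/core/-/core-7.23.2.tgz"

"@babel/parser@^7.22.7":
  version "7.22.7"
  resolved "https://registry.yarnpkg.com/@babel/parser/-/parser-7.22.7.tgz"
`;

// Constructed excerpt after `yarn-deduplicate --scopes @babel`: all ranges share one resolution.
const LOCK_AFTER_DEDUPE = `# yarn lockfile v1


"@babel/core@^7.12.3", "@babel/core@^7.20.2", "@babel/core@^7.23.2":
  version "7.23.2"
  resolved "https://registry.yarnpkg.com/@babel/core/-/core-7.23.2.tgz"
`;

console.log("before:", JSON.stringify(auditPackage(LOCK_BEFORE_DEDUPE, "@babel/core", "7.23.2")));
console.log("after: ", JSON.stringify(auditPackage(LOCK_AFTER_DEDUPE, "@babel/core", "7.23.2")));
```

A non-empty `outdated` list after the bump is the signal that the range change alone did not take effect and deduplication (or a resolutions entry) is still needed. Note that the version check says nothing about exposure: as the PR description points out, GHSA-67hx-6x53-jw92 also depends on whether the project uses @babel/plugin-transform-runtime, useBuiltIns or Babel polyfills, so the lockfile audit is a necessary check, not a sufficient one.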

@ravicious ravicious added this pull request to the merge queue Oct 13, 2023
Merged via the queue into master with commit 37b742a Oct 13, 2023
34 checks passed
@ravicious ravicious deleted the ravicious/babel branch October 13, 2023 08:57
@public-teleport-github-review-bot

@ravicious See the table below for backport results.

Branch Result
branch/v12 Failed
branch/v13 Create PR
branch/v14 Create PR

4 participants