chore(SEC-11604): security upgrades for eth_sandbox

[phantom-autopilot]

Summary

Resolves Linear ticket SEC-11604 — upgrades @babel/traverse to address the CRITICAL advisory GHSA-67hx-6x53-jw92.

Advisory addressed

Advisory	Severity	Package	Installed	Advisory Fix	Resolved To
GHSA-67hx-6x53-jw92	CRITICAL	@babel/traverse	7.19.4	7.23.2	7.29.7

Approach

@babel/traverse is a transitive dependency (pulled in via react-scripts). Added an overrides entry to package.json constraining @babel/traverse to ^7.23.2, which forces all nested resolutions to a patched version. The lockfile was regenerated with npm install and resolved to 7.29.7.

Verification

• npm install — clean install, no conflicts
• npm run tsc — passes
• npm run build — production build succeeds
• npm test — no tests in repo (No tests found, exiting with code 0)
• npm audit — GHSA-67hx-6x53-jw92 no longer present

Test plan

• Lockfile resolves @babel/traverse to a version >= 7.23.2
• Project builds successfully (npm run build)
• Type-check passes (npm run tsc)
• Test suite passes (no tests defined)
• Target advisory absent from npm audit output

🤖 Generated with Claude Code

Summary by CodeRabbit

• Chores
  • Updated dependency pinning to improve build stability.

[phantom-autopilot]

PR opened by agent

Execution log

#25

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 4b56f242-a250-45e3-be22-95b2ae95c352

📥 Commits

Reviewing files that changed from the base of the PR and between 46b448d and 538d99d.

⛔ Files ignored due to path filters (1)

• package-lock.json is excluded by !**/package-lock.json

📒 Files selected for processing (1)

• package.json

---

📝 Walkthrough

Walkthrough

This PR adds an npm overrides entry to package.json that pins the @babel/traverse dependency to version ^7.23.2. This configuration ensures a specific version of the Babel traverse utility is used, regardless of which transitive dependency declares it.

Changes

Dependency Management

Layer / File(s)	Summary
Babel traverse override package.json	npm overrides configuration block added to pin @babel/traverse to version ^7.23.2.

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title references SEC-11604 and mentions security upgrades, which aligns with the PR objective of resolving a critical security advisory for @babel/traverse. However, it is generic about 'security upgrades for eth_sandbox' without specifying the core change of pinning @babel/traverse version.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch autopilot2/sec-11604_critical-upgrade-babel-traverse-in-phantom-eth-sandbox-ghsa

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[phantom-autopilot]

PR opened by agent

Execution log

Draft PR: #25