
fix: @babel/preset-env vulnerabilities (v3.0.4) #670

Merged: anguyen-yext2 merged 7 commits into main from vuln-44410 on May 20, 2026

Conversation

@anguyen-yext2 (Contributor)

@babel/preset-env@7.23.2 depends on @babel/plugin-transform-modules-systemjs@7.29.0, which has vulnerabilities. The latest @babel/preset-env version fixed this.

anguyen-yext2 requested a review from a team as a code owner on May 12, 2026 18:03
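The check behind this PR is tracing an advisory on a transitive package (here @babel/plugin-transform-modules-systemjs@7.29.0) back to the direct dependency that pulls it in, so the right top-level package gets bumped. The script below does that over the `packages` map of a lockfileVersion 2 or 3 package-lock.json and also reports nested duplicate copies, which a bump of the hoisted copy alone does not touch. It is an added example, not code from this PR or the yext/search-ui-react project: the lockfile is constructed inline, the `demo-tool` package and the `8.0.0` fixed-version boundary are placeholders rather than real advisory data, and `resolveDep`, `chainsToRoot`, `compareSemver` and `findAffected` are illustrative names.

```javascript
// Added example, not from the PR or the project. Trace every installed copy of a
// package below a given version back to the direct dependencies that pull it in,
// using the "packages" map of a package-lock.json (lockfileVersion 2 or 3).
// SAMPLE_LOCK is constructed for the example; "demo-tool" and the version
// boundary passed to findAffected are assumptions, not real advisory data.

const SAMPLE_LOCK = {
  name: 'lockfile-demo',
  lockfileVersion: 3,
  packages: {
    '': {
      dependencies: { '@babel/preset-env': '^7.23.2' },
      devDependencies: { 'demo-tool': '^1.0.0' },
    },
    'node_modules/@babel/preset-env': {
      version: '7.23.2',
      dependencies: { '@babel/plugin-transform-modules-systemjs': '^7.23.0' },
    },
    'node_modules/@babel/plugin-transform-modules-systemjs': {
      version: '7.29.0',
      dependencies: { '@babel/helper-plugin-utils': '^7.22.5' },
    },
    'node_modules/@babel/helper-plugin-utils': { version: '7.22.5' },
    // Constructed dev tool that pins an older, nested copy of the same plugin.
    'node_modules/demo-tool': {
      version: '1.0.0',
      dependencies: { '@babel/plugin-transform-modules-systemjs': '~7.20.0' },
    },
    'node_modules/demo-tool/node_modules/@babel/plugin-transform-modules-systemjs': {
      version: '7.20.0',
      dependencies: { '@babel/helper-plugin-utils': '^7.20.0' },
    },
  },
};

// Resolve `name` the way Node does from the package installed at `fromPath`:
// try fromPath/node_modules/name, then each enclosing node_modules directory.
function resolveDep(packages, fromPath, name) {
  let base = fromPath;
  for (;;) {
    const candidate = base ? `${base}/node_modules/${name}` : `node_modules/${name}`;
    if (packages[candidate]) return candidate;
    if (!base) return null; // reached the root without finding it
    const idx = base.lastIndexOf('/node_modules/');
    base = idx === -1 ? '' : base.slice(0, idx);
  }
}

// Reverse edges: installed path -> set of installed paths that depend on it.
function buildDependents(lock) {
  const packages = lock.packages;
  const dependents = new Map();
  for (const [path, entry] of Object.entries(packages)) {
    const deps = Object.assign({}, entry.dependencies, entry.devDependencies, entry.optionalDependencies);
    for (const name of Object.keys(deps)) {
      const target = resolveDep(packages, path, name);
      if (!target) continue; // e.g. an optional dependency that was not installed
      if (!dependents.has(target)) dependents.set(target, new Set());
      dependents.get(target).add(path);
    }
  }
  return dependents;
}

// All dependency chains from the project root ('') down to `targetPath`.
function chainsToRoot(lock, targetPath) {
  const dependents = buildDependents(lock);
  const chains = [];
  const walk = (path, chain) => {
    if (path === '') { chains.push([...chain].reverse()); return; }
    for (const parent of dependents.get(path) || []) {
      if (chain.includes(parent)) continue; // guard against dependency cycles
      walk(parent, [...chain, parent]);
    }
  };
  walk(targetPath, [targetPath]);
  return chains;
}

// Render a chain as "(root) -> name@version -> ...".
function describeChain(lock, chain) {
  return chain.map((p) => {
    if (p === '') return '(root)';
    const name = p.slice(p.lastIndexOf('node_modules/') + 'node_modules/'.length);
    return `${name}@${lock.packages[p].version}`;
  }).join(' -> ');
}

// Numeric major.minor.patch comparison (prerelease tag ignored): <0, 0 or >0.
function compareSemver(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Every installed copy of `name` with version < fixedVersion, each with the
// chains explaining why it is installed. Nested copies are reported too.
function findAffected(lock, name, fixedVersion) {
  const results = [];
  for (const [path, entry] of Object.entries(lock.packages)) {
    if (path === '' || !path.endsWith(`node_modules/${name}`)) continue;
    if (compareSemver(entry.version, fixedVersion) >= 0) continue;
    results.push({
      path,
      version: entry.version,
      chains: chainsToRoot(lock, path).map((c) => describeChain(lock, c)),
    });
  }
  return results;
}

if (typeof require !== 'undefined' && require.main === module) {
  // '8.0.0' is a placeholder boundary for the example, not a real advisory range.
  for (const hit of findAffected(SAMPLE_LOCK, '@babel/plugin-transform-modules-systemjs', '8.0.0')) {
    console.log(`${hit.path} (${hit.version})`);
    for (const chain of hit.chains) console.log(`  ${chain}`);
  }
}
```

To run it against a real repository, replace SAMPLE_LOCK with `JSON.parse(fs.readFileSync('package-lock.json', 'utf8'))` and pass the fixed version from the advisory. `npm ls <name>` prints the same chain for one package; the point of walking the lockfile yourself is that every installed copy is listed with its own chain, so a nested duplicate on the old version is not hidden behind a fixed hoisted copy.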
@Fondryext (Contributor) left a comment:


Just fyi, the version bump looks good but those test failures are real, so the packages need to be remade, or maybe there really is a version conflict.

anguyen-yext2 and others added 2 commits on May 18, 2026 12:33
> @yext/search-ui-react@3.0.3 prepare
> husky

added 2 packages, and audited 1678 packages in 2s

367 packages are looking for funding
  run `npm fund` for details

18 vulnerabilities (5 low, 4 moderate, 9 high)

To address issues that do not require attention, run:
  npm audit fix

To address all issues possible (including breaking changes), run:
  npm audit fix --force

Some issues need review, and may require choosing
a different dependency.

Run `npm audit` for details.
Comment thread on package-lock.json
@@ -16757,13 +16788,13 @@
"license": "MIT"
},
"node_modules/mapbox-gl": {
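Review bot: this hunk (`@@ -16757,13 +16788,13 @@`) touches the `node_modules/mapbox-gl` entry of package-lock.json, but the PR description only covers a @babel/preset-env bump, so a change to an unrelated package's lockfile entry needs an explanation before merging (the Semgrep comment on this thread flags mapbox-gl 3.24.0 for license policy). Suggest confirming with `git diff main -- package-lock.json` whether mapbox-gl actually moved, and if the change is an accidental regeneration of unrelated entries, re-run `npm install --package-lock-only` after bumping only @babel/preset-env so the lockfile diff contains just the intended upgrade.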

Legal Risk

mapbox-gl 3.24.0 was released under the non-standard license, a license that is currently prohibited by your organization. Merging is blocked until this is resolved.

Recommendation

Reach out to your security team or Semgrep admin to address this issue. In special cases, exceptions may be made for dependencies with violating licenses, however, the general recommendation is to avoid using a dependency under such a license.

@anguyen-yext2 (Contributor, Author)

> Just fyi, the version bump looks good but those test failures are real, so the packages need to be remade, or maybe there really is a version conflict.

I might be wrong, but I don't think my change caused this. The same failure occurred in the last search-ui-react PR too.
Run npm ci --ignore-scripts succeeded in current-coverage, but idk why the same command failed in base-coverage.

anguyen-yext2 merged commit bdf754d into main on May 20, 2026
20 of 22 checks passed
anguyen-yext2 deleted the vuln-44410 branch on May 20, 2026 16:28