chore(deps): aggregate dependabot updates#4032
Merged
Merged
Conversation
Bumps [vm2](https://github.com/patriksimek/vm2) from 3.10.3 to 3.11.3. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/patriksimek/vm2/releases">vm2's releases</a>.</em></p> <blockquote> <h2>v3.11.3</h2> <h2>What's Changed</h2> <h3>Security fix</h3> <ul> <li><strong>GHSA-248r-7h7q-cr24</strong> — Async generator <code>yield*</code>-return thenable exception capture (RCE)</li> </ul> <h2>Documentation</h2> <ul> <li><a href="https://github.com/patriksimek/vm2/blob/main/docs/ATTACKS.md"><code>docs/ATTACKS.md</code></a> updated through Category 29.</li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/patriksimek/vm2/compare/v3.11.2...v3.11.3">https://github.com/patriksimek/vm2/compare/v3.11.2...v3.11.3</a></p> <h2>v3.11.2</h2> <h2>What's Changed</h2> <h3>Security fixes</h3> <ul> <li><strong>GHSA-9vg3-4rfj-wgcm</strong> — Sandbox-realm null-proto write-through via <code>bridge.from()</code> set trap (RCE)</li> <li><strong>GHSA-2cm2-m3w5-gp2f</strong> — Internal state reachable via computed-key access on <code>globalThis</code></li> <li><strong>GHSA-9qj6-qjgg-37qq</strong> — Bridge saved-state leak via sandbox-installed <code>Array.prototype[N]</code> setter (RCE)</li> </ul> <h2>Documentation</h2> <ul> <li><a href="https://github.com/patriksimek/vm2/blob/main/docs/ATTACKS.md"><code>docs/ATTACKS.md</code></a> updated through Category 28, plus a new Defense Invariant<br /> ("Bridge-internal containers must not invoke sandbox code").</li> </ul> <p><strong>Full Changelog</strong>: <a href="https://github.com/patriksimek/vm2/compare/v3.11.1...v3.11.2">https://github.com/patriksimek/vm2/compare/v3.11.1...v3.11.2</a></p> <h2>v3.11.1</h2> <p>Single advisory closed plus prominent documentation of an existing escape hatch. Patch release — no API changes for valid configurations.</p> <p><strong>Embedders running untrusted code with <code>nesting: true</code> should read the new README section.</strong></p> <h2>What's Changed</h2> <h3>Security fix</h3> <ul> <li><strong>GHSA-8hg8-63c5-gwmx</strong> — <code>nesting: true</code> bypassed <code>require: false</code>, allowing sandbox-to-host RCE via inner NodeVM construction. The contradictory option pair <code>{ nesting: true, require: false }</code> now throws <code>VMError</code> at <code>new NodeVM(...)</code> time citing the advisory. Same shape as the GHSA-cp6g eager FileSystem-contract probe — surface contradictory configuration at the API surface, not silently produce an unsandboxed sandbox.</li> </ul> <h3>Documentation</h3> <ul> <li>New README section <strong><a href="https://github.com/patriksimek/vm2#5-nesting-true-is-an-escape-hatch">"<code>nesting: true</code> is an escape hatch"</a></strong> under Hardening recommendations. Spells out the inner-VM independence: a nested VM's <code>require</code> config is chosen by the sandbox code that constructs it, not constrained by the outer VM. <strong>Do not enable <code>nesting: true</code> for untrusted code.</strong></li> <li>JSDoc on the <code>nesting</code> option (<code>lib/nodevm.js</code>) upgraded to match.</li> <li><a href="https://github.com/patriksimek/vm2/blob/main/docs/ATTACKS.md"><code>docs/ATTACKS.md</code></a> gains <a href="https://github.com/patriksimek/vm2/blob/main/docs/ATTACKS.md#attack-category-25-nodevm-nesting-true--require-false-configuration-trap">Category 25</a> documenting the configuration trap, plus a matching row in the "How The Bridge Defends" table.</li> </ul> <h2>Upgrade Notes</h2> <ul> <li><strong>If you set <code>{ nesting: true, require: false }</code></strong> anywhere in your codebase, <code>new NodeVM(...)</code> now throws. Either drop <code>nesting: true</code> (if you wanted deny-all), or replace <code>require: false</code> with an explicit <code>require</code> config (e.g. <code>require: { builtin: [] }</code>) to acknowledge that vm2 will be requireable. The error message is actionable and links to the README section.</li> <li><strong>No other configurations are affected.</strong> Bare <code>new NodeVM({ nesting: true })</code> continues to work as documented; this is the documented escape hatch and is not closed by this patch (out of scope — would change <code>nesting: true</code> semantics substantially).</li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/patriksimek/vm2/blob/main/CHANGELOG.md">vm2's changelog</a>.</em></p> <blockquote> <h2>[3.11.3]</h2> <p>Single advisory closed. Patch release — no API changes.</p> <h3>Security fix</h3> <ul> <li><strong>GHSA-248r-7h7q-cr24</strong> — async generator <code>yield*</code>-return thenable exception capture. Calling <code>i.return(thenable)</code> on an async generator delegating to a no-<code>return</code> inner iterator let V8's <code>PromiseResolveThenableJob</code> capture synchronous throws from the thenable's <code>.then</code> and surface them to sandbox code as iterator results — bypassing both the transformer's <code>catch</code> instrumentation and the <code>globalPromise.prototype.then</code> rejection sanitiser. Two-layer defense on <code>%AsyncGeneratorPrototype%.next/.return/.throw</code> in <code>lib/setup-sandbox.js</code>: every iterator-result promise routes value and rejection through <code>handleException</code>, and every thenable argument is replaced with a sandbox-realm wrapper whose <code>.then</code> is a fixed <code>safeThen</code> that sanitises sync throws and recursively re-wraps any nested thenable handed to <code>resolve(...)</code>. When <code>safeThen</code> reads <code>value.then</code> and it is non-function, the wrapper always resolves with a <code>{__proto__: null}</code> shadow so V8's re-read of <code>.then</code> cannot observe attacker-controlled values — closing every counting/self-replacing-getter TOCTOU variant. Trade-off: identity is not preserved for non-thenable values passed to <code>i.return(x)</code>. ATTACKS.md Category 29.</li> </ul> <h2>[3.11.2]</h2> <p>Three advisories closed. Patch release — no API changes.</p> <h3>Security fixes</h3> <ul> <li><strong>GHSA-2cm2-m3w5-gp2f</strong> — Internal state reachable via computed property access on <code>globalThis</code>. The previous fix (GHSA-wp5r-2gw5-m7q7) tightened the transformer's identifier-rejection but left <code>globalThis['VM2_INTERNAL_STATE_DO_NOT_USE_OR_PROGRAM_WILL_FAIL']</code> and every reflective probe of the global object (bracket access, <code>Reflect.get</code>, <code>Object.getOwnPropertyDescriptor</code>, <code>Object.getOwnPropertyNames</code> enumeration) returning the live state object — the transformer is a syntactic gate and cannot see through dynamic property keys. Structural fix: the bootstrap script (<code>vm.js</code>'s setupSandboxScript source) now declares <code>let VM2_INTERNAL_STATE_DO_NOT_USE_OR_PROGRAM_WILL_FAIL</code> at the script's top level, which lands the binding in the context's <code>[[GlobalLexicalEnvironment]]</code> — reachable as a bare identifier from every script (so transformer-emitted catch handlers still resolve), but absent from <code>globalThis</code>'s own-property table (so every computed-key probe returns <code>undefined</code>). The <code>defineProperty</code> install in <code>setup-sandbox.js</code> is removed entirely; the bootstrap IIFE assigns into the outer <code>let</code> instead. Supersedes GHSA-wp5r-2gw5-m7q7's identifier-only mitigation by closing the entire computed-key class. ATTACKS.md Category 27.</li> <li><strong>GHSA-9vg3-4rfj-wgcm</strong> — Sandbox breakout via null-proto throw / <code>handleException</code>. The post-GHSA-mpf8 hardening switched <code>handleException</code> and <code>globalPromise.prototype.then</code> onFulfilled to wrap caught/resolved values with <code>bridge.from()</code> for "symmetry". <code>from()</code> builds a sandbox-side proxy whose target the bridge treats as host-realm; calling it on a sandbox-realm null-proto value (<code>{__proto__: null}</code> thrown or <code>Promise.resolve</code>-d by sandbox JS) produced a proxy whose <code>set</code> trap unwrapped sandbox proxies of host references (e.g. <code>Buffer.prototype.inspect</code>) back to their raw host originals and stored them on the underlying sandbox object — readable via the original sandbox reference and pivot to host <code>Function</code> constructor → RCE. Three callsites in <code>lib/setup-sandbox.js</code> reverted to <code>ensureThis()</code> semantics; the host-Promise rejection sanitizer composes <code>from()</code> outside <code>handleException</code> so the GHSA-mpf8 invariant (host null-proto rejection values must reach sandbox callbacks bridge-wrapped) is preserved. ATTACKS.md Category 26.</li> <li><strong>GHSA-9qj6-qjgg-37qq</strong> — sandbox breakout via the species-defense helper <code>neutralizeArraySpeciesBatch</code>. The helper appended saved-state records to a fresh <code>[]</code> literal that — being allocated by the sandbox-side bridge closure — inherited sandbox <code>Array.prototype</code>. A sandbox-installed setter on <code>Array.prototype[N]</code> therefore captured the next <code>saved[saved.length] = c</code> write and exposed <code>c.arr</code> (a host-realm proxy) directly to attacker code, leading to host <code>Function</code> extraction and RCE. Fixed in <code>lib/bridge.js</code> by writing every saved-state entry through <code>thisReflectDefineProperty</code> so the appended slot is an own data property and no <code>Array.prototype[N]</code> setter is ever invoked while the bridge holds raw saved state. ATTACKS.md gains a new Defense Invariant ("Bridge-internal containers must not invoke sandbox code") codifying the cross-cutting principle.</li> </ul> <h2>[3.11.1]</h2> <p>Single advisory closed plus prominent documentation of an existing escape hatch. Patch release — no API changes for valid configurations.</p> <h3>Security fix</h3> <ul> <li><strong>GHSA-8hg8-63c5-gwmx</strong> — <code>nesting: true</code> bypassed <code>require: false</code>, allowing sandbox-to-host RCE via inner NodeVM construction. The contradictory option pair <code>{ nesting: true, require: false }</code> now throws <code>VMError</code> at <code>new NodeVM(...)</code> time citing the advisory. Same shape as the GHSA-cp6g eager FileSystem-contract probe — surface contradictory configuration at the API surface, not silently produce an unsandboxed sandbox. ATTACKS.md Category 25.</li> </ul> <h3>Documentation</h3> <ul> <li>New README section <strong>"<code>nesting: true</code> is an escape hatch"</strong> under Hardening recommendations. Explains that <code>nesting: true</code> lets sandbox code <code>require('vm2')</code> and construct nested NodeVMs whose <code>require</code> config is chosen by the sandbox (not constrained by the outer config — by design of nesting). <strong>Do not enable <code>nesting: true</code> for untrusted code.</strong></li> <li>JSDoc on the <code>nesting</code> option (<code>lib/nodevm.js</code>) upgraded to spell out the escape-hatch semantics and the GHSA-8hg8 contradictory-pair rejection.</li> <li>ATTACKS.md gains Category 25 documenting the configuration trap and a matching row in the "How The Bridge Defends" table.</li> </ul> <h3>Upgrade notes</h3> <ul> <li><strong>If you set <code>{ nesting: true, require: false }</code></strong> anywhere in your codebase, <code>new NodeVM(...)</code> now throws. Either drop <code>nesting: true</code> (if you wanted deny-all), or replace <code>require: false</code> with an explicit <code>require</code> config (e.g. <code>require: { builtin: [] }</code>) to acknowledge that vm2 will be requireable. The error message is actionable and links to the README section.</li> <li><strong>No other configurations are affected.</strong> Bare <code>new NodeVM({ nesting: true })</code> continues to work as documented; this is the documented escape hatch and is not closed by this patch (out of scope — would change <code>nesting: true</code> semantics substantially).</li> </ul> <h3>What this fix does NOT close</h3> <p><code>nesting: true</code> itself remains an escape hatch for any non-trivial <code>require</code> config. The fix closes the <strong>specific contradictory pair</strong> flagged by the advisory; the broader recommendation is in the new README section: do not enable <code>nesting: true</code> when running untrusted code. Constraint propagation from outer to inner NodeVM (where the outer's <code>require</code> config would constrain inner construction) was considered and deferred — it would change the documented semantics of <code>nesting: true</code> and is a major-version-shaped change.</p> <h2>[3.11.0]</h2> <p>Coordinated security release closing 13 advisories, plus a new <code>bufferAllocLimit</code> option and a <code>realpath()</code> method on the FileSystem adapter contract. Minor version bump because of the new public option and the FileSystem contract addition; no incompatible changes to the existing public API surface. Embedders running untrusted code in memory-constrained environments should review the new <code>bufferAllocLimit</code> option and the README's <a href="https://github.com/patriksimek/vm2/blob/main/README.md#hardening-recommendations">Hardening recommendations</a> section.</p> <h3>Upgrade notes</h3> <ul> <li><strong>Custom <code>fs</code> adapters with <code>require.root</code></strong> must implement <code>realpathSync</code> (or <code>realpath()</code> on a fully custom <code>FileSystem</code> class). Without it, <code>new NodeVM({require: {root, fs: customAdapter}})</code> now throws a <code>VMError</code> at construction, citing GHSA-cp6g-6699-wx9c. The eager probe converts what was previously silent deny-by-default at every later <code>require()</code> into a single, clearly-labelled construction-time error. Default <code>fs</code> users are unaffected — <code>DefaultFileSystem</code> and <code>VMFileSystem</code> ship <code>realpath()</code> out of the box.</li> <li><strong>Embedders running untrusted async code</strong> should install a host-side <code>unhandledRejection</code> handler. The GHSA-hw58 fix closes synchronous executor throws but cannot reach async-function / async-generator / <code>await using</code> rejection paths (V8 creates rejection promises via the realm's intrinsic <code>Promise</code>). See README's Hardening recommendations and ATTACKS.md Category 22.</li> <li><strong>Embedders running untrusted code in memory-constrained environments</strong> should opt into a finite <code>bufferAllocLimit</code> (e.g. <code>32 * 1024 * 1024</code>) as part of layered DoS defense. Default remains <code>Infinity</code> for backwards compatibility.</li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/patriksimek/vm2/commit/093494c0c3ef2390d2e56909f9d56e290e6f18b0"><code>093494c</code></a> fix(GHSA-248r-7h7q-cr24): close async generator yield*-return thenable except...</li> <li><a href="https://github.com/patriksimek/vm2/commit/7a552e89e88bf34e0c3a33916aa7900efd9fd2f4"><code>7a552e8</code></a> chore: bump to 3.11.2</li> <li><a href="https://github.com/patriksimek/vm2/commit/ca195f0178989d6f59eafb7af965806f829e20f7"><code>ca195f0</code></a> fix(GHSA-9qj6-qjgg-37qq): bridge saved-state leak via Array.prototype[N] setter</li> <li><a href="https://github.com/patriksimek/vm2/commit/99d410bb7e0d607c56e68b420720a586dc0dd300"><code>99d410b</code></a> fix(GHSA-2cm2-m3w5-gp2f): bind internal state in GlobalLexicalEnvironment</li> <li><a href="https://github.com/patriksimek/vm2/commit/c33c2bb19a822847f4e01d8d87b28dd5b2c86b3e"><code>c33c2bb</code></a> fix(GHSA-9vg3-4rfj-wgcm): null-proto throw write-through via bridge from()</li> <li><a href="https://github.com/patriksimek/vm2/commit/46cbbdde4e19b743974c942278080231004146ca"><code>46cbbdd</code></a> fix(GHSA-8hg8-63c5-gwmx): reject contradictory { nesting: true, require: fals...</li> <li><a href="https://github.com/patriksimek/vm2/commit/fc0da548e63e96944b62f9b489d272d77a9d7f32"><code>fc0da54</code></a> fix: enhance CallSite path leak tests for Node 14+ and Node 16+ compatibility</li> <li><a href="https://github.com/patriksimek/vm2/commit/fca270df73b64a88e2f9ce71ac17663b6eaf814e"><code>fca270d</code></a> fix: ensure compatibility with Node 8 by replacing recursive mkdir with expli...</li> <li><a href="https://github.com/patriksimek/vm2/commit/5cc3037848f9ebd693c53c02cb136ce25c31abb7"><code>5cc3037</code></a> fix: update test pipeline</li> <li><a href="https://github.com/patriksimek/vm2/commit/4e9fa062edd597ed9cd82c0cd96d7f9c78552d01"><code>4e9fa06</code></a> chore: update mocha</li> <li>Additional commits viewable in <a href="https://github.com/patriksimek/vm2/compare/v3.10.3...v3.11.3">compare view</a></li> </ul> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/software-mansion/react-native-screens/network/alerts). </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…9 to 7.29.4 in /FabricExample (#4029) Bumps [@babel/plugin-transform-modules-systemjs](https://github.com/babel/babel/tree/HEAD/packages/babel-plugin-transform-modules-systemjs) from 7.25.9 to 7.29.4. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/babel/babel/releases">@babel/plugin-transform-modules-systemjs's releases</a>.</em></p> <blockquote> <h2>v7.29.4 (2026-05-05)</h2> <h4>:bug: Bug Fix</h4> <ul> <li><code>babel-plugin-transform-modules-systemjs</code> <ul> <li><a href="https://redirect.github.com/babel/babel/pull/17974">#17974</a> [7.x backport]fix(systemjs): improve module string name support (<a href="https://github.com/JLHwung"><code>@JLHwung</code></a>)</li> </ul> </li> </ul> <h4>Committers: 1</h4> <ul> <li>Huáng Jùnliàng (<a href="https://github.com/JLHwung"><code>@JLHwung</code></a>)</li> </ul> <h2>v7.29.3 (2026-04-30)</h2> <h4>:eyeglasses: Spec Compliance</h4> <ul> <li><code>babel-parser</code> <ul> <li><a href="https://redirect.github.com/babel/babel/pull/17923">#17923</a> Support flow extends bound (<a href="https://github.com/JLHwung"><code>@JLHwung</code></a>)</li> </ul> </li> </ul> <h4>:bug: Bug Fix</h4> <ul> <li><code>babel-helper-create-class-features-plugin</code>, <code>babel-plugin-proposal-decorators</code> <ul> <li><a href="https://redirect.github.com/babel/babel/pull/17931">#17931</a> fix(decorators): replace super within all removed static elements (<a href="https://github.com/JLHwung"><code>@JLHwung</code></a>)</li> </ul> </li> <li><code>babel-register</code> <ul> <li><a href="https://redirect.github.com/babel/babel/pull/17915">#17915</a> Fix thread synchronization issues in <code>@babel/register</code> (<a href="https://github.com/liuxingbaoyu"><code>@liuxingbaoyu</code></a>)</li> </ul> </li> <li><code>babel-compat-data</code>, <code>babel-plugin-bugfix-safari-rest-destructuring-rhs-array</code>, <code>babel-preset-env</code> <ul> <li><a href="https://redirect.github.com/babel/babel/pull/17788">#17788</a> Add bugfix plugin for Safari array rest destructuring bug (<a href="https://github.com/JLHwung"><code>@JLHwung</code></a>)</li> </ul> </li> </ul> <h4>:nail_care: Polish</h4> <ul> <li><code>babel-parser</code> <ul> <li><a href="https://redirect.github.com/babel/babel/pull/17782">#17782</a> Improve trailing comma comment handling (<a href="https://github.com/JLHwung"><code>@JLHwung</code></a>)</li> </ul> </li> </ul> <h4>:memo: Documentation</h4> <ul> <li><a href="https://redirect.github.com/babel/babel/pull/17847">#17847</a> Replace npmjs.com links with npmx.dev (<a href="https://github.com/nicolo-ribaudo"><code>@nicolo-ribaudo</code></a>)</li> </ul> <h4>:running_woman: Performance</h4> <ul> <li><code>babel-helper-import-to-platform-api</code>, <code>babel-plugin-proposal-import-wasm-source</code>, <code>babel-plugin-transform-json-modules</code> <ul> <li><a href="https://redirect.github.com/babel/babel/pull/17818">#17818</a> Load async Wasm and JSON imports in parallel (<a href="https://github.com/nicolo-ribaudo"><code>@nicolo-ribaudo</code></a>)</li> </ul> </li> </ul> <h4>Committers: 4</h4> <ul> <li>Babel Bot (<a href="https://github.com/babel-bot"><code>@babel-bot</code></a>)</li> <li>Huáng Jùnliàng (<a href="https://github.com/JLHwung"><code>@JLHwung</code></a>)</li> <li>Nicolò Ribaudo (<a href="https://github.com/nicolo-ribaudo"><code>@nicolo-ribaudo</code></a>)</li> <li><a href="https://github.com/liuxingbaoyu"><code>@liuxingbaoyu</code></a></li> </ul> <h2>v7.29.2 (2026-03-16)</h2> <h4>:eyeglasses: Spec Compliance</h4> <ul> <li><code>babel-parser</code> <ul> <li><a href="https://redirect.github.com/babel/babel/pull/17840">#17840</a> [7.x backport] async x => {} must be in leading pos (<a href="https://github.com/JLHwung"><code>@JLHwung</code></a>)</li> </ul> </li> </ul> <h4>:bug: Bug Fix</h4> <ul> <li><code>babel-helpers</code>, <code>babel-plugin-transform-async-generator-functions</code>, <code>babel-preset-env</code>, <code>babel-runtime-corejs3</code> <ul> <li><a href="https://redirect.github.com/babel/babel/pull/17805">#17805</a> [7.x backport] fix: Properly handle await in finally (<a href="https://github.com/liuxingbaoyu"><code>@liuxingbaoyu</code></a>)</li> </ul> </li> <li><code>babel-preset-env</code></li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/babel/babel/commit/a458f66074b97d54773db8159af673d23b26079b"><code>a458f66</code></a> v7.29.4</li> <li><a href="https://github.com/babel/babel/commit/32ebd5aaf2526ddd176fd6a3d1e3dc594abdc8d9"><code>32ebd5a</code></a> [7.x backport]fix(systemjs): improve module string name support (<a href="https://github.com/babel/babel/tree/HEAD/packages/babel-plugin-transform-modules-systemjs/issues/17974">#17974</a>)</li> <li><a href="https://github.com/babel/babel/commit/aa8394e454337d118ac3d40bfa3ee1a3cb3f3ed2"><code>aa8394e</code></a> v7.29.0</li> <li><a href="https://github.com/babel/babel/commit/0053db620c05acf0036f593b5aaf4e372daa79d0"><code>0053db6</code></a> Update polyfill packages (<a href="https://github.com/babel/babel/tree/HEAD/packages/babel-plugin-transform-modules-systemjs/issues/17727">#17727</a>)</li> <li><a href="https://github.com/babel/babel/commit/61647ae2397c82c3c71f077b5ab109106a5cac0f"><code>61647ae</code></a> v7.28.5</li> <li><a href="https://github.com/babel/babel/commit/a177d551adba99773f4ff00ea9bf46550def6132"><code>a177d55</code></a> [Babel 8] Use <code>t.traverseFast</code> to replace some <code>path.traverse</code> (<a href="https://github.com/babel/babel/tree/HEAD/packages/babel-plugin-transform-modules-systemjs/issues/17518">#17518</a>)</li> <li><a href="https://github.com/babel/babel/commit/eebd3a06021c13d335b5b0bd79734df3abbea678"><code>eebd3a0</code></a> v7.27.1</li> <li><a href="https://github.com/babel/babel/commit/317e332e650bc04907bc787ab79f930288a3e71e"><code>317e332</code></a> Enforce node protocol import (<a href="https://github.com/babel/babel/tree/HEAD/packages/babel-plugin-transform-modules-systemjs/issues/17207">#17207</a>)</li> <li><a href="https://github.com/babel/babel/commit/fdc0fb59e119ee0b38bced63867a344a5b4bc2f3"><code>fdc0fb5</code></a> [Babel 8] Bump nodejs requirements to <code>^20.19.0 || >= 22.12.0</code> (<a href="https://github.com/babel/babel/tree/HEAD/packages/babel-plugin-transform-modules-systemjs/issues/17204">#17204</a>)</li> <li><a href="https://github.com/babel/babel/commit/cd24cc07ef6558b7f6510f9177f6393c91b0549f"><code>cd24cc0</code></a> chore: Update TS 5.7 (<a href="https://github.com/babel/babel/tree/HEAD/packages/babel-plugin-transform-modules-systemjs/issues/17053">#17053</a>)</li> <li>See full diff in <a href="https://github.com/babel/babel/commits/v7.29.4/packages/babel-plugin-transform-modules-systemjs">compare view</a></li> </ul> </details> <details> <summary>Maintainer changes</summary> <p>This version was pushed to npm by <a href="https://www.npmjs.com/~GitHub%20Actions">GitHub Actions</a>, a new releaser for <code>@babel/plugin-transform-modules-systemjs</code> since your current version.</p> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/software-mansion/react-native-screens/network/alerts). </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…9 to 7.29.4 (#4025) Bumps [@babel/plugin-transform-modules-systemjs](https://github.com/babel/babel/tree/HEAD/packages/babel-plugin-transform-modules-systemjs) from 7.25.9 to 7.29.4. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/babel/babel/releases">@babel/plugin-transform-modules-systemjs's releases</a>.</em></p> <blockquote> <h2>v7.29.4 (2026-05-05)</h2> <h4>:bug: Bug Fix</h4> <ul> <li><code>babel-plugin-transform-modules-systemjs</code> <ul> <li><a href="https://redirect.github.com/babel/babel/pull/17974">#17974</a> [7.x backport]fix(systemjs): improve module string name support (<a href="https://github.com/JLHwung"><code>@JLHwung</code></a>)</li> </ul> </li> </ul> <h4>Committers: 1</h4> <ul> <li>Huáng Jùnliàng (<a href="https://github.com/JLHwung"><code>@JLHwung</code></a>)</li> </ul> <h2>v7.29.3 (2026-04-30)</h2> <h4>:eyeglasses: Spec Compliance</h4> <ul> <li><code>babel-parser</code> <ul> <li><a href="https://redirect.github.com/babel/babel/pull/17923">#17923</a> Support flow extends bound (<a href="https://github.com/JLHwung"><code>@JLHwung</code></a>)</li> </ul> </li> </ul> <h4>:bug: Bug Fix</h4> <ul> <li><code>babel-helper-create-class-features-plugin</code>, <code>babel-plugin-proposal-decorators</code> <ul> <li><a href="https://redirect.github.com/babel/babel/pull/17931">#17931</a> fix(decorators): replace super within all removed static elements (<a href="https://github.com/JLHwung"><code>@JLHwung</code></a>)</li> </ul> </li> <li><code>babel-register</code> <ul> <li><a href="https://redirect.github.com/babel/babel/pull/17915">#17915</a> Fix thread synchronization issues in <code>@babel/register</code> (<a href="https://github.com/liuxingbaoyu"><code>@liuxingbaoyu</code></a>)</li> </ul> </li> <li><code>babel-compat-data</code>, <code>babel-plugin-bugfix-safari-rest-destructuring-rhs-array</code>, <code>babel-preset-env</code> <ul> <li><a href="https://redirect.github.com/babel/babel/pull/17788">#17788</a> Add bugfix plugin for Safari array rest destructuring bug (<a href="https://github.com/JLHwung"><code>@JLHwung</code></a>)</li> </ul> </li> </ul> <h4>:nail_care: Polish</h4> <ul> <li><code>babel-parser</code> <ul> <li><a href="https://redirect.github.com/babel/babel/pull/17782">#17782</a> Improve trailing comma comment handling (<a href="https://github.com/JLHwung"><code>@JLHwung</code></a>)</li> </ul> </li> </ul> <h4>:memo: Documentation</h4> <ul> <li><a href="https://redirect.github.com/babel/babel/pull/17847">#17847</a> Replace npmjs.com links with npmx.dev (<a href="https://github.com/nicolo-ribaudo"><code>@nicolo-ribaudo</code></a>)</li> </ul> <h4>:running_woman: Performance</h4> <ul> <li><code>babel-helper-import-to-platform-api</code>, <code>babel-plugin-proposal-import-wasm-source</code>, <code>babel-plugin-transform-json-modules</code> <ul> <li><a href="https://redirect.github.com/babel/babel/pull/17818">#17818</a> Load async Wasm and JSON imports in parallel (<a href="https://github.com/nicolo-ribaudo"><code>@nicolo-ribaudo</code></a>)</li> </ul> </li> </ul> <h4>Committers: 4</h4> <ul> <li>Babel Bot (<a href="https://github.com/babel-bot"><code>@babel-bot</code></a>)</li> <li>Huáng Jùnliàng (<a href="https://github.com/JLHwung"><code>@JLHwung</code></a>)</li> <li>Nicolò Ribaudo (<a href="https://github.com/nicolo-ribaudo"><code>@nicolo-ribaudo</code></a>)</li> <li><a href="https://github.com/liuxingbaoyu"><code>@liuxingbaoyu</code></a></li> </ul> <h2>v7.29.2 (2026-03-16)</h2> <h4>:eyeglasses: Spec Compliance</h4> <ul> <li><code>babel-parser</code> <ul> <li><a href="https://redirect.github.com/babel/babel/pull/17840">#17840</a> [7.x backport] async x => {} must be in leading pos (<a href="https://github.com/JLHwung"><code>@JLHwung</code></a>)</li> </ul> </li> </ul> <h4>:bug: Bug Fix</h4> <ul> <li><code>babel-helpers</code>, <code>babel-plugin-transform-async-generator-functions</code>, <code>babel-preset-env</code>, <code>babel-runtime-corejs3</code> <ul> <li><a href="https://redirect.github.com/babel/babel/pull/17805">#17805</a> [7.x backport] fix: Properly handle await in finally (<a href="https://github.com/liuxingbaoyu"><code>@liuxingbaoyu</code></a>)</li> </ul> </li> <li><code>babel-preset-env</code></li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/babel/babel/commit/a458f66074b97d54773db8159af673d23b26079b"><code>a458f66</code></a> v7.29.4</li> <li><a href="https://github.com/babel/babel/commit/32ebd5aaf2526ddd176fd6a3d1e3dc594abdc8d9"><code>32ebd5a</code></a> [7.x backport]fix(systemjs): improve module string name support (<a href="https://github.com/babel/babel/tree/HEAD/packages/babel-plugin-transform-modules-systemjs/issues/17974">#17974</a>)</li> <li><a href="https://github.com/babel/babel/commit/aa8394e454337d118ac3d40bfa3ee1a3cb3f3ed2"><code>aa8394e</code></a> v7.29.0</li> <li><a href="https://github.com/babel/babel/commit/0053db620c05acf0036f593b5aaf4e372daa79d0"><code>0053db6</code></a> Update polyfill packages (<a href="https://github.com/babel/babel/tree/HEAD/packages/babel-plugin-transform-modules-systemjs/issues/17727">#17727</a>)</li> <li><a href="https://github.com/babel/babel/commit/61647ae2397c82c3c71f077b5ab109106a5cac0f"><code>61647ae</code></a> v7.28.5</li> <li><a href="https://github.com/babel/babel/commit/a177d551adba99773f4ff00ea9bf46550def6132"><code>a177d55</code></a> [Babel 8] Use <code>t.traverseFast</code> to replace some <code>path.traverse</code> (<a href="https://github.com/babel/babel/tree/HEAD/packages/babel-plugin-transform-modules-systemjs/issues/17518">#17518</a>)</li> <li><a href="https://github.com/babel/babel/commit/eebd3a06021c13d335b5b0bd79734df3abbea678"><code>eebd3a0</code></a> v7.27.1</li> <li><a href="https://github.com/babel/babel/commit/317e332e650bc04907bc787ab79f930288a3e71e"><code>317e332</code></a> Enforce node protocol import (<a href="https://github.com/babel/babel/tree/HEAD/packages/babel-plugin-transform-modules-systemjs/issues/17207">#17207</a>)</li> <li><a href="https://github.com/babel/babel/commit/fdc0fb59e119ee0b38bced63867a344a5b4bc2f3"><code>fdc0fb5</code></a> [Babel 8] Bump nodejs requirements to <code>^20.19.0 || >= 22.12.0</code> (<a href="https://github.com/babel/babel/tree/HEAD/packages/babel-plugin-transform-modules-systemjs/issues/17204">#17204</a>)</li> <li><a href="https://github.com/babel/babel/commit/cd24cc07ef6558b7f6510f9177f6393c91b0549f"><code>cd24cc0</code></a> chore: Update TS 5.7 (<a href="https://github.com/babel/babel/tree/HEAD/packages/babel-plugin-transform-modules-systemjs/issues/17053">#17053</a>)</li> <li>See full diff in <a href="https://github.com/babel/babel/commits/v7.29.4/packages/babel-plugin-transform-modules-systemjs">compare view</a></li> </ul> </details> <details> <summary>Maintainer changes</summary> <p>This version was pushed to npm by <a href="https://www.npmjs.com/~GitHub%20Actions">GitHub Actions</a>, a new releaser for <code>@babel/plugin-transform-modules-systemjs</code> since your current version.</p> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/software-mansion/react-native-screens/network/alerts). </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…1 to 7.29.4 in /docs (#4003) Bumps [@babel/plugin-transform-modules-systemjs](https://github.com/babel/babel/tree/HEAD/packages/babel-plugin-transform-modules-systemjs) from 7.27.1 to 7.29.4. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/babel/babel/releases">@babel/plugin-transform-modules-systemjs's releases</a>.</em></p> <blockquote> <h2>v7.29.4 (2026-05-05)</h2> <h4>:bug: Bug Fix</h4> <ul> <li><code>babel-plugin-transform-modules-systemjs</code> <ul> <li><a href="https://redirect.github.com/babel/babel/pull/17974">#17974</a> [7.x backport]fix(systemjs): improve module string name support (<a href="https://github.com/JLHwung"><code>@JLHwung</code></a>)</li> </ul> </li> </ul> <h4>Committers: 1</h4> <ul> <li>Huáng Jùnliàng (<a href="https://github.com/JLHwung"><code>@JLHwung</code></a>)</li> </ul> <h2>v7.29.3 (2026-04-30)</h2> <h4>:eyeglasses: Spec Compliance</h4> <ul> <li><code>babel-parser</code> <ul> <li><a href="https://redirect.github.com/babel/babel/pull/17923">#17923</a> Support flow extends bound (<a href="https://github.com/JLHwung"><code>@JLHwung</code></a>)</li> </ul> </li> </ul> <h4>:bug: Bug Fix</h4> <ul> <li><code>babel-helper-create-class-features-plugin</code>, <code>babel-plugin-proposal-decorators</code> <ul> <li><a href="https://redirect.github.com/babel/babel/pull/17931">#17931</a> fix(decorators): replace super within all removed static elements (<a href="https://github.com/JLHwung"><code>@JLHwung</code></a>)</li> </ul> </li> <li><code>babel-register</code> <ul> <li><a href="https://redirect.github.com/babel/babel/pull/17915">#17915</a> Fix thread synchronization issues in <code>@babel/register</code> (<a href="https://github.com/liuxingbaoyu"><code>@liuxingbaoyu</code></a>)</li> </ul> </li> <li><code>babel-compat-data</code>, <code>babel-plugin-bugfix-safari-rest-destructuring-rhs-array</code>, <code>babel-preset-env</code> <ul> <li><a href="https://redirect.github.com/babel/babel/pull/17788">#17788</a> Add bugfix plugin for Safari array rest destructuring bug (<a href="https://github.com/JLHwung"><code>@JLHwung</code></a>)</li> </ul> </li> </ul> <h4>:nail_care: Polish</h4> <ul> <li><code>babel-parser</code> <ul> <li><a href="https://redirect.github.com/babel/babel/pull/17782">#17782</a> Improve trailing comma comment handling (<a href="https://github.com/JLHwung"><code>@JLHwung</code></a>)</li> </ul> </li> </ul> <h4>:memo: Documentation</h4> <ul> <li><a href="https://redirect.github.com/babel/babel/pull/17847">#17847</a> Replace npmjs.com links with npmx.dev (<a href="https://github.com/nicolo-ribaudo"><code>@nicolo-ribaudo</code></a>)</li> </ul> <h4>:running_woman: Performance</h4> <ul> <li><code>babel-helper-import-to-platform-api</code>, <code>babel-plugin-proposal-import-wasm-source</code>, <code>babel-plugin-transform-json-modules</code> <ul> <li><a href="https://redirect.github.com/babel/babel/pull/17818">#17818</a> Load async Wasm and JSON imports in parallel (<a href="https://github.com/nicolo-ribaudo"><code>@nicolo-ribaudo</code></a>)</li> </ul> </li> </ul> <h4>Committers: 4</h4> <ul> <li>Babel Bot (<a href="https://github.com/babel-bot"><code>@babel-bot</code></a>)</li> <li>Huáng Jùnliàng (<a href="https://github.com/JLHwung"><code>@JLHwung</code></a>)</li> <li>Nicolò Ribaudo (<a href="https://github.com/nicolo-ribaudo"><code>@nicolo-ribaudo</code></a>)</li> <li><a href="https://github.com/liuxingbaoyu"><code>@liuxingbaoyu</code></a></li> </ul> <h2>v7.29.2 (2026-03-16)</h2> <h4>:eyeglasses: Spec Compliance</h4> <ul> <li><code>babel-parser</code> <ul> <li><a href="https://redirect.github.com/babel/babel/pull/17840">#17840</a> [7.x backport] async x => {} must be in leading pos (<a href="https://github.com/JLHwung"><code>@JLHwung</code></a>)</li> </ul> </li> </ul> <h4>:bug: Bug Fix</h4> <ul> <li><code>babel-helpers</code>, <code>babel-plugin-transform-async-generator-functions</code>, <code>babel-preset-env</code>, <code>babel-runtime-corejs3</code> <ul> <li><a href="https://redirect.github.com/babel/babel/pull/17805">#17805</a> [7.x backport] fix: Properly handle await in finally (<a href="https://github.com/liuxingbaoyu"><code>@liuxingbaoyu</code></a>)</li> </ul> </li> <li><code>babel-preset-env</code></li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/babel/babel/commit/a458f66074b97d54773db8159af673d23b26079b"><code>a458f66</code></a> v7.29.4</li> <li><a href="https://github.com/babel/babel/commit/32ebd5aaf2526ddd176fd6a3d1e3dc594abdc8d9"><code>32ebd5a</code></a> [7.x backport]fix(systemjs): improve module string name support (<a href="https://github.com/babel/babel/tree/HEAD/packages/babel-plugin-transform-modules-systemjs/issues/17974">#17974</a>)</li> <li><a href="https://github.com/babel/babel/commit/aa8394e454337d118ac3d40bfa3ee1a3cb3f3ed2"><code>aa8394e</code></a> v7.29.0</li> <li><a href="https://github.com/babel/babel/commit/0053db620c05acf0036f593b5aaf4e372daa79d0"><code>0053db6</code></a> Update polyfill packages (<a href="https://github.com/babel/babel/tree/HEAD/packages/babel-plugin-transform-modules-systemjs/issues/17727">#17727</a>)</li> <li><a href="https://github.com/babel/babel/commit/61647ae2397c82c3c71f077b5ab109106a5cac0f"><code>61647ae</code></a> v7.28.5</li> <li><a href="https://github.com/babel/babel/commit/a177d551adba99773f4ff00ea9bf46550def6132"><code>a177d55</code></a> [Babel 8] Use <code>t.traverseFast</code> to replace some <code>path.traverse</code> (<a href="https://github.com/babel/babel/tree/HEAD/packages/babel-plugin-transform-modules-systemjs/issues/17518">#17518</a>)</li> <li>See full diff in <a href="https://github.com/babel/babel/commits/v7.29.4/packages/babel-plugin-transform-modules-systemjs">compare view</a></li> </ul> </details> <details> <summary>Maintainer changes</summary> <p>This version was pushed to npm by <a href="https://www.npmjs.com/~GitHub%20Actions">GitHub Actions</a>, a new releaser for <code>@babel/plugin-transform-modules-systemjs</code> since your current version.</p> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/software-mansion/react-native-screens/network/alerts). </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
…9 to 7.29.4 in /TVOSExample (#4002) Bumps [@babel/plugin-transform-modules-systemjs](https://github.com/babel/babel/tree/HEAD/packages/babel-plugin-transform-modules-systemjs) from 7.25.9 to 7.29.4. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/babel/babel/releases">@babel/plugin-transform-modules-systemjs's releases</a>.</em></p> <blockquote> <h2>v7.29.4 (2026-05-05)</h2> <h4>:bug: Bug Fix</h4> <ul> <li><code>babel-plugin-transform-modules-systemjs</code> <ul> <li><a href="https://redirect.github.com/babel/babel/pull/17974">#17974</a> [7.x backport]fix(systemjs): improve module string name support (<a href="https://github.com/JLHwung"><code>@JLHwung</code></a>)</li> </ul> </li> </ul> <h4>Committers: 1</h4> <ul> <li>Huáng Jùnliàng (<a href="https://github.com/JLHwung"><code>@JLHwung</code></a>)</li> </ul> <h2>v7.29.3 (2026-04-30)</h2> <h4>:eyeglasses: Spec Compliance</h4> <ul> <li><code>babel-parser</code> <ul> <li><a href="https://redirect.github.com/babel/babel/pull/17923">#17923</a> Support flow extends bound (<a href="https://github.com/JLHwung"><code>@JLHwung</code></a>)</li> </ul> </li> </ul> <h4>:bug: Bug Fix</h4> <ul> <li><code>babel-helper-create-class-features-plugin</code>, <code>babel-plugin-proposal-decorators</code> <ul> <li><a href="https://redirect.github.com/babel/babel/pull/17931">#17931</a> fix(decorators): replace super within all removed static elements (<a href="https://github.com/JLHwung"><code>@JLHwung</code></a>)</li> </ul> </li> <li><code>babel-register</code> <ul> <li><a href="https://redirect.github.com/babel/babel/pull/17915">#17915</a> Fix thread synchronization issues in <code>@babel/register</code> (<a href="https://github.com/liuxingbaoyu"><code>@liuxingbaoyu</code></a>)</li> </ul> </li> <li><code>babel-compat-data</code>, <code>babel-plugin-bugfix-safari-rest-destructuring-rhs-array</code>, <code>babel-preset-env</code> <ul> <li><a href="https://redirect.github.com/babel/babel/pull/17788">#17788</a> Add bugfix plugin for Safari array rest destructuring bug (<a href="https://github.com/JLHwung"><code>@JLHwung</code></a>)</li> </ul> </li> </ul> <h4>:nail_care: Polish</h4> <ul> <li><code>babel-parser</code> <ul> <li><a href="https://redirect.github.com/babel/babel/pull/17782">#17782</a> Improve trailing comma comment handling (<a href="https://github.com/JLHwung"><code>@JLHwung</code></a>)</li> </ul> </li> </ul> <h4>:memo: Documentation</h4> <ul> <li><a href="https://redirect.github.com/babel/babel/pull/17847">#17847</a> Replace npmjs.com links with npmx.dev (<a href="https://github.com/nicolo-ribaudo"><code>@nicolo-ribaudo</code></a>)</li> </ul> <h4>:running_woman: Performance</h4> <ul> <li><code>babel-helper-import-to-platform-api</code>, <code>babel-plugin-proposal-import-wasm-source</code>, <code>babel-plugin-transform-json-modules</code> <ul> <li><a href="https://redirect.github.com/babel/babel/pull/17818">#17818</a> Load async Wasm and JSON imports in parallel (<a href="https://github.com/nicolo-ribaudo"><code>@nicolo-ribaudo</code></a>)</li> </ul> </li> </ul> <h4>Committers: 4</h4> <ul> <li>Babel Bot (<a href="https://github.com/babel-bot"><code>@babel-bot</code></a>)</li> <li>Huáng Jùnliàng (<a href="https://github.com/JLHwung"><code>@JLHwung</code></a>)</li> <li>Nicolò Ribaudo (<a href="https://github.com/nicolo-ribaudo"><code>@nicolo-ribaudo</code></a>)</li> <li><a href="https://github.com/liuxingbaoyu"><code>@liuxingbaoyu</code></a></li> </ul> <h2>v7.29.2 (2026-03-16)</h2> <h4>:eyeglasses: Spec Compliance</h4> <ul> <li><code>babel-parser</code> <ul> <li><a href="https://redirect.github.com/babel/babel/pull/17840">#17840</a> [7.x backport] async x => {} must be in leading pos (<a href="https://github.com/JLHwung"><code>@JLHwung</code></a>)</li> </ul> </li> </ul> <h4>:bug: Bug Fix</h4> <ul> <li><code>babel-helpers</code>, <code>babel-plugin-transform-async-generator-functions</code>, <code>babel-preset-env</code>, <code>babel-runtime-corejs3</code> <ul> <li><a href="https://redirect.github.com/babel/babel/pull/17805">#17805</a> [7.x backport] fix: Properly handle await in finally (<a href="https://github.com/liuxingbaoyu"><code>@liuxingbaoyu</code></a>)</li> </ul> </li> <li><code>babel-preset-env</code></li> </ul> <!-- raw HTML omitted --> </blockquote> <p>... (truncated)</p> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/babel/babel/commit/a458f66074b97d54773db8159af673d23b26079b"><code>a458f66</code></a> v7.29.4</li> <li><a href="https://github.com/babel/babel/commit/32ebd5aaf2526ddd176fd6a3d1e3dc594abdc8d9"><code>32ebd5a</code></a> [7.x backport]fix(systemjs): improve module string name support (<a href="https://github.com/babel/babel/tree/HEAD/packages/babel-plugin-transform-modules-systemjs/issues/17974">#17974</a>)</li> <li><a href="https://github.com/babel/babel/commit/aa8394e454337d118ac3d40bfa3ee1a3cb3f3ed2"><code>aa8394e</code></a> v7.29.0</li> <li><a href="https://github.com/babel/babel/commit/0053db620c05acf0036f593b5aaf4e372daa79d0"><code>0053db6</code></a> Update polyfill packages (<a href="https://github.com/babel/babel/tree/HEAD/packages/babel-plugin-transform-modules-systemjs/issues/17727">#17727</a>)</li> <li><a href="https://github.com/babel/babel/commit/61647ae2397c82c3c71f077b5ab109106a5cac0f"><code>61647ae</code></a> v7.28.5</li> <li><a href="https://github.com/babel/babel/commit/a177d551adba99773f4ff00ea9bf46550def6132"><code>a177d55</code></a> [Babel 8] Use <code>t.traverseFast</code> to replace some <code>path.traverse</code> (<a href="https://github.com/babel/babel/tree/HEAD/packages/babel-plugin-transform-modules-systemjs/issues/17518">#17518</a>)</li> <li><a href="https://github.com/babel/babel/commit/eebd3a06021c13d335b5b0bd79734df3abbea678"><code>eebd3a0</code></a> v7.27.1</li> <li><a href="https://github.com/babel/babel/commit/317e332e650bc04907bc787ab79f930288a3e71e"><code>317e332</code></a> Enforce node protocol import (<a href="https://github.com/babel/babel/tree/HEAD/packages/babel-plugin-transform-modules-systemjs/issues/17207">#17207</a>)</li> <li><a href="https://github.com/babel/babel/commit/fdc0fb59e119ee0b38bced63867a344a5b4bc2f3"><code>fdc0fb5</code></a> [Babel 8] Bump nodejs requirements to <code>^20.19.0 || >= 22.12.0</code> (<a href="https://github.com/babel/babel/tree/HEAD/packages/babel-plugin-transform-modules-systemjs/issues/17204">#17204</a>)</li> <li><a href="https://github.com/babel/babel/commit/cd24cc07ef6558b7f6510f9177f6393c91b0549f"><code>cd24cc0</code></a> chore: Update TS 5.7 (<a href="https://github.com/babel/babel/tree/HEAD/packages/babel-plugin-transform-modules-systemjs/issues/17053">#17053</a>)</li> <li>See full diff in <a href="https://github.com/babel/babel/commits/v7.29.4/packages/babel-plugin-transform-modules-systemjs">compare view</a></li> </ul> </details> <details> <summary>Maintainer changes</summary> <p>This version was pushed to npm by <a href="https://www.npmjs.com/~GitHub%20Actions">GitHub Actions</a>, a new releaser for <code>@babel/plugin-transform-modules-systemjs</code> since your current version.</p> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/software-mansion/react-native-screens/network/alerts). </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Bumps [postcss](https://github.com/postcss/postcss) from 8.5.3 to 8.5.14. <details> <summary>Release notes</summary> <p><em>Sourced from <a href="https://github.com/postcss/postcss/releases">postcss's releases</a>.</em></p> <blockquote> <h2>8.5.14</h2> <ul> <li>Fixed custom syntax regression (by <a href="https://github.com/43081j"><code>@43081j</code></a>).</li> </ul> <h2>8.5.13</h2> <ul> <li>Fixed <code>postcss-scss</code> commend regression.</li> </ul> <h2>8.5.12</h2> <ul> <li>Fixed reading any file via user-generated CSS.</li> <li>Added <code>opts.unsafeMap</code> to disable checks.</li> </ul> <h2>8.5.11</h2> <ul> <li>Fixed nested brackets parsing performance (by <a href="https://github.com/offset"><code>@offset</code></a>).</li> </ul> <h2>8.5.10</h2> <ul> <li>Fixed XSS via unescaped <code></style></code> in non-bundler cases (by <a href="https://github.com/TharVid"><code>@TharVid</code></a>).</li> </ul> <h2>8.5.9</h2> <ul> <li>Speed up source map encoding paring in case of the error.</li> </ul> <h2>8.5.8</h2> <ul> <li>Fixed <code>Processor#version</code>.</li> </ul> <h2>8.5.7</h2> <ul> <li>Improved source map annotation cleaning performance (by CodeAnt AI).</li> </ul> <h2>8.5.6</h2> <ul> <li>Fixed <code>ContainerWithChildren</code> type discriminating (by <a href="https://github.com/Goodwine"><code>@Goodwine</code></a>).</li> </ul> <h2>8.5.5</h2> <ul> <li>Fixed <code>package.json</code>→<code>exports</code> compatibility with some tools (by <a href="https://github.com/JounQin"><code>@JounQin</code></a>).</li> </ul> <h2>8.5.4</h2> <ul> <li>Fixed Parcel compatibility issue (by <a href="https://github.com/git-sumitchaudhary"><code>@git-sumitchaudhary</code></a>).</li> </ul> </blockquote> </details> <details> <summary>Changelog</summary> <p><em>Sourced from <a href="https://github.com/postcss/postcss/blob/main/CHANGELOG.md">postcss's changelog</a>.</em></p> <blockquote> <h2>8.5.14</h2> <ul> <li>Fixed custom syntax regression (by <a href="https://github.com/43081j"><code>@43081j</code></a>).</li> </ul> <h2>8.5.13</h2> <ul> <li>Fixed <code>postcss-scss</code> commend regression.</li> </ul> <h2>8.5.12</h2> <ul> <li>Fixed reading any file via user-generated CSS.</li> <li>Added <code>opts.unsafeMap</code> to disable checks.</li> </ul> <h2>8.5.11</h2> <ul> <li>Fixed nested brackets parsing performance (by <a href="https://github.com/offset"><code>@offset</code></a>).</li> </ul> <h2>8.5.10</h2> <ul> <li>Fixed XSS via unescaped <code></style></code> in non-bundler cases (by <a href="https://github.com/TharVid"><code>@TharVid</code></a>).</li> </ul> <h2>8.5.9</h2> <ul> <li>Speed up source map encoding paring in case of the error.</li> </ul> <h2>8.5.8</h2> <ul> <li>Fixed <code>Processor#version</code>.</li> </ul> <h2>8.5.7</h2> <ul> <li>Improved source map annotation cleaning performance (by CodeAnt AI).</li> </ul> <h2>8.5.6</h2> <ul> <li>Fixed <code>ContainerWithChildren</code> type discriminating (by <a href="https://github.com/Goodwine"><code>@Goodwine</code></a>).</li> </ul> <h2>8.5.5</h2> <ul> <li>Fixed <code>package.json</code>→<code>exports</code> compatibility with some tools (by <a href="https://github.com/JounQin"><code>@JounQin</code></a>).</li> </ul> <h2>8.5.4</h2> <ul> <li>Fixed Parcel compatibility issue (by <a href="https://github.com/git-sumitchaudhary"><code>@git-sumitchaudhary</code></a>).</li> </ul> </blockquote> </details> <details> <summary>Commits</summary> <ul> <li><a href="https://github.com/postcss/postcss/commit/3ec13948ae0006e1bde2dfb545346341ac8b2dcf"><code>3ec1394</code></a> Release 8.5.14 version</li> <li><a href="https://github.com/postcss/postcss/commit/f2bb827b20b591080977412555aa3e5baf588620"><code>f2bb827</code></a> Update dependencies</li> <li><a href="https://github.com/postcss/postcss/commit/d75953d60854ad835fd21dde0b11081522341020"><code>d75953d</code></a> Merge pull request <a href="https://redirect.github.com/postcss/postcss/issues/2084">#2084</a> from 43081j/raw-raws-rawing</li> <li><a href="https://github.com/postcss/postcss/commit/68bd2139b5dcaf5a682bc2e8826d8557be2d1480"><code>68bd213</code></a> fix: always call <code>raw</code> to retrieve raw values</li> <li><a href="https://github.com/postcss/postcss/commit/af58cf1b7af02e9b9fcb138a4a2d7ef3450158b1"><code>af58cf1</code></a> Release 8.5.13 version</li> <li><a href="https://github.com/postcss/postcss/commit/f227dbd0e9443e5f33e18e633b8b4d2b55aac5ee"><code>f227dbd</code></a> Temporary ignore pnpm 11 config</li> <li><a href="https://github.com/postcss/postcss/commit/d3abd40d723cf3559e5ddb5fc738b7cb64e92bb0"><code>d3abd40</code></a> Update dependencies</li> <li><a href="https://github.com/postcss/postcss/commit/dd06c3e11362087bc18f9c20cee30fd82bda3de9"><code>dd06c3e</code></a> Revert stringifier changes because of the conflict with postcss-scss</li> <li><a href="https://github.com/postcss/postcss/commit/ae889c815fb88d785401a88f1a7dfc8cb11915fb"><code>ae889c8</code></a> Try to fix CI</li> <li><a href="https://github.com/postcss/postcss/commit/e0093e49bcf00347383a13e40bb1f67bc823ca15"><code>e0093e4</code></a> Move to pnpm 11</li> <li>Additional commits viewable in <a href="https://github.com/postcss/postcss/compare/8.5.3...8.5.14">compare view</a></li> </ul> </details> <br /> [](https://docs.github.com/en/github/managing-security-vulnerabilities/about-dependabot-security-updates#about-compatibility-scores) Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`. [//]: # (dependabot-automerge-start) [//]: # (dependabot-automerge-end) --- <details> <summary>Dependabot commands and options</summary> <br /> You can trigger Dependabot actions by commenting on this PR: - `@dependabot rebase` will rebase this PR - `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it - `@dependabot show <dependency name> ignore conditions` will show all of the ignore conditions of the specified dependency - `@dependabot ignore this major version` will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this minor version` will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself) - `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself) You can disable automated security fix PRs for this repo from the [Security Alerts page](https://github.com/software-mansion/react-native-screens/network/alerts). </details> Signed-off-by: dependabot[bot] <support@github.com> Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Aggregate of dependabot dependency updates. All changes are lock-file only.
Merged PRs