Skip to content

chore(deps): update dependency @babel/core to v7.29.6 [security] (v2)#8701

Merged
caohuilin merged 2 commits into
v2from
renovate/v2-npm-babel-core-vulnerability
Jun 18, 2026
Merged

chore(deps): update dependency @babel/core to v7.29.6 [security] (v2)#8701
caohuilin merged 2 commits into
v2from
renovate/v2-npm-babel-core-vulnerability

Conversation

@renovate

@renovate renovate Bot commented Jun 18, 2026

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Change Age Confidence
@babel/core (source) 7.28.67.29.6 age confidence

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.


@​babel/core: Arbitrary File Read via sourceMappingURL Comment

CVE-2026-49356 / GHSA-4x5r-pxfx-6jf8

More information

Details

Impact

Using @babel/core to compile maliciously crafted code can allow ab attacker to read any source map from the system that is running Babel, if these conditions are all true:

  • the attacker controls the input source code
  • the attacker can read the output source code
  • the attacker knows the path of the source map file that they want to read

Users that only compile trusted code are not impacted.

Patches

The vulnerability has been fixed in @babel/core@7.29.6 and @babel/core@8.0.0-rc.6.

Workarounds

Callers can mitigate the issue without upgrading by setting inputSourceMap: false in their Babel options.

Callers can also manually extract the #sourceMappingURL comment from the input source code, validate whether the source map that it links to is allowed to be read, and if it is pass an object to inputSourceMap (passing false when it's not).

Credits

Thanks Teodor-Cristian Radoi for reporting the vulnerability.

Severity

  • CVSS Score: 3.2 / 10 (Low)
  • Vector String: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Release Notes

babel/babel (@​babel/core)

v7.29.6

Compare Source

v7.29.6 (2026-05-25)

🐛 Bug Fix
Committers: 3

v7.29.0

Compare Source

v7.29.0 (2026-01-31)

Thanks @​simbahax for your first PR!

🚀 New Feature
🐛 Bug Fix
  • babel-parser
  • babel-traverse
    • #​17708 fix(traverse): provide a hub when traversing a File or Program and no parentPath is given (@​simbahax)
  • babel-plugin-transform-block-scoping, babel-traverse
    • #​17737 [7.x backport] fix: Rename switch discriminant references when body creates shadowing variable (@​magic-akari)
🏃‍♀️ Performance
Committers: 6

Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@changeset-bot

changeset-bot Bot commented Jun 18, 2026

Copy link
Copy Markdown

⚠️ No Changeset found

Latest commit: 7af937d

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

@netlify

netlify Bot commented Jun 18, 2026

Copy link
Copy Markdown

Deploy Preview for modernjs-v2 ready!

Name Link
🔨 Latest commit 7af937d
🔍 Latest deploy log https://app.netlify.com/projects/modernjs-v2/deploys/6a3391b2c95c4b000810941a
😎 Deploy Preview https://deploy-preview-8701--modernjs-v2.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.
🤖 Make changes Run an agent on this branch

To edit notification comments on pull requests, go to your Netlify project configuration.

@renovate

renovate Bot commented Jun 18, 2026

Copy link
Copy Markdown
Contributor Author

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.

@caohuilin caohuilin merged commit 247a257 into v2 Jun 18, 2026
11 checks passed
@caohuilin caohuilin deleted the renovate/v2-npm-babel-core-vulnerability branch June 18, 2026 06:42
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant