Skip to content

chore(deps): update dependency @babel/core to v7.29.6 [security]#368

Open
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/npm-babel-core-vulnerability
Open

chore(deps): update dependency @babel/core to v7.29.6 [security]#368
renovate[bot] wants to merge 1 commit into
mainfrom
renovate/npm-babel-core-vulnerability

Conversation

@renovate

@renovate renovate Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

This PR contains the following updates:

Package Change Age Confidence
@babel/core (source) 7.29.07.29.6 age confidence

@​babel/core: Arbitrary File Read via sourceMappingURL Comment

CVE-2026-49356 / GHSA-4x5r-pxfx-6jf8

More information

Details

Impact

Using @babel/core to compile maliciously crafted code can allow ab attacker to read any source map from the system that is running Babel, if these conditions are all true:

  • the attacker controls the input source code
  • the attacker can read the output source code
  • the attacker knows the path of the source map file that they want to read

Users that only compile trusted code are not impacted.

Patches

The vulnerability has been fixed in @babel/core@7.29.6 and @babel/core@8.0.0-rc.6.

Workarounds

Callers can mitigate the issue without upgrading by setting inputSourceMap: false in their Babel options.

Callers can also manually extract the #sourceMappingURL comment from the input source code, validate whether the source map that it links to is allowed to be read, and if it is pass an object to inputSourceMap (passing false when it's not).

Credits

Thanks Teodor-Cristian Radoi for reporting the vulnerability.

Severity

  • CVSS Score: 3.2 / 10 (Low)
  • Vector String: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Release Notes

babel/babel (@​babel/core)

v7.29.6

Compare Source

v7.29.6 (2026-05-25)

🐛 Bug Fix
Committers: 3

v7.29.0

Compare Source

v7.29.0 (2026-01-31)

Thanks @​simbahax for your first PR!

🚀 New Feature
🐛 Bug Fix
  • babel-parser
  • babel-traverse
    • #​17708 fix(traverse): provide a hub when traversing a File or Program and no parentPath is given (@​simbahax)
  • babel-plugin-transform-block-scoping, babel-traverse
    • #​17737 [7.x backport] fix: Rename switch discriminant references when body creates shadowing variable (@​magic-akari)
🏃‍♀️ Performance
Committers: 6

v7.28.6

Compare Source

v7.28.5

Compare Source

👓 Spec Compliance
🐛 Bug Fix
  • babel-plugin-proposal-destructuring-private
  • babel-parser
  • babel-plugin-proposal-discard-binding, babel-plugin-transform-destructuring
  • babel-helper-create-class-features-plugin, babel-helper-member-expression-to-functions, babel-plugin-transform-block-scoping, babel-plugin-transform-optional-chaining, babel-traverse, babel-types
  • babel-traverse
🏠 Internal
🏃‍♀️ Performance

Configuration

📅 Schedule: (in timezone Europe/Berlin)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate

renovate Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor Author

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

  • any of the package files in this branch needs updating, or
  • the branch becomes conflicted, or
  • you click the rebase/retry checkbox if found above, or
  • you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: implementations/react-native-sdk/package-lock.json
npm warn Unknown env config "store". This will stop working in the next major version of npm. See `npm help npmrc` for supported config options.
npm error code ERESOLVE
npm error ERESOLVE could not resolve
npm error
npm error While resolving: @implementation/react-native-sdk@0.0.0
npm error Found: react@18.3.1
npm error node_modules/react
npm error   react@"19.2.3" from the root project
npm error   peer react@"*" from @react-native/virtualized-lists@0.76.9
npm error   node_modules/@react-native/virtualized-lists
npm error     @react-native/virtualized-lists@"0.76.9" from react-native@0.76.9
npm error     node_modules/react-native
npm error       react-native@"0.84.0" from the root project
npm error       2 more (@react-native/virtualized-lists, @react-native-async-storage/async-storage)
npm error   3 more (react-native, react-shallow-renderer, react-test-renderer)
npm error
npm error Could not resolve dependency:
npm error @react-native-clipboard/clipboard@"1.16.3" from the root project
npm error
npm error Conflicting peer dependency: react@19.2.3
npm error node_modules/react
npm error   peer react@"^19.2.3" from react-native@0.84.0
npm error   node_modules/react-native
npm error     react-native@"0.84.0" from the root project
npm error     peer react-native@">= 0.61.5" from @react-native-clipboard/clipboard@1.16.3
npm error     node_modules/@react-native-clipboard/clipboard
npm error       @react-native-clipboard/clipboard@"1.16.3" from the root project
npm error
npm error Fix the upstream dependency conflict, or retry this command with --force or --legacy-peer-deps to accept an incorrect (and potentially broken) dependency resolution.
npm error
npm error
npm error For a full report see:
npm error /runner/cache/others/npm/_logs/2026-07-09T11_39_11_515Z-eresolve-report.txt
npm error A complete log of this run can be found in: /runner/cache/others/npm/_logs/2026-07-09T11_39_11_515Z-debug-0.log

@renovate renovate Bot added the security label Jul 9, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants