
dependabot npm(deps-dev): [security] bump @babel/traverse from 7.22.5 to 7.23.3

Bumps @babel/traverse from 7.22.5 to 7.23.3. This update includes a security fix.

Vulnerabilities fixed

Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code

Impact

Using Babel to compile code that was specifically crafted by an attacker can lead to arbitrary code execution during compilation, when using plugins that rely on the path.evaluate() or path.evaluateTruthy() internal Babel methods.

Known affected plugins are:

  • @babel/plugin-transform-runtime
  • @babel/preset-env when using its useBuiltIns option
  • Any "polyfill provider" plugin that depends on @babel/helper-define-polyfill-provider, such as babel-plugin-polyfill-corejs3, babel-plugin-polyfill-corejs2, babel-plugin-polyfill-es-shims, babel-plugin-polyfill-regenerator

No other plugins under the @babel/ namespace are impacted, but third-party plugins might be.

Users that only compile trusted code are not impacted.

Patches

The vulnerability has been fixed in @babel/traverse@7.23.2.

Babel 6 does not receive security fixes anymore (see Babel's security policy), hence there is no patch planned for babel-traverse@6.

Workarounds

... (truncated)

Patched versions: 7.23.2
Affected versions: < 7.23.2
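Because the fix lands in a transitive dependency, a project can carry several installed copies of @babel/traverse and only one of them may have been bumped. The following added example (not code from this PR or from Babel) audits a package-lock.json for every copy, nested ones included, against the 7.23.2 threshold from the advisory; the lockfile contents and the package name some-tool are constructed for the demonstration.

```javascript
// Added example (not Babel's or this PR's code): audit a package-lock.json for
// every installed copy of @babel/traverse, nested copies included, and flag any
// below the patched release named in the advisory.
const PATCHED = "7.23.2"; // advisory: affected versions are < 7.23.2
// Numeric x.y.z comparison; pre-release suffixes are ignored (an assumption).
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}
// Collect { path, version } for each @babel/traverse entry: the flat, path-keyed
// "packages" map of lockfile v2/v3, or the nested "dependencies" tree of v1.
function findTraverseCopies(lock) {
  const found = [];
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path.endsWith("node_modules/@babel/traverse") && meta.version) {
        found.push({ path, version: meta.version });
      }
    }
  } else if (lock.dependencies) {
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps)) {
        const path = `${prefix}node_modules/${name}`;
        if (name === "@babel/traverse" && meta.version) found.push({ path, version: meta.version });
        if (meta.dependencies) walk(meta.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, "");
  }
  return found;
}
// Parse a lockfile string and return only the copies still below PATCHED.
function vulnerableCopies(lockJson) {
  return findTraverseCopies(JSON.parse(lockJson)).filter((c) => compareVersions(c.version, PATCHED) < 0);
}
// Constructed sample lockfile: a patched top-level copy plus a stale transitive
// copy nested under another package, which a top-level-only check would miss.
const SAMPLE_LOCK = JSON.stringify({
  lockfileVersion: 3,
  packages: {
    "node_modules/@babel/traverse": { version: "7.23.3" },
    "node_modules/some-tool/node_modules/@babel/traverse": { version: "7.22.5" },
    "node_modules/@babel/core": { version: "7.23.3" },
  },
});
```

Against a real project, pass the contents of its package-lock.json to vulnerableCopies; for the sample above it reports only the nested 7.22.5 copy.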

Release notes

Sourced from @babel/traverse's releases.

v7.23.3 (2023-11-09)

🐛 Bug Fix

  • babel-plugin-transform-typescript
  • babel-generator
  • babel-compat-data, babel-plugin-bugfix-v8-static-class-fields-redefine-readonly, babel-preset-env
  • babel-plugin-transform-object-super
  • babel-helper-module-transforms, babel-plugin-transform-modules-amd, babel-plugin-transform-modules-commonjs, babel-plugin-transform-modules-umd

📝 Documentation

🏠 Internal

🏃‍♀️ Performance

🔬 Output optimization

  • babel-plugin-transform-computed-properties

Committers: 9

v7.23.2 (2023-10-11)

NOTE: This release also re-publishes @babel/core, even if it does not appear in the linked release commit.

Thanks @jimmydief for your first PR!

🐛 Bug Fix

  • babel-traverse

... (truncated)

Changelog

Sourced from @babel/traverse's changelog.

v7.23.3 (2023-11-09)

🐛 Bug Fix

  • babel-plugin-transform-typescript
  • babel-generator
  • babel-compat-data, babel-plugin-bugfix-v8-static-class-fields-redefine-readonly, babel-preset-env
  • babel-plugin-transform-object-super
  • babel-helper-module-transforms, babel-plugin-transform-modules-amd, babel-plugin-transform-modules-commonjs, babel-plugin-transform-modules-umd

📝 Documentation

🏠 Internal

🏃‍♀️ Performance

🔬 Output optimization

  • babel-plugin-transform-computed-properties

v7.23.2 (2023-10-11)

🐛 Bug Fix

  • babel-traverse
  • babel-preset-typescript
  • babel-helpers
    • #16017 Fix: fallback to typeof when toString is applied to incompatible object (@JLHwung)
  • babel-helpers, babel-plugin-transform-modules-commonjs, babel-runtime-corejs2, babel-runtime-corejs3, babel-runtime

v7.23.0 (2023-09-25)

🚀 New Feature

  • babel-plugin-proposal-import-wasm-source, babel-plugin-syntax-import-source, babel-plugin-transform-dynamic-import
  • babel-helper-module-transforms, babel-helpers, babel-plugin-proposal-import-defer, babel-plugin-syntax-import-defer, babel-plugin-transform-modules-commonjs, babel-runtime-corejs2, babel-runtime-corejs3, babel-runtime, babel-standalone
  • babel-generator, babel-parser, babel-types

... (truncated)

Commits
