Skip to content

Bump @babel/core from 7.4.0 to 7.29.6#76

Open
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/npm_and_yarn/babel/core-7.29.6
Open

Bump @babel/core from 7.4.0 to 7.29.6#76
dependabot[bot] wants to merge 1 commit into
masterfrom
dependabot/npm_and_yarn/babel/core-7.29.6

Conversation

@dependabot

@dependabot dependabot Bot commented on behalf of github Jun 25, 2026

Copy link
Copy Markdown

Bumps @babel/core from 7.4.0 to 7.29.6.

Release notes

Sourced from @​babel/core's releases.

v7.29.6 (2026-05-25)

🐛 Bug Fix

Committers: 3

v7.29.5 (2026-05-05)

🏠 Internal

  • babel-preset-env
    • Update @babel/* dependencies

v7.29.4 (2026-05-05)

🐛 Bug Fix

  • babel-plugin-transform-modules-systemjs
    • #17974 [7.x backport]fix(systemjs): improve module string name support (@​JLHwung)

Committers: 1

v7.29.3 (2026-04-30)

👓 Spec Compliance

🐛 Bug Fix

  • babel-helper-create-class-features-plugin, babel-plugin-proposal-decorators
    • #17931 fix(decorators): replace super within all removed static elements (@​JLHwung)
  • babel-register
  • babel-compat-data, babel-plugin-bugfix-safari-rest-destructuring-rhs-array, babel-preset-env

💅 Polish

📝 Documentation

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​babel/core since your current version.


Dependabot compatibility score

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    You can disable automated security fix PRs for this repo from the Security Alerts page.

Bumps [@babel/core](https://github.com/babel/babel/tree/HEAD/packages/babel-core) from 7.4.0 to 7.29.6.
- [Release notes](https://github.com/babel/babel/releases)
- [Changelog](https://github.com/babel/babel/blob/main/CHANGELOG.md)
- [Commits](https://github.com/babel/babel/commits/v7.29.6/packages/babel-core)

---
updated-dependencies:
- dependency-name: "@babel/core"
  dependency-version: 7.29.6
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code labels Jun 25, 2026
Comment thread package-lock.json
"version": "1.1.1",
"resolved": "https://registry.npmjs.org/ee-first/-/ee-first-1.1.1.tgz",
"integrity": "sha1-WQxhFWsK4vTwJVcyoViyZrxWsh0="
},
"ejs": {
"node_modules/ejs": {

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Medium severity vulnerability may affect your project—review required:
Line 3777 lists a dependency (ejs) with a known Medium severity vulnerability.

ℹ️ Why this matters

Affected versions of ejs are vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution') / Protection Mechanism Failure. ejs before 3.1.10 lacks prototype-pollution protection when handling template options, so a polluted Object.prototype can inject options such as client and escapeFunction into the template compiler and reach arbitrary-code paths. Any code that compiles or renders a template through render, renderFile, compile, or the Template constructor exercises the vulnerable options handling.

References: GHSA, CVE

To resolve this comment:
Check if you are using ejs on the CLI.

  • If you're affected, upgrade this dependency to at least version 3.1.10 at package-lock.json.
  • If you're not affected, comment /fp we don't use this [condition]
💬 Ignore this finding

To ignore this, reply with:

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

You can view more details on this finding in the Semgrep AppSec Platform here.

Comment thread package-lock.json
"version": "3.0.2",
"resolved": "https://registry.npmjs.org/js-tokens/-/js-tokens-3.0.2.tgz",
"integrity": "sha1-mGbfOVECEw449/mWvOtlRDIJwls="
},
"js-yaml": {
"node_modules/js-yaml": {

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Medium severity vulnerability may affect your project—review required:
Line 6524 lists a dependency (js-yaml) with a known Medium severity vulnerability.

ℹ️ Why this matters

Affected versions of js-yaml are vulnerable to Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution'). js-yaml is vulnerable to prototype pollution through its YAML merge key (<<) handling. When parsing untrusted YAML with load, loadAll, safeLoad, or safeLoadAll, a crafted document containing a __proto__ key inside a merged mapping can modify the prototype of the resulting object, leading to integrity violations in the application.

References: GHSA, CVE

To resolve this comment:
Check if you are using js-yaml on the CLI.

  • If you're affected, upgrade this dependency to at least version 3.14.2 at package-lock.json.
  • If you're not affected, comment /fp we don't use this [condition]
💬 Ignore this finding

To ignore this, reply with:

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

You can view more details on this finding in the Semgrep AppSec Platform here.

Comment thread package-lock.json
"node": ">=4.0.0"
}
},
"node_modules/webpack-dev-server": {

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Medium severity vulnerability may affect your project—review required:
Line 11376 lists a dependency (webpack-dev-server) with a known Medium severity vulnerability.

ℹ️ Why this matters

Affected versions of webpack-dev-server are vulnerable to Exposed Dangerous Method or Function. webpack-dev-server serves bundled assets without rejecting cross-origin classic script requests. Because such <script src> requests bypass the same-origin policy, a malicious website visited by a developer running the dev server can load the application bundle cross-origin and, via prototype pollution of the webpack runtime, extract the application source code.

References: GHSA, CVE

To resolve this comment:
Check if you are using webpack dev server CLI setup.

  • If you're affected, upgrade this dependency to at least version 5.2.1 at package-lock.json.
  • If you're not affected, comment /fp we don't use this [condition]
💬 Ignore this finding

To ignore this, reply with:

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

You can view more details on this finding in the Semgrep AppSec Platform here.

Comment thread package-lock.json
"node": ">=4.0.0"
}
},
"node_modules/webpack-dev-server": {

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Medium severity vulnerability may affect your project—review required:
Line 11376 lists a dependency (webpack-dev-server) with a known Medium severity vulnerability.

ℹ️ Why this matters

Affected versions of webpack-dev-server are vulnerable to Origin Validation Error. webpack-dev-server improperly validates the WebSocket connection Origin header, unconditionally accepting any IP-address-based Origin. A malicious website can perform a cross-site WebSocket hijack against a running dev server and exfiltrate the developer source code carried in Hot Module Reloading (HMR) messages. The insecure origin check is the package default and is reached on every WebSocket connection, so any project running an affected version is vulnerable.

References: GHSA, CVE

To resolve this comment:
Check if you are using webpack dev server CLI setup and access untrusted web site with non-Chromium based browser.

  • If you're affected, upgrade this dependency to at least version 5.2.1 at package-lock.json.
  • If you're not affected, comment /fp we don't use this [condition]
💬 Ignore this finding

To ignore this, reply with:

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

You can view more details on this finding in the Semgrep AppSec Platform here.

Comment thread package-lock.json
}
},
"terser": {
"node_modules/terser": {

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

High severity vulnerability introduced by a package you're using:
Line 10045 lists a dependency (terser) with a known High severity vulnerability. Fixing requires upgrading or replacing the dependency.

ℹ️ Why this matters

terser versions before 4.8.1, >= 5.0.0 before 5.14.2 are vulnerable to Inefficient Regular Expression Complexity.

References: GHSA, CVE

To resolve this comment:
Upgrade this dependency to at least version 4.8.1 at package-lock.json.

💬 Ignore this finding

To ignore this, reply with:

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

You can view more details on this finding in the Semgrep AppSec Platform here.

Comment thread package-lock.json
},
"get-func-name": {
"node_modules/get-func-name": {

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

High severity vulnerability introduced by a package you're using:
Line 5309 lists a dependency (get-func-name) with a known High severity vulnerability. Fixing requires upgrading or replacing the dependency.

ℹ️ Why this matters

Affected version of get-func-name is vulnerable to Uncontrolled Resource Consumption / Inefficient Regular Expression Complexity. The current regex implementation for parsing values in the module is susceptible to excessive backtracking, leading to potential DoS attacks.

References: GHSA, CVE

To resolve this comment:
Upgrade this dependency to at least version 2.0.1 at package-lock.json.

💬 Ignore this finding

To ignore this, reply with:

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

You can view more details on this finding in the Semgrep AppSec Platform here.

Comment thread package-lock.json
"resolved": "https://registry.npmjs.org/regenerator-runtime/-/regenerator-runtime-0.13.2.tgz",
"integrity": "sha512-S/TQAZJO+D3m9xeN1WTI8dLKBBiRgXBlTJvbWjCThHWZj9EvHK70Ff50/tYj2J/fvBY6JtFVwRuazHN2E7M9BA=="
},
"node_modules/@babel/preset-env": {

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Critical severity vulnerability may affect your project—review required:
Line 1143 lists a dependency (@babel/preset-env) with a known Critical severity vulnerability.

ℹ️ Why this matters

Affected versions of @babel/traverse and babel-traverse are vulnerable to Incomplete List of Disallowed Inputs / Incorrect Comparison. Compiling untrusted code with Babel using plugins that invoke the internal path.evaluate() or path.evaluateTruthy() methods (for example @babel/plugin-transform-runtime, @babel/preset-env with useBuiltIns, or any polyfill‐provider plugin) allows a maliciously crafted AST to execute arbitrary code on the build machine during compilation.

References: GHSA, CVE

To resolve this comment:
Check if you use Babel to compile untrusted JavaScript.

💬 Ignore this finding

To ignore this, reply with:

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

You can view more details on this finding in the Semgrep AppSec Platform here.

Comment thread package-lock.json
}
},
"@babel/plugin-transform-runtime": {
"node_modules/@babel/plugin-transform-runtime": {

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Critical severity vulnerability may affect your project—review required:
Line 1017 lists a dependency (@babel/plugin-transform-runtime) with a known Critical severity vulnerability.

ℹ️ Why this matters

Affected versions of @babel/traverse and babel-traverse are vulnerable to Incomplete List of Disallowed Inputs / Incorrect Comparison. Compiling untrusted code with Babel using plugins that invoke the internal path.evaluate() or path.evaluateTruthy() methods (for example @babel/plugin-transform-runtime, @babel/preset-env with useBuiltIns, or any polyfill‐provider plugin) allows a maliciously crafted AST to execute arbitrary code on the build machine during compilation.

References: GHSA, CVE

To resolve this comment:
Check if you use Babel to compile untrusted JavaScript.

💬 Ignore this finding

To ignore this, reply with:

  • /fp <comment> for false positive
  • /ar <comment> for acceptable risk
  • /other <comment> for all other reasons

You can view more details on this finding in the Semgrep AppSec Platform here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

dependencies Pull requests that update a dependency file javascript Pull requests that update javascript code

Projects

None yet

Development

Successfully merging this pull request may close these issues.

0 participants