Skip to content

fix(deps): patch transitive @babel/core and js-yaml vulnerabilities#1183

Closed
cursor[bot] wants to merge 1 commit into
mainfrom
cursor/dependabot-alerts-investigation-4167
Closed

fix(deps): patch transitive @babel/core and js-yaml vulnerabilities#1183
cursor[bot] wants to merge 1 commit into
mainfrom
cursor/dependabot-alerts-investigation-4167

Conversation

@cursor

@cursor cursor Bot commented Jun 29, 2026

Copy link
Copy Markdown

Summary

Weekly Dependabot sweep. Two security advisories were active against transitive devDependencies; both are now patched via Yarn resolutions.

Advisory Package Found Patched to
GHSA-4x5r-pxfx-6jf8 (CVE-2026-49356) — @babel/core arbitrary file read via sourceMappingURL @babel/core 7.29.0 (via @jest/transform, jest-config, jest-snapshot, istanbul-lib-instrument) 7.29.7
GHSA-h67p-54hq-rp68 (CVE-2026-53550) — js-yaml quadratic-complexity DoS in merge-key handling js-yaml 4.1.1 (via eslint@8.57.1) and 3.14.2 (via @istanbuljs/load-nyc-config) 4.3.0 (4.x line) and 3.15.0 (3.x backport with maxTotalMergeKeys mitigation)

The top-level @babel/core@8.0.0 direct dep is not in the advisory's affected range and is left untouched.

Why resolutions?

Both vulnerable packages are pulled in transitively. Their direct parents (jest@29.7.0, eslint@8.57.1, @istanbuljs/load-nyc-config@1.1.0) have no patch release that ships the fix, so the only practical option without a multi-major dev-tooling overhaul is a resolution. The resolutions are scoped to the exact ranges requested by the parents (@babel/core@npm:^7.x, js-yaml@npm:^3.13.1, js-yaml@npm:^4.1.0) so the direct @babel/core@8.0.0 is unaffected and the 3.x vs 4.x js-yaml API split is preserved.

Exposure is dev/test only — yarn npm audit --environment production is clean both before and after — but applying the fix removes the Dependabot noise.

Verification

  • yarn install — clean, only pre-existing peer-dep warning about @babel/core@8.0.0
  • yarn test — 138/138 pass
  • yarn lint — 0 errors (pre-existing warnings only)
  • yarn build:test — succeeds
  • yarn npm audit --all --recursive — the two CVE entries above are gone (remaining lines are deprecation notices, not security advisories, and are not reported by Dependabot)
Open in Web View Automation 

Adds Yarn resolutions to address the following Dependabot security
advisories for transitive devDependencies. The vulnerable packages are
pulled in by jest/istanbul/eslint and none can be upgraded without a
resolution because either no patched upstream release exists yet or
upgrading the parent would be a major version bump.

- GHSA-4x5r-pxfx-6jf8 (CVE-2026-49356) - @babel/core arbitrary file
  read via sourceMappingURL. Pulled in by @jest/transform,
  jest-config, jest-snapshot, istanbul-lib-instrument at <=7.29.0.
  Bumped to 7.29.7 (fixed in 7.29.6+).
- GHSA-h67p-54hq-rp68 (CVE-2026-53550) - js-yaml quadratic-complexity
  DoS in merge key handling. Pulled in by eslint 8.57.1 at 4.1.1 and
  by @istanbuljs/load-nyc-config at 3.14.2. Bumped to 4.3.0 on the
  4.x line and 3.15.0 on the 3.x line (3.15.0 backports the
  maxTotalMergeKeys mitigation; an API-compatible 3.x fix release).

Resolutions are justified here: the vulnerable packages are
transitive and no upstream patch is available without a major bump
of the direct dependency. All exposure is dev/test only, but
applying the fix removes the noise from Dependabot.

Co-authored-by: Andreja Kogovsek <andrejak@users.noreply.github.com>
@andrejak andrejak closed this Jun 29, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants