fix(deps): patch transitive @babel/core and js-yaml vulnerabilities#1183
Closed
cursor[bot] wants to merge 1 commit into
Closed
fix(deps): patch transitive @babel/core and js-yaml vulnerabilities#1183cursor[bot] wants to merge 1 commit into
cursor[bot] wants to merge 1 commit into
Conversation
Adds Yarn resolutions to address the following Dependabot security advisories for transitive devDependencies. The vulnerable packages are pulled in by jest/istanbul/eslint and none can be upgraded without a resolution because either no patched upstream release exists yet or upgrading the parent would be a major version bump. - GHSA-4x5r-pxfx-6jf8 (CVE-2026-49356) - @babel/core arbitrary file read via sourceMappingURL. Pulled in by @jest/transform, jest-config, jest-snapshot, istanbul-lib-instrument at <=7.29.0. Bumped to 7.29.7 (fixed in 7.29.6+). - GHSA-h67p-54hq-rp68 (CVE-2026-53550) - js-yaml quadratic-complexity DoS in merge key handling. Pulled in by eslint 8.57.1 at 4.1.1 and by @istanbuljs/load-nyc-config at 3.14.2. Bumped to 4.3.0 on the 4.x line and 3.15.0 on the 3.x line (3.15.0 backports the maxTotalMergeKeys mitigation; an API-compatible 3.x fix release). Resolutions are justified here: the vulnerable packages are transitive and no upstream patch is available without a major bump of the direct dependency. All exposure is dev/test only, but applying the fix removes the noise from Dependabot. Co-authored-by: Andreja Kogovsek <andrejak@users.noreply.github.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Weekly Dependabot sweep. Two security advisories were active against transitive devDependencies; both are now patched via Yarn resolutions.
@babel/corearbitrary file read viasourceMappingURL@babel/core7.29.0(via@jest/transform,jest-config,jest-snapshot,istanbul-lib-instrument)7.29.7js-yamlquadratic-complexity DoS in merge-key handlingjs-yaml4.1.1(viaeslint@8.57.1) and3.14.2(via@istanbuljs/load-nyc-config)4.3.0(4.x line) and3.15.0(3.x backport withmaxTotalMergeKeysmitigation)The top-level
@babel/core@8.0.0direct dep is not in the advisory's affected range and is left untouched.Why resolutions?
Both vulnerable packages are pulled in transitively. Their direct parents (
jest@29.7.0,eslint@8.57.1,@istanbuljs/load-nyc-config@1.1.0) have no patch release that ships the fix, so the only practical option without a multi-major dev-tooling overhaul is a resolution. The resolutions are scoped to the exact ranges requested by the parents (@babel/core@npm:^7.x,js-yaml@npm:^3.13.1,js-yaml@npm:^4.1.0) so the direct@babel/core@8.0.0is unaffected and the 3.x vs 4.xjs-yamlAPI split is preserved.Exposure is dev/test only —
yarn npm audit --environment productionis clean both before and after — but applying the fix removes the Dependabot noise.Verification
yarn install— clean, only pre-existing peer-dep warning about@babel/core@8.0.0yarn test— 138/138 passyarn lint— 0 errors (pre-existing warnings only)yarn build:test— succeedsyarn npm audit --all --recursive— the two CVE entries above are gone (remaining lines are deprecation notices, not security advisories, and are not reported by Dependabot)