Skip to content

build(deps): fix Dependabot alerts for transitive @babel/core and js-yaml#1189

Merged
andrejak merged 1 commit into
mainfrom
cursor/dependabot-alerts-investigation-eedd
Jul 6, 2026
Merged

build(deps): fix Dependabot alerts for transitive @babel/core and js-yaml#1189
andrejak merged 1 commit into
mainfrom
cursor/dependabot-alerts-investigation-eedd

Conversation

@cursor

@cursor cursor Bot commented Jul 6, 2026

Copy link
Copy Markdown

Summary

Fixes two Dependabot security alerts affecting transitive dependencies in yarn.lock. Lockfile-only change — no updates to package.json and no new resolutions entries required.

Vulnerabilities addressed

Package Severity Advisory Vulnerable Before After
@babel/core (transitive via @jest/transform@29.7.0) Low GHSA-4x5r-pxfx-6jf8 — Arbitrary File Read via sourceMappingURL Comment <=7.29.0 7.29.0 7.29.7
js-yaml (transitive via eslint@8.57.1) Moderate GHSA-h67p-54hq-rp68 — Quadratic-complexity DoS in merge key handling via repeated aliases >=4.0.0 <=4.1.1 4.1.1 4.3.0

After the bump, yarn npm audit --recursive --all --no-deprecations reports No audit suggestions.

Approach

Both advisories are in transitive dependencies where bumping the direct dependent would require a major upgrade (ESLint 8 → 9 with flat-config migration; Jest 29 → 30). Instead, this uses yarn up @babel/core --recursive and yarn up js-yaml --recursive, which only rewrites the lockfile entries for the vulnerable ranges to their patched versions:

  • @babel/core@npm:^7.11.6, ^7.12.3, ^7.23.97.29.7 (still within the ranges requested by babel-jest et al.)
  • js-yaml@npm:^4.1.04.3.0 (still within the range requested by eslint 8.57.1)
  • js-yaml@npm:^3.13.1 is left untouched at 3.15.0 (unaffected).

No new resolutions are introduced — the existing resolutions block in package.json is unchanged.

Verification

  • yarn install → clean
  • yarn npm audit --recursive --all --no-deprecations → no findings
  • yarn test → 37 suites, 139 tests passing
  • yarn build:test → success (tsc + rollup)
  • yarn lint → 0 errors (58 pre-existing spellcheck warnings, unchanged)
Open in Web View Automation 

Addresses two Dependabot security alerts in transitive dependencies:

- @babel/core (GHSA-4x5r-pxfx-6jf8, low): Arbitrary File Read via
  sourceMappingURL Comment. Vulnerable versions <=7.29.0. The
  transitive @babel/core@^7 pulled in via @jest/transform@29.7.0 was
  resolving to 7.29.0. Bumped to 7.29.7 (first patched 7.x release).

- js-yaml (GHSA-h67p-54hq-rp68, moderate): Quadratic-complexity DoS in
  merge key handling via repeated aliases. Vulnerable versions
  >=4.0.0 <=4.1.1. The transitive js-yaml@^4.1.0 pulled in via
  eslint@8.57.1 was resolving to 4.1.1. Bumped to 4.3.0 (first patched
  4.x release).

Both fixes are lockfile-only (no changes to package.json), performed
via 'yarn up --recursive' so no additional 'resolutions' entries are
required. Tests, type-check, build, and lint all pass.

Co-authored-by: Andreja Kogovsek <andrejak@users.noreply.github.com>
@andrejak andrejak marked this pull request as ready for review July 6, 2026 11:34
@andrejak andrejak requested a review from a team as a code owner July 6, 2026 11:34
@cursor

cursor Bot commented Jul 6, 2026

Copy link
Copy Markdown
Author

Bugbot is not enabled for this team, so this pull request was not reviewed.

Enable Bugbot in the Cursor dashboard to get automatic reviews on future PRs.

@andrejak andrejak merged commit fdd5ef2 into main Jul 6, 2026
5 checks passed
@andrejak andrejak deleted the cursor/dependabot-alerts-investigation-eedd branch July 6, 2026 11:35
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants