chore(deps): bump @babel/traverse to 7.23.2 (CVE-2023-45133 / RCE)#80

Open
dianaKhortiuk-frontegg wants to merge 1 commit into master from chore/bump-build-deps-security

Conversation

@dianaKhortiuk-frontegg

Collaborator

What

Pins @babel/traverse to 7.23.2 via yarn resolutions in both the root (SDK build deps) and the example app — the consolidated replacement for the stale individual Dependabot PRs that were just closed (#11, #12, and the related ones).

@babel/traverse < 7.23.2 is affected by GHSA-67hx-6x53-jw92 / CVE-2023-45133 (arbitrary code execution when Babel processes specially-crafted code). It's a build-time transitive dependency — not part of the published SDK's runtime dependencies (only @frontegg/types ships), so it never reaches consumers, but it's worth fixing for build hygiene.

How

  • Added "@babel/traverse": "7.23.2" to resolutions in package.json and example/package.json.
  • Ran yarn install; the lockfile diffs are limited to @babel/traverse and its own transitive deps (@jridgewell/*, jsesc, picocolors).

Intentionally deferred

The other recently-closed Dependabot bumps were not included, by design:

  • ip 1.1.8 → 1.1.9 (SSRF): the tree also resolves ip@^2.0.0, so a blanket resolution would break that consumer; the 1.x line is a minor build-time transitive.
  • react-devtools-core: dev-tool version bump, no notable advisory.
  • rexml (example Gemfile.lock): the example Gemfile.lock has a pre-existing cocoapods-spm inconsistency unrelated to this change — a Ruby/CocoaPods bump belongs in its own PR.
  • fast-xml-parser: already superseded on master (4.2.5).

🤖 Generated with Claude Code

Pin @babel/traverse to 7.23.2 via yarn resolutions in the root (SDK build deps)
and the example app, fixing the arbitrary-code-execution advisory
(GHSA-67hx-6x53-jw92 / CVE-2023-45133) in this build-time transitive dependency.

Consolidates the security intent of the stale Dependabot PRs (#11, #12) that were
closed. @babel/traverse is build-time only — not part of the published SDK's
runtime dependencies (which is just @frontegg/types).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
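The following is an added example and is not part of this PR or of the repository's own code. It is a POSIX shell check a reviewer or a CI step can run over yarn.lock to confirm the property the resolutions pin is meant to establish: that every range of @babel/traverse in the lockfile now resolves to the fixed release (7.23.2 for CVE-2023-45133) or later, with no stale entry left behind. The two lockfile excerpts it writes are constructed for the demonstration; the function names and the minimum-version comparison via `sort -V` (GNU or BSD sort) are assumptions of this example, and the parser understands only the yarn v1 lockfile format that `resolutions` applies to.

```shell
#!/bin/sh
# Added example (not the PR's code): verify that a yarn v1 lockfile resolves a
# package only to versions at or above a fixed release.

lock_versions() {
  # $1 = yarn.lock path, $2 = package name (e.g. @babel/traverse)
  # Prints each distinct version the lockfile resolves that package to.
  # An entry header is an unindented line such as:
  #   "@babel/traverse@^7.20.0", "@babel/traverse@^7.22.5":
  # Scoped packages are quoted, unscoped ones (jsesc@^2.5.1:) are not.
  awk -v pkg="$2" '
    /^[^ \t#]/ { inblock = (index($0, "\"" pkg "@") > 0 || index($0, pkg "@") == 1) }
    inblock && /^  version "/ { gsub(/"/, "", $2); print $2 }
  ' "$1" | sort -uV
}

version_ge() {
  # True when $1 >= $2 as a version number (sort -V, so 7.23.2 > 7.9.0).
  [ "$(printf '%s\n%s\n' "$2" "$1" | sort -V | head -n1)" = "$2" ]
}

check_lock() {
  # $1 = yarn.lock path, $2 = package name, $3 = minimum fixed version.
  # Exit 0 when every resolved version is >= $3; exit 1 and list offenders otherwise.
  # Usage: check_lock yarn.lock '@babel/traverse' 7.23.2
  rc=0
  for v in $(lock_versions "$1" "$2"); do
    if version_ge "$v" "$3"; then
      echo "ok: $2@$v (>= $3)"
    else
      echo "VULNERABLE: $2@$v (< $3)" >&2
      rc=1
    fi
  done
  return $rc
}

write_fixed_lock() {
  # Constructed excerpt (not the PR's actual diff) in the shape a resolutions
  # pin produces: every @babel/traverse range collapses onto 7.23.2.
  cat > "$1" <<'EOF'
# THIS IS AN AUTOGENERATED FILE. DO NOT EDIT THIS FILE DIRECTLY.
# yarn lockfile v1


"@babel/traverse@7.23.2", "@babel/traverse@^7.20.0", "@babel/traverse@^7.22.5":
  version "7.23.2"
  resolved "https://registry.yarnpkg.com/@babel/traverse/-/traverse-7.23.2.tgz"
  dependencies:
    "@babel/code-frame" "^7.22.13"

jsesc@^2.5.1:
  version "2.5.2"
EOF
}

write_stale_lock() {
  # Constructed excerpt where one range still resolves to a vulnerable release.
  # The @babel/types entry is there to show that the matcher does not confuse
  # a sibling package with @babel/traverse.
  cat > "$1" <<'EOF'
# yarn lockfile v1

"@babel/traverse@^7.20.0":
  version "7.22.5"
  resolved "https://registry.yarnpkg.com/@babel/traverse/-/traverse-7.22.5.tgz"

"@babel/traverse@^7.23.0":
  version "7.23.2"
  resolved "https://registry.yarnpkg.com/@babel/traverse/-/traverse-7.23.2.tgz"

"@babel/types@^7.22.5":
  version "7.22.5"
EOF
}
```

Run `check_lock yarn.lock '@babel/traverse' 7.23.2` in both the root and the example/ directory; a non-zero exit means a range still resolves below the fix. Because the check enforces a minimum rather than an exact version, it also suits the deferred ip case from the description: a tree that legitimately resolves both ip@1.1.9 and ip@2.x passes with a minimum of 1.1.9, which a blanket exact resolution could not express.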