Summary
CVE-2026-49356 affects @babel/core versions <= 7.29.0 (arbitrary file read via sourceMappingURL). The package is a transitive dependency currently resolved to 7.14.2.
Proposed Changes
Add "@babel/core": "7.29.6" to the overrides section in package.json so npm resolves the patched version for all transitive consumers.
Evidence
- @babel/core not in direct dependencies; transitive via build/test toolchain
Validation
- Verify @babel/core resolves to 7.29.6 in package-lock.json after npm install
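
One way to automate the validation step above, as an added example that is not part of the original change: a Node.js check that the override is declared and that every installed copy of @babel/core in the lockfile, nested ones included, resolves to the pinned version. The function names, the sample objects and the `example-tool` package are constructed for illustration, and the lockfileVersion 2/3 layout (copies keyed by path under `packages`) is assumed.

```javascript
// Added example: confirm an npm "overrides" pin took effect in the lockfile.
// Assumes lockfileVersion 2 or 3. All names below are hypothetical.

// Return every installed copy of `name`, hoisted or nested.
function findCopies(lock, name) {
  const suffix = "node_modules/" + name;
  return Object.entries(lock.packages || {})
    .filter(([path]) => path === suffix || path.endsWith("/" + suffix))
    .map(([path, meta]) => ({ path, version: meta.version }));
}

// Pass only if the pin is declared, at least one copy exists, and none is stale.
function checkOverride(pkg, lock, name, pinned) {
  const overridePinned = (pkg.overrides || {})[name] === pinned;
  const copies = findCopies(lock, name);
  const stale = copies.filter((c) => c.version !== pinned);
  const ok = overridePinned && copies.length > 0 && stale.length === 0;
  return { overridePinned, copies, stale, ok };
}

// Constructed sample data (not taken from the project's real files).
// With real files: JSON.parse(fs.readFileSync("package-lock.json", "utf8")).
const pkgJson = { name: "example-app", overrides: { "@babel/core": "7.29.6" } };

const lockBefore = { lockfileVersion: 3, packages: {
  "": { name: "example-app" },
  "node_modules/@babel/core": { version: "7.14.2", dev: true },
  "node_modules/@babel/code-frame": { version: "7.14.5", dev: true },
  "node_modules/example-tool/node_modules/@babel/core": { version: "7.14.2", dev: true },
} };

// Lockfile after a clean `npm install` with the override in place.
const lockAfter = { lockfileVersion: 3, packages: {
  "": { name: "example-app" },
  "node_modules/@babel/core": { version: "7.29.6", dev: true },
  "node_modules/@babel/code-frame": { version: "7.14.5", dev: true },
} };

// Failure mode: hoisted copy updated, nested copy left behind.
const lockPartial = { lockfileVersion: 3, packages: {
  "": { name: "example-app" },
  "node_modules/@babel/core": { version: "7.29.6", dev: true },
  "node_modules/example-tool/node_modules/@babel/core": { version: "7.14.2", dev: true },
} };

for (const [label, lock] of Object.entries({ lockBefore, lockAfter, lockPartial })) {
  const r = checkOverride(pkgJson, lock, "@babel/core", "7.29.6");
  console.log(label, r.ok ? "OK" : "FAIL", r.stale.map((c) => c.path + "@" + c.version));
}
```

Checking only the hoisted `node_modules/@babel/core` entry would miss the `lockPartial` case, which is why the check walks every path ending in the package name.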