Skip to content

[Security] Bump @babel/traverse from 7.18.10 to 7.23.7 in /assets

Dependabot Zahir's Email requested to merge dependabot-npm_and_yarn-assets-babel-traverse-7.23.7 into master

Bumps @babel/traverse from 7.18.10 to 7.23.7. This update includes a security fix.

Vulnerabilities fixed

Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code

Impact

Using Babel to compile code that was specifically crafted by an attacker can lead to arbitrary code execution during compilation, when using plugins that rely on the path.evaluate()or path.evaluateTruthy() internal Babel methods.

Known affected plugins are:

  • @babel/plugin-transform-runtime
  • @babel/preset-env when using its useBuiltIns option
  • Any "polyfill provider" plugin that depends on @babel/helper-define-polyfill-provider, such as babel-plugin-polyfill-corejs3, babel-plugin-polyfill-corejs2, babel-plugin-polyfill-es-shims, babel-plugin-polyfill-regenerator

No other plugins under the @babel/ namespace are impacted, but third-party plugins might be.

Users that only compile trusted code are not impacted.

Patches

The vulnerability has been fixed in @babel/traverse@7.23.2.

Babel 6 does not receive security fixes anymore (see Babel's security policy), hence there is no patch planned for babel-traverse@6.

Workarounds

... (truncated)

Patched versions: 7.23.2 Affected versions: < 7.23.2

Release notes

Sourced from @​babel/traverse's releases.

v7.23.7 (2023-12-29)

🐛 Bug Fix

🏠 Internal

  • babel-helper-create-class-features-plugin
  • babel-helper-create-class-features-plugin, babel-plugin-proposal-decorators

Committers: 4

v7.23.6 (2023-12-11)

Thanks @​martinez-hugo and @​odinho for your first pull requests!

👓 Spec Compliance

  • babel-generator, babel-parser, babel-types
  • babel-helpers, babel-plugin-proposal-decorators, babel-plugin-transform-class-properties, babel-plugin-transform-class-static-block, babel-plugin-transform-runtime, babel-preset-env, babel-runtime-corejs2, babel-runtime-corejs3, babel-runtime, babel-types

🐛 Bug Fix

  • babel-generator
  • babel-helpers, babel-plugin-proposal-explicit-resource-management
  • babel-plugin-proposal-decorators, babel-plugin-transform-class-properties
    • #16161 Ensure the [[@@toPrimitive]] call of a decorated class member key is invoked once (@​JLHwung)
    • #16148 Support named evaluation for decorated anonymous class exp (@​JLHwung)
  • babel-plugin-transform-for-of, babel-preset-env
  • babel-helpers, babel-plugin-proposal-decorators, babel-runtime-corejs2, babel-runtime-corejs3, babel-runtime
  • babel-plugin-transform-typescript

🔬 Output optimization

... (truncated)

Changelog

Sourced from @​babel/traverse's changelog.

v7.23.7 (2023-12-29)

🐛 Bug Fix

🏠 Internal

  • babel-helper-create-class-features-plugin
  • babel-helper-create-class-features-plugin, babel-plugin-proposal-decorators

v7.23.6 (2023-12-11)

👓 Spec Compliance

  • babel-generator, babel-parser, babel-types
  • babel-helpers, babel-plugin-proposal-decorators, babel-plugin-transform-class-properties, babel-plugin-transform-class-static-block, babel-plugin-transform-runtime, babel-preset-env, babel-runtime-corejs2, babel-runtime-corejs3, babel-runtime, babel-types

🐛 Bug Fix

  • babel-generator
  • babel-helpers, babel-plugin-proposal-explicit-resource-management
  • babel-plugin-proposal-decorators, babel-plugin-transform-class-properties
    • #16161 Ensure the [[@@toPrimitive]] call of a decorated class member key is invoked once (@​JLHwung)
    • #16148 Support named evaluation for decorated anonymous class exp (@​JLHwung)
  • babel-plugin-transform-for-of, babel-preset-env
  • babel-helpers, babel-plugin-proposal-decorators, babel-runtime-corejs2, babel-runtime-corejs3, babel-runtime
  • babel-plugin-transform-typescript

🔬 Output optimization

  • babel-helper-create-class-features-plugin, babel-plugin-transform-class-properties
  • babel-helpers, babel-plugin-proposal-decorators

v7.23.5 (2023-11-29)

👓 Spec Compliance

... (truncated)

Commits

Merge request reports