[Security] Bump @babel/traverse from 7.18.10 to 7.23.7 in /assets
Bumps @babel/traverse from 7.18.10 to 7.23.7. This update includes a security fix.
Vulnerabilities fixed
Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code
Impact
Using Babel to compile code that was specifically crafted by an attacker can lead to arbitrary code execution during compilation, when using plugins that rely on the path.evaluate() or path.evaluateTruthy() internal Babel methods.
Known affected plugins are:
- @babel/plugin-transform-runtime
- @babel/preset-env when using its useBuiltIns option
- Any "polyfill provider" plugin that depends on @babel/helper-define-polyfill-provider, such as babel-plugin-polyfill-corejs3, babel-plugin-polyfill-corejs2, babel-plugin-polyfill-es-shims, babel-plugin-polyfill-regenerator
No other plugins under the @babel/ namespace are impacted, but third-party plugins might be.
Users that only compile trusted code are not impacted.
Patches
The vulnerability has been fixed in @babel/traverse@7.23.2.
Babel 6 does not receive security fixes anymore (see Babel's security policy), hence there is no patch planned for babel-traverse@6.
Workarounds
... (truncated)
Patched versions: 7.23.2 Affected versions: < 7.23.2
Release notes
Sourced from @babel/traverse's releases.
v7.23.7 (2023-12-29)
🐛 Bug Fix
babel-traverse
- #16191 fix: Crash when removing without Program (@liuxingbaoyu)
babel-helpers, babel-plugin-proposal-decorators
- #16180 fix: Class decorator ctx.kind is wrong (@liuxingbaoyu)
babel-plugin-proposal-decorators
babel-core
- #16167 Avoid unpreventable unhandledRejection events (@nicolo-ribaudo)
🏠 Internal
babel-helper-create-class-features-plugin
- #16186 chore: Update deps (@liuxingbaoyu)
babel-helper-create-class-features-plugin, babel-plugin-proposal-decorators
Committers: 4
- Babel Bot (@babel-bot)
- Huáng Jùnliàng (@JLHwung)
- Nicolò Ribaudo (@nicolo-ribaudo)
- @liuxingbaoyu
v7.23.6 (2023-12-11)
Thanks @martinez-hugo and @odinho for your first pull requests!
👓 Spec Compliance
babel-generator, babel-parser, babel-types
babel-helpers, babel-plugin-proposal-decorators, babel-plugin-transform-class-properties, babel-plugin-transform-class-static-block, babel-plugin-transform-runtime, babel-preset-env, babel-runtime-corejs2, babel-runtime-corejs3, babel-runtime, babel-types
🐛 Bug Fix
babel-generator
- #16166 fix: Correctly indenting when retainLines is enabled (@liuxingbaoyu)
babel-helpers, babel-plugin-proposal-explicit-resource-management
babel-plugin-proposal-decorators, babel-plugin-transform-class-properties
babel-plugin-transform-for-of, babel-preset-env
- #16011 fix: for of with iterableIsArray and shadowing variable (@liuxingbaoyu)
babel-helpers, babel-plugin-proposal-decorators, babel-runtime-corejs2, babel-runtime-corejs3, babel-runtime
babel-plugin-transform-typescript
- #16137 Fix references to enum values with merging (@nicolo-ribaudo)
🔬 Output optimization
... (truncated)
Changelog
Sourced from @babel/traverse's changelog.
v7.23.7 (2023-12-29)
🐛 Bug Fix
babel-traverse
- #16191 fix: Crash when removing without Program (@liuxingbaoyu)
babel-helpers, babel-plugin-proposal-decorators
- #16180 fix: Class decorator ctx.kind is wrong (@liuxingbaoyu)
babel-plugin-proposal-decorators
babel-core
- #16167 Avoid unpreventable unhandledRejection events (@nicolo-ribaudo)
🏠 Internal
babel-helper-create-class-features-plugin
- #16186 chore: Update deps (@liuxingbaoyu)
babel-helper-create-class-features-plugin, babel-plugin-proposal-decorators
v7.23.6 (2023-12-11)
👓 Spec Compliance
babel-generator, babel-parser, babel-types
babel-helpers, babel-plugin-proposal-decorators, babel-plugin-transform-class-properties, babel-plugin-transform-class-static-block, babel-plugin-transform-runtime, babel-preset-env, babel-runtime-corejs2, babel-runtime-corejs3, babel-runtime, babel-types
🐛 Bug Fix
babel-generator
- #16166 fix: Correctly indenting when retainLines is enabled (@liuxingbaoyu)
babel-helpers, babel-plugin-proposal-explicit-resource-management
babel-plugin-proposal-decorators, babel-plugin-transform-class-properties
babel-plugin-transform-for-of, babel-preset-env
- #16011 fix: for of with iterableIsArray and shadowing variable (@liuxingbaoyu)
babel-helpers, babel-plugin-proposal-decorators, babel-runtime-corejs2, babel-runtime-corejs3, babel-runtime
babel-plugin-transform-typescript
- #16137 Fix references to enum values with merging (@nicolo-ribaudo)
🔬 Output optimization
babel-helper-create-class-features-plugin, babel-plugin-transform-class-properties
babel-helpers, babel-plugin-proposal-decorators
- #16160 Optimize decorator helper size (@liuxingbaoyu)
v7.23.5 (2023-11-29)
👓 Spec Compliance
babel-plugin-proposal-decorators
- #16138 Class binding is in TDZ during decorators initialization (@nicolo-ribaudo)
... (truncated)
Commits
- e428a6d v7.23.7
- d292822 fix: Crash when removing without Program (#16191)
- d02c1f7 v7.23.6
- cce807f Bump debug to ^4.3.1 (#16164)
- 8479012 v7.23.5
- da7dc40 Do not remove bindings when removing assignment expression path (#16131)
- fadc081 fix: Unexpected duplication of comments (#16110)
- 13a5c83 v7.23.4
- 5e1c5f0 Use prettier 3.1 (#16098)
- 1bce5c9 v7.23.3
- Additional commits viewable in compare view
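Added example (not part of this pull request or of Babel's code): a check over the packages map of an npm lockfile (lockfileVersion 2 or 3) that reports every installed copy of @babel/traverse older than the patched 7.23.2 named in the advisory above, including nested copies that a bump of the top-level entry may not replace, plus any Babel 6 babel-traverse, for which the advisory says no patch is planned. The function names and the sample lockfile are constructed for illustration.

```javascript
const PATCHED = [7, 23, 2]; // patched version stated in the advisory

// "7.18.10" -> { core: [7, 18, 10], pre: false }; null when malformed.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(-.+)?$/.exec(String(v));
  return m ? { core: m.slice(1, 4).map(Number), pre: Boolean(m[4]) } : null;
}

// True when the version sorts before 7.23.2. Components are compared as
// numbers (as strings, "7.9.0" would sort after "7.23.2"), and a prerelease
// of 7.23.2 itself counts as older than the release.
function isAffected(ver) {
  for (let i = 0; i < 3; i++) {
    if (ver.core[i] !== PATCHED[i]) return ver.core[i] < PATCHED[i];
  }
  return ver.pre;
}

// Keys of lock.packages look like "node_modules/a/node_modules/@babel/traverse";
// the text after the last "node_modules/" is the package name.
function findVulnerableTraverse(lock) {
  const findings = [];
  for (const [key, meta] of Object.entries(lock.packages || {})) {
    const name = key.split("node_modules/").pop();
    if (name === "babel-traverse") {
      findings.push({ key, version: meta.version, reason: "babel-6-unpatched" });
    } else if (name === "@babel/traverse") {
      const ver = parseVersion(meta.version);
      // Versions that cannot be parsed are reported for manual review.
      if (!ver) findings.push({ key, version: meta.version, reason: "unparseable" });
      else if (isAffected(ver)) findings.push({ key, version: meta.version, reason: "below-7.23.2" });
    }
  }
  return findings;
}

// Constructed sample lockfile (not taken from the repository in this PR).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "assets" },
    "node_modules/@babel/traverse": { version: "7.18.10" },
    "node_modules/@babel/core/node_modules/@babel/traverse": { version: "7.23.7" },
    "node_modules/old-tool/node_modules/@babel/traverse": { version: "7.9.0" },
    "node_modules/babel-traverse": { version: "6.26.0" },
  },
};

console.log(findVulnerableTraverse(sampleLock));
```

To run it against a real project, pass the parsed contents of package-lock.json to findVulnerableTraverse instead of sampleLock.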