[Security] Bump @babel/traverse from 7.18.10 to 7.23.9 in /assets

Bumps @babel/traverse from 7.18.10 to 7.23.9. This update includes a security fix.

Vulnerabilities fixed

Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code

Impact

Using Babel to compile code that was specifically crafted by an attacker can lead to arbitrary code execution during compilation, when using plugins that rely on the path.evaluate()or path.evaluateTruthy() internal Babel methods.

Known affected plugins are:

• @babel/plugin-transform-runtime
• @babel/preset-env when using its useBuiltIns option
• Any "polyfill provider" plugin that depends on @babel/helper-define-polyfill-provider, such as babel-plugin-polyfill-corejs3, babel-plugin-polyfill-corejs2, babel-plugin-polyfill-es-shims, babel-plugin-polyfill-regenerator

No other plugins under the @babel/ namespace are impacted, but third-party plugins might be.

Users that only compile trusted code are not impacted.

Patches

The vulnerability has been fixed in @babel/traverse@7.23.2.

Babel 6 does not receive security fixes anymore (see Babel's security policy), hence there is no patch planned for babel-traverse@6.

Workarounds

... (truncated)

Patched versions: 7.23.2 Affected versions: < 7.23.2

Release notes

Sourced from @​babel/traverse's releases.

v7.23.9 (2024-01-25)

🐛 Bug Fix

• babel-helper-transform-fixture-test-runner, babel-plugin-transform-function-name, babel-plugin-transform-modules-systemjs, babel-preset-env
  • #16225 fix: systemjs re-traverses helpers (@​liuxingbaoyu)
• babel-helper-create-class-features-plugin, babel-plugin-proposal-decorators
  • #16226 Improve decorated private method check (@​JLHwung)
• babel-plugin-proposal-decorators, babel-plugin-transform-async-generator-functions, babel-plugin-transform-runtime, babel-preset-env
  • #16224 Properly sort core-js@3 imports (@​nicolo-ribaudo)
• babel-traverse
  • #15383 fix: Don't throw in getTypeAnnotation when using TS+inference (@​liuxingbaoyu)
• Other
  • #16210 [eslint] Fix no-use-before-define for class ref in fields (@​nicolo-ribaudo)

🏠 Internal

• babel-core, babel-parser, babel-template
  • #16222 Migrate eslint-parser to cts (@​liuxingbaoyu)
• babel-types
  • #16213 Remove @babel/types props that are not produced by the parser (@​liuxingbaoyu)

:running_woman: Performance

• babel-parser
  • #16072 perf: Improve parser performance for typescript (@​liuxingbaoyu)

🔬 Output optimization

• babel-helper-create-class-features-plugin, babel-plugin-proposal-decorators, babel-plugin-proposal-destructuring-private, babel-plugin-proposal-pipeline-operator, babel-plugin-transform-class-properties, babel-plugin-transform-class-static-block, babel-plugin-transform-new-target, babel-plugin-transform-parameters, babel-plugin-transform-private-methods, babel-preset-env
  • #16218 Improve temporary variables for decorators (@​liuxingbaoyu)
• babel-helpers, babel-plugin-proposal-explicit-resource-management, babel-runtime-corejs2, babel-runtime-corejs3, babel-runtime
  • #15959 Improve output of using (@​liuxingbaoyu)

Committers: 4

• Babel Bot (@​babel-bot)
• Huáng Jùnliàng (@​JLHwung)
• Nicolò Ribaudo (@​nicolo-ribaudo)
• @​liuxingbaoyu

v7.23.8 (2024-01-08)

🐛 Bug Fix

• babel-preset-env
  • #16181 fix: preset-env throws exception for export * as x (@​liuxingbaoyu)
• babel-helpers, babel-plugin-proposal-decorators
  • #16201 fix: decorator binds getter/setter to ctx.access for public fields (@​liuxingbaoyu)
  • #16199 fix: Class decorator correctly passes return value (@​liuxingbaoyu)

↩ Revert

• #16202 Revert "chore: Update artifact tools (#16184)" (@​JLHwung)

🔬 Output optimization

• babel-helpers, babel-plugin-proposal-decorators, babel-plugin-transform-class-properties, babel-plugin-transform-classes, babel-plugin-transform-function-name, babel-plugin-transform-parameters, babel-plugin-transform-react-jsx, babel-plugin-transform-runtime, babel-plugin-transform-spread, babel-plugin-transform-typescript, babel-preset-env, babel-runtime-corejs2, babel-runtime-corejs3, babel-runtime

... (truncated)

Changelog

Sourced from @​babel/traverse's changelog.

v7.23.9 (2024-01-25)

🐛 Bug Fix

• babel-helper-transform-fixture-test-runner, babel-plugin-transform-function-name, babel-plugin-transform-modules-systemjs, babel-preset-env
  • #16225 fix: systemjs re-traverses helpers (@​liuxingbaoyu)
• babel-helper-create-class-features-plugin, babel-plugin-proposal-decorators
  • #16226 Improve decorated private method check (@​JLHwung)
• babel-plugin-proposal-decorators, babel-plugin-transform-async-generator-functions, babel-plugin-transform-runtime, babel-preset-env
  • #16224 Properly sort core-js@3 imports (@​nicolo-ribaudo)
• babel-traverse
  • #15383 fix: Don't throw in getTypeAnnotation when using TS+inference (@​liuxingbaoyu)
• Other
  • #16210 [eslint] Fix no-use-before-define for class ref in fields (@​nicolo-ribaudo)

🏠 Internal

• babel-core, babel-parser, babel-template
  • #16222 Migrate eslint-parser to cts (@​liuxingbaoyu)
• babel-types
  • #16213 Remove @babel/types props that are not produced by the parser (@​liuxingbaoyu)

:running_woman: Performance

• babel-parser
  • #16072 perf: Improve parser performance for typescript (@​liuxingbaoyu)

🔬 Output optimization

• babel-helper-create-class-features-plugin, babel-plugin-proposal-decorators, babel-plugin-proposal-destructuring-private, babel-plugin-proposal-pipeline-operator, babel-plugin-transform-class-properties, babel-plugin-transform-class-static-block, babel-plugin-transform-new-target, babel-plugin-transform-parameters, babel-plugin-transform-private-methods, babel-preset-env
  • #16218 Improve temporary variables for decorators (@​liuxingbaoyu)
• babel-helpers, babel-plugin-proposal-explicit-resource-management, babel-runtime-corejs2, babel-runtime-corejs3, babel-runtime
  • #15959 Improve output of using (@​liuxingbaoyu)

v7.23.8 (2024-01-08)

🐛 Bug Fix

• babel-preset-env
  • #16181 fix: preset-env throws exception for export * as x (@​liuxingbaoyu)
• babel-helpers, babel-plugin-proposal-decorators
  • #16201 fix: decorator binds getter/setter to ctx.access for public fields (@​liuxingbaoyu)
  • #16199 fix: Class decorator correctly passes return value (@​liuxingbaoyu)

↩ Revert

• #16202 Revert "chore: Update artifact tools (#16184)" (@​JLHwung)

🔬 Output optimization

• babel-helpers, babel-plugin-proposal-decorators, babel-plugin-transform-class-properties, babel-plugin-transform-classes, babel-plugin-transform-function-name, babel-plugin-transform-parameters, babel-plugin-transform-react-jsx, babel-plugin-transform-runtime, babel-plugin-transform-spread, babel-plugin-transform-typescript, babel-preset-env, babel-runtime-corejs2, babel-runtime-corejs3, babel-runtime
  • #16194 Improve output of super() (@​liuxingbaoyu)

v7.23.7 (2023-12-29)

🐛 Bug Fix

• babel-traverse
  • #16191 fix: Crash when removing without Program (@​liuxingbaoyu)
• babel-helpers, babel-plugin-proposal-decorators

... (truncated)

Commits

• a0dd614 v7.23.9
• 1200542 fix: Don't throw in getTypeAnnotation when using TS+inference (#15383)
• e428a6d v7.23.7
• d292822 fix: Crash when removing without Program (#16191)
• d02c1f7 v7.23.6
• cce807f Bump debug to ^4.3.1 (#16164)
• 8479012 v7.23.5
• da7dc40 Do not remove bindings when removing assignment expression path (#16131)
• fadc081 fix: Unexpected duplication of comments (#16110)
• 13a5c83 v7.23.4
• Additional commits viewable in compare view