Security: Fix 6 vulnerable packages #3029
Conversation
Security fixes:
- @babel/helper-define-polyfill-provider: transitive → 0.6.5
- @babel/plugin-transform-runtime: transitive → 7.28.5
- @babel/preset-env: transitive → 7.28.5
- babel-plugin-polyfill-corejs2: transitive → 0.4.14
- babel-plugin-polyfill-corejs3: transitive → 0.13.0
- babel-plugin-polyfill-regenerator: transitive → 0.6.5

Addresses vulnerabilities:
- CVE-2023-45133

Automated security fix by Security Bot
Changeset detected. Latest commit: f4e593a. The changes in this PR will be included in the next version bump. This PR includes changesets to release 1 package.
PR title doesn't follow Conventional Commits specification.
This pull request is automatically built and testable in CodeSandbox. Latest deployment of this branch, based on commit f4e593a.
packages/blade/package.json
| "@babel/plugin-transform-arrow-functions": "7.27.1", | ||
| "@babel/plugin-transform-react-jsx": "7.27.1", | ||
| "@babel/plugin-transform-runtime": "7.28.3", | ||
| "@babel/plugin-transform-runtime": "^7.28.5", |
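Review bot: the replacement line `"@babel/plugin-transform-runtime": "^7.28.5"` introduces a caret range into a file whose neighbouring entries (`7.27.1`, `7.28.3`) are pinned exactly; a floating range lets a later install resolve to a release nobody reviewed, which undercuts a security bump whose whole point is to land on a known-good version. Suggest `"@babel/plugin-transform-runtime": "7.28.5"`. The PR description lists six updated packages but this file carries one direct change; the other five are described as transitive, so the lockfile diff is where their new versions should be confirmed.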
We should lock @babel/plugin-transform-runtime at 7.28.5 and should lock all other packages as well.
We don't want this package to auto-update, since it can break things, or if some vulnerable package is published it will be auto-installed.
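As an added example that is not part of this PR or the Blade repository, the following Node script (built-ins only) performs the check this comment asks for: it reports every dependency specifier in a package.json that is not an exact version, and rewrites single caret or tilde ranges such as ^7.28.5 to the pinned version, leaving open ranges and tags for a human to decide. The embedded package.json is constructed to mirror the hunk above, and all function names are this example's own.

```javascript
// Added example: audit a package.json for dependency specifiers that are not
// exact versions (carets, tildes, ranges, tags). Uses only Node built-ins.
'use strict';

// Exact SemVer: MAJOR.MINOR.PATCH with optional prerelease/build metadata.
const EXACT_SEMVER = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;

// A single caret- or tilde-prefixed exact version, e.g. "^7.28.5" or "~7.28.5".
const SIMPLE_RANGE = /^[\^~](\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?)$/;

// Local specifiers that never resolve against the registry; left alone here.
const LOCAL_PREFIXES = ['file:', 'link:', 'workspace:'];

const DEP_FIELDS = ['dependencies', 'devDependencies', 'peerDependencies', 'optionalDependencies'];

// Classify one specifier string.
function classifySpec(spec) {
  if (EXACT_SEMVER.test(spec)) return 'exact';
  if (LOCAL_PREFIXES.some((p) => spec.startsWith(p))) return 'local';
  if (SIMPLE_RANGE.test(spec)) return 'floating-prefix';
  return 'floating-other'; // "*", "latest", ">=1.0.0", "1.x", git URLs, ...
}

// One finding per dependency whose specifier could resolve to a version other
// than the one the reviewer saw in the diff.
function findUnpinned(packageJsonText) {
  const pkg = JSON.parse(packageJsonText);
  const findings = [];
  for (const field of DEP_FIELDS) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      const kind = classifySpec(spec);
      if (kind === 'exact' || kind === 'local') continue;
      findings.push({ field, name, spec, kind });
    }
  }
  return findings;
}

// "^X.Y.Z" / "~X.Y.Z" become "X.Y.Z"; anything else is returned unchanged,
// because an open range or a dist-tag has no single version to pin to.
function pinSpec(spec) {
  const m = SIMPLE_RANGE.exec(spec);
  return m ? m[1] : spec;
}

// Returns the package.json text with every simple range pinned.
function pinAll(packageJsonText) {
  const pkg = JSON.parse(packageJsonText);
  for (const field of DEP_FIELDS) {
    for (const name of Object.keys(pkg[field] || {})) {
      pkg[field][name] = pinSpec(pkg[field][name]);
    }
  }
  return JSON.stringify(pkg, null, 2) + '\n';
}

// Constructed sample modelled on the hunk in this PR; not the repository's file.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: 'sample-app',
  devDependencies: {
    '@babel/plugin-transform-arrow-functions': '7.27.1',
    '@babel/plugin-transform-react-jsx': '7.27.1',
    '@babel/plugin-transform-runtime': '^7.28.5',
    'some-tool': 'latest',
    'local-pkg': 'workspace:*',
  },
}, null, 2);

// Stand-alone demo: list findings, then print the pinned file.
for (const f of findUnpinned(SAMPLE_PACKAGE_JSON)) {
  console.log(`${f.field}: ${f.name} "${f.spec}" (${f.kind})`);
}
process.stdout.write(pinAll(SAMPLE_PACKAGE_JSON));
```

Run with `node audit-pins.js` (any filename); on the sample it reports the caret on @babel/plugin-transform-runtime and the `latest` tag, and the rewritten output pins the caret while leaving `latest` flagged for manual attention. Wiring `findUnpinned` into CI so that a non-empty result fails the job is the usual way to keep floating specifiers from creeping back in.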
I have fixed the caret versions.
Regarding the build failure with @babel/plugin-proposal-private-property-in-object: this plugin was renamed in Babel 7.22+ to @babel/plugin-transform-private-property-in-object (proposal → transform).
The Babel config in the codebase needs to be updated to use the new plugin name.
Options:
- Update babel.config.js to use @babel/plugin-transform-private-property-in-object
- Or remove the explicit plugin if @babel/preset-env handles it automatically
Can someone from the team help with this?
Currently the build is also failing for
tewarig
left a comment
We also need to add a changeset for @razorpay/blade since we would need to release a version, so consumers using these packages have the latest version.
@razorgupta the test cases are still failing, can you check?
The tests are failing because of the Babel plugin rename issue we discussed earlier:
Created .changeset/security-fix-babel.md with a patch version bump for @razorpay/blade.
Security Updates
This PR fixes security vulnerabilities found by Semgrep SCA.
Updated Packages
NPM:
- @babel/helper-define-polyfill-provider: transitive → 0.6.5
- @babel/plugin-transform-runtime: transitive → 7.28.5
- @babel/preset-env: transitive → 7.28.5
- babel-plugin-polyfill-corejs2: transitive → 0.4.14
- babel-plugin-polyfill-corejs3: transitive → 0.13.0
- babel-plugin-polyfill-regenerator: transitive → 0.6.5
Note: 56 total updates across multiple package files
Vulnerabilities Fixed
Changes Made
This PR was created automatically by Security Bot
Please review and test before merging