Update dependency @babel/runtime to v7.26.10 [SECURITY]

[renovate]

Note: This PR body was truncated due to platform limits.

This PR contains the following updates:

Package	Change	Age	Confidence
@babel/runtime (source)	7.21.5 -> 7.26.10

GitHub Vulnerability Alerts

CVE-2025-27789

Impact

When using Babel to compile regular expression named capturing groups, Babel will generate a polyfill for the .replace method that has quadratic complexity on some specific replacement pattern strings (i.e. the second argument passed to .replace).

Your generated code is vulnerable if all the following conditions are true:

• You use Babel to compile regular expression named capturing groups
• You use the .replace method on a regular expression that contains named capturing groups
• Your code uses untrusted strings as the second argument of .replace

If you are using @babel/preset-env with the targets option, the transform that injects the vulnerable code is automatically enabled if:

• you use duplicated named capturing groups, and target any browser older than Chrome/Edge 126, Opera 112, Firefox 129, Safari 17.4, or Node.js 23
• you use any named capturing groups, and target any browser older than Chrome 64, Opera 71, Edge 79, Firefox 78, Safari 11.1, or Node.js 10

You can verify what transforms @babel/preset-env is using by enabling the debug option.

Patches

This problem has been fixed in @babel/helpers and @babel/runtime 7.26.10 and 8.0.0-alpha.17, please upgrade. It's likely that you do not directly depend on @babel/helpers, and instead you depend on @babel/core (which itself depends on @babel/helpers). Upgrading to @babel/core 7.26.10 is not required, but it guarantees that you are on a new enough @babel/helpers version.

Please note that just updating your Babel dependencies is not enough: you will also need to re-compile your code.

Workarounds

If you are passing user-provided strings as the second argument of .replace on regular expressions that contain named capturing groups, validate the input and make sure it does not contain the substring $< if it's then not followed by > (possibly with other characters in between).

References

This vulnerability was reported and fixed in https://github.com/babel/babel/pull/17173.

---

Release Notes

babel/babel (@​babel/runtime)

v7.26.10

Compare Source

👓 Spec Compliance

• babel-parser
  • #​17159 Disallow decorator in array pattern (@​JLHwung)

🐛 Bug Fix

• babel-parser, babel-template
  • #​17164 Fix: always initialize ExportDeclaration attributes (@​JLHwung)
• babel-core
  • #​17142 fix: "Map maximum size exceeded" in deepClone (@​liuxingbaoyu)
• babel-parser, babel-plugin-transform-typescript
  • #​17154 Update typescript parser tests (@​JLHwung)
• babel-traverse
  • #​17151 fix: Should not evaluate vars in child scope (@​liuxingbaoyu)
• babel-generator
  • #​17153 fix: Correctly generate abstract override (@​liuxingbaoyu)
• babel-parser
  • #​17107 Fix source type detection when parsing TypeScript (@​JLHwung)
• babel-helpers, babel-runtime, babel-runtime-corejs2, babel-runtime-corejs3
  • #​17173 Fix processing of replacement pattern with named capture groups (@​mmmsssttt404)

💅 Polish

• babel-standalone
  • #​17158 Avoid warnings when re-bundling @​babel/standalone with webpack (@​liuxingbaoyu)

🏠 Internal

• babel-parser
  • #​17160 Left-value parsing cleanup (@​JLHwung)

v7.26.9

Compare Source

🐛 Bug Fix

• babel-types
  • #​17103 fix: Definition for TSPropertySignature.kind (@​liuxingbaoyu)
• babel-generator, babel-types
  • #​17062 Print TypeScript optional/definite in ClassPrivateProperty (@​jamiebuilds-signal)

🏠 Internal

• babel-types
  • #​17130 Use .ts files with explicit reexports to solve name conflicts (@​nicolo-ribaudo)
• babel-core
  • #​17127 Do not depend on @types/gensync in Babel 7 (@​nicolo-ribaudo)

v7.26.7

Compare Source

🐛 Bug Fix

• babel-helpers, babel-preset-env, babel-runtime-corejs3
  • #​17086 Make "object without properties" helpers ES6-compatible (@​tquetano-netflix)
• babel-plugin-transform-typeof-symbol
  • #​17085 fix: Correctly handle typeof in arrow functions (@​liuxingbaoyu)
• babel-parser
  • #​17079 Respect ranges option in estree method value (@​JLHwung)
• babel-core
  • #​17052 Do not try to parse .ts configs as JSON if natively supported (@​nicolo-ribaudo)
• babel-plugin-transform-typescript
  • #​17050 fix: correctly resolve references to non-constant enum members (@​branchseer)
• babel-plugin-transform-typescript, babel-traverse, babel-types
  • #​17025 fix: Remove type-only import x = y.z (@​liuxingbaoyu)

v7.26.0

Compare Source

🚀 New Feature

• babel-core, babel-generator, babel-parser, babel-plugin-syntax-import-assertions, babel-plugin-syntax-import-attributes, babel-preset-env, babel-standalone, babel-types
  • #​16850 Enable import attributes parsing by default (@​nicolo-ribaudo)
• babel-core
  • #​16862 feat: support async plugin's pre/post (@​timofei-iatsenko)
• babel-compat-data, babel-plugin-proposal-regexp-modifiers, babel-plugin-transform-regexp-modifiers, babel-preset-env, babel-standalone
  • #​16692 Add transform-regexp-modifiers to preset-env (@​JLHwung)
• babel-parser
  • #​16849 feat: add startIndex parser option (@​DylanPiercey)
• babel-generator, babel-parser, babel-plugin-syntax-flow
  • #​16841 Always enable parsing of Flow enums (@​nicolo-ribaudo)
• babel-helpers, babel-preset-typescript, babel-runtime-corejs3
  • #​16794 Support import() in rewriteImportExtensions (@​liuxingbaoyu)
• babel-generator, babel-parser
  • #​16708 Add experimental format-preserving mode to @babel/generator (@​nicolo-ribaudo)

🐛 Bug Fix

• babel-core
  • #​16928 Workaround Node.js bug for parallel loading of TLA modules (@​nicolo-ribaudo)
  • #​16926 Fix loading of modules with TLA in Node.js 23 (@​nicolo-ribaudo)

💅 Polish

• babel-plugin-proposal-json-modules, babel-plugin-transform-json-modules, babel-standalone
  • #​16924 Rename proposal-json-modules to transform-json-modules (@​nicolo-ribaudo)

🏠 Internal

• babel-code-frame, babel-highlight
  • #​16896 Inline @babel/highlight in @babel/code-frame (@​nicolo-ribaudo)
• babel-generator, babel-parser, babel-types
  • #​16732 Add kind to TSModuleDeclaration (@​liuxingbaoyu)

🏃‍♀️ Performance

• babel-helper-module-transforms, babel-plugin-transform-modules-commonjs
  • #​16882 perf: Improve module transforms (@​liuxingbaoyu)

v7.25.9

Compare Source

🐛 Bug Fix

• babel-parser, babel-template, babel-types
  • #​16905 fix: Keep type annotations in syntacticPlaceholders mode (@​liuxingbaoyu)
• babel-helper-compilation-targets, babel-preset-env
  • #​16907 fix: support BROWSERSLIST{,_CONFIG} env (@​JLHwung)
• Other
  • #​16884 Analyze ClassAccessorProperty to prevent the no-undef rule (@​victorenator)

🏠 Internal

• babel-helper-transform-fixture-test-runner
  • #​16914 remove test options flaky (@​JLHwung)

🏃‍♀️ Performance

• babel-parser, babel-types
  • #​16918 perf: Make VISITOR_KEYS etc. faster to access (@​liuxingbaoyu)

v7.25.7

Compare Source

🐛 Bug Fix

• babel-helper-validator-identifier
  • #​16825 fix: update identifier to unicode 16 (@​JLHwung)
• babel-traverse
  • #​16814 fix: issue with node path keys updated on unrelated paths (@​DylanPiercey)
• babel-plugin-transform-classes
  • #​16797 Use an inclusion rather than exclusion list for super() check (@​nicolo-ribaudo)
• babel-generator
  • #​16788 Fix printing of TS infer in compact mode (@​nicolo-ribaudo)
  • #​16785 Print TS type annotations for destructuring in assignment pattern (@​nicolo-ribaudo)
  • #​16778 Respect [no LineTerminator here] after nodes (@​nicolo-ribaudo)

💅 Polish

• babel-types
  • #​16852 Add deprecated JSDOC for fields (@​liuxingbaoyu)

🏠 Internal

• babel-core
  • #​16820 Allow sync loading of ESM when --experimental-require-module (@​nicolo-ribaudo)
• babel-helper-compilation-targets, babel-helper-plugin-utils, babel-preset-env
  • #​16858 Add browserslist config to external dependency (@​JLHwung)
• babel-plugin-proposal-destructuring-private, babel-plugin-syntax-decimal, babel-plugin-syntax-import-reflection, babel-standalone
  • #​16809 Archive syntax-import-reflection and syntax-decimal (@​nicolo-ribaudo)
• babel-generator
  • #​16779 Simplify logic for [no LineTerminator here] before nodes (@​nicolo-ribaudo)

🏃‍♀️ Performance

• babel-plugin-transform-typescript
  • #​16875 perf: Avoid extra cloning of namespaces (@​liuxingbaoyu)
• babel-types
  • #​16842 perf: Improve @​babel/types builders (@​liuxingbaoyu)
  • #​16828 Only access BABEL_TYPES_8_BREAKING at startup (@​nicolo-ribaudo)

v7.25.6

Compare Source

🐛 Bug Fix

• babel-generator
  • #​16783 Properly print inner comments in TS array types (@​nicolo-ribaudo)
  • #​16775 fix: jsx whitespace is not properly preserved when retainLines (@​liuxingbaoyu)
• babel-traverse
  • #​16727 fix: path.getAssignmentIdentifiers may be undefined (@​liuxingbaoyu)
• babel-parser
  • #​16761 fix: improve static canFollowModifier checks (@​JLHwung)
• babel-helpers, babel-plugin-transform-optional-chaining, babel-runtime-corejs3
  • #​16769 Only wrap functions in superPropertyGet helper (@​nicolo-ribaudo)

💅 Polish

• babel-generator, babel-plugin-transform-async-to-generator, babel-plugin-transform-block-scoping, babel-plugin-transform-class-properties, babel-plugin-transform-classes, babel-plugin-transform-duplicate-named-capturing-groups-regex, babel-plugin-transform-named-capturing-groups-regex, babel-plugin-transform-react-jsx-development, babel-plugin-transform-react-jsx, babel-plugin-transform-react-pure-annotations, babel-plugin-transform-regenerator, babel-plugin-transform-runtime, babel-preset-env
  • #​16780 Do not enforce printing space between ( and comments (@​nicolo-ribaudo)
• babel-plugin-syntax-import-assertions, babel-plugin-syntax-import-attributes
  • #​16781 Don't throw when enabling both syntax-import-{assertions,attributes} (@​nicolo-ribaudo)
• babel-generator
  • #​16782 TS union/intersection nested in union does not need parens (@​nicolo-ribaudo)

🏠 Internal

• babel-generator
  • #​16777 Remove unused parent params in the generator (@​nicolo-ribaudo)

v7.25.4

Compare Source

🐛 Bug Fix

• babel-traverse
  • #​16756 fix: Skip computed key when renaming (@​liuxingbaoyu)
• babel-helper-create-class-features-plugin, babel-plugin-proposal-decorators
  • #​16755 fix: Decorator 2018-09 may throw an exception (@​liuxingbaoyu)
• babel-types
  • #​16710 Visit AST fields nodes according to their syntactical order (@​nicolo-ribaudo)
• babel-generator
  • #​16709 Print semicolon after TS export namespace as A (@​nicolo-ribaudo)

💅 Polish

• babel-generator, babel-plugin-proposal-decorators, babel-plugin-proposal-destructuring-private, babel-plugin-proposal-pipeline-operator, babel-plugin-transform-class-properties, babel-plugin-transform-destructuring, babel-plugin-transform-optional-chaining, babel-plugin-transform-private-methods, babel-plugin-transform-private-property-in-object, babel-plugin-transform-typescript, babel-runtime-corejs2, babel-runtime, babel-traverse
  • #​16722 Avoid unnecessary parens around sequence expressions (@​nicolo-ribaudo)
• babel-generator, babel-plugin-transform-class-properties
  • #​16714 Avoid unnecessary parens around exported arrow functions (@​nicolo-ribaudo)
• babel-generator, babel-plugin-proposal-decorators, babel-plugin-proposal-destructuring-private, babel-plugin-transform-object-rest-spread
  • #​16712 Avoid printing unnecessary parens around object destructuring (@​nicolo-ribaudo)

🔬 Output optimization

• babel-generator
  • #​16740 Avoid extra spaces between comments/regexps in compact mode (@​nicolo-ribaudo)

v7.25.0

Compare Source

👓 Spec Compliance

• babel-helpers, babel-plugin-proposal-explicit-resource-management, babel-runtime-corejs3
  • #​16537 await using normative updates (@​JLHwung)
• babel-plugin-transform-typescript
  • #​16602 Ensure enum members syntactically determinable to be strings do not get reverse mappings (@​liuxingbaoyu)

🚀 New Feature

• babel-helper-create-class-features-plugin, babel-helper-function-name, babel-helper-plugin-utils, babel-helper-wrap-function, babel-plugin-bugfix-safari-class-field-initializer-scope, babel-plugin-bugfix-safari-id-destructuring-collision-in-function-expression, babel-plugin-transform-classes, babel-plugin-transform-function-name, babel-preset-env, babel-traverse, babel-types
  • #​16658 Move ensureFunctionName to NodePath.prototype (@​nicolo-ribaudo)
• babel-helper-hoist-variables, babel-helper-plugin-utils, babel-plugin-proposal-async-do-expressions, babel-plugin-transform-modules-systemjs, babel-traverse
  • #​16644 Move hoistVariables to Scope.prototype (@​nicolo-ribaudo)
• babel-helper-create-class-features-plugin, babel-helper-module-transforms, babel-helper-plugin-utils, babel-helper-split-export-declaration, babel-plugin-transform-classes, babel-traverse, babel-types
  • #​16645 Move splitExportDeclaration to NodePath.prototype (@​nicolo-ribaudo)
• babel-helper-create-class-features-plugin, babel-helper-environment-visitor, babel-helper-module-transforms, babel-helper-plugin-utils, babel-helper-remap-async-to-generator, babel-helper-replace-supers, babel-plugin-bugfix-firefox-class-in-computed-class-key, babel-plugin-bugfix-v8-static-class-fields-redefine-readonly, babel-plugin-transform-async-generator-functions, babel-plugin-transform-classes, babel-traverse
  • #​16649 Move environment-visitor helper into @babel/traverse (@​nicolo-ribaudo)
• babel-core, babel-parser
  • #​16480 Expose wether a module has TLA or not as .extra.async (@​nicolo-ribaudo)
• babel-compat-data, babel-plugin-bugfix-safari-class-field-initializer-scope, babel-preset-env
  • #​16569 Introduce bugfix-safari-class-field-initializer-scope (@​davidtaylorhq)
• babel-plugin-transform-block-scoping, babel-traverse, babel-types
  • #​16551 Add NodePath#getAssignmentIdentifiers (@​JLHwung)
• babel-helper-import-to-platform-api, babel-plugin-proposal-json-modules
  • #​16579 Add uncheckedRequire option for JSON imports to CJS (@​nicolo-ribaudo)
• babel-helper-transform-fixture-test-runner, babel-node
  • #​16642 Allow using custom config in babel-node --eval (@​slatereax)
• babel-compat-data, babel-helper-create-regexp-features-plugin, babel-plugin-proposal-duplicate-named-capturing-groups-regex, babel-plugin-transform-duplicate-named-capturing-groups-regex, babel-preset-env, babel-standalone
  • #​16445 Add duplicate-named-capturing-groups-regex to preset-env (@​JLHwung)

🐛 Bug Fix

• babel-generator
  • #​16678 Print parens around as expressions on the LHS (@​nicolo-ribaudo)
• babel-template, babel-types
  • #​15286 fix: Props are lost when the template replaces the node (@​liuxingbaoyu)

🏠 Internal

• Other
  • #​16674 bump gulp to 5 (@​JLHwung)
• babel-generator
  • #​16651 Simplify the printing logic for ( before ambiguous tokens (@​nicolo-ribaudo)
• babel-helper-function-name, babel-plugin-transform-arrow-functions, babel-plugin-transform-function-name, babel-preset-env, babel-traverse
  • #​16652 Simplify helper-function-name logic (@​nicolo-ribaudo)

🏃‍♀️ Performance

• babel-parser, babel-plugin-proposal-pipeline-operator
  • #​16461 Some minor parser performance improvements for ts (@​liuxingbaoyu)

🔬 Output optimization

• babel-plugin-transform-classes
  • #​16670 Reduce redundant assertThisInitialized (@​liuxingbaoyu)
• babel-helper-create-class-features-plugin, babel-helper-replace-supers, babel-helpers, babel-plugin-proposal-decorators, babel-plugin-transform-class-properties, babel-plugin-transform-classes, babel-plugin-transform-exponentiation-operator, babel-plugin-transform-object-super, babel-plugin-transform-private-methods, babel-runtime-corejs2, babel-runtime-corejs3, babel-runtime
  • #​16374 Improve super.x output (@​liuxingbaoyu)
• babel-plugin-transform-class-properties, babel-plugin-transform-classes
  • #​16656 Simplify output for anonymous classes with no methods (@​nicolo-ribaudo)

v7.24.8

Compare Source

👓 Spec Compliance

• babel-parser
  • #​16567 Do not use strict mode in TS declare (@​liuxingbaoyu)

🐛 Bug Fix

• babel-generator
  • #​16630 Correctly print parens around in in for heads (@​nicolo-ribaudo)
  • #​16626 Fix printing of comments in await using (@​nicolo-ribaudo)
  • #​16591 fix typescript code generation for yield expression inside type expre… (@​SreeXD)
• babel-parser
  • #​16613 Disallow destructuring assignment in using declarations (@​H0onnn)
  • #​16490 fix: do not add .value: undefined to regexp literals (@​liuxingbaoyu)
• babel-types
  • #​16615 Remove boolean props from ObjectTypeInternalSlot visitor keys (@​nicolo-ribaudo)
• babel-plugin-transform-typescript
  • #​16566 fix: Correctly handle export import x = (@​liuxingbaoyu)

💅 Polish

• babel-generator
  • #​16625 Avoid unnecessary parens around async in for await (@​nicolo-ribaudo)
• babel-traverse
  • #​16619 Avoid checking Scope.globals multiple times (@​liuxingbaoyu)

v7.24.7

Compare Source

🐛 Bug Fix

• babel-node
  • #​16554 Allow extra flags in babel-node (@​nicolo-ribaudo)
• babel-traverse
  • #​16522 fix: incorrect constantViolations with destructuring (@​liuxingbaoyu)
• babel-helper-transform-fixture-test-runner, babel-plugin-proposal-explicit-resource-management
  • #​16524 fix: Transform using in switch correctly (@​liuxingbaoyu)

🏠 Internal

• babel-helpers, babel-runtime-corejs2, babel-runtime-corejs3, babel-runtime
  • #​16525 Delete unused array helpers (@​blakewilson)

v7.24.6

Compare Source

🐛 Bug Fix

• babel-helper-create-class-features-plugin, babel-plugin-transform-class-properties
  • #​16514 Fix source maps for private member expressions (@​nicolo-ribaudo)
• babel-core, babel-generator, babel-plugin-transform-modules-commonjs
  • #​16515 Fix source maps for template literals (@​nicolo-ribaudo)
• babel-helper-create-class-features-plugin, babel-plugin-proposal-decorators
  • #​16485 Support undecorated static accessor in anonymous classes (@​JLHwung)
  • #​16484 Fix decorator bare yield await (@​JLHwung)
• babel-helpers, babel-plugin-proposal-decorators, babel-runtime-corejs3
  • #​16483 Fix: throw TypeError if addInitializer is called after finished (@​JLHwung)
• babel-parser, babel-plugin-transform-typescript
  • #​16476 fix: Correctly parse cls.fn<C> = x (@​liuxingbaoyu)

🏠 Internal

• babel-core, babel-helpers, babel-plugin-transform-runtime, babel-preset-env, babel-runtime-corejs2, babel-runtime-corejs3, babel-runtime
  • #​16501 Generate helper metadata at build time (@​nicolo-ribaudo)
• babel-helpers
  • #​16499 Add tsconfig.json for @babel/helpers/src/helpers (@​nicolo-ribaudo)
• babel-cli, babel-helpers, babel-plugin-external-helpers, babel-plugin-proposal-decorators, babel-plugin-transform-class-properties, babel-plugin-transform-modules-commonjs, babel-plugin-transform-modules-systemjs, babel-plugin-transform-runtime, babel-preset-env, babel-runtime-corejs2, babel-runtime-corejs3, babel-runtime
  • #​16495 Move all runtime helpers to individual files (@​nicolo-ribaudo)
• babel-parser, babel-traverse
  • #​16482 Statically generate boilerplate for bitfield accessors (@​nicolo-ribaudo)
• Other
  • #​16466 Migrate import assertions syntax (@​JLHwung)

v7.24.5

Compare Source

🐛 Bug Fix

• babel-plugin-transform-classes, babel-traverse
  • #​16377 fix: TypeScript annotation affects output (@​liuxingbaoyu)
• babel-helpers, babel-plugin-proposal-explicit-resource-management, babel-runtime-corejs3
  • #​16440 Fix suppressed error order (@​sossost)
  • #​16408 Await nullish async disposable (@​JLHwung)

💅 Polish

• babel-parser
  • #​16407 Recover from exported using declaration (@​JLHwung)

🏠 Internal

• Other
  • #​16414 Relax ESLint peerDependency constraint to allow v9 (@​liuxingbaoyu)
• babel-parser
  • #​16425 Improve @babel/parser AST types (@​nicolo-ribaudo)
  • #​16417 Always pass type argument to .startNode (@​nicolo-ribaudo)
• babel-helper-create-class-features-plugin, babel-helper-member-expression-to-functions, babel-helper-module-transforms, babel-helper-split-export-declaration, babel-helper-wrap-function, babel-helpers, babel-plugin-bugfix-firefox-class-in-computed-class-key, babel-plugin-proposal-explicit-resource-management, babel-plugin-transform-block-scoping, babel-plugin-transform-destructuring, babel-plugin-transform-object-rest-spread, babel-plugin-transform-optional-chaining, babel-plugin-transform-parameters, babel-plugin-transform-private-property-in-object, babel-plugin-transform-react-jsx-self, babel-plugin-transform-typeof-symbol, babel-plugin-transform-typescript, babel-traverse
  • #​16439 Make NodePath<T | U> distributive (@​nicolo-ribaudo)
• babel-plugin-proposal-partial-application, babel-types
  • #​16421 Remove JSXNamespacedName from valid CallExpression args (@​nicolo-ribaudo)
• babel-plugin-transform-class-properties, babel-preset-env
  • #​16406 Do not load unnecessary Babel 7 syntax plugins in Babel 8 (@​nicolo-ribaudo)

🏃‍♀️ Performance

• babel-helpers, babel-preset-env, babel-runtime-corejs3
  • #​16357 Performance: improve objectWithoutPropertiesLoose on V8 (@​romgrk)

v7.24.4

Compare Source

👓 Spec Compliance

• babel-parser
  • #​16403 Forbid initializerless using (@​JLHwung)
• babel-helpers, babel-plugin-proposal-decorators, babel-runtime-corejs3
  • #​16388 Ensure decorators are callable (@​JLHwung)

🐛 Bug Fix

• babel-generator
  • #​16402 fix: Correctly prints { [key in Bar]? } (@​liuxingbaoyu)
  • #​16394 fix: Correctly generate TSMappedType (@​liuxingbaoyu)
• babel-compat-data, babel-plugin-bugfix-firefox-class-in-computed-class-key, babel-preset-env
  • #​16390 Create bugfix plugin for classes in computed keys in Firefox (@​nicolo-ribaudo)
• babel-helper-create-class-features-plugin, babel-plugin-proposal-decorators
  • #​16387 fix: support mutated outer decorated class binding (@​JLHwung)
  • #​16385 fix: Decorators when super() exists and protoInit is not needed (@​liuxingbaoyu)
• babel-plugin-transform-block-scoping
  • #​16384 fix: Transform scoping for for X in loop (@​liuxingbaoyu)
  • #​16368 fix: Capture let when the for body is not a block (@​liuxingbaoyu)
• babel-core, babel-plugin-transform-block-scoped-functions, babel-plugin-transform-block-scoping
  • #​16363 Fix incorrect function hoisting in some case statements (@​luiscubal)

v7.24.1

Compare Source

🐛 Bug Fix

• babel-generator
  • #​16648 Fix parens detection for object&function in as/satisfies (@​nicolo-ribaudo)

v7.24.0

Compare Source

🚀 New Feature

• babel-standalone
  • #​11696 Export babel tooling packages in @babel/standalone (@​ajihyf)
• babel-core, babel-helper-create-class-features-plugin, babel-helpers, babel-plugin-transform-class-properties
  • #​16267 Implement noUninitializedPrivateFieldAccess assumption (@​nicolo-ribaudo)
• babel-helper-create-class-features-plugin, babel-helpers, babel-plugin-proposal-decorators, babel-plugin-proposal-pipeline-operator, babel-plugin-syntax-decorators, babel-plugin-transform-class-properties, babel-runtime-corejs2, babel-runtime-corejs3, babel-runtime
  • #​16242 Support decorator 2023-11 normative updates (@​JLHwung)
• babel-preset-flow
  • #​16309 [babel 7] Allow setting ignoreExtensions in Flow preset (@​nicolo-ribaudo)
  • #​16284 Add experimental_useHermesParser option in preset-flow (@​liuxingbaoyu)
• babel-helper-import-to-platform-api, babel-plugin-proposal-import-wasm-source, babel-plugin-proposal-json-modules, babel-standalone
  • #​16172 Add transform support for JSON modules imports (@​nicolo-ribaudo)
• babel-plugin-transform-runtime
  • #​16241 Add back moduleName option to @babel/plugin-transform-runtime (@​nicolo-ribaudo)
• babel-parser, babel-types
  • #​16277 Allow import attributes for TSImportType (@​sosukesuzuki)

🐛 Bug Fix

• babel-plugin-proposal-do-expressions, babel-traverse
  • #​16305 fix: avoid popContext on unvisited node paths (@​JLHwung)
• babel-helper-create-class-features-plugin, babel-plugin-transform-private-methods, babel-plugin-transform-private-property-in-object
  • #​16312 Fix class private properties when privateFieldsAsSymbols (@​liuxingbaoyu)
• babel-helper-create-class-features-plugin, babel-plugin-transform-private-methods
  • #​16307 Fix the support of arguments in private get/set method (@​liuxingbaoyu)
• babel-helper-create-class-features-plugin, babel-helpers, babel-plugin-proposal-decorators
  • #​16287 Reduce decorator static property size (@​liuxingbaoyu)
• babel-helper-create-class-features-plugin, babel-plugin-proposal-decorators
  • #​16281 Fix evaluation order of decorators with cached receiver (@​nicolo-ribaudo)
  • #​16279 Fix decorator this memoization (@​JLHwung)
  • #​16266 Preserve static on decorated private accessor (@​nicolo-ribaudo)
  • #​16258 fix: handle decorated async private method and generator (@​JLHwung)
• babel-helper-create-class-features-plugin, babel-plugin-proposal-decorators, babel-plugin-transform-async-generator-functions, babel-plugin-transform-private-methods, babel-plugin-transform-private-property-in-object, babel-plugin-transform-typescript, babel-preset-env
  • #​16275 Fix class private properties when privateFieldsAsProperties (@​liuxingbaoyu)
• babel-helpers
  • #​16268 Do not consider arguments in a helper as a global reference (@​nicolo-ribaudo)
• babel-helpers, babel-plugin-proposal-decorators
  • #​16270 Handle symbol key class elements decoration (@​JLHwung)
  • #​16265 Do not define access.get for public setter decorators (@​nicolo-ribaudo)

💅 Polish

• babel-core, babel-helper-create-class-features-plugin, babel-preset-env
  • #​12428 Suggest using BABEL_SHOW_CONFIG_FOR for config problems (@​nicolo-ribaudo)

🏠 Internal

• babel-helper-transform-fixture-test-runner
  • #​16278 Continue writing output.js when exec.js throws (@​liuxingbaoyu)

🔬 Output optimization

• babel-helper-create-class-features-plugin, babel-plugin-proposal-decorators
  • #​16306 Avoid intermediate functions for private accessors with decs (@​nicolo-ribaudo)
• babel-helper-create-class-features-plugin, babel-helpers, babel-plugin-proposal-decorators, babel-plugin-proposal-pipeline-operator, babel-plugin-transform-class-properties
  • #​16294 More aggressively inline decorators in the static block (@​nicolo-ribaudo)
• babel-helper-create-class-features-plugin, babel-helpers, babel-plugin-transform-private-methods
  • #​16283 Do not use classPrivateMethodGet (@​liuxingbaoyu)
• babel-helper-create-class-features-plugin, babel-helpers, babel-plugin-proposal-decorators
  • #​16287 Reduce decorator static property size (@​liuxingbaoyu)
• babel-helper-create-class-features-plugin, babel-plugin-proposal-decorators, babel-plugin-transform-class-properties
  • #​16280 Reduce element decorator temp variables (@​JLHwung)
• babel-helper-create-class-features-plugin, babel-helper-fixtures, babel-helpers, babel-plugin-bugfix-v8-spread-parameters-in-optional-chaining, babel-plugin-proposal-decorators, babel-plugin-proposal-destructuring-private, babel-plugin-proposal-optional-chaining-assign, babel-plugin-transform-class-properties, babel-plugin-transform-class-static-block, babel-plugin-transform-private-methods, babel-plugin-transform-private-property-in-object, babel-preset-env, babel-runtime-corejs2, babel-runtime-corejs3, babel-runtime
  • #​16261 Do not use descriptors for private class elements (@​nicolo-ribaudo)
• babel-helpers, babel-plugin-proposal-decorators
  • #​16263 Reduce helper size for decorator 2023-11 (@​liuxingbaoyu)

v7.23.9

Compare Source

🐛 Bug Fix

• babel-helper-transform-fixture-test-runner, babel-plugin-transform-function-name, babel-plugin-transform-modules-systemjs, babel-preset-env
  • #​16225 fix: systemjs re-traverses helpers (@​liuxingbaoyu)
• babel-helper-create-class-features-plugin, babel-plugin-proposal-decorators
  • #​16226 Improve decorated private method check (@​JLHwung)
• babel-plugin-proposal-decorators, babel-plugin-transform-async-generator-functions, babel-plugin-transform-runtime, babel-preset-env
  • #​16224 Properly sort core-js@3 imports (@​nicolo-ribaudo)
• babel-traverse
  • #​15383 fix: Don't throw in getTypeAnnotation when using TS+inference (@​liuxingbaoyu)
• Other
  • #​16210 [eslint] Fix no-use-before-define for class ref in fields (@​nicolo-ribaudo)

🏠 Internal

• babel-core, babel-parser, babel-template
  • #​16222 Migrate eslint-parser to cts (@​liuxingbaoyu)
• babel-types
  • #​16213 Remove @babel/types props that are not produced by the parser (@​liuxingbaoyu)

🏃‍♀️ Performance

• babel-parser
  • #​16072 perf: Improve parser performance for typescript (@​liuxingbaoyu)

🔬 Output optimization

• babel-helper-create-class-features-plugin, babel-plugin-proposal-decorators, babel-plugin-proposal-destructuring-private, babel-plugin-proposal-pipeline-operator, babel-plugin-transform-class-properties, babel-plugin-transform-class-static-block, babel-plugin-transform-new-target, babel-plugin-transform-parameters, babel-plugin-transform-private-methods, babel-preset-env
  • #​16218 Improve temporary variables for decorators (@​liuxingbaoyu)
• babel-helpers, babel-plugin-proposal-explicit-resource-management, babel-runtime-corejs2, babel-runtime-corejs3, babel-runtime
  • #​15959 Improve output of using (@​liuxingbaoyu)

v7.23.8

Compare Source

🐛 Bug Fix

• babel-preset-env
  • #​16181 fix: preset-env throws exception for export * as x (@​liuxingbaoyu)
• babel-helpers, babel-plugin-proposal-decorators
  • #​16201 fix: decorator binds getter/setter to ctx.access for public fields (@​liuxingbaoyu)
  • #​16199 fix: Class decorator correctly passes return value (@​liuxingbaoyu)

↩️ Revert

• #​16202 Revert "chore: Update artifact tools (#​16184)" (@​JLHwung)

🔬 Output optimization

• babel-helpers, babel-plugin-proposal-decorators, babel-plugin-transform-class-properties, babel-plugin-transform-classes, babel-plugin-transform-function-name, babel-plugin-transform-parameters, babel-plugin-transform-react-jsx, babel-plugin-transform-runtime, babel-plugin-transform-spread, babel-plugin-transform-typescript, babel-preset-env, babel-runtime-corejs2, babel-runtime-corejs3, babel-runtime
  • #​16194 Improve output of super() (@​liuxingbaoyu)

v7.23.7

Compare Source

🐛 Bug Fix

• babel-traverse
  • #​16191 fix: Crash when removing without Program (@​liuxingbaoyu)
• babel-helpers, babel-plugin-proposal-decorators
  • #​16180 fix: Class decorator ctx.kind is wrong (@​liuxingbaoyu)
• babel-plugin-proposal-decorators
  • #​16170 Fix decorator initProto usage in derived classes (@​JLHwung)
• babel-core
  • [#​16167](https://red

---

Configuration

📅 Schedule: Branch creation - "" in timezone Europe/London, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[leotm]

https://github.com/react-native-community/template/blob/main/template/package.json#L21

[socket-security]

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action	Severity	Alert  (click "▶" to expand/collapse)
Warn		Critical CVE: npm cipher-base is missing type checks, leading to hash rewind and passing on crafted data CVE: GHSA-cpq7-6gpm-g9rc cipher-base is missing type checks, leading to hash rewind and passing on crafted data (CRITICAL) Affected versions: < 1.0.5 Patched version: 1.0.5 From: ? → npm/[email protected] ℹ Read more on: This package | This alert | What is a critical CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected]. Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Critical CVE: Elliptic's private key extraction in ECDSA upon signing a malformed input (e.g. a string) CVE: GHSA-vjh7-7g9h-fjfh Elliptic's private key extraction in ECDSA upon signing a malformed input (e.g. a string) (CRITICAL) Affected versions: < 6.6.1 Patched version: 6.6.1 From: ? → npm/[email protected] ℹ Read more on: This package | This alert | What is a critical CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected]. Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Critical CVE: npm pbkdf2 returns predictable uninitialized/zero-filled memory for non-normalized or unimplemented algos CVE: GHSA-h7cp-r72f-jxh6 pbkdf2 returns predictable uninitialized/zero-filled memory for non-normalized or unimplemented algos (CRITICAL) Affected versions: >= 3.0.10 < 3.1.3 Patched version: 3.1.3 From: ? → npm/[email protected] ℹ Read more on: This package | This alert | What is a critical CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected]. Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Critical CVE: npm pbkdf2 silently disregards Uint8Array input, returning static keys CVE: GHSA-v62p-rq8g-8h59 pbkdf2 silently disregards Uint8Array input, returning static keys (CRITICAL) Affected versions: < 3.1.3 Patched version: 3.1.3 From: ? → npm/[email protected] ℹ Read more on: This package | This alert | What is a critical CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected]. Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Critical CVE: npm sha.js is missing type checks leading to hash rewind and passing on crafted data CVE: GHSA-95m3-7q98-8xr5 sha.js is missing type checks leading to hash rewind and passing on crafted data (CRITICAL) Affected versions: < 2.4.12 Patched version: 2.4.12 From: ? → npm/[email protected] ℹ Read more on: This package | This alert | What is a critical CVE? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected]. Suggestion: Remove or replace dependencies that include known critical CVEs. Consumers can use dependency overrides or npm audit fix --force to remove vulnerable dependencies. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: npm buffer is 96.0% likely obfuscated Confidence: 0.96 Location: Package overview From: ? → npm/[email protected] ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected]. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.
Warn		Obfuscated code: npm safer-buffer is 94.0% likely obfuscated Confidence: 0.94 Location: Package overview From: ? → npm/[email protected] ℹ Read more on: This package | This alert | What is obfuscated code? Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at [email protected]. Suggestion: Packages should not obfuscate their code. Consider not using packages with obfuscated code. Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity ignore npm/[email protected]. You can also ignore all packages with @SocketSecurity ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.

View full report