Skip to content

chore(deps): update dependency @babel/runtime to v7.26.10 [security] #692

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
jzempel merged 1 commit into from
Dec 3, 2025
Merged

chore(deps): update dependency @babel/runtime to v7.26.10 [security] #692

jzempel merged 1 commit into from
Dec 3, 2025

Conversation

@renovate
Copy link
Contributor

@renovate renovate bot commented Apr 8, 2025
edited
Loading

This PR contains the following updates:

Package Change Age Confidence
@babel/runtime (source) 7.26.0 -> 7.26.10 age confidence

GitHub Vulnerability Alerts

CVE-2025-27789

Impact

When using Babel to compile regular expression named capturing groups, Babel will generate a polyfill for the .replace method that has quadratic complexity on some specific replacement pattern strings (i.e. the second argument passed to .replace).

Your generated code is vulnerable if all the following conditions are true:

  • You use Babel to compile regular expression named capturing groups
  • You use the .replace method on a regular expression that contains named capturing groups
  • Your code uses untrusted strings as the second argument of .replace

If you are using @babel/preset-env with the targets option, the transform that injects the vulnerable code is automatically enabled if:

  • you use duplicated named capturing groups, and target any browser older than Chrome/Edge 126, Opera 112, Firefox 129, Safari 17.4, or Node.js 23
  • you use any named capturing groups, and target any browser older than Chrome 64, Opera 71, Edge 79, Firefox 78, Safari 11.1, or Node.js 10

You can verify what transforms @babel/preset-env is using by enabling the debug option.

Patches

This problem has been fixed in @babel/helpers and @babel/runtime 7.26.10 and 8.0.0-alpha.17, please upgrade. It's likely that you do not directly depend on @babel/helpers, and instead you depend on @babel/core (which itself depends on @babel/helpers). Upgrading to @babel/core 7.26.10 is not required, but it guarantees that you are on a new enough @babel/helpers version.

Please note that just updating your Babel dependencies is not enough: you will also need to re-compile your code.

Workarounds

If you are passing user-provided strings as the second argument of .replace on regular expressions that contain named capturing groups, validate the input and make sure it does not contain the substring $< if it's then not followed by > (possibly with other characters in between).

References

This vulnerability was reported and fixed in https://github.com/babel/babel/pull/17173.

Release Notes

babel/babel (@​babel/runtime)

v7.26.10

Compare Source

👓 Spec Compliance
🐛 Bug Fix
💅 Polish
🏠 Internal

v7.26.9

Compare Source

🐛 Bug Fix
🏠 Internal

v7.26.7

Compare Source

🐛 Bug Fix

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

@renovate renovate bot requested a review from a team as a code owner April 8, 2025 21:25
@coveralls
Copy link

coveralls commented Apr 8, 2025
edited
Loading

Coverage Status

Changes unknown
when pulling 46b8c90 on renovate/npm-babel-runtime-vulnerability
into ** on main**.

@renovate renovate bot force-pushed the renovate/npm-babel-runtime-vulnerability branch 3 times, most recently from 68aadb6 to 96a4723 Compare May 13, 2025 22:19
@renovate renovate bot force-pushed the renovate/npm-babel-runtime-vulnerability branch 2 times, most recently from a923be0 to 92d6c6a Compare June 5, 2025 18:25
@renovate renovate bot force-pushed the renovate/npm-babel-runtime-vulnerability branch 2 times, most recently from 9d691e7 to f49b81a Compare July 9, 2025 13:48
@renovate renovate bot force-pushed the renovate/npm-babel-runtime-vulnerability branch 3 times, most recently from f341210 to 845ef60 Compare August 4, 2025 19:32
@renovate renovate bot force-pushed the renovate/npm-babel-runtime-vulnerability branch 2 times, most recently from 650b75a to d431e5d Compare August 5, 2025 22:38
@renovate renovate bot force-pushed the renovate/npm-babel-runtime-vulnerability branch 2 times, most recently from 4f76e33 to 100d582 Compare October 20, 2025 15:01
@renovate renovate bot force-pushed the renovate/npm-babel-runtime-vulnerability branch 4 times, most recently from 8adaea3 to 423197c Compare December 2, 2025 17:30
@renovate renovate bot force-pushed the renovate/npm-babel-runtime-vulnerability branch from 423197c to 7019c3d Compare December 3, 2025 19:43
@renovate renovate bot force-pushed the renovate/npm-babel-runtime-vulnerability branch from 7019c3d to 5fac4f0 Compare December 3, 2025 20:33
@renovate renovate bot force-pushed the renovate/npm-babel-runtime-vulnerability branch from 5fac4f0 to 46b8c90 Compare December 3, 2025 20:36
@jzempel jzempel merged commit 8db13aa into main Dec 3, 2025
3 checks passed
@jzempel jzempel deleted the renovate/npm-babel-runtime-vulnerability branch December 3, 2025 20:40
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jzempel jzempel jzempel approved these changes

Assignees

No one assigned

Labels

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@coveralls @jzempel @zendesk-garden