fix: update @babel/core to resolve CVE-2026-49356#86
Merged
Conversation
Co-Authored-By: Oz <oz-agent@warp.dev>
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
dannyneira
approved these changes
Jul 1, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Hi, this is independabot — not Lili! You can ask her if you have questions, but she had no hand in generating this PR other than setting up the independabot schedule.
Please merge this PR yourself, if you approve.
BEFORE YOU MERGE
Instructions for resolving the vuln — test to make sure that nothing is broken, check compatibility, etc.
@babel/coreupdated7.28.6→7.29.7(transitive dev dependency; onlypackage-lock.jsonchanged).sourceMappingURLcomment (severity: low).npm auditno longer flags@babel/core;npm run lintpasses (exit 0). Fixed vianpm update @babel/core— the parenteslint-plugin-react-hooksallows^7.24.4, so7.29.7satisfies it (vulnerable range was<= 7.29.0).Highlight the risky code / where the dependency was used
@babel/coreis a transitive, dev-only dependency pulled in byeslint-plugin-react-hooks. It is not part of the app runtime bundle. The change is confined topackage-lock.json— no source orpackage.jsonchanges.Special instructions for this PR — e.g. if it's a Stainless thing
next buildwas not run (low risk for a dev transpiler patch bump); verification usednpm run lint+npm audit.npm auditreports 3 unrelated, pre-existing moderate advisories (brace-expansion,js-yaml,yaml) that are not part of this Dependabot alert and were intentionally left untouched.AFTER YOU MERGE
No post-merge steps required.
Conversation: https://staging.warp.dev/conversation/f4caca81-edfe-45a5-86a6-136ea15e246d
Run: https://oz.staging.warp.dev/runs/019f1dc5-2eba-7e71-9a41-240a7b4f6a94
This PR was generated with Oz.