Skip to content

fix: update @babel/core to resolve CVE-2026-49356#86

Merged
dannyneira merged 1 commit into
mainfrom
independabot/@babel/core-CVE-2026-49356
Jul 1, 2026
Merged

fix: update @babel/core to resolve CVE-2026-49356#86
dannyneira merged 1 commit into
mainfrom
independabot/@babel/core-CVE-2026-49356

Conversation

@guyscherzer8

Copy link
Copy Markdown
Contributor

Hi, this is independabot — not Lili! You can ask her if you have questions, but she had no hand in generating this PR other than setting up the independabot schedule.

Please merge this PR yourself, if you approve.

BEFORE YOU MERGE

Instructions for resolving the vuln — test to make sure that nothing is broken, check compatibility, etc.

  • Dependency: @babel/core updated 7.28.67.29.7 (transitive dev dependency; only package-lock.json changed).
  • Advisory: CVE-2026-49356 / GHSA-4x5r-pxfx-6jf8 — Arbitrary File Read via sourceMappingURL comment (severity: low).
  • Dependabot alert: https://github.com/warpdotdev/commands.dev/security/dependabot/102
  • Verification: npm audit no longer flags @babel/core; npm run lint passes (exit 0). Fixed via npm update @babel/core — the parent eslint-plugin-react-hooks allows ^7.24.4, so 7.29.7 satisfies it (vulnerable range was <= 7.29.0).

Highlight the risky code / where the dependency was used

@babel/core is a transitive, dev-only dependency pulled in by eslint-plugin-react-hooks. It is not part of the app runtime bundle. The change is confined to package-lock.json — no source or package.json changes.

Special instructions for this PR — e.g. if it's a Stainless thing

  • Dev-only lockfile change. Full next build was not run (low risk for a dev transpiler patch bump); verification used npm run lint + npm audit.
  • Out of scope: npm audit reports 3 unrelated, pre-existing moderate advisories (brace-expansion, js-yaml, yaml) that are not part of this Dependabot alert and were intentionally left untouched.

AFTER YOU MERGE

No post-merge steps required.


Conversation: https://staging.warp.dev/conversation/f4caca81-edfe-45a5-86a6-136ea15e246d
Run: https://oz.staging.warp.dev/runs/019f1dc5-2eba-7e71-9a41-240a7b4f6a94

This PR was generated with Oz.

Co-Authored-By: Oz <oz-agent@warp.dev>
@vercel

vercel Bot commented Jul 1, 2026

Copy link
Copy Markdown

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
commands-dev Ready Ready Preview, Comment Jul 1, 2026 1:12pm

Request Review

@guyscherzer8 guyscherzer8 requested a review from dannyneira July 1, 2026 13:14
@dannyneira dannyneira merged commit 2da554d into main Jul 1, 2026
6 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants