
@razorgupta

Security Updates

This PR fixes security vulnerabilities found by Semgrep SCA.

✅ All packages validated for:

  • End of Life (EOL) status
  • Supply chain attack risks
  • Version stability (7-day cool-down or n-1 fallback)
  • Peer dependency compatibility

⚠️ Action Required:

  1. Run `yarn install` or `npm install` to regenerate the lock file with the fixed versions
  2. Run your build (`yarn build` / `npm run build`) to verify it compiles
  3. Run your test suite to verify compatibility
  4. Test in staging before merging to production

Updated Packages

NPM:

  • @babel/helper-define-polyfill-provider: transitive → 0.6.5
  • @babel/plugin-transform-runtime: transitive → 7.28.5
  • @babel/traverse: transitive → 7.28.5
  • babel-plugin-polyfill-corejs2: transitive → 0.4.14
  • babel-plugin-polyfill-corejs3: transitive → 0.13.0
  • babel-plugin-polyfill-regenerator: transitive → 0.6.5

Note: 12 total updates across multiple package files

🔐 Vulnerabilities Fixed

📋 Semgrep Findings Addressed

| Semgrep ID | Link |
|---|---|
| 143733008 | View in Semgrep |
| 143733009 | View in Semgrep |
| 143733010 | View in Semgrep |
| 152225437 | View in Semgrep |
| 152225438 | View in Semgrep |
| 152225439 | View in Semgrep |

Changes Made

  • Updated dependency files with secure versions
  • Regenerated lock files

This PR was created automatically by Security Bot.
Please review and test before merging.

Security fixes:
- @babel/helper-define-polyfill-provider: transitive → 0.6.5
- @babel/plugin-transform-runtime: transitive → 7.28.5
- @babel/traverse: transitive → 7.28.5
- babel-plugin-polyfill-corejs2: transitive → 0.4.14
- babel-plugin-polyfill-corejs3: transitive → 0.13.0
- babel-plugin-polyfill-regenerator: transitive → 0.6.5

Addresses vulnerabilities:
- CVE-2023-45133

Automated security fix by Security Bot
@razorgupta added the labels dependencies (Pull requests that update a dependency file), security and automated on Dec 4, 2025
