babel-template-6.26.0.tgz: 1 vulnerabilities (highest severity is: 8.8) #1088
Assignees
Labels
Mend: dependency security vulnerability
Security vulnerability detected by Mend
Comments
mend-for-github.aaakk.us.kg
bot
added
the
Mend: dependency security vulnerability
joshuarrrr
added a commit
to joshuarrrr/oui
that referenced
this issue
Oct 16, 2023
…ate` Fixes opensearch-project#1088 Signed-off-by: Josh Romero <[email protected]>
7 tasks
joshuarrrr
added a commit
to joshuarrrr/oui
that referenced
this issue
Oct 17, 2023
…ate` Fixes opensearch-project#1088 Signed-off-by: Josh Romero <[email protected]>
mend-for-github.aaakk.us.kg
bot
changed the title
joshuarrrr
added a commit
that referenced
this issue
Nov 14, 2023
* remove `babel-core` dep and upgrade `babel-template` to `@babel/template` Fixes #1088 Signed-off-by: Josh Romero <[email protected]> * update changelog Signed-off-by: Josh Romero <[email protected]> * Bump `react-view`from `2.3.2` to `2.3.7` Also clean up resolutions and update some locked deps. Signed-off-by: Josh Romero <[email protected]> * Revert "Bump `react-view`from `2.3.2` to `2.3.7`" This reverts commit d422448. Signed-off-by: Josh Romero <[email protected]> --------- Signed-off-by: Josh Romero <[email protected]>
opensearch-trigger-bot bot
pushed a commit
that referenced
this issue
Nov 14, 2023
* remove `babel-core` dep and upgrade `babel-template` to `@babel/template` Fixes #1088 Signed-off-by: Josh Romero <[email protected]> * update changelog Signed-off-by: Josh Romero <[email protected]> * Bump `react-view`from `2.3.2` to `2.3.7` Also clean up resolutions and update some locked deps. Signed-off-by: Josh Romero <[email protected]> * Revert "Bump `react-view`from `2.3.2` to `2.3.7`" This reverts commit d422448. Signed-off-by: Josh Romero <[email protected]> --------- Signed-off-by: Josh Romero <[email protected]> (cherry picked from commit 07a11b6) Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> # Conflicts: # CHANGELOG.md
joshuarrrr
pushed a commit
that referenced
this issue
Nov 14, 2023
* remove `babel-core` dep and upgrade `babel-template` to `@babel/template` Fixes #1088 Signed-off-by: Josh Romero <[email protected]> * update changelog Signed-off-by: Josh Romero <[email protected]> * Bump `react-view`from `2.3.2` to `2.3.7` Also clean up resolutions and update some locked deps. Signed-off-by: Josh Romero <[email protected]> * Revert "Bump `react-view`from `2.3.2` to `2.3.7`" This reverts commit d422448. Signed-off-by: Josh Romero <[email protected]> --------- Signed-off-by: Josh Romero <[email protected]> (cherry picked from commit 07a11b6) Signed-off-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com> # Conflicts: # CHANGELOG.md Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Found in HEAD commit: 0b9840aaaa6a50427d8716b1a7d0fa6114d3a6da
Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
Vulnerable Library - babel-traverse-6.26.0.tgz
The Babel Traverse module maintains the overall tree state, and is responsible for replacing, removing, and adding nodes
Library home page: https://registry.npmjs.org/babel-traverse/-/babel-traverse-6.26.0.tgz
Path to dependency file: /package.json
Path to vulnerable library: /package.json
Dependency Hierarchy:
Found in HEAD commit: 0b9840aaaa6a50427d8716b1a7d0fa6114d3a6da
Found in base branch: main
Vulnerability Details
Babel is a compiler for writingJavaScript. In
@babel/traverseprior to versions 7.23.2 and 8.0.0-alpha.4 and all versions ofbabel-traverse, using Babel to compile code that was specifically crafted by an attacker can lead to arbitrary code execution during compilation, when using plugins that rely on thepath.evaluate()orpath.evaluateTruthy()internal Babel methods. Known affected plugins are@babel/plugin-transform-runtime;@babel/preset-envwhen using itsuseBuiltInsoption; and any "polyfill provider" plugin that depends on@babel/helper-define-polyfill-provider, such asbabel-plugin-polyfill-corejs3,babel-plugin-polyfill-corejs2,babel-plugin-polyfill-es-shims,babel-plugin-polyfill-regenerator. No other plugins under the@babel/namespace are impacted, but third-party plugins might be. Users that only compile trusted code are not impacted. The vulnerability has been fixed in@babel/[email protected]and@babel/[email protected]. Those who cannot upgrade@babel/traverseand are using one of the affected packages mentioned above should upgrade them to their latest version to avoid triggering the vulnerable code path in affected@babel/traverseversions:@babel/plugin-transform-runtimev7.23.2,@babel/preset-envv7.23.2,@babel/helper-define-polyfill-providerv0.4.3,babel-plugin-polyfill-corejs2v0.4.6,babel-plugin-polyfill-corejs3v0.8.5,babel-plugin-polyfill-es-shimsv0.10.0,babel-plugin-polyfill-regeneratorv0.5.3.Publish Date: 2023-10-12
URL: CVE-2023-45133
CVSS 3 Score Details (8.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-67hx-6x53-jw92
Release Date: 2023-10-12
Fix Resolution: @babel/traverse - 7.23.2
The text was updated successfully, but these errors were encountered: