Skip to content

chore: refresh @babel/core lockfile to ^7.29.7 to address CVE-2026-49356#1344

Merged
brendan-kellam merged 1 commit into
mainfrom
linear/sou-1370-sourcebot-devsourcebot-cve-2026-49356-babelcore-c16f
Jun 17, 2026
Merged

chore: refresh @babel/core lockfile to ^7.29.7 to address CVE-2026-49356#1344
brendan-kellam merged 1 commit into
mainfrom
linear/sou-1370-sourcebot-devsourcebot-cve-2026-49356-babelcore-c16f

Conversation

@linear-code

@linear-code linear-code Bot commented Jun 17, 2026

Copy link
Copy Markdown
Contributor

Fixes SOU-1370

Note

This duplicates #1339 (SOU-1363), which makes the identical fix. SOU-1370 and SOU-1363 are the same Dependabot alert for CVE-2026-49356. The tooling for this session can only push to / edit this branch, so I couldn't fold SOU-1370 into #1339 directly. Whichever PR merges first, the other can be closed.

#1333 addressed CVE-2026-49356 but only refreshed the @babel/core@^7.18.5 lock entry. The entry shared by ^7.24.4 and ^7.26.0 (eslint-plugin-react-hooks, react-scan) was still pinned to 7.29.0, below the patched 7.29.6, so Dependabot re-flagged the alert.

This refreshes that entry via yarn up -R @babel/core. Every transitive @babel/core instance now resolves to 7.29.7. Lockfile-only change; no new CHANGELOG line since the existing @babel/core entry from #1333 already covers it.



#1333 addressed CVE-2026-49356 but left the @babel/core entry shared by
^7.24.4 and ^7.26.0 (eslint-plugin-react-hooks, react-scan) pinned to
7.29.0, below the patched 7.29.6. Refresh via yarn up -R @babel/core so
every transitive instance resolves to 7.29.7. Lockfile-only change.

Generated with [Linear](https://linear.app/sourcebot/issue/SOU-1370/sourcebot-devsourcebot-cve-2026-49356-babelcore-arbitrary-file-read#agent-session-a076660e)

Co-authored-by: linear-code[bot] <222613912+linear-code[bot]@users.noreply.github.com>
@github-actions

Copy link
Copy Markdown
Contributor

License Audit

❌ Audit failed to produce results. Check the workflow logs for details.

@brendan-kellam brendan-kellam marked this pull request as ready for review June 17, 2026 23:48
@github-actions

Copy link
Copy Markdown
Contributor

@brendan-kellam your pull request is missing a changelog!

@brendan-kellam brendan-kellam merged commit 0dbf1be into main Jun 17, 2026
9 of 10 checks passed
@brendan-kellam brendan-kellam deleted the linear/sou-1370-sourcebot-devsourcebot-cve-2026-49356-babelcore-c16f branch June 17, 2026 23:48
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant