Conversation

@razorgupta
Security Updates

This PR fixes security vulnerabilities found by Semgrep SCA.

✅ All packages validated for:

  • End of Life (EOL) status
  • Supply chain attack risks
  • Version stability (7-day cool-down or n-1 fallback)
  • Peer dependency compatibility

⚠️ Action Required:

  • Run your test suite to verify compatibility
  • Check for peer dependency warnings
  • Test in staging before merging to production

Updated Packages

NPM:

  • @babel/preset-env: ^7.4.5 → 7.28.5
  • @babel/traverse: transitive → 7.28.5

Vulnerabilities Fixed

Changes Made

  • Updated dependency files with secure versions
  • Regenerated lock files

This PR was created automatically by Security Bot
Please review and test before merging

Security fixes:
- @babel/preset-env: ^7.4.5 → 7.28.5
- @babel/traverse: transitive → 7.28.5

Addresses vulnerabilities:
- CVE-2023-45133

Automated security fix by Security Bot
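Added example, not part of the PR or the Security Bot's tooling: a small audit of an npm lockfile (lockfileVersion 2/3 "packages" map) that reports every resolved copy of a package, nested copies included, still below the minimum fixed version. The rollup and get-func-name thresholds are the ones Semgrep cites on this PR; the @babel/traverse threshold (7.23.2) is the upstream fix release for CVE-2023-45133 and is an assumption here, since the page only names the target version 7.28.5. The lockfile is constructed for the example; function names are hypothetical.

```javascript
// Added example (not the project's code): flag lockfile entries below the
// fixed version named in the advisory, including nested duplicates.

// Minimum fixed versions. rollup and get-func-name: from the Semgrep findings
// on this PR. @babel/traverse: upstream fix release for CVE-2023-45133
// (assumption made here; the page only names the 7.28.5 target).
const MIN_FIXED = {
  '@babel/traverse': '7.23.2',
  'rollup': '2.79.2',
  'get-func-name': '2.0.1',
};

// Parse "1.2.3" or "1.2.3-beta.1". A prerelease sorts below the same release,
// so "2.79.2-0" is still reported as below 2.79.2.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)(?:-([0-9A-Za-z.-]+))?/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return { nums: [Number(m[1]), Number(m[2]), Number(m[3])], pre: m[4] || null };
}

// Returns -1, 0 or 1 like a comparator; numeric on major.minor.patch,
// release > prerelease, prerelease tags compared as strings.
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa.nums[i] !== pb.nums[i]) return pa.nums[i] < pb.nums[i] ? -1 : 1;
  }
  if (pa.pre === pb.pre) return 0;
  if (pa.pre === null) return 1;
  if (pb.pre === null) return -1;
  return pa.pre < pb.pre ? -1 : 1;
}

// Package name from a lockfile key such as
// "node_modules/foo/node_modules/@babel/traverse" -> "@babel/traverse".
function packageNameFromKey(key) {
  const idx = key.lastIndexOf('node_modules/');
  return idx === -1 ? null : key.slice(idx + 'node_modules/'.length);
}

// Walk lock.packages and return every entry whose version is below MIN_FIXED.
function findVulnerable(lock, minFixed = MIN_FIXED) {
  const hits = [];
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    const name = packageNameFromKey(key);
    if (!name || !(name in minFixed) || !entry.version) continue;
    if (compareVersions(entry.version, minFixed[name]) < 0) {
      hits.push({ path: key, name, version: entry.version, fixed: minFixed[name] });
    }
  }
  return hits;
}

// Constructed sample lockfile (not the PR's real package-lock.json): a patched
// top-level rollup, a stale nested copy, and a stale get-func-name.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'common-frontend-utils' },
    'node_modules/rollup': { version: '2.79.2' },
    'node_modules/some-plugin/node_modules/rollup': { version: '2.79.1' },
    'node_modules/get-func-name': { version: '2.0.0' },
    'node_modules/@babel/traverse': { version: '7.28.5' },
  },
};

for (const h of findVulnerable(SAMPLE_LOCK)) {
  console.log(`${h.path}: ${h.name}@${h.version} < ${h.fixed}`);
}
```

Run against a real lockfile with `JSON.parse(fs.readFileSync('package-lock.json'))` in place of SAMPLE_LOCK. The nested-copy case is the one that matters after a "regenerated lock files" commit: a bumped top-level entry does not remove a stale copy pinned under another dependency, which is exactly what a bot that only edits package.json ranges can leave behind.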
@razorgupta added the dependencies, security and automated labels on Dec 3, 2025
@semgrep-code-razorpay

Semgrep found 1 ssc-cee3e6d5-d7c8-4c35-9815-076aa1ebfd49 finding:

Risk: Affected versions of rollup are vulnerable to Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting').

Manual Review Advice: A vulnerability from this advisory is reachable if you use Rollup to bundle JavaScript with import.meta.url and the output format is set to cjs, umd, or iife, while allowing users to inject scriptless HTML elements with unsanitized name attributes.

Fix: Upgrade this library to at least version 2.79.2 at common-frontend-utils/package-lock.json:10823.

Reference(s): GHSA-gcx4-mw62-g8wm, CVE-2024-47068

🔴 Fix or ignore this finding to merge your pull request.

Semgrep found 1 ssc-5a557c33-4191-4714-a574-8efb44cf209b finding:

Risk: Affected version of get-func-name is vulnerable to Uncontrolled Resource Consumption / Inefficient Regular Expression Complexity. The current regex implementation for parsing values in the module is susceptible to excessive backtracking, leading to potential DoS attacks.

Fix: Upgrade this library to at least version 2.0.1 at common-frontend-utils/package-lock.json:5770.

Reference(s): GHSA-4q6p-r6v2-jvc5, CVE-2023-43646

🔴 Fix or ignore this finding to merge your pull request.
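Added example, not part of the Semgrep comment or of rollup itself, showing why the rollup finding is only reachable under the conditions the bot lists. In cjs/umd/iife output, `import.meta.url` is emulated from `document.currentScript.src`; because `Document` is `[LegacyOverrideBuiltIns]`, an attacker-injected `<img name="currentScript" src="https://evil.example/x/">` shadows the built-in property (DOM clobbering), and a later `new URL('worker.js', import.meta.url)` resolves against the attacker's origin. The `document` objects below are constructed stand-ins, and the two resolvers mirror the pattern rather than quote rollup's generated code; that the fix in 2.79.2 is equivalent to the tag-name check shown is an assumption here.

```javascript
// Added example (not rollup's code): the import.meta.url emulation pattern
// with and without a guard against DOM clobbering of document.currentScript.

// Vulnerable pattern: trust whatever document.currentScript currently is.
function resolveImportMetaUrlVulnerable(doc, fallback = 'bundle.js') {
  return (doc.currentScript && doc.currentScript.src) ||
    new URL(fallback, doc.baseURI).href;
}

// Hardened pattern: only accept a real <script> element; otherwise fall back
// to a URL resolved against the document's own base.
function resolveImportMetaUrlHardened(doc, fallback = 'bundle.js') {
  const cs = doc.currentScript;
  const isScript = !!cs && typeof cs.tagName === 'string' &&
    cs.tagName.toUpperCase() === 'SCRIPT';
  return (isScript && cs.src) || new URL(fallback, doc.baseURI).href;
}

// Minimal model of the browser rule: named <img>/<form>/<iframe>/<embed>/<object>
// elements become properties of document and override built-ins such as
// currentScript (constructed stand-in, not a real DOM).
function makeDocument({ baseURI, script, injectedHtmlElements = [] }) {
  const doc = { baseURI, currentScript: script };
  for (const el of injectedHtmlElements) {
    if (['IMG', 'FORM', 'IFRAME', 'EMBED', 'OBJECT'].includes(el.tagName) && el.name) {
      doc[el.name] = el; // clobbers doc.currentScript when name="currentScript"
    }
  }
  return doc;
}

// Constructed scenario: bundle served from app.example; the attacker can get a
// scriptless element with a name attribute into the page before the bundle runs.
const scriptEl = { tagName: 'SCRIPT', src: 'https://app.example/static/bundle.js' };
const clobber = { tagName: 'IMG', name: 'currentScript', src: 'https://evil.example/x/' };

function demo() {
  const clean = makeDocument({ baseURI: 'https://app.example/', script: scriptEl });
  const hostile = makeDocument({
    baseURI: 'https://app.example/', script: scriptEl, injectedHtmlElements: [clobber],
  });
  const hostileVulnerable = resolveImportMetaUrlVulnerable(hostile);
  return {
    cleanVulnerable: resolveImportMetaUrlVulnerable(clean),
    hostileVulnerable,
    // What a bundle typically does next with import.meta.url:
    workerFromHostile: new URL('worker.js', hostileVulnerable).href,
    hostileHardened: resolveImportMetaUrlHardened(hostile),
  };
}

console.log(demo());
```

The hardened resolver loses the true script URL once the property is clobbered, but degrades to an origin-controlled URL instead of an attacker-controlled one. The practical check for this repository is therefore not only the version bump Semgrep asks for but whether any bundle is emitted as cjs/umd/iife with `import.meta.url` in a page that accepts user-supplied markup; es-format output uses the real `import.meta.url` and is not affected.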
