[Snyk] Upgrade: @babel/core, @babel/plugin-proposal-object-rest-spread, @babel/plugin-transform-runtime, @babel/preset-env, @babel/runtime#4
Open
snyk-bot wants to merge 1 commit into
Conversation
Snyk has created this PR to upgrade:
- @babel/core from 7.9.6 to 7.10.2.
See this package in NPM: https://www.npmjs.com/package/@babel/core
- @babel/plugin-proposal-object-rest-spread from 7.9.6 to 7.10.1.
See this package in NPM: https://www.npmjs.com/package/@babel/plugin-proposal-object-rest-spread
- @babel/plugin-transform-runtime from 7.9.6 to 7.10.1.
See this package in NPM: https://www.npmjs.com/package/@babel/plugin-transform-runtime
- @babel/preset-env from 7.9.6 to 7.10.2.
See this package in NPM: https://www.npmjs.com/package/@babel/preset-env
- @babel/runtime from 7.9.6 to 7.10.2.
See this package in NPM: https://www.npmjs.com/package/@babel/runtime
See this project in Snyk:
https://app.snyk.io/org/hiranp/project/dee5e8ac-38d5-4363-95c3-29f9b09a10bf?utm_source=github&utm_medium=upgrade-pr
hiranp
pushed a commit
that referenced
this pull request
Apr 17, 2026
## Overview This PR updates the Go toolchain version from `1.25.5` to `1.25.6` for the Gitea project. ## Changes ### Toolchain Update - **Go Toolchain**: Updated from `go1.25.5` to `go1.25.6` This is a minor toolchain version bump that ensures the project uses the latest patch release of Go 1.25. ## Security Improvements While this PR primarily addresses the toolchain update, the project maintains a strong security posture through: ### Current Security Measures ```log Vulnerability #1: GO-2026-4342 Excessive CPU consumption when building archive index in archive/zip More info: https://pkg.go.dev/vuln/GO-2026-4342 Standard library Found in: archive/zip@go1.25.5 Fixed in: archive/zip@go1.25.6 Example traces found: #1: modules/packages/nuget/metadata.go:217:25: nuget.ParseNuspecMetaData calls zip.Reader.Open Vulnerability #2: GO-2026-4341 Memory exhaustion in query parameter parsing in net/url More info: https://pkg.go.dev/vuln/GO-2026-4341 Standard library Found in: net/url@go1.25.5 Fixed in: net/url@go1.25.6 Example traces found: #1: modules/storage/minio.go:284:34: storage.MinioStorage.URL calls url.ParseQuery #2: routers/api/v1/repo/action.go:1640:29: repo.DownloadArtifactRaw calls url.URL.Query Vulnerability #3: GO-2026-4340 Handshake messages may be processed at the incorrect encryption level in crypto/tls More info: https://pkg.go.dev/vuln/GO-2026-4340 Standard library Found in: crypto/tls@go1.25.5 Fixed in: crypto/tls@go1.25.6 Example traces found: #1: services/auth/source/ldap/source_search.go:129:25: ldap.dial calls ldap.Conn.StartTLS, which calls tls.Conn.Handshake #2: modules/graceful/server.go:156:14: graceful.Server.Serve calls http.Server.Serve, which eventually calls tls.Conn.HandshakeContext #3: modules/lfs/content_store.go:132:27: lfs.hashingReader.Read calls tls.Conn.Read #4: modules/proxyprotocol/conn.go:91:21: proxyprotocol.Conn.Write calls tls.Conn.Write #5: modules/session/virtual.go:168:39: session.VirtualStore.Release calls couchbase.CouchbaseProvider.Exist, which eventually calls tls.Dial #6: services/auth/source/ldap/source_search.go:120:22: ldap.dial calls ldap.DialTLS, which calls tls.DialWithDialer #7: services/migrations/gogs.go:114:34: migrations.client calls http.Transport.RoundTrip, which eventually calls tls.Dialer.DialContext ``` ## Breaking Changes None expected. This is a minor toolchain patch update.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Snyk has created this PR to upgrade multiple dependencies.
👯♂ The following dependencies are linked and will therefore be updated together.ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.
from 7.9.6 to 7.10.2
on 2020-05-30
from 7.9.6 to 7.10.1
on 2020-05-27
from 7.9.6 to 7.10.1
on 2020-05-27
from 7.9.6 to 7.10.2
on 2020-05-30
from 7.9.6 to 7.10.2
on 2020-05-30
Release notes
Package name: @babel/core
-
7.10.2 - 2020-05-30
- #11648 fix: don't mutate InputTarget's passed to @babel/helper-compilation-targets (@fivetanley)
- #11634 Class features loose should have precedence over preset-env (@nicolo-ribaudo)
- #11645 fix: add bigIntSuffix to minified output (@JLHwung)
- #11641 Add support for printing ImportAttribute (@existentialism)
- #11631 Fix moduleAttributesVersion errors with stage-0 preset in babel standalone (@hamlim)
- #11643 fix: add new plugin names to missing plugin helpers (@JLHwung)
- #11653 refactor: split locationParser into ParserErrors and error message (@JLHwung)
- Brian Ng (@existentialism)
- Huáng Jùnliàng (@JLHwung)
- Kai Cataldo (@kaicataldo)
- Matt Hamlin (@hamlim)
- Nicolò Ribaudo (@nicolo-ribaudo)
- Stanley Stuart (@fivetanley)
-
7.10.1 - 2020-05-27
- #11633 [hotfix] Use same targets for fields as for private methods (@nicolo-ribaudo)
- #11624 Fix standalone tag when data-type is not set. (@dfabulich)
- Every package
- #11625 Use
- Dan Fabulich (@dfabulich)
- Nicolò Ribaudo (@nicolo-ribaudo)
- Saulo Santiago (@saulosantiago)
-
7.10.0 - 2020-05-26
- #11370 logical-assignment: Do not assign names to anonymous functions (@arku)
- #11248 Handle private access chained on an optional chain (@jridgewell)
- #11593 feat: add privatePropertyInObject to babel-standalone (@JLHwung)
- #11466 Support data-type="module" to generate native <script type="module"> (@dfabulich)
- #11372 Add private-property-in-object support (@jridgewell)
- #11377 Transform ES2015 Unicode Escapes to ES5 (@jridgewell)
- #10962 added basic support for module attributes and tests updated (@vivek12345)
- #11434 [
- #11220 Log after subsequent compilations in --watch mode (@nicolo-ribaudo)
- #11265 Add "allowArrayLike" option to the destructuring and spread transforms (@nicolo-ribaudo)
- #11266 Add "allowArrayLike" support to the for-of transform (@nicolo-ribaudo)
- #11406 Enable import.meta by default in @babel/parser (#11364) (@kik-o)
- #11428 Implement
- #11451 Add class proposals to shipped proposals (@JLHwung)
- #11595 scope.rename() missing identifier in VariableDeclarator (@yulanggong)
- #10961 fix: optional-chaining should work correctly with ts non-null operator (@macabeus)
- #11547 refactor: add isLiteralPropertyName to parser utils (@JLHwung)
- #11523 fix: don't elide jsx pragma import namespaces (@jquense)
- #11550 fix(plugin-proposal-object-rest-spread): use computed memberExpression for literal keys (@kitos)
- #11530 fix: skip transforming
- #11502 getters and setters support in generator for declare class statement (@zxbodya)
- #11514 [helpers] Add a private function name within
- Other
- #11603 Fix typo (@fisker)
- #11598 chore: use latest node in GitHub actions (@JLHwung)
- #11590 chore: update test262 (@JLHwung)
- #11522 chore: pin windows node.js version (@JLHwung)
- #11504 chore: update babel deps (@JLHwung)
- #11597 Fix comments for smartPipeline topic-forbidding contexts (@lazytype)
- #11512 Use ?. where it represents the intended semantics (@nicolo-ribaudo)
- #11520 Use single object spread call in loose mode (@jridgewell)
- #11538 Downgrade rollup to 1.27.9 (@nicolo-ribaudo)
- Andrew Leedham (@AndrewLeedham)
- Arun Kumar Mohan (@arku)
- Bogdan Savluk (@zxbodya)
- Bruno Macabeus (@macabeus)
- Christoph Nakazawa (@cpojer)
- Devon Govett (@devongovett)
- Henry Zhu (@hzoo)
- Huáng Jùnliàng (@JLHwung)
- Jason Quense (@jquense)
- Justin Ridgewell (@jridgewell)
- Kiko Estrada (@kik-o)
- Nicolò Ribaudo (@nicolo-ribaudo)
- Nikita Kirsanov (@kitos)
- Vivek Nayyar (@vivek12345)
- @dfabulich
- @lazytype
- fisker Cheung (@fisker)
- 任文龙 (@yulanggong)
-
7.9.6 - 2020-04-29
from @babel/core GitHub release notesv7.10.2 (2020-05-30)
Thanks @fivetanley and @hamlim for their first PRs!
🐛 Bug Fix
babel-helper-compilation-targetsbabel-helper-create-class-features-plugin,babel-preset-envbabel-generatorbabel-generator,babel-typesbabel-plugin-syntax-module-attributes,babel-standalone💅 Polish
babel-core🏠 Internal
babel-parserCommitters: 6
v7.10.1 (2020-05-27)
This releases includes fixes for two bugs introduced in 7.10.0. There are still a few known bugs, and we'll fix them soon.
Thanks @saulosantiago for your first PR!
🐛 Bug Fix
babel-preset-envbabel-standalone🏠 Internal
repository.directoryfield inpackage.jsonfiles (@saulosantiago)Committers: 3
v7.10.0 (2020-05-26)
Thanks @AndrewLeedham, @fisker, @kik-o, @kitos, @lazytype for their first PRs!
We are also releasing the first experimental version of the new polyfills plugins: you can check them out at
babel/babel-polyfills.👓 Spec Compliance
babel-plugin-proposal-logical-assignment-operators🚀 New Feature
babel-helper-create-class-features-plugin,babel-helper-member-expression-to-functions,babel-helper-optimise-call-expression,babel-helper-replace-supers,babel-parser,babel-plugin-proposal-class-propertiesbabel-standalonebabel-cli,babel-helper-create-class-features-plugin,babel-parser,babel-plugin-proposal-private-property-in-object,babel-typesbabel-compat-data,babel-plugin-transform-template-literals,babel-plugin-transform-unicode-escapes,babel-preset-env,babel-standalonebabel-parser,babel-plugin-syntax-module-attributes,babel-standalonebabel-helper-compilation-targets,babel-preset-envpreset-env] AddbrowserslistEnvoption (@AndrewLeedham)babel-clibabel-helpers,babel-plugin-transform-destructuring,babel-plugin-transform-spread,babel-traversebabel-helpers,babel-plugin-transform-for-of,babel-preset-envbabel-parserbabel-plugin-transform-react-pure-annotations,babel-preset-reactplugin-transform-react-pure-annotationsand add topreset-react(@devongovett)babel-compat-data,babel-preset-env🐛 Bug Fix
babel-traversebabel-plugin-proposal-optional-chainingbabel-parser,babel-typesbabel-plugin-transform-typescriptbabel-plugin-proposal-object-rest-spreadbabel-plugin-transform-runtimedelete something.includes(@JLHwung)babel-generator💅 Polish
babel-helpers,babel-plugin-proposal-class-properties,babel-plugin-proposal-decorators,babel-plugin-transform-classes,babel-plugin-transform-function-name,babel-plugin-transform-parameters,babel-plugin-transform-react-jsx,babel-plugin-transform-runtime,babel-plugin-transform-typescript,babel-preset-envcreateSuper(@cpojer)🏠 Internal
babel-parserbabel-core,babel-generator,babel-helper-compilation-targets,babel-helpers,babel-parser,babel-plugin-proposal-decorators,babel-plugin-proposal-json-strings,babel-plugin-transform-block-scoping,babel-plugin-transform-flow-comments,babel-plugin-transform-modules-systemjs,babel-plugin-transform-react-jsx-source,babel-plugin-transform-runtime,babel-preset-env,babel-standalone,babel-template,babel-traverse,babel-types🏃♀️ Performance
babel-plugin-proposal-object-rest-spread↩️ Revert
babel-standaloneCommitters: 18
Read more
Package name: @babel/plugin-proposal-object-rest-spread
-
7.10.1 - 2020-05-27
- #11633 [hotfix] Use same targets for fields as for private methods (@nicolo-ribaudo)
- #11624 Fix standalone tag when data-type is not set. (@dfabulich)
- Every package
- #11625 Use
- Dan Fabulich (@dfabulich)
- Nicolò Ribaudo (@nicolo-ribaudo)
- Saulo Santiago (@saulosantiago)
-
7.10.0 - 2020-05-26
-
7.9.6 - 2020-04-29
from @babel/plugin-proposal-object-rest-spread GitHub release notesv7.10.1 (2020-05-27)
This releases includes fixes for two bugs introduced in 7.10.0. There are still a few known bugs, and we'll fix them soon.
Thanks @saulosantiago for your first PR!
🐛 Bug Fix
babel-preset-envbabel-standalone🏠 Internal
repository.directoryfield inpackage.jsonfiles (@saulosantiago)Committers: 3
Read more
Read more
Package name: @babel/plugin-transform-runtime
-
7.10.1 - 2020-05-27
-
7.10.0 - 2020-05-26
-
7.9.6 - 2020-04-29
from @babel/plugin-transform-runtime GitHub release notesRead more
Read more
Read more
Package name: @babel/preset-env
-
7.10.2 - 2020-05-30
-
7.10.1 - 2020-05-27
-
7.10.0 - 2020-05-26
-
7.9.6 - 2020-04-29
from @babel/preset-env GitHub release notesRead more
Read more
Read more
Read more
Package name: @babel/runtime
-
7.10.2 - 2020-05-30
-
7.10.1 - 2020-05-27
-
7.10.0 - 2020-05-26
-
7.9.6 - 2020-04-29
from @babel/runtime GitHub release notesRead more
Read more
Read more
Read more
Commit messages
Package name: @babel/core
Compare
Package name: @babel/plugin-proposal-object-rest-spread
Compare
Package name: @babel/plugin-transform-runtime
Compare
Package name: @babel/preset-env
Compare
Package name: @babel/runtime
Compare
Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.
For more information:
🧐 View latest project report
🛠 Adjust upgrade PR settings
🔕 Ignore this dependency or unsubscribe from future upgrade PRs