build(deps-dev): bump @babel/helpers from 7.21.0 to 7.27.0

[dependabot]

Bumps @babel/helpers from 7.21.0 to 7.27.0.

Release notes

Sourced from @​babel/helpers's releases.

v7.27.0 (2025-03-24)

Thanks @​ishchhabra and @​vovkasm for your first PRs!

👓 Spec Compliance

• babel-generator, babel-parser
  • #16977 Default importAttributesKeyword to with (@​JLHwung)

🚀 New Feature

• babel-helper-create-class-features-plugin, babel-traverse, babel-types
  • #17169 Allow traverseFast to exit early (@​liuxingbaoyu)
• babel-parser, babel-types
  • #17110 Add ImportAttributes to Standardized and move its parser test fixtures (@​JLHwung)
• babel-generator
  • #17100 fix(babel-generator): add named export of generate function (@​vovkasm)
• babel-parser, babel-template
  • #17149 Add allowYieldOutsideFunction to parser (@​liuxingbaoyu)
• babel-plugin-transform-typescript, babel-traverse
  • #17102 feat: Add upToScope parameter to hasBinding (@​liuxingbaoyu)
• babel-parser
  • #17082 Support ESTree AccessorProperty (@​JLHwung)
• babel-types
  • #17162 feat(babel-types): Add support for BigInt literal conversion in valueToNode (@​ishchhabra)

🐛 Bug Fix

• babel-helper-create-class-features-plugin, babel-plugin-transform-class-properties
  • #16816 fix: Class reference in type throws error (@​liuxingbaoyu)
• babel-traverse
  • #17170 fix: Reset child scopes when scope.crawl() (@​liuxingbaoyu)
• babel-helpers, babel-preset-typescript, babel-runtime-corejs2, babel-runtime-corejs3, babel-runtime
  • #17118 Fix: align behaviour to tsc rewriteRelativeImportExtensions (@​JLHwung)
• babel-cli
  • #17182 fix: @babel/cli generates duplicate inline source maps (@​liuxingbaoyu)
• babel-plugin-transform-named-capturing-groups-regex, babel-types
  • #17175 Generate computed proto key (@​JLHwung)

🏃‍♀️ Performance

• babel-types
  • #16870 perf: Improve builders of @babel/types (@​liuxingbaoyu)
• babel-helper-create-regexp-features-plugin
  • #17176 fix: improve duplicate named groups check (@​JLHwung)

Committers: 5

• Babel Bot (@​babel-bot)
• Huáng Jùnliàng (@​JLHwung)
• Ish Chhabra (@​ishchhabra)
• Vladimir Timofeev (@​vovkasm)
• @​liuxingbaoyu

v7.26.10 (2025-03-11)

... (truncated)

Changelog

Sourced from @​babel/helpers's changelog.

v7.27.0 (2025-03-24)

👓 Spec Compliance

• babel-generator, babel-parser
  • #16977 Default importAttributesKeyword to with (@​JLHwung)

🚀 New Feature

• babel-helper-create-class-features-plugin, babel-traverse, babel-types
  • #17169 Allow traverseFast to exit early (@​liuxingbaoyu)
• babel-parser, babel-types
  • #17110 Add ImportAttributes to Standardized and move its parser test fixtures (@​JLHwung)
• babel-generator
  • #17100 fix(babel-generator): add named export of generate function (@​vovkasm)
• babel-parser, babel-template
  • #17149 Add allowYieldOutsideFunction to parser (@​liuxingbaoyu)
• babel-plugin-transform-typescript, babel-traverse
  • #17102 feat: Add upToScope parameter to hasBinding (@​liuxingbaoyu)
• babel-parser
  • #17082 Support ESTree AccessorProperty (@​JLHwung)
• babel-types
  • #17162 feat(babel-types): Add support for BigInt literal conversion in valueToNode (@​ishchhabra)

🐛 Bug Fix

• babel-helper-create-class-features-plugin, babel-plugin-transform-class-properties
  • #16816 fix: Class reference in type throws error (@​liuxingbaoyu)
• babel-traverse
  • #17170 fix: Reset child scopes when scope.crawl() (@​liuxingbaoyu)
• babel-helpers, babel-preset-typescript, babel-runtime-corejs2, babel-runtime-corejs3, babel-runtime
  • #17118 Fix: align behaviour to tsc rewriteRelativeImportExtensions (@​JLHwung)
• babel-cli
  • #17182 fix: @babel/cli generates duplicate inline source maps (@​liuxingbaoyu)
• babel-plugin-transform-named-capturing-groups-regex, babel-types
  • #17175 Generate computed proto key (@​JLHwung)

🏃‍♀️ Performance

• babel-types
  • #16870 perf: Improve builders of @babel/types (@​liuxingbaoyu)
• babel-helper-create-regexp-features-plugin
  • #17176 fix: improve duplicate named groups check (@​JLHwung)

v7.26.10 (2025-03-11)

👓 Spec Compliance

• babel-parser
  • #17159 Disallow decorator in array pattern (@​JLHwung)

🐛 Bug Fix

• babel-parser, babel-template
  • #17164 Fix: always initialize ExportDeclaration attributes (@​JLHwung)
• babel-core
  • #17142 fix: "Map maximum size exceeded" in deepClone (@​liuxingbaoyu)

... (truncated)

Commits

• 5c350ea v7.27.0
• ca4865a Fix: align behaviour to tsc rewriteRelativeImportExtensions (#17118)
• e1ce99d v7.26.10
• d5952e8 Fix processing of replacement pattern with named capture groups (#17173)
• 64bca7b v7.26.9
• 4cf5c9e [babel 8] Use @babel/types for parser's return type (#17117)
• 2d95140 v7.26.7
• 0e6199b Make "object without properties" helpers ES6-compatible (#17086)
• cd24cc0 chore: Update TS 5.7 (#17053)
• 63d3038 v7.26.0
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot merge will merge this PR after your CI passes on it
• @dependabot squash and merge will squash and merge this PR after your CI passes on it
• @dependabot cancel merge will cancel a previously requested merge and block automerging
• @dependabot reopen will reopen this PR if it is closed
• @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
  You can disable automated security fix PRs for this repo from the Security Alerts page.

[TheRedHatter]

🎉 Snyk checks have passed. No issues have been found so far.

✅ security/snyk check is complete. No issues have been found. (View Details)

✅ license/snyk check is complete. No issues have been found. (View Details)

[semgrep-code-therredhatter]

Semgrep found 1 ssc-1676dcdc-09e4-4f68-8fa8-5ff232a5b53f finding:

• package-lock.json
  • L10268 - Triage

Risk: Affected versions of jsonwebtoken are vulnerable to Improper Authentication. Insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC.

Manual Review Advice: A vulnerability from this advisory is reachable if you are using a poorly implemented key retrieval function and your application is supporting usage of both symmetric key and asymmetric key in jwt.verify() implementation with the same key retrieval function.

Fix: Upgrade this library to at least version 9.0.0 at brokencrystals/package-lock.json:10268.

Reference(s): GHSA-hjrf-2m68-5959, CVE-2022-23541

Semgrep found 1 ssc-30d12dd5-94ad-46fa-9d32-3d5477d86f3e finding:

• package-lock.json
  • L10268 - Triage

Risk: Affected versions of jsonwebtoken are vulnerable to Use Of A Broken Or Risky Cryptographic Algorithm. The library could be misconfigured so that legacy, insecure key types are used for signature verification. For example, DSA keys could be used with the RS256 algorithm.

Manual Review Advice: A vulnerability from this advisory is reachable if you are using a legacy, insecure key type with a supported algorithm; for example, DSA keys could be used with the RS256 algorithm

Fix: Upgrade this library to at least version 9.0.0 at brokencrystals/package-lock.json:10268.

Reference(s): GHSA-8cf7-32gw-wr33, CVE-2022-23539

Semgrep found 1 ssc-37ae9e0a-cbf0-4910-8f73-04f2275899a6 finding:

• package-lock.json
  • L15782 - Triage

Risk: webpack 5.x before 5.76.0 is vulnerable to Improper Access Control due to ImportParserPlugin.js mishandling the magic comment feature. Due to this, webpack does not avoid cross-realm object access and an attacker who controls a property of an untrusted object can obtain access to the real global object.

Manual Review Advice: A vulnerability from this advisory is reachable if you host an application utilizing webpack and an attacker can control a property of an untrusted object

Fix: Upgrade this library to at least version 5.76.0 at brokencrystals/package-lock.json:15782.

Reference(s): GHSA-hc6q-2mpp-qw7j, CVE-2023-28154

[semgrep-code-theredhatter]

Semgrep found 1 ssc-1676dcdc-09e4-4f68-8fa8-5ff232a5b53f finding:

• package-lock.json
  • L10268 - Triage

Risk: Affected versions of jsonwebtoken are vulnerable to Improper Authentication. Insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC.

Manual Review Advice: A vulnerability from this advisory is reachable if you are using a poorly implemented key retrieval function and your application is supporting usage of both symmetric key and asymmetric key in jwt.verify() implementation with the same key retrieval function.

Fix: Upgrade this library to at least version 9.0.0 at brokencrystals/package-lock.json:10268.

Reference(s): GHSA-hjrf-2m68-5959, CVE-2022-23541

Semgrep found 1 ssc-30d12dd5-94ad-46fa-9d32-3d5477d86f3e finding:

• package-lock.json
  • L10268 - Triage

Risk: Affected versions of jsonwebtoken are vulnerable to Use Of A Broken Or Risky Cryptographic Algorithm. The library could be misconfigured so that legacy, insecure key types are used for signature verification. For example, DSA keys could be used with the RS256 algorithm.

Manual Review Advice: A vulnerability from this advisory is reachable if you are using a legacy, insecure key type with a supported algorithm; for example, DSA keys could be used with the RS256 algorithm

Fix: Upgrade this library to at least version 9.0.0 at brokencrystals/package-lock.json:10268.

Reference(s): GHSA-8cf7-32gw-wr33, CVE-2022-23539

Semgrep found 1 ssc-37ae9e0a-cbf0-4910-8f73-04f2275899a6 finding:

• package-lock.json
  • L15782 - Triage

Risk: webpack 5.x before 5.76.0 is vulnerable to Improper Access Control due to ImportParserPlugin.js mishandling the magic comment feature. Due to this, webpack does not avoid cross-realm object access and an attacker who controls a property of an untrusted object can obtain access to the real global object.

Manual Review Advice: A vulnerability from this advisory is reachable if you host an application utilizing webpack and an attacker can control a property of an untrusted object

Fix: Upgrade this library to at least version 5.76.0 at brokencrystals/package-lock.json:15782.

Reference(s): GHSA-hc6q-2mpp-qw7j, CVE-2023-28154

[TheRedHatter]

Checkmarx One – Scan Summary & Details – eac4bff6-f401-4222-82ee-abd2e0122582

Great job, no security vulnerabilities found in this Pull Request

[socket-security]

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff	Package	Supply Chain Security	Vulnerability	Quality	Maintenance	License

View full report