Update dependency @babel/runtime to v7.26.10 [SECURITY]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
@babel/runtime (source)	7.26.0 → 7.26.10

---

Warning

Some dependencies could not be looked up. Check the warning logs for more information.

---

Babel has inefficient RegExp complexity in generated code with .replace when transpiling named capturing groups

CVE-2025-27789 / GHSA-968p-4wvh-cqc8

More information

Details

Impact

When using Babel to compile regular expression named capturing groups, Babel will generate a polyfill for the .replace method that has quadratic complexity on some specific replacement pattern strings (i.e. the second argument passed to .replace).

Your generated code is vulnerable if all the following conditions are true:

• You use Babel to compile regular expression named capturing groups
• You use the .replace method on a regular expression that contains named capturing groups
• Your code uses untrusted strings as the second argument of .replace

If you are using @babel/preset-env with the targets option, the transform that injects the vulnerable code is automatically enabled if:

• you use duplicated named capturing groups, and target any browser older than Chrome/Edge 126, Opera 112, Firefox 129, Safari 17.4, or Node.js 23
• you use any named capturing groups, and target any browser older than Chrome 64, Opera 71, Edge 79, Firefox 78, Safari 11.1, or Node.js 10

You can verify what transforms @babel/preset-env is using by enabling the debug option.

Patches

This problem has been fixed in @babel/helpers and @babel/runtime 7.26.10 and 8.0.0-alpha.17, please upgrade. It's likely that you do not directly depend on @babel/helpers, and instead you depend on @babel/core (which itself depends on @babel/helpers). Upgrading to @babel/core 7.26.10 is not required, but it guarantees that you are on a new enough @babel/helpers version.

Please note that just updating your Babel dependencies is not enough: you will also need to re-compile your code.

Workarounds

If you are passing user-provided strings as the second argument of .replace on regular expressions that contain named capturing groups, validate the input and make sure it does not contain the substring $< if it's then not followed by > (possibly with other characters in between).

References

This vulnerability was reported and fixed in https://github.com/babel/babel/pull/17173.

Severity

• CVSS Score: 6.2 / 10 (Medium)
• Vector String: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References

• https://github.com/babel/babel/security/advisories/GHSA-968p-4wvh-cqc8
• https://github.com/babel/babel/pull/17173
• https://github.com/babel/babel/commit/d5952e80c0faa5ec20e35085531b6e572d31dad4
• https://nvd.nist.gov/vuln/detail/CVE-2025-27789
• https://github.com/advisories/GHSA-968p-4wvh-cqc8

This data is provided by the GitHub Advisory Database (CC-BY 4.0).

---

Release Notes

babel/babel (@​babel/runtime)

v7.26.10

Compare Source

👓 Spec Compliance

• babel-parser
  • #​17159 Disallow decorator in array pattern (@​JLHwung)

🐛 Bug Fix

• babel-parser, babel-template
  • #​17164 Fix: always initialize ExportDeclaration attributes (@​JLHwung)
• babel-core
  • #​17142 fix: "Map maximum size exceeded" in deepClone (@​liuxingbaoyu)
• babel-parser, babel-plugin-transform-typescript
  • #​17154 Update typescript parser tests (@​JLHwung)
• babel-traverse
  • #​17151 fix: Should not evaluate vars in child scope (@​liuxingbaoyu)
• babel-generator
  • #​17153 fix: Correctly generate abstract override (@​liuxingbaoyu)
• babel-parser
  • #​17107 Fix source type detection when parsing TypeScript (@​JLHwung)
• babel-helpers, babel-runtime, babel-runtime-corejs2, babel-runtime-corejs3
  • #​17173 Fix processing of replacement pattern with named capture groups (@​mmmsssttt404)

💅 Polish

• babel-standalone
  • #​17158 Avoid warnings when re-bundling @​babel/standalone with webpack (@​liuxingbaoyu)

🏠 Internal

• babel-parser
  • #​17160 Left-value parsing cleanup (@​JLHwung)

v7.26.9

Compare Source

🐛 Bug Fix

• babel-types
  • #​17103 fix: Definition for TSPropertySignature.kind (@​liuxingbaoyu)
• babel-generator, babel-types
  • #​17062 Print TypeScript optional/definite in ClassPrivateProperty (@​jamiebuilds-signal)

🏠 Internal

• babel-types
  • #​17130 Use .ts files with explicit reexports to solve name conflicts (@​nicolo-ribaudo)
• babel-core
  • #​17127 Do not depend on @types/gensync in Babel 7 (@​nicolo-ribaudo)

v7.26.7

Compare Source

🐛 Bug Fix

• babel-helpers, babel-preset-env, babel-runtime-corejs3
  • #​17086 Make "object without properties" helpers ES6-compatible (@​tquetano-netflix)
• babel-plugin-transform-typeof-symbol
  • #​17085 fix: Correctly handle typeof in arrow functions (@​liuxingbaoyu)
• babel-parser
  • #​17079 Respect ranges option in estree method value (@​JLHwung)
• babel-core
  • #​17052 Do not try to parse .ts configs as JSON if natively supported (@​nicolo-ribaudo)
• babel-plugin-transform-typescript
  • #​17050 fix: correctly resolve references to non-constant enum members (@​branchseer)
• babel-plugin-transform-typescript, babel-traverse, babel-types
  • #​17025 fix: Remove type-only import x = y.z (@​liuxingbaoyu)

---

Configuration

📅 Schedule: (UTC)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

⚠️ Artifact update problem

Renovate failed to update an artifact related to this branch. You probably do not want to merge this PR as-is.

♻ Renovate will retry this branch, including artifacts, only when one of the following happens:

• any of the package files in this branch needs updating, or
• the branch becomes conflicted, or
• you click the rebase/retry checkbox if found above, or
• you rename this PR's title to start with "rebase!" to trigger it manually

The artifact failure details are included below:

File name: yarn.lock

error Error: https://registry.yarnpkg.com/@symbo.ls%2fcli: Not found
    at params.callback [as _callback] (/opt/containerbase/tools/yarn-slim/1.22.22/24.15.0/node_modules/yarn/lib/cli.js:66680:18)
    at self.callback (/opt/containerbase/tools/yarn-slim/1.22.22/24.15.0/node_modules/yarn/lib/cli.js:141410:22)
    at Request.emit (node:events:509:28)
    at Request.<anonymous> (/opt/containerbase/tools/yarn-slim/1.22.22/24.15.0/node_modules/yarn/lib/cli.js:142382:10)
    at Request.emit (node:events:509:28)
    at IncomingMessage.<anonymous> (/opt/containerbase/tools/yarn-slim/1.22.22/24.15.0/node_modules/yarn/lib/cli.js:142304:12)
    at Object.onceWrapper (node:events:630:28)
    at IncomingMessage.emit (node:events:521:24)
    at endReadableNT (node:internal/streams/readable:1729:12)
    at process.processTicksAndRejections (node:internal/process/task_queues:90:21)