4 changes: 4 additions & 0 deletions package.json
Expand Up @@ -35,11 +35,15 @@
],
"preferUnplugged": true,
"devDependencies": {
"@happy-dom/jest-environment": "^20.0.11",
"@swc/core": "^1.15.4",
"@swc/jest": "^0.2.39",
"@testing-library/react": "^16.3.0",
"@types/jest": "^30.0.0",
"@types/react": "^19.2.7",
"auto-changelog": "^2.5.0",
"jest": "^30.2.0",
"react": "^19.2.3",
Comment on lines +38 to +46
⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify package versions exist on npm and check for vulnerabilities

echo "=== Checking if package versions exist on npm ==="
packages=(
  "@happy-dom/jest-environment@20.0.11"
  "@swc/core@1.15.4"
  "@swc/jest@0.2.39"
  "@testing-library/react@16.3.0"
  "@types/jest@30.0.0"
  "@types/react@19.2.7"
  "auto-changelog@2.5.0"
  "jest@30.2.0"
  "react@19.2.3"
)

for pkg in "${packages[@]}"; do
  version=$(npm view "$pkg" version 2>&1)
  if [ $? -eq 0 ]; then
    echo "$pkg exists"
  else
    echo "$pkg - ERROR or does not exist: $version"
  fi
done

echo ""
echo "=== Checking npm audit for vulnerabilities ==="
# Create a temporary package.json to test
temp_dir=$(mktemp -d)
cat > "$temp_dir/package.json" << 'EOF'
{
  "name": "temp-audit",
  "version": "1.0.0",
  "dependencies": {
    "@happy-dom/jest-environment": "^20.0.11",
    "@swc/core": "^1.15.4",
    "@swc/jest": "^0.2.39",
    "@testing-library/react": "^16.3.0",
    "@types/jest": "^30.0.0",
    "@types/react": "^19.2.7",
    "auto-changelog": "^2.5.0",
    "jest": "^30.2.0",
    "react": "^19.2.3"
  }
}
EOF

# npm audit needs a lockfile, so resolve one first (no install, no scripts),
# then audit the resolved tree
cd "$temp_dir" || exit 1
npm install --package-lock-only --ignore-scripts --silent >/dev/null 2>&1
npm audit --json 2>/dev/null | python3 << 'PYEOF'
import json
import sys

try:
    data = json.load(sys.stdin)
    if 'vulnerabilities' in data:
        vulns = data['vulnerabilities']
        if vulns:
            print(f"Found {len(vulns)} vulnerable packages:")
            for pkg_name, details in vulns.items():
                print(f"\n  Package: {pkg_name}")
                if 'via' in details:
                    for via in details['via']:
                        if isinstance(via, dict):
                            print(f"    - {via.get('title', 'Unknown')}")
                            print(f"      Severity: {via.get('severity', 'Unknown')}")
        else:
            print("No vulnerabilities found")
    else:
        print("Audit data structure unexpected")
except Exception as e:
    print(f"Error parsing audit data: {e}")
PYEOF

rm -rf "$temp_dir"

Repository: Codex-/swc-plugin-import-meta-env

Length of output: 163


🏁 Script executed:

#!/bin/bash
# Simpler version check using npm view with timeout and fallback

echo "=== Quick npm version checks (with timeout) ==="
for pkg in react jest "@testing-library/react" "@types/react"; do
  timeout 10 npm view "$pkg@latest" version 2>/dev/null || echo "Could not fetch latest version for $pkg"
done

echo ""
echo "=== Checking package.json syntax ==="
if command -v jq &> /dev/null; then
  cd /tmp && cat > package.json << 'EOF'
{
  "dependencies": {
    "@happy-dom/jest-environment": "^20.0.11",
    "@swc/core": "^1.15.4",
    "@swc/jest": "^0.2.39",
    "@testing-library/react": "^16.3.0",
    "@types/jest": "^30.0.0",
    "@types/react": "^19.2.7",
    "auto-changelog": "^2.5.0",
    "jest": "^30.2.0",
    "react": "^19.2.3"
  }
}
EOF
  jq '.dependencies' package.json
fi

Repository: Codex-/swc-plugin-import-meta-env

Length of output: 618


🌐 Web query:

React 19.2.3 security vulnerabilities CVE

💡 Result:

Short answer: React 19.2.3 is a security fix release that addresses the December 2025 Server Components vulnerabilities (notably CVE-2025-55182 and the follow-on issues CVE-2025-55184, CVE-2025-55183 and the incomplete-fix CVE-2025-67779). Upgrade to 19.2.3 (or later) immediately if you use React Server Components / related server DOM packages. [1][2][3]

Sources

  • React security advisories (December 3 and December 11, 2025). [1][2]
  • NVD entry for CVE-2025-67779 (incomplete-fix DoS). [3]
  • Independent writeups summarizing affected versions and fixed releases. [4]

🌐 Web query:

testing-library react 16.3.0 security advisories

💡 Result:

Short answer: No public security advisories are reported for @testing-library/react version 16.3.0. Snyk and package security listings show "no known security issues" for 16.3.0; some third‑party scanners note generic package warnings but not a specific CVE for this package version. (security.snyk.io)

Citations:


🌐 Web query:

jest 30.2.0 security issues

💡 Result:

Short answer: Yes — Jest 30.2.0 pulls in vulnerable transitive deps.

What’s affected

  • js-yaml prototype-pollution (GHSA-mh29-5h37-fv8m / CVE-2025-64718). js-yaml <4.1.1 (and <3.14.2) is vulnerable; several Jest packages depend on js-yaml 3.14.2 in 30.2.0. [1][2]
  • glob CLI command-injection (GHSA-5j98-mcp5-4vw2 / CVE-2025-64756) affecting the glob CLI (-c/--cmd); glob appears in Jest dependency tree for 30.2.0. [3][4]

Sources:

  1. js-yaml GHSA advisory (CVE-2025-64718). [1]
  2. Jest GitHub issue showing js-yaml present in v30.2.0. [2]
  3. OSV/GHSA entry for glob CLI command-injection (CVE-2025-64756). [3]
  4. Jest GitHub issue reporting glob vulnerability in v30.2.0. [4]

Recommended actions

  • Treat these as transitive-dependency issues — upgrade to patched versions when Jest publishes them. (There are open Jest issues; no universal Jest patch referenced yet.) [2][4]
  • Short-term mitigations: avoid parsing untrusted YAML in environments using the vulnerable js-yaml; do not run glob CLI with -c/--cmd on untrusted file names or avoid using the glob CLI in CI on untrusted inputs; install Jest only as devDependency and avoid installing dev deps in production builds (npm/pnpm install --production). [1][3][2]

If you want, I can:

  • check whether a Jest release/patch has been published addressing these (I’ll look for a specific Jest fix/release note), or
  • scan your project’s dependency tree and show exactly where the vulnerable packages come from.

🌐 Web query:

Jest 30.3.0 30.4.0 release notes js-yaml glob vulnerability fix

💡 Result:

Short answer: Jest 30.3.0 / 30.4.0 do not contain published fixes — the js-yaml and glob vulnerabilities were reported against Jest 30.x and issues were opened asking maintainers to update dependencies, but as of the latest Jest releases/tags the project had not shipped a 30.3.0/30.4.0 release that resolves them.

Sources:

  • GitHub Advisory for js-yaml prototype-pollution (CVE / GHSA) — patched in js-yaml 4.1.1 / 3.14.2. [1]
  • Jest issue for js-yaml vulnerability (opened Nov 18, 2025). [2]
  • Jest issue requesting glob update to support glob@10.5.0+ for the security fix (opened Nov 20, 2025). [3]
  • Jest releases / version listing (latest stable shown as 30.0 and npm release history showing latest published 30.2.0 as of Sep 28, 2025). [4][5]

If you want, I can:

  • watch the Jest repo and notify you when a release explicitly lists upgrades to js-yaml (>=4.1.1 / 3.14.2) and glob (>=10.5.0), or
  • suggest temporary mitigation steps (pinning/overriding dependency versions via npm/yarn/pnpm).

References

  1. GitHub Advisory — js-yaml prototype pollution (patched in 4.1.1 / 3.14.2). [https://github.com/advisories/GHSA-mh29-5h37-fv8m]
  2. Issue: "js-yaml medium vulnerability CVE-2025-64718" — jestjs/jest #15893. [https://github.com/jestjs/jest/issues/15893]
  3. Issue: "Update dependencies to support glob@10.5.0+ for security fix" — jestjs/jest #15910. [https://github.com/jestjs/jest/issues/15910]
  4. Issue: "glob HIGH vulnerability - CVE-2025-64756" — jestjs/jest #15898. [https://github.com/jestjs/jest/issues/15898]
  5. Jest releases / versions (GitHub releases + npm release history). [https://github.com/jestjs/jest/releases], [https://releasealert.dev/npmjs/_/jest]

Jest 30.2.0 contains unresolved transitive dependency vulnerabilities that should be mitigated or monitored.

React 19.2.3 is the correct patched version addressing December 2025 Server Components vulnerabilities (CVE-2025-55182 and related CVEs). @testing-library/react 16.3.0 is free from known security advisories.

However, Jest 30.2.0 pulls in vulnerable transitive dependencies:

Since Jest is a devDependency and these are transitive issues, the risk is mitigated. Nevertheless, consider monitoring Jest for a patched release (issues #15893 and #15898 are open on jestjs/jest) or use dependency override tools (npm overrides, yarn resolutions) to pin safer transitive versions as a short-term measure.

🤖 Prompt for AI Agents
package.json around lines 38 to 46: the pinned devDependency jest@30.2.0 pulls
vulnerable transitive versions of js-yaml and glob; update your remediation by
either (1) adding dependency overrides/resolutions (npm overrides or yarn
resolutions) to force js-yaml to >=4.1.1 and glob to >=10.5.0, or (2) upgrade
jest when a patched release is available and document this as monitored risk in
the repo; ensure these changes are limited to devDependencies and add a short
comment in package.json or README noting the mitigation and that the issue is
tracked against jestjs/jest issues #15893 and #15898.

"release-it": "^19.1.0"
},
"peerDependencies": {
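Review bot: every devDependency in this hunk is a caret range (`"jest": "^30.2.0"`, `"react": "^19.2.3"`), so the versions actually installed, including the transitive js-yaml and glob versions discussed in the comment above, are fixed by the lockfile rather than by this file; the diff touches only package.json, so confirm the lockfile is regenerated in the same PR and that CI installs from it (`npm ci`), otherwise the audit findings above do not describe the tree that is tested. If the transitive issues are to be pinned away rather than only monitored, an `"overrides"` entry in this file (for example `"overrides": { "js-yaml": ">=4.1.1", "glob": ">=10.5.0" }`) is the npm mechanism the comment refers to, and it belongs next to these devDependencies so the mitigation is visible beside the dependency that needs it. The `peerDependencies` block that opens at the end of the hunk is not shown; if it also declares `react` or `@swc/core`, keep the devDependency versions added here inside the ranges it declares.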
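The review comment above recommends npm `overrides` as the short-term mitigation for the transitive js-yaml and glob findings, and its script parses `npm audit --json` to list them. The following Python is an added example, not code from the PR, the review bot, or the swc-plugin-import-meta-env project, that carries both steps through on constructed data: it flattens an audit report into one row per vulnerable package, then verifies that the `overrides` block of a package.json actually pins each flagged package at or above the patched version the advisory names. The audit JSON is a constructed sample shaped like npm's report (the advisory ids are the ones cited in the comment; titles and ranges are illustrative), and the function names `summarize_audit`, `overrides_cover` and `unmitigated` are this example's own.

```python
"""Check an `npm audit --json` report against the `overrides` block of a
package.json.  Added example; it assumes npm's audit JSON layout (a top-level
"vulnerabilities" object keyed by package name, each entry carrying
"severity", "isDirect", "range", "fixAvailable" and a "via" list whose dict
items describe advisories).  All sample data below is constructed."""
import json
import re

# Constructed sample of `npm audit --json` output for a tree that still carries
# unpatched js-yaml and glob (shape only; not real audit output).
SAMPLE_AUDIT = json.loads("""
{
  "auditReportVersion": 2,
  "vulnerabilities": {
    "js-yaml": {
      "name": "js-yaml", "severity": "moderate", "isDirect": false,
      "via": [{"title": "js-yaml prototype pollution (constructed sample)",
               "url": "https://github.com/advisories/GHSA-mh29-5h37-fv8m",
               "severity": "moderate", "range": "<4.1.1"}],
      "range": "<4.1.1", "fixAvailable": true
    },
    "glob": {
      "name": "glob", "severity": "high", "isDirect": false,
      "via": [{"title": "glob CLI command injection (constructed sample)",
               "url": "https://github.com/advisories/GHSA-5j98-mcp5-4vw2",
               "severity": "high", "range": "<10.5.0"}],
      "range": "<10.5.0", "fixAvailable": true
    }
  }
}
""")

# Worst first, so the summary reads top-down by urgency.
SEVERITY_ORDER = {"critical": 0, "high": 1, "moderate": 2, "low": 3, "info": 4}

# Minimum patched version per package, taken from the advisories in the thread.
PATCHED = {"js-yaml": "4.1.1", "glob": "10.5.0"}

# The PR's devDependencies (abridged), first without and then with the npm
# `overrides` block the review comment suggests (constructed for the example).
PKG_BEFORE = {"devDependencies": {"jest": "^30.2.0", "react": "^19.2.3"}}
PKG_AFTER = {**PKG_BEFORE, "overrides": {"js-yaml": ">=4.1.1", "glob": ">=10.5.0"}}


def parse_version(spec: str) -> tuple[int, ...]:
    """'4.1.1', '>=4.1.1' or '^10.5.0' -> (4, 1, 1) / (10, 5, 0); prerelease tags dropped."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", spec)
    if not m:
        raise ValueError(f"no semver core in {spec!r}")
    return tuple(int(x) for x in m.groups())


def summarize_audit(audit: dict) -> list[dict]:
    """One row per vulnerable package, worst severity first."""
    rows = []
    for name, entry in audit.get("vulnerabilities", {}).items():
        advisories = [v for v in entry.get("via", []) if isinstance(v, dict)]
        rows.append({
            "package": name,
            "severity": entry.get("severity", "unknown"),
            "direct": bool(entry.get("isDirect", False)),
            "range": entry.get("range", ""),
            "fix_available": bool(entry.get("fixAvailable", False)),
            "advisories": [a.get("url") or a.get("title", "?") for a in advisories],
        })
    rows.sort(key=lambda r: SEVERITY_ORDER.get(r["severity"], 99))
    return rows


def overrides_cover(package_json: dict, patched: dict[str, str]) -> dict[str, bool]:
    """Does `overrides` pin each package at or above its patched version?
    Only the simple forms X.Y.Z, ^X.Y.Z, ~X.Y.Z and >=X.Y.Z are accepted as a
    lower bound; upper-bounded specs (<, ranges) and nested override objects
    are conservatively reported as not covering the package."""
    overrides = package_json.get("overrides", {})
    result = {}
    for name, minimum in patched.items():
        spec = overrides.get(name)
        if not isinstance(spec, str) or not re.fullmatch(r"(>=|\^|~)?\d+\.\d+\.\d+", spec.strip()):
            result[name] = False
            continue
        result[name] = parse_version(spec) >= parse_version(minimum)
    return result


def unmitigated(audit: dict, package_json: dict, patched: dict[str, str]) -> list[str]:
    """Vulnerable packages from the audit that `overrides` does not yet pin to a
    patched version; an empty list means every finding is covered."""
    covered = overrides_cover(package_json, patched)
    return [r["package"] for r in summarize_audit(audit) if not covered.get(r["package"], False)]


if __name__ == "__main__":
    for row in summarize_audit(SAMPLE_AUDIT):
        print(f"{row['severity']:>8}  {row['package']:<8} {row['range']:<8} "
              f"direct={row['direct']} fix={row['fix_available']}  {row['advisories'][0]}")
    print("unmitigated before overrides:", unmitigated(SAMPLE_AUDIT, PKG_BEFORE, PATCHED))
    print("unmitigated after overrides: ", unmitigated(SAMPLE_AUDIT, PKG_AFTER, PATCHED))
```

In a real repository, `SAMPLE_AUDIT` would be replaced by `json.load` over the output of `npm audit --json` and `PKG_BEFORE` by the parsed package.json, and a non-empty `unmitigated` result is what a CI step should fail on. One caveat the check deliberately does not paper over: the comment notes that js-yaml is patched in both 4.1.1 and 3.14.2, and a blanket `">=4.1.1"` override forces the 4.x API onto dependencies written for 3.x; where that breaks a dependent package, npm's nested override form (keyed on the dependent package) can hold it at the patched 3.x line instead, which this example's simple-form check reports as uncovered rather than guessing at.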