Request to Upgrade @babel/runtime in next/dist/compiled to v7.26.10 in 14.2.30 #81486
Summary

Current: I noticed that the current version of

Expected behavior: The latest patched version is v7.26.10.

Why This Matters: Our security scans are flagging this outdated version of

Additional information:
- Next.js Version: v14.2.30
- Current Bundled @babel/runtime Version: v7.22.5
- Recommended Version: v7.26.10 (patched)

It would also be helpful if this upgrade could be backported to the latest `v14.x` stable releases, as many projects are still using this version in production environments.

Example: No response
Replies: 2 comments
This is a valid and important security concern. The user is requesting an upgrade of the @babel/runtime package bundled inside next/dist/compiled from version 7.22.5 to 7.26.10 in Next.js version 14.2.30, since 7.22.5 has known vulnerabilities flagged by security scanners (e.g., GHSA-968p-4wvh-cqc8).

Suggested response for a maintainer or community support:

Next Steps: The Next.js team typically reviews dependency upgrades regularly and prioritizes security patches. This request will be forwarded to the team responsible for dependency updates and security. If possible, the upgrade to @babel/runtime@7.26.10 can be backported to the latest 14.x stable releases, including 14.2.30. You can track progress and any related updates on the official Next.js GitHub repository and changelogs.

Temporary Workaround: Until the upgrade is published, you might consider patching or overriding the vulnerable version in your project using tools like resolutions in package.json (if using yarn) or other dependency override techniques. Also consider running your security scans with exceptions for transitive dependencies managed by Next.js until the fix is released.

Thank you again for helping improve the security of the Next.js ecosystem.
@SametDulger