Bump sha.js to 2.4.12 to fix cve#17736

Merged
nicolo-ribaudo merged 3 commits into babel:main from Nordix:fix/sha.js_update on Jan 27, 2026

Conversation

@ivonaest
Contributor

Summary

  1. Why:
    To remove CVEs:

  2. What:

    • Upgrade sha.js to 2.4.12 to remove CVE-2025-9288
    • sha.js comes from browserify, but the latest browserify version still pulls in an older, vulnerable sha.js, so sha.js 2.4.12 needed to be added to resolutions, as this is a critical CVE

Additional evidence

Partial output from security scanner Trivy:
[screenshot of Trivy output, not reproduced here]

Categorization

  • security/CVE

@liuxingbaoyu
Member

We only use Browserify in testing and will be removing it soon.

@babel-bot
Collaborator

babel-bot commented Jan 27, 2026

Build successful! You can test your changes in the REPL here: https://babeljs.io/repl/build/60687

@pkg-pr-new

pkg-pr-new Bot commented Jan 27, 2026

commit: b60992e

Comment thread on package.json (outdated)
"caniuse-lite": "1.0.30001766",
"core-js-compat": "3.48.0",
"electron-to-chromium": "1.5.278",
"sha.js": "2.4.12",
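Review bot: the new "sha.js": "2.4.12" entry is an exact pin under resolutions, so it keeps acting after yarn.lock is refreshed: every future sha.js patch release will be held back at 2.4.12 until someone edits this file again. Given the review comment that the dependents' ranges (^2.4.0, ^2.4.8) already accept 2.4.12, suggest dropping this line and committing only the regenerated yarn.lock, keeping resolutions for cases where a declared range really does exclude the fixed version.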
Contributor

The resolutions entry here is not necessary, because the patched version 2.4.12 is already covered by version specs such as ^2.4.0 and ^2.4.8. Could you run yarn up -R sha.js and stage only the updated yarn.lock?
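As an added illustration of the point above (not code from this PR or from Babel): a caret-range check that tells whether a patched version such as 2.4.12 is already reachable through the ranges its dependents declare, in which case a lockfile refresh is enough, or whether a resolutions override is genuinely required. The ranges ^2.4.0 and ^2.4.8 are the ones quoted in review; ^1.2.0 is a constructed stale range added to show the case where an override is needed.

```javascript
// Added example, not part of the PR. Implements npm/yarn caret-range semantics
// for plain x.y.z versions (no prerelease tags) without external packages.

function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)$/.exec(v.trim());
  if (!m) throw new Error(`unsupported version: ${v}`);
  return m.slice(1).map(Number);
}

function compare(a, b) {
  for (let i = 0; i < 3; i++) if (a[i] !== b[i]) return a[i] - b[i];
  return 0;
}

// Caret semantics: allow changes that do not touch the left-most non-zero component.
// ^2.4.0 -> <3.0.0, ^0.2.3 -> <0.3.0, ^0.0.3 -> <0.0.4
function caretUpperBound([maj, min, pat]) {
  if (maj > 0) return [maj + 1, 0, 0];
  if (min > 0) return [0, min + 1, 0];
  return [0, 0, pat + 1];
}

function caretSatisfies(version, range) {
  if (!range.startsWith('^')) throw new Error(`only caret ranges handled: ${range}`);
  const lower = parseVersion(range.slice(1));
  const v = parseVersion(version);
  return compare(v, lower) >= 0 && compare(v, caretUpperBound(lower)) < 0;
}

// Ranges that would NOT pick up `patched` on a plain lockfile refresh.
// An empty result means "no resolutions override needed, just refresh yarn.lock".
function rangesBlockingPatch(patched, ranges) {
  return ranges.filter((r) => !caretSatisfies(patched, r));
}

// Constructed sample input: the sha.js ranges quoted in review, plus a stale one.
const shaJsRanges = ['^2.4.0', '^2.4.8'];
console.log(rangesBlockingPatch('2.4.12', shaJsRanges)); // []
console.log(rangesBlockingPatch('2.4.12', [...shaJsRanges, '^1.2.0'])); // ['^1.2.0']
```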

Contributor Author

Done in the latest commit. Please let me know if this change works for you. Thank you.

Contributor

@JLHwung left a comment

Thanks.

@nicolo-ribaudo nicolo-ribaudo merged commit ae72207 into babel:main Jan 27, 2026
54 checks passed
@ivonaest
Contributor Author

Hi @liuxingbaoyu, @JLHwung, @nicolo-ribaudo, thanks for the feedback and the merge. I am aware you are planning on removing Browserify, but would you be interested in me opening another PR with a similar approach for the pbkdf2, cipher-base and elliptic dependencies? They all come from Browserify. Looking forward to your feedback.

@liuxingbaoyu
Member

I have removed it from #17229.

@ivonaest ivonaest deleted the fix/sha.js_update branch January 29, 2026 10:07
@github-actions github-actions Bot added the "outdated" label (a closed issue/PR that is archived due to age; recommended to make a new issue) May 1, 2026
@github-actions github-actions Bot locked as resolved and limited conversation to collaborators May 1, 2026