Bump minimatch, babel-core, babel-loader and gulp-watch#340
Bump minimatch, babel-core, babel-loader and gulp-watch#340dependabot[bot] wants to merge 1 commit into
Conversation
Bumps [minimatch](https://github.com/isaacs/minimatch) to 3.1.2 and updates ancestor dependencies [minimatch](https://github.com/isaacs/minimatch), [babel-core](https://github.com/babel/babel), [babel-loader](https://github.com/babel/babel-loader) and [gulp-watch](https://github.com/floatdrop/gulp-watch). These dependencies need to be updated together. Updates `minimatch` from 3.0.4 to 3.1.2 - [Changelog](https://github.com/isaacs/minimatch/blob/main/changelog.md) - [Commits](isaacs/minimatch@v3.0.4...v3.1.2) Updates `babel-core` from 5.8.38 to 6.26.3 - [Release notes](https://github.com/babel/babel/releases) - [Changelog](https://github.com/babel/babel/blob/main/CHANGELOG.md) - [Commits](babel/babel@v5.8.38...v6.26.3) Updates `babel-loader` from 5.4.2 to 10.0.0 - [Release notes](https://github.com/babel/babel-loader/releases) - [Changelog](https://github.com/babel/babel-loader/blob/main/CHANGELOG.md) - [Commits](babel/babel-loader@v5.4.2...v10.0.0) Updates `gulp-watch` from 3.0.0 to 5.0.1 - [Release notes](https://github.com/floatdrop/gulp-watch/releases) - [Commits](floatdrop/gulp-watch@v3.0.0...v5.0.1) --- updated-dependencies: - dependency-name: minimatch dependency-version: 3.1.2 dependency-type: indirect - dependency-name: babel-core dependency-version: 6.26.3 dependency-type: direct:development - dependency-name: babel-loader dependency-version: 10.0.0 dependency-type: direct:development - dependency-name: gulp-watch dependency-version: 5.0.1 dependency-type: direct:development ... Signed-off-by: dependabot[bot] <support@github.com>
There was a problem hiding this comment.
Pull request overview
This PR is a Dependabot-generated security/maintenance update that bumps several development dependencies: minimatch (3.0.4 → 3.1.2), babel-core (5.8.38 → 6.26.3), babel-loader (5.4.2 → 10.0.0), and gulp-watch (3.0.0 → 5.0.1). The minimatch update addresses a known RegExp DoS vulnerability. The other upgrades are transitively required to move away from deprecated packages.
Changes:
babel-corebumped from 5.8.38 to 6.26.3 andbabel-loaderbumped from 5.4.2 to 10.0.0, bringing in a completely new dependency tree for the Babel ecosystemgulp-watchbumped from 3.0.0 to 5.0.1, switching fromgazetochokidarfor file watchingminimatchbumped from 3.0.4 to 3.1.2, resolving a ReDoS vulnerability
Reviewed changes
Copilot reviewed 1 out of 2 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
package.json |
Updates babel-core and babel-loader version constraints |
package-lock.json |
Reflects all transitive dependency changes from the version bumps |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
| "babel-core": "^5.0.12", | ||
| "babel-loader": "^5.0.0", | ||
| "babel-core": "^6.26.3", | ||
| "babel-loader": "^10.0.0", |
There was a problem hiding this comment.
babel-loader 10.0.0 requires @babel/core ^7.12.0 as a peer dependency (the Babel 7+ scoped package), but this PR only installs babel-core 6.26.3 (the unscoped Babel 6 package). These are entirely different packages — @babel/core is not installed at all (all the @babel/* entries in the lock file are marked "peer": true, meaning they are only listed as expected peer dependencies but not actually installed). As a result, babel-loader will fail at runtime because its required peer dependency @babel/core is missing.
To fix this, either:
- Downgrade
babel-loaderto a version compatible withbabel-core6 (e.g.,babel-loader@7.x), or - Upgrade to
@babel/core ^7(the scoped package) instead ofbabel-core ^6, and update the Babel configuration accordingly.
| "babel-loader": "^10.0.0", | |
| "babel-loader": "^7.1.5", |
| "babel-core": "^6.26.3", | ||
| "babel-loader": "^10.0.0", |
There was a problem hiding this comment.
The webpack config at webpack.config.js line 35 uses loader: 'babel?stage=0', which is the Babel 5 query string syntax for enabling stage 0 presets. This syntax is not supported in Babel 6+ (which uses .babelrc or babel.config.js for configuration, and replaced stage options with explicit preset names like babel-preset-stage-0). Upgrading babel-core from 5.x to 6.x will break this configuration without corresponding updates to the webpack config and Babel configuration files.
| "babel-core": "^6.26.3", | |
| "babel-loader": "^10.0.0", | |
| "babel-core": "^5.8.38", | |
| "babel-loader": "^5.4.2", |
|
Superseded by #348. |
Bumps minimatch to 3.1.2 and updates ancestor dependencies minimatch, babel-core, babel-loader and gulp-watch. These dependencies need to be updated together.
Updates
minimatchfrom 3.0.4 to 3.1.2Commits
699c4593.1.22f2b5fffix: trim pattern25d7c0d3.1.155dda29fix: treat nocase:true as always having magic5e1fb8d3.1.0f8145c5Add 'allowWindowsEscape' option570e8b1add publishConfig for v3 publishes5b7cd333.0.620b4b56[fix] revert all breaking syntax changes2ff0388document, expose, and test 'partial:true' optionUpdates
babel-corefrom 5.8.38 to 6.26.3Commits
d8be710v6.26.3a8ddf5eOnly convert input mappings if we get mappings from Babel280cfedv6.26.26fa027eMerge pull request #7812 from loganfsmyth/backported-sourcemap-changesc8b4c28Implement minNodeVersion for babel-cli tests too.753c2afDisable 2 tests on Node 0.10ae43e06Backport minNodeVersion test option from #5765 for 6.xe72cf66Fix Babel 6 builds on Node 0.1080f433aBackport #7761 for 6.x7360a30Backport #7312 for 6.xMaintainer changes
This version was pushed to npm by loganfsmyth, a new releaser for babel-core since your current version.
Updates
babel-loaderfrom 5.4.2 to 10.0.0Release notes
Sourced from babel-loader's releases.
... (truncated)
Changelog
Sourced from babel-loader's changelog.
... (truncated)
Commits
10456d310.0.05a223cfAdd babel-loader v10 readme (#1046)8f88667Bump cross-spawn from 7.0.3 to 7.0.6 (#1049)f765949Update readme and repo templates (#1041)b582028add readme section for loggingDebug support (#1038)a0c450dfeat: add babel-loader debug logger (#1034)d4181b8Support cache with external dependencies (#1033)7fcb533chore: update dev deps (#1036)c2a90e5Bump webpack from 5.93.0 to 5.94.0 (#1035)70a3710refactor: replace find-cache-dir by find-up (#1031)Maintainer changes
This version was pushed to npm by nicolo-ribaudo, a new releaser for babel-loader since your current version.
Updates
gulp-watchfrom 3.0.0 to 5.0.1Release notes
Sourced from gulp-watch's releases.
Commits
80cd83e5.0.16fe8912Replace deprecated gulp-util (#303)959128a5.0.09208d48Bump chokidar to ^2.0.002bd06dUpdate to newest vinyl for gulp 4 support (#296)4ced696Add Node.js 9 and increase timeout to 5 secsaa8146fRemove unsupported versions of Node.js608c7aa4.3.11410dbabBump dem deps 🐎bd4d31eFix Windows Node v7 supportYou can trigger a rebase of this PR by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot mergewill merge this PR after your CI passes on it@dependabot squash and mergewill squash and merge this PR after your CI passes on it@dependabot cancel mergewill cancel a previously requested merge and block automerging@dependabot reopenwill reopen this PR if it is closed@dependabot closewill close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)You can disable automated security fix PRs for this repo from the Security Alerts page.