fix(deps): update dependency @babel/runtime-corejs3 to v7.26.10 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Adoption	Passing	Confidence
@babel/runtime-corejs3 (source)	7.26.0 -> 7.26.10

GitHub Vulnerability Alerts

CVE-2025-27789

Impact

When using Babel to compile regular expression named capturing groups, Babel will generate a polyfill for the .replace method that has quadratic complexity on some specific replacement pattern strings (i.e. the second argument passed to .replace).

Your generated code is vulnerable if all the following conditions are true:

• You use Babel to compile regular expression named capturing groups
• You use the .replace method on a regular expression that contains named capturing groups
• Your code uses untrusted strings as the second argument of .replace

If you are using @babel/preset-env with the targets option, the transform that injects the vulnerable code is automatically enabled if:

• you use duplicated named capturing groups, and target any browser older than Chrome/Edge 126, Opera 112, Firefox 129, Safari 17.4, or Node.js 23
• you use any named capturing groups, and target any browser older than Chrome 64, Opera 71, Edge 79, Firefox 78, Safari 11.1, or Node.js 10

You can verify what transforms @babel/preset-env is using by enabling the debug option.

Patches

This problem has been fixed in @babel/helpers and @babel/runtime 7.26.10 and 8.0.0-alpha.17, please upgrade. It's likely that you do not directly depend on @babel/helpers, and instead you depend on @babel/core (which itself depends on @babel/helpers). Upgrading to @babel/core 7.26.10 is not required, but it guarantees that you are on a new enough @babel/helpers version.

Please note that just updating your Babel dependencies is not enough: you will also need to re-compile your code.

Workarounds

If you are passing user-provided strings as the second argument of .replace on regular expressions that contain named capturing groups, validate the input and make sure it does not contain the substring $< if it's then not followed by > (possibly with other characters in between).

References

This vulnerability was reported and fixed in https://github.com/babel/babel/pull/17173.

---

Release Notes

babel/babel (@​babel/runtime-corejs3)

v7.26.10

Compare Source

👓 Spec Compliance

• babel-parser
  • #​17159 Disallow decorator in array pattern (@​JLHwung)

🐛 Bug Fix

• babel-parser, babel-template
  • #​17164 Fix: always initialize ExportDeclaration attributes (@​JLHwung)
• babel-core
  • #​17142 fix: "Map maximum size exceeded" in deepClone (@​liuxingbaoyu)
• babel-parser, babel-plugin-transform-typescript
  • #​17154 Update typescript parser tests (@​JLHwung)
• babel-traverse
  • #​17151 fix: Should not evaluate vars in child scope (@​liuxingbaoyu)
• babel-generator
  • #​17153 fix: Correctly generate abstract override (@​liuxingbaoyu)
• babel-parser
  • #​17107 Fix source type detection when parsing TypeScript (@​JLHwung)
• babel-helpers, babel-runtime, babel-runtime-corejs2, babel-runtime-corejs3
  • #​17173 Fix processing of replacement pattern with named capture groups (@​mmmsssttt404)

💅 Polish

• babel-standalone
  • #​17158 Avoid warnings when re-bundling @​babel/standalone with webpack (@​liuxingbaoyu)

🏠 Internal

• babel-parser
  • #​17160 Left-value parsing cleanup (@​JLHwung)

v7.26.9

Compare Source

🐛 Bug Fix

• babel-types
  • #​17103 fix: Definition for TSPropertySignature.kind (@​liuxingbaoyu)
• babel-generator, babel-types
  • #​17062 Print TypeScript optional/definite in ClassPrivateProperty (@​jamiebuilds-signal)

🏠 Internal

• babel-types
  • #​17130 Use .ts files with explicit reexports to solve name conflicts (@​nicolo-ribaudo)
• babel-core
  • #​17127 Do not depend on @types/gensync in Babel 7 (@​nicolo-ribaudo)

v7.26.7

Compare Source

🐛 Bug Fix

• babel-helpers, babel-preset-env, babel-runtime-corejs3
  • #​17086 Make "object without properties" helpers ES6-compatible (@​tquetano-netflix)
• babel-plugin-transform-typeof-symbol
  • #​17085 fix: Correctly handle typeof in arrow functions (@​liuxingbaoyu)
• babel-parser
  • #​17079 Respect ranges option in estree method value (@​JLHwung)
• babel-core
  • #​17052 Do not try to parse .ts configs as JSON if natively supported (@​nicolo-ribaudo)
• babel-plugin-transform-typescript
  • #​17050 fix: correctly resolve references to non-constant enum members (@​branchseer)
• babel-plugin-transform-typescript, babel-traverse, babel-types
  • #​17025 fix: Remove type-only import x = y.z (@​liuxingbaoyu)

---

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[changeset-bot]

⚠️ No Changeset found

Latest commit: c2259f3

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[renovate]

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.