
pkg: Update @babel/core to v7.29.6 [SECURITY]#3992

Open
renovate[bot] wants to merge 1 commit into master from renovate/npm-babel-core-vulnerability

@renovate renovate Bot commented Jun 15, 2026

Contributor

This PR contains the following updates:

Package Change Age Adoption Passing Confidence
@babel/core (source) 7.29.0 → 7.29.6 age adoption passing confidence

@​babel/core: Arbitrary File Read via sourceMappingURL Comment

CVE-2026-49356 / GHSA-4x5r-pxfx-6jf8

More information

Details

Impact

Using @babel/core to compile maliciously crafted code can allow an attacker to read any source map from the system that is running Babel, if these conditions are all true:

  • the attacker controls the input source code
  • the attacker can read the output source code
  • the attacker knows the path of the source map file that they want to read

Users that only compile trusted code are not impacted.

Patches

The vulnerability has been fixed in @babel/core@7.29.6 and @babel/core@8.0.0-rc.6.

Workarounds

Callers can mitigate the issue without upgrading by setting inputSourceMap: false in their Babel options.

Callers can also manually extract the #sourceMappingURL comment from the input source code, validate whether the source map that it links to is allowed to be read, and, if it is, pass an object to inputSourceMap (passing false when it's not).

Credits

Thanks Teodor-Cristian Radoi for reporting the vulnerability.

Severity

  • CVSS Score: 3.2 / 10 (Low)
  • Vector String: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N

References

This data is provided by the GitHub Advisory Database (CC-BY 4.0).


Release Notes

babel/babel (@​babel/core)

v7.29.6

v7.29.6 (2026-05-25)

🐛 Bug Fix
Committers: 3

Configuration

📅 Schedule: (in timezone America/Chicago)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about these updates again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.
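
The second workaround from the advisory quoted above (extract the #sourceMappingURL comment, validate the target, then pass an object or false as inputSourceMap), as an added example that is not part of this PR, Renovate's output, or Babel's code. The function name, the allowedRoot parameter, the regex-based comment extraction and the policy of refusing URLs with a scheme are assumptions; the sample files are constructed.

```javascript
// Added example, not Babel's code: compute a value for Babel's `inputSourceMap`
// option when the input source is untrusted. Names here are hypothetical.
const fs = require("node:fs");
const os = require("node:os");
const path = require("node:path");

// `//# sourceMappingURL=...` or `/*# sourceMappingURL=... */`; the last one is used.
const URL_RE = /(?:\/\/|\/\*)\s*[#@]\s*sourceMappingURL=([^\s'"*]+)/g;

// allowedRoot (assumption): the only directory tree maps may be read from.
function safeInputSourceMap(code, filename, allowedRoot) {
  const matches = [...code.matchAll(URL_RE)];
  if (matches.length === 0) return false;
  const url = matches[matches.length - 1][1];
  // Policy choice: refuse anything with a scheme (data:, file:, http:).
  if (/^[a-z][a-z0-9+.-]*:/i.test(url)) return false;
  try {
    // realpath resolves ../ segments and symlinks before the containment check.
    const root = fs.realpathSync(allowedRoot);
    const target = fs.realpathSync(path.resolve(path.dirname(filename), url));
    const rel = path.relative(root, target);
    if (rel === "" || rel === ".." || rel.startsWith(".." + path.sep) ||
        path.isAbsolute(rel)) return false;
    const map = JSON.parse(fs.readFileSync(target, "utf8"));
    return map !== null && typeof map === "object" ? map : false;
  } catch {
    return false; // missing or unreadable file, or not JSON
  }
}

// Constructed sample tree: one map inside the project root, one outside it.
function demo() {
  const base = fs.mkdtempSync(path.join(os.tmpdir(), "srcmap-"));
  const root = path.join(base, "project");
  const file = path.join(root, "src", "a.js");
  fs.mkdirSync(path.dirname(file), { recursive: true });
  const map = { version: 3, sources: ["a.ts"], names: [], mappings: "" };
  fs.writeFileSync(file + ".map", JSON.stringify(map));
  fs.writeFileSync(path.join(base, "other.map"), JSON.stringify(map));
  const check = (url) =>
    safeInputSourceMap(`x;\n//# sourceMappingURL=${url}`, file, root);
  const results = {
    inside: check("a.js.map"),
    outside: check("../../other.map"),
    inline: check("data:application/json;base64,e30="),
    none: safeInputSourceMap("x;", file, root),
  };
  fs.rmSync(base, { recursive: true, force: true });
  return results;
}
```

The returned value goes straight into the Babel options as inputSourceMap, so Babel either receives the already-validated map object or false.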

vercel Bot commented Jun 15, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

1 Skipped Deployment
Project Deployment Actions Updated (UTC)
docs-site Ignored Ignored Preview Jun 17, 2026 12:16pm

changeset-bot Bot commented Jun 15, 2026

⚠️ No Changeset found

Latest commit: 7472606

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

github-actions Bot commented Jun 15, 2026

Contributor

Size Change: 0 B

Total Size: 81.1 kB

ℹ️ View Unchanged
Filename Size Change
examples/test-bundlesize/dist/App.js 1.46 kB -2 B (-0.14%)
examples/test-bundlesize/dist/polyfill.js 307 B 0 B
examples/test-bundlesize/dist/rdcClient.js 10.8 kB 0 B
examples/test-bundlesize/dist/rdcEndpoint.js 8.07 kB 0 B
examples/test-bundlesize/dist/react.js 59.7 kB 0 B
examples/test-bundlesize/dist/webpack-runtime.js 726 B 0 B

compressed-size-action

codecov Bot commented Jun 15, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 98.21%. Comparing base (5d3c206) to head (7472606).

Additional details and impacted files
@@           Coverage Diff           @@
##           master    #3992   +/-   ##
=======================================
  Coverage   98.21%   98.21%           
=======================================
  Files         154      154           
  Lines        3024     3024           
  Branches      601      601           
=======================================
  Hits         2970     2970           
  Misses         11       11           
  Partials       43       43           

☔ View full report in Codecov by Harness.
@github-actions github-actions Bot left a comment

Contributor

Benchmark

Details
Benchmark suite Current: 7472606 Previous: 5c8ae10 Ratio
normalizeLong 439 ops/sec (±3.72%) 435 ops/sec (±3.78%) 0.99
normalizeLong Values 406 ops/sec (±1.33%) 392 ops/sec (±1.43%) 0.97
normalizeLong Scalar 338 ops/sec (±2.26%) 325 ops/sec (±2.03%) 0.96
normalizeLong Scalar update 850 ops/sec (±0.65%) 846 ops/sec (±0.41%) 1.00
denormalizeLong 248 ops/sec (±3.83%) 226 ops/sec (±4.67%) 0.91
denormalizeLong Values 218 ops/sec (±4.10%) 211 ops/sec (±3.89%) 0.97
denormalizeLong donotcache 944 ops/sec (±0.19%) 1036 ops/sec (±0.12%) 1.10
denormalizeLong Values donotcache 716 ops/sec (±0.18%) 742 ops/sec (±0.23%) 1.04
denormalizeLong Scalar donotcache 901 ops/sec (±0.17%) 1033 ops/sec (±0.23%) 1.15
denormalizeShort donotcache 500x 1543 ops/sec (±0.11%) 1447 ops/sec (±1.08%) 0.94
denormalizeShort 500x 710 ops/sec (±4.18%) 635 ops/sec (±4.42%) 0.89
denormalizeShort 500x withCache 6626 ops/sec (±0.13%) 7184 ops/sec (±1.07%) 1.08
queryShort 500x withCache 2844 ops/sec (±0.12%) 3063 ops/sec (±0.23%) 1.08
buildQueryKey All 55375 ops/sec (±0.56%) 44550 ops/sec (±0.52%) 0.80
query All withCache 5891 ops/sec (±0.31%) 7047 ops/sec (±0.29%) 1.20
denormalizeLong with mixin Entity 236 ops/sec (±4.18%) 220 ops/sec (±4.41%) 0.93
denormalizeLong withCache 5705 ops/sec (±0.21%) 5924 ops/sec (±0.10%) 1.04
denormalizeLong withCache (Scalar churn) 5708 ops/sec (±0.13%) 5866 ops/sec (±0.30%) 1.03
denormalizeLong Values withCache 5018 ops/sec (±0.16%) 6169 ops/sec (±0.58%) 1.23
denormalizeLong Scalar withCache 7863 ops/sec (±1.20%) 7348 ops/sec (±0.91%) 0.93
denormalizeLong Scalar update withCache 4021 ops/sec (±0.18%) 5410 ops/sec (±0.49%) 1.35
denormalizeLong All withCache 5703 ops/sec (±0.20%) 6534 ops/sec (±0.17%) 1.15
denormalizeLong Query-sorted withCache 5971 ops/sec (±0.18%) 7123 ops/sec (±0.22%) 1.19
denormalizeLongAndShort withEntityCacheOnly 1662 ops/sec (±0.93%) 1556 ops/sec (±0.58%) 0.94
denormalize bidirectional 50 5135 ops/sec (±4.58%) 4767 ops/sec (±3.95%) 0.93
denormalize bidirectional 50 donotcache 40248 ops/sec (±0.17%) 43673 ops/sec (±0.17%) 1.09
getResponse 4612 ops/sec (±0.99%) 5607 ops/sec (±1.73%) 1.22
getResponse (null) 10387571 ops/sec (±0.74%) 10134993 ops/sec (±1.09%) 0.98
getResponse (clear cache) 232 ops/sec (±4.34%) 219 ops/sec (±3.90%) 0.94
getSmallResponse 3540 ops/sec (±0.70%) 3834 ops/sec (±0.93%) 1.08
getSmallInferredResponse 2721 ops/sec (±0.21%) 2777 ops/sec (±0.78%) 1.02
getResponse Collection 4561 ops/sec (±0.50%) 5292 ops/sec (±0.88%) 1.16
get Collection 4422 ops/sec (±0.27%) 5201 ops/sec (±0.37%) 1.18
get Query-sorted 4871 ops/sec (±0.27%) 6355 ops/sec (±0.33%) 1.30
setLong 456 ops/sec (±0.17%) 451 ops/sec (±0.97%) 0.99
setLongWithMerge 254 ops/sec (±0.70%) 251 ops/sec (±0.33%) 0.99
setLongWithSimpleMerge 272 ops/sec (±0.66%) 271 ops/sec (±0.23%) 1.00
setSmallResponse 500x 928 ops/sec (±1.29%) 862 ops/sec (±1.27%) 0.93

This comment was automatically generated by workflow using github-action-benchmark.

@renovate renovate Bot force-pushed the renovate/npm-babel-core-vulnerability branch from 2d0dbbb to 7472606 Compare June 17, 2026 12:16