optimize: bump @babel/runtime to ^7.27.0#7673
Codecov Report: ✅ All modified and coverable lines are covered by tests.

Coverage diff (2.x vs. #7673):

| | 2.x | #7673 | +/- |
|---|---|---|---|
| Coverage | 61.27% | 61.31% | +0.04% |
| Complexity | 666 | 666 | |
| Files | 1314 | 1314 | |
| Lines | 49817 | 49817 | |
| Branches | 5858 | 5858 | |
| Hits | 30524 | 30544 | +20 |
| Misses | 16549 | 16529 | -20 |
| Partials | 2744 | 2744 | |
Please register your PR in those two files:

Hi,

Hi, I have updated the changelog in both zh-cn/2.x.md and en-us/2.x.md as requested. Thanks!
slievrly
left a comment
Is it necessary to make an update in package-lock.json?
Add your Github ID at the bottom of the change logs as well.
bd54b85 to f95298f
I took a closer look and noticed that package-lock.json already resolves @babel/runtime to version 7.27.0,

Okay, I acknowledge your point. But, in order to address the CVE notifications, it would be necessary to upgrade the @babel/runtime dependency version within the package-lock.json file.

package-lock.json is used to lock the version of the installation dependency. Some dependencies specify the version of @babel/runtime. Of course, some are cross-version. We need to upgrade the version-compatible dependencies to the patch-free version.

Thank you for the clarification. I understand your point regarding the CVE notifications and version-locked dependencies.

Updated package-lock.json and added an
Pull Request Overview
Bumps @babel/runtime dependency from ^7.26.10 to ^7.27.0 to address security vulnerability CVE-2025-27789 and align with the resolved version in package-lock.json.
- Updates @babel/runtime version in package.json dependencies
- Adds changelog entries in both English and Chinese documentation
- Includes contributor acknowledgment for the security fix
Reviewed Changes
Copilot reviewed 3 out of 4 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| console/src/main/resources/static/console-fe/package.json | Updates @babel/runtime dependency version and adds it to overrides section |
| changes/zh-cn/2.x.md | Adds Chinese changelog entry for the dependency update |
| changes/en-us/2.x.md | Adds English changelog entry for the dependency update |
Files not reviewed (1)
- console/src/main/resources/static/console-fe/package-lock.json: Language not supported
| "cipher-base": "1.0.6", | ||
| "@babel/runtime": "^7.27.0" |
The @babel/runtime entry is duplicated - it's already defined in the dependencies section at line 34. This duplication in what appears to be an overrides section could lead to confusion about which version takes precedence.
| "cipher-base": "1.0.6", | |
| "@babel/runtime": "^7.27.0" | |
| "cipher-base": "1.0.6" |
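Review bot: the suggested change drops the `"@babel/runtime": "^7.27.0"` line from the overrides block, and that line is the part of the PR that actually reaches transitive copies of @babel/runtime: an npm `overrides` entry rewrites the version that nested dependents resolve, whereas the entry in `dependencies` only constrains the project's own direct dependency. Removing the override would leave copies pinned by other packages (the case raised earlier in this thread, and the reason package-lock.json was updated) at their old versions, so the two entries are not redundant. Keep the override; if the duplication is a concern, a short comment in the changelog entry explaining why the range appears in both sections is a better fix than deleting it.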
Ⅰ. Describe what this PR did
Update `console-fe/package.json` to bump `@babel/runtime` from `^7.26.10` to `^7.27.0`. This aligns the direct dependency with the already resolved version in `package-lock.json` and addresses the potential security risk (CVE-2025-27789).

Ⅱ. Does this pull request fix one issue?
fixes #7660
Ⅲ. Why don't you add test cases (unit test/integration test)?
Not applicable. This PR only updates a dependency version in `package.json`.

Ⅳ. Describe how to verify it

- `npm install` under `console-fe`.
- `node_modules/@babel/runtime` is installed at version `7.27.0`.
- `console-fe` successfully without errors.

Ⅴ. Special notes for reviews
None.
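The verification steps above only check the top-level copy of @babel/runtime, while the thread's concern is the copies other packages pin inside the lockfile. As an added example (not code from the PR or the project), here is a Node script that audits every copy a lockfile resolves, nested ones included, against the 7.27.0 floor; the lockfile contents and the dependency `some-ui-lib` are constructed for the demonstration.

```javascript
// Added example: find every resolved copy of @babel/runtime in a
// package-lock.json (lockfile v2/v3 "packages" map) and flag any copy
// below the version the PR adopts for CVE-2025-27789.
const MIN_FIXED = "7.27.0"; // floor taken from the PR discussion

// Parse "major.minor.patch" (ignores any pre-release/build suffix).
function parseSemver(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(v);
  if (!m) throw new Error(`unparseable version: ${v}`);
  return m.slice(1, 4).map(Number);
}

// True when version v is greater than or equal to floor.
function isAtLeast(v, floor) {
  const a = parseSemver(v), b = parseSemver(floor);
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] > b[i];
  }
  return true;
}

// Every lockfile entry whose path ends in node_modules/<name>, i.e. the
// top-level copy plus any copy nested under another dependency.
function auditLock(lock, name = "@babel/runtime", floor = MIN_FIXED) {
  const suffix = `node_modules/${name}`;
  return Object.entries(lock.packages || {})
    .filter(([p]) => p === suffix || p.endsWith(`/${suffix}`))
    .map(([p, meta]) => ({ path: p, version: meta.version, ok: isAtLeast(meta.version, floor) }));
}

// Constructed sample lockfile: the top-level copy is patched, but a nested
// copy pinned by a hypothetical dependency "some-ui-lib" is still old.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "console-fe", dependencies: { "@babel/runtime": "^7.27.0" } },
    "node_modules/@babel/runtime": { version: "7.27.0" },
    "node_modules/some-ui-lib": { version: "1.0.0", dependencies: { "@babel/runtime": "7.26.10" } },
    "node_modules/some-ui-lib/node_modules/@babel/runtime": { version: "7.26.10" },
  },
};

// Copies that still need an override or an upstream bump.
function vulnerableCopies(lock = SAMPLE_LOCK) {
  return auditLock(lock).filter((r) => !r.ok);
}

for (const r of auditLock(SAMPLE_LOCK)) {
  console.log(`${r.ok ? "OK  " : "LOW "} ${r.path} ${r.version}`);
}
```

Run it against the real lockfile by replacing `SAMPLE_LOCK` with `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))`; an npm `overrides` entry is what moves the nested copies the script reports.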