Bump the npm_and_yarn group across 2 directories with 6 updates #2

Open
dependabot[bot] wants to merge 1 commit into canary from dependabot/npm_and_yarn/npm_and_yarn-d2952ab2c7

@dependabot dependabot Bot commented on behalf of github Jul 2, 2026

Bumps the npm_and_yarn group with 3 updates in the / directory: @babel/core, shell-quote and tar.
Bumps the npm_and_yarn group with 2 updates in the /turbopack/crates/turbopack-tracing/tests/node-file-trace directory: axios and vm2.

Updates @babel/core from 7.26.10 to 7.29.6

Release notes

Sourced from @​babel/core's releases.

v7.29.6 (2026-05-25)

🐛 Bug Fix

Committers: 3

v7.29.5 (2026-05-05)

🏠 Internal

  • babel-preset-env
    • Update @babel/* dependencies

v7.29.4 (2026-05-05)

🐛 Bug Fix

  • babel-plugin-transform-modules-systemjs
    • #17974 [7.x backport]fix(systemjs): improve module string name support (@​JLHwung)

Committers: 1

v7.29.3 (2026-04-30)

👓 Spec Compliance

🐛 Bug Fix

  • babel-helper-create-class-features-plugin, babel-plugin-proposal-decorators
    • #17931 fix(decorators): replace super within all removed static elements (@​JLHwung)
  • babel-register
  • babel-compat-data, babel-plugin-bugfix-safari-rest-destructuring-rhs-array, babel-preset-env

💅 Polish

📝 Documentation

... (truncated)

Commits
Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​babel/core since your current version.


Updates shell-quote from 1.7.3 to 1.8.4

Changelog

Sourced from shell-quote's changelog.

v1.8.4 - 2026-05-22

Commits

  • [Fix] quote: validate object-token shapes 4378a6e
  • [Dev Deps] update @ljharb/eslint-config, auto-changelog, eslint, npmignore 22ebec0
  • [Tests] increase coverage 9f3caa3
  • [readme] replace runkit CI badge with shields.io check-runs badge 3344a04
  • [Dev Deps] update @ljharb/eslint-config 699c511

v1.8.3 - 2025-06-01

Fixed

v1.8.2 - 2024-11-27

Fixed

Commits

  • [meta] fix changelog tags 0fb9fd8
  • [actions] split out node 10-20, and 20+ 819bd84
  • [Dev Deps] update @ljharb/eslint-config, auto-changelog, npmignore, tape fc56408
  • [actions] update npm for windows tests fdeb0fd
  • [Dev Deps] update @ljharb/eslint-config, aud, tape b8a4a3b
  • [actions] prevent node 14 on ARM mac from failing 9eecafc
  • [meta] exclude more files from the package 4044e7f
  • [Tests] replace aud with npm audit 8cfdbd8
  • [meta] add missing engines.node 843820e
  • [Dev Deps] add missing peer dep 4c3b88d
  • [Dev Deps] pin jackspeak since 2.1.2+ depends on npm aliases, which kill the install process in npm < 6 80322ed

v1.8.1 - 2023-04-07

Fixed

Commits

  • [Refactor] parse: hoist getVar to module level b42ac73
  • [Refactor] hoist some vars to module level 8f0c5c3
  • [Refactor] parse: use slice over substr, cache some values fcb2e1a
  • [Refactor] parse: a bit of cleanup 6780ec5
  • [Refactor] parse: tweak the regex to not match nothing 227d474

... (truncated)

Commits
  • ff166e2 v1.8.4
  • 4378a6e [Fix] quote: validate object-token shapes
  • 22ebec0 [Dev Deps] update @ljharb/eslint-config, auto-changelog, eslint, `npmig...
  • 9f3caa3 [Tests] increase coverage
  • 3344a04 [readme] replace runkit CI badge with shields.io check-runs badge
  • 699c511 [Dev Deps] update @ljharb/eslint-config
  • 487a9b4 v1.8.3
  • 01faaff [Fix] remove unnecessary backslash escaping in single quotes
  • b19fc77 v1.8.2
  • 59d29ea [Fix] quote: preserve empty strings
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by ljharb, a new releaser for shell-quote since your current version.

Install script changes

This version adds prepublish script that runs during installation. Review the package contents before updating.


Updates tar from 7.5.7 to 7.5.16

Commits
  • cf21338 7.5.16
  • 21a8220 do not apply PAX header fields to meta entries
  • 52632cf update project deps
  • 302f51f fix inconsequential typo in PENDINGLINKS symbol name
  • 55dbb99 remove some uses of mutate-fs
  • 87cc309 7.5.15
  • 7aef486 fix: regression in pending links detection
  • 6244eb3 7.5.14
  • 9704d8c stricter protection against hardlinks preempting their targets
  • 700734f update workflows and deps
  • Additional commits viewable in compare view
Maintainer changes

This version was pushed to npm by isaacs, a new releaser for tar since your current version.

Install script changes

This version adds prepare script that runs during installation. Review the package contents before updating.


Updates axios from 1.13.6 to 1.16.0

Release notes

Sourced from axios's releases.

v1.16.0 — May 2, 2026

This release adds support for the QUERY HTTP method and a new ECONNREFUSED error constant, lands a substantial wave of HTTP, fetch, and XHR adapter bug fixes around redirects, aborts, headers, and timeouts, and welcomes 23 new contributors.

⚠️ Notable Changes

A handful of fixes in this release are either security-adjacent or change observable behaviour. Please review before upgrading:

  • Fetch adapter now enforces maxBodyLength and maxContentLength. These limits were silently ignored on the fetch adapter prior to 1.16.0 — anyone relying on them as a safety net (DoS protection, accidental large uploads) had no protection. (#10795)
  • Proxy requests now preserve user-supplied Host headers. Previously, the proxy path could overwrite a custom Host. Virtual-host-style routing through a proxy will now behave correctly. (#10822)
  • Basic auth credentials embedded in URLs are now URL-decoded. If you have percent-encoded credentials in a URL (e.g. https://user:p%40ss@host), the decoded value is what now goes on the wire. (#10825)
  • parseProtocol now strictly requires a colon in the protocol separator. Strings that loosely parsed as protocols before may no longer match. (#10729)
  • Deprecated unescape() replaced with modern UTF-8 encoding. Non-ASCII URL handling is now spec-correct; consumers depending on legacy unescape() quirks may see different output bytes. (#7378)
  • transformRequest input typing change was reverted. The typing change introduced in #10745 was reverted in #10810 after follow-up review — net behavior is unchanged from 1.15.2. (#10745, #10810)

🚀 New Features

  • QUERY HTTP Method: Added support for the QUERY HTTP method across adapters and type definitions. (#10802)
  • ECONNREFUSED Error Constant: Exposed ECONNREFUSED as a constant on AxiosError so callers can match connection-refused failures without comparing string literals (closes #6485). (#10680)
  • Encode Helper Export: Exported the internal encode helper from buildURL so userland param serializers can reuse the same encoding logic that axios uses internally. (#6897)

🐛 Bug Fixes

  • HTTP Adapter — Redirects & Headers: Cleared stale headers when a redirect targets a no-proxy host, fixed the redirect listener chain so listeners no longer stack across hops, restored the missing requestDetails argument on beforeRedirect, preserved user-supplied Host headers when forwarding through a proxy, and properly URL-decoded basic auth credentials. (#10794, #10800, #6241, #10822, #10825)
  • HTTP Adapter — Streams & Timeouts: Preserved the partial response object on AxiosError when a stream is aborted after headers arrive, honoured the timeout option during the connect phase when redirects are disabled, and resolved an unsettled-promise hang when an aborted request was combined with compression and maxRedirects: 0. (#10708, #10819, #7149)
  • Fetch Adapter: Enforced maxBodyLength / maxContentLength in the fetch adapter, set the User-Agent header to match the HTTP adapter, preserved the original abort reason instead of replacing it with a generic error, and deferred global access so importing the module no longer throws a TypeError in restricted environments. (#10795, #10772, #10806, #7260)
  • XHR Adapter: Unsubscribed the cancelToken and AbortSignal listeners on the error, timeout, and abort code paths to prevent leaked subscriptions. (#10787)
  • Error Handling: Attached the parsed response to AxiosError when JSON.parse fails inside dispatchRequest, prevented settle from emitting undefined error codes, and tightened the parseProtocol regex to require a colon in the protocol separator. (#10724, #7276, #10729)
  • Types & Exports: Aligned the CommonJS CancelToken typings with the ESM build, fixed a compiler error caused by RawAxiosHeaders, and re-exported create from the package index. (#7414, #6389, #6460)
  • UTF-8 Encoding: Replaced the deprecated unescape() call with a modern UTF-8 encoding implementation. (#7378)
  • Misc Cleanup: Resolved a batch of small inconsistencies and gadget-level issues across the codebase. (#10833)

🔧 Maintenance & Chores

  • Refactor — ES6 Modernisation: Modernised the utils module and XHR adapter to use ES6 features, and tidied the multipart boundary error message. (#10588, #7419)
  • Tests: Hardened the HTTP test server lifecycle to fix flaky FormData EPIPE failures, fixed Win32 platform support for the pipe tests, and corrected an incorrect test assumption. (#10820, #10791, #10796)
  • Docs: Documented paramsSerializer.encode for strict RFC 3986 query encoding, updated the parseReviver TypeScript definitions and configuration docs for ES2023, added timeout guidance to the README's first async example, and expanded notes around the recent type changes. (#10821, #10782, #10759, #10804)
  • Reverted: Reverted the transformRequest input typing change from #10745 after follow-up review. (#10745, #10810)
  • Dependencies: Bumped actions/setup-node, the github-actions group, and postcss (in /docs) to their latest versions. (#10785, #10813, #10814)
  • Release: Updated changelog and packages, and prepared the 1.16.0 release. (#10790, #10834)

🌟 New Contributors

We are thrilled to welcome our new contributors. Thank you for helping improve axios:

... (truncated)

Commits
  • df53d7d chore(release): prepare release 1.16.0 (#10834)
  • 9d92bcd fix: gadgets and smaller issues (#10833)
  • 5107ee6 fix: prevent undefined error codes in settle (#7276)
  • e573499 fix(fetch): defer global access in fetch adapter (#7260)
  • ad68e1a fix(http): honor timeout during connect without redirects (#10819)
  • 2a51828 fix(http): decode URL basic auth credentials (#10825)
  • 0e8b6bb fix(http): preserve user-supplied Host header when forwarding through a proxy...
  • 79f39e1 docs: document paramsSerializer.encode for strict RFC 3986 query encoding (#1...
  • 0fe3a5f [Docs/Types] Update parseReviver TypeScript definitions for ES2023 and add ...
  • cd6737f chore: matches the sibling responseStream.on(aborted) handler and added tests...
  • Additional commits viewable in compare view
Install script changes

This version modifies prepare script that runs during installation. Review the package contents before updating.


Updates follow-redirects from 1.15.11 to 1.16.0

Commits
  • 0c23a22 Release version 1.16.0 of the npm package.
  • 844c4d3 Add sensitiveHeaders option.
  • 5e8b8d0 ci: add Node.js 24.x to the CI matrix
  • 7953e22 ci: upgrade GitHub Actions to use setup-node@v6 and checkout@v6
  • 86dc1f8 Sanitizing input.
  • See full diff in compare view

Updates vm2 from 3.10.5 to 3.11.4

Release notes

Sourced from vm2's releases.

v3.11.4

Ten advisories closed. Patch release — no API changes for valid configurations.

What's Changed

Security fixes

  • GHSA-c4cf-2hgv-2qv6 — Bridge set trap ignoring ECMA-262 §9.5.9 Receiver, letting Object.create(hostObj) children and Reflect.set(hostObj, k, v, custom) writes leak onto the host object (write-channel → RCE).
  • GHSA-m5q2-4fm3-vfqp — Cross-realm Symbol.for namespace leak + missing dangerous-symbol guards on the bridge's write traps (set / defineProperty / deleteProperty), enabling sandbox-installed nodejs.util.promisify.custom / stream brand / webstream hooks on host objects (RCE).
  • GHSA-v6mx-mf47-r5wg — Host prototype mutation via Function.prototype.{call,apply,bind} and Reflect.{apply,construct} indirection through Object.prototype.__proto__ setter, severing host intrinsic prototype chains and escaping via thisEnsureThis proto-walk fallthrough (RCE).
  • GHSA-q3fm-4wcw-g57x — Defense Invariant #11 violation in defaultSandboxPrepareStackTrace (second variant of GHSA-9qj6-qjgg-37qq in a different file): sandbox-installed Array.prototype[N] setter / Array.prototype.join override could observe bridge-internal stack-trace state.
  • GHSA-76w7-j9cq-rx2j — Promise species hijack in localPromise's swallow-tail, hijacking the downstream child constructor to capture V8's internal (resolve, reject) capability and reach a raw host-realm error → host Function (RCE).
  • GHSA-m4wx-m65x-ghrr — NodeVM constructor patch bypass of GHSA-8hg8-63c5-gwmx: any truthy nesting paired with a non-real-config require produced a NESTING_OVERRIDE-only resolver → inner NodeVM with attacker-chosen require → child_process RCE.
  • GHSA-6j2x-vhqr-qr7q — WebAssembly JSPI (WebAssembly.promising / WebAssembly.Suspending, Node 24+ behind a flag, Node 26+ default) producing Promise objects with a host-realm [[Prototype]] chain and no bridge interposition; species hijack delivers a raw host-realm rejection to sandbox .catch → host Function (RCE).
  • GHSA-rp36-8xq3-r6c4 — NodeVM builtin denylist bypass via process (whose getBuiltinModule(name) reloads any core module regardless of allow/deny config) and inspector/promises (whose Session().post('Runtime.evaluate', ...) evaluates attacker JS in the host realm). Supersedes GHSA-947f-4v7f-x2v8.
  • GHSA-r9pm-gxmw-wv6p — NodeVM builtin: ['*'] wildcard exposing Node's undocumented underscored network builtins (_http_client, _http_server, _tls_*, _stream_*) even when the documented -http/-https/-net/-tls exclusions were used — SSRF-class capability bypass (CVSS 8.6).
  • GHSA-9g8x-92q2-p28f — NodeVM builtin allowlist surfacing four process-wide observability builtins (diagnostics_channel, async_hooks, perf_hooks, v8) that read state of the entire host process rather than sandbox-local state — HTTP header / async-context / perf-mark / heap-snapshot exfiltration.

Documentation

  • docs/ATTACKS.md extended through Category 35, plus two new Defense Invariants: #12 ("No sandbox-visible object has a host-realm prototype chain without bridge interposition") and #13 ("The NodeVM builtin allowlist is a closed system").

Upgrade Notes

  • If you constructed NodeVM({ nesting: <truthy> }) without an explicit require config object, new NodeVM(...) now throws (GHSA-m4wx-m65x-ghrr). This covers every shape that previously silently produced a vm2-only resolver: omitting require, or setting it to any falsy value (false/undefined/null/0/'') or any truthy non-object value (true/number/string/symbol/function); and also any truthy nesting value, not only nesting: true. Either drop nesting, or pass an explicit require config object (e.g. require: { builtin: [] }) to acknowledge that vm2 will be requireable from inside the sandbox. The error message is actionable and links to the README hardening section.
  • No other valid configurations are affected. Embedders who explicitly listed any of process / inspector / worker_threads / cluster / vm / repl / module / trace_events / wasi / diagnostics_channel / async_hooks / perf_hooks / v8 in builtin were already running an unsandboxed sandbox; those names now throw at load time and can be re-introduced as safe wrappers via mock / override / SPECIAL_MODULES.

Full Changelog: patriksimek/vm2@v3.11.3...v3.11.4

v3.11.3

What's Changed

Security fix

Documentation

Full Changelog: patriksimek/vm2@v3.11.2...v3.11.3

v3.11.2

What's Changed

Security fixes

  • GHSA-9vg3-4rfj-wgcm — Sandbox-realm null-proto write-through via bridge.from() set trap (RCE)
  • GHSA-2cm2-m3w5-gp2f — Internal state reachable via computed-key access on globalThis
  • GHSA-9qj6-qjgg-37qq — Bridge saved-state leak via sandbox-installed Array.prototype[N] setter (RCE)

... (truncated)

Changelog

Sourced from vm2's changelog.

[3.11.4]

Ten advisories closed. Patch release — no API changes for valid configurations.

Security fixes

  • GHSA-c4cf-2hgv-2qv6 — bridge escape via BaseHandler.set ignoring the ECMA-262 §9.5.9 Receiver argument; Object.create(hostProxy).x = v and Reflect.set(hostProxy, k, v, sandboxObj) wrote through to the host object instead of installing on the receiver, turning every embedder-exposed host object into a sandbox write channel. Receiver-gated install-on-receiver fix in lib/bridge.js mirroring ReadOnlyHandler.set. See ATTACKS.md Category 32 and test/ghsa/GHSA-c4cf-2hgv-2qv6/.
  • GHSA-m5q2-4fm3-vfqp — sandbox escape via unblocked cross-realm Symbol.for keys plus missing dangerous-symbol guards on the bridge's write traps. Two-layer structural fix: lib/setup-sandbox.js denies the entire nodejs. namespace at Symbol.for and aligns the read-side filters with the full 9-symbol cache, and lib/bridge.js extends isDangerousCrossRealmSymbol and applies it to the set/defineProperty/deleteProperty traps. See ATTACKS.md Category 8 / Category 20 (both extended) and test/ghsa/GHSA-m5q2-4fm3-vfqp/.
  • GHSA-v6mx-mf47-r5wg — host prototype mutation via apply-trap indirection. Sandbox code could reach host prototype-mutating setters (Object.prototype.__proto__, setPrototypeOf, defineProperty, __defineSetter__/__defineGetter__) through Function.prototype.{call,apply,bind} and Reflect.{apply,construct} indirection, sever a host intrinsic's prototype chain, and escape via the bridge's thisEnsureThis proto-walk fallthrough. Two-layer structural fix in lib/bridge.js (apply-trap blocklist + cache check before proto-walk). See ATTACKS.md Category 30 and test/ghsa/GHSA-v6mx-mf47-r5wg/.
  • GHSA-q3fm-4wcw-g57x — Defense Invariant #11 hardening for defaultSandboxPrepareStackTrace (second variant of GHSA-9qj6-qjgg-37qq in a different file). The sandbox stack-trace formatter accumulated frames in a sandbox-realm array and .join-ed them, so a sandbox-installed setter on Array.prototype[N] (or .join override) observed bridge-internal state — no host reference reachable today, but one enrichment away from regressing into the GHSA-9qj6 RCE shape. Fixed in lib/setup-sandbox.js by folding frames through a primitive string accumulator (no Array.prototype slot reachable) and converting makeCallSiteGetters to localReflectDefineProperty for symmetry. See ATTACKS.md Category 28 Variant B and test/ghsa/GHSA-q3fm-4wcw-g57x/.
  • GHSA-76w7-j9cq-rx2j — Promise species hijack in the localPromise swallow tail. The swallow-tail apply(globalPromisePrototypeThen, this, [...]) call inside localPromise's constructor invoked the cached host Promise.prototype.then without first calling resetPromiseSpecies(this), so a sandbox subclass overriding [Symbol.species] could redirect the downstream child constructor to a user function and capture V8's internal (resolve, reject) capability — delivering a raw host-realm error (RangeError from deep recursion + e.stack) to a sandbox collector and reaching the host Function constructor via .constructor.constructor. One-line fix in lib/setup-sandbox.js adds the missing resetPromiseSpecies(this) before the swallow-tail call, matching the pattern already used by the .then/.catch/Reflect.apply overrides. See ATTACKS.md Category 31 and test/ghsa/GHSA-76w7-j9cq-rx2j/.
  • GHSA-m4wx-m65x-ghrr — NodeVM constructor patch bypass of GHSA-8hg8-63c5-gwmx: a truthy nesting paired with anything other than a real require config object produced a NESTING_OVERRIDE-only resolver → inner NodeVM with attacker-chosen require → child_process RCE. Structural fix in lib/nodevm.js: destructure first, then reject at construction whenever nesting is truthy and requireOpts is not a non-null object or Resolver. Supersedes GHSA-8hg8-63c5-gwmx. See ATTACKS.md Category 25 and test/ghsa/GHSA-m4wx-m65x-ghrr/.
  • GHSA-6j2x-vhqr-qr7q — sandbox escape via WebAssembly JSPI (Node 24 behind --experimental-wasm-jspi, Node 26+ default). WebAssembly.promising returns Promise objects whose [[Prototype]] chain points directly at the host realm's Promise.prototype with no bridge proxy in between, so p.finally() reaches host Promise.prototype.finally, V8's SpeciesConstructor reads an attacker-controlled p.constructor getter, and the eventual host-realm rejection is dispatched through the attacker's class with no bridge wrapping — e.constructor.constructor('return process')() then evaluates in the host realm. Structural fix in lib/setup-sandbox.js: delete WebAssembly.promising and WebAssembly.Suspending at sandbox bootstrap, mirroring the existing WebAssembly.JSTag removal. Adds Defense Invariant #12 (no sandbox-visible object may have a host-realm prototype chain without bridge interposition). See ATTACKS.md Category 33 and test/ghsa/GHSA-6j2x-vhqr-qr7q/.
  • GHSA-rp36-8xq3-r6c4 — NodeVM builtin denylist bypass via process and inspector/promises. The exact-match denylist in lib/builtin.js missed two host-passthrough families: process (whose getBuiltinModule(name) reloads any core module regardless of the embedder's allow/deny configuration) and inspector/promises (whose Session().post('Runtime.evaluate', ...) evaluates attacker JS in the host realm). Structural fix promotes the check to family-prefix via isDangerousBuiltin(key), strips the node: URL prefix, and adds process to the dangerous set — enforced at both BUILTIN_MODULES source and addDefaultBuiltin. Supersedes GHSA-947f-4v7f-x2v8. Adds Defense Invariant #13. See ATTACKS.md Category 21 (extended) and test/ghsa/GHSA-rp36-8xq3-r6c4/.
  • GHSA-r9pm-gxmw-wv6p — NodeVM builtin: ['*'] wildcard exposed Node's undocumented underscored network builtins (_http_client, _http_server, the _http_* / _tls_* / _stream_* siblings), letting sandbox code make outbound HTTP requests and open listening sockets even when the documented -http/-https/-net/-tls exclusions were used — SSRF-class capability bypass (CVSS 8.6). Structural fix in lib/builtin.js: BUILTIN_MODULES filter now excludes any name starting with _, so '*' expands only to documented public builtins; explicit opt-in, mock, and override paths remain functional. See ATTACKS.md Category 34 and test/ghsa/GHSA-r9pm-gxmw-wv6p/.
  • GHSA-9g8x-92q2-p28f — NodeVM builtin allowlist surfaced four process-wide observability builtins (diagnostics_channel, async_hooks, perf_hooks, v8) that read state from the entire host process rather than the sandbox: HTTP IncomingMessage headers (incl. auth tokens) via diagnostics_channel.subscribe, embedder AsyncLocalStorage context via async_hooks.executionAsyncResource, embedder performance.mark labels via perf_hooks, and the full V8 heap via v8.getHeapSnapshot / v8.queryObjects. Fix in lib/builtin.js: extends DANGEROUS_BUILTINS with the four names, reusing the existing two-layer enforcement (BUILTIN_MODULES filter + addDefaultBuiltin rejection, family-prefix and node:-normalised via isDangerousBuiltin). mock/override escape hatches preserved. See ATTACKS.md Category 35 and test/ghsa/GHSA-9g8x-92q2-p28f/.

Upgrade notes

  • If you constructed NodeVM({ nesting: <truthy> }) without an explicit require config object, new NodeVM(...) now throws (GHSA-m4wx-m65x-ghrr). This covers every shape that previously silently produced a vm2-only resolver: omitting require entirely, or setting it to any falsy value (false/undefined/null/0/'') or any truthy non-object value (true/number/string/symbol/function); and also any truthy nesting value, not only nesting: true (1/'yes'/{}/[]/function). Either drop nesting, or pass an explicit require config object (e.g. require: { builtin: [] }) to acknowledge that vm2 will be requireable from inside the sandbox. The error message is actionable and links to the README hardening section.

[3.11.3]

Patch release — no API changes.

Security fix

  • GHSA-248r-7h7q-cr24 — async generator yield*-return thenable exception capture. Calling i.return(thenable) on an async generator delegating to a no-return inner iterator let V8's PromiseResolveThenableJob capture synchronous throws from the thenable's .then and surface them to sandbox code as iterator results — bypassing both the transformer's catch instrumentation and the globalPromise.prototype.then rejection sanitiser. Two-layer defense on %AsyncGeneratorPrototype%.next/.return/.throw in lib/setup-sandbox.js: every iterator-result promise routes value and rejection through handleException, and every thenable argument is replaced with a sandbox-realm wrapper whose .then is a fixed safeThen that sanitises sync throws and recursively re-wraps any nested thenable handed to resolve(...). When safeThen reads value.then and it is non-function, the wrapper always resolves with a {__proto__: null} shadow so V8's re-read of .then cannot observe attacker-controlled values — closing every counting/self-replacing-getter TOCTOU variant. Trade-off: identity is not preserved for non-thenable values passed to i.return(x). ATTACKS.md Category 29.

[3.11.2]

Three advisories closed. Patch release — no API changes.

Security fixes

  • GHSA-2cm2-m3w5-gp2f — Internal state reachable via computed property access on globalThis. The previous fix (GHSA-wp5r-2gw5-m7q7) tightened the transformer's identifier-rejection but left globalThis['VM2_INTERNAL_STATE_DO_NOT_USE_OR_PROGRAM_WILL_FAIL'] and every reflective probe of the global object (bracket access, Reflect.get, Object.getOwnPropertyDescriptor, Object.getOwnPropertyNames enumeration) returning the live state object — the transformer is a syntactic gate and cannot see through dynamic property keys. Structural fix: the bootstrap script (vm.js's setupSandboxScript source) now declares let VM2_INTERNAL_STATE_DO_NOT_USE_OR_PROGRAM_WILL_FAIL at the script's top level, which lands the binding in the context's [[GlobalLexicalEnvironment]] — reachable a...

    Description has been truncated

Bumps the npm_and_yarn group with 3 updates in the / directory: [@babel/core](https://github.com/babel/babel/tree/HEAD/packages/babel-core), [shell-quote](https://github.com/ljharb/shell-quote) and [tar](https://github.com/isaacs/node-tar).
Bumps the npm_and_yarn group with 2 updates in the /turbopack/crates/turbopack-tracing/tests/node-file-trace directory: [axios](https://github.com/axios/axios) and [vm2](https://github.com/patriksimek/vm2).


Updates `@babel/core` from 7.26.10 to 7.29.6
- [Release notes](https://github.com/babel/babel/releases)
- [Changelog](https://github.com/babel/babel/blob/main/CHANGELOG.md)
- [Commits](https://github.com/babel/babel/commits/v7.29.6/packages/babel-core)

Updates `shell-quote` from 1.7.3 to 1.8.4
- [Changelog](https://github.com/ljharb/shell-quote/blob/main/CHANGELOG.md)
- [Commits](ljharb/shell-quote@v1.7.3...v1.8.4)

Updates `tar` from 7.5.7 to 7.5.16
- [Release notes](https://github.com/isaacs/node-tar/releases)
- [Changelog](https://github.com/isaacs/node-tar/blob/main/CHANGELOG.md)
- [Commits](isaacs/node-tar@v7.5.7...v7.5.16)

Updates `axios` from 1.13.6 to 1.16.0
- [Release notes](https://github.com/axios/axios/releases)
- [Changelog](https://github.com/axios/axios/blob/v1.x/CHANGELOG.md)
- [Commits](axios/axios@v1.13.6...v1.16.0)

Updates `follow-redirects` from 1.15.11 to 1.16.0
- [Release notes](https://github.com/follow-redirects/follow-redirects/releases)
- [Commits](follow-redirects/follow-redirects@v1.15.11...v1.16.0)

Updates `vm2` from 3.10.5 to 3.11.4
- [Release notes](https://github.com/patriksimek/vm2/releases)
- [Changelog](https://github.com/patriksimek/vm2/blob/main/CHANGELOG.md)
- [Commits](patriksimek/vm2@v3.10.5...v3.11.4)

---
updated-dependencies:
- dependency-name: "@babel/core"
  dependency-version: 7.29.6
  dependency-type: direct:development
  dependency-group: npm_and_yarn
- dependency-name: shell-quote
  dependency-version: 1.8.4
  dependency-type: direct:development
  dependency-group: npm_and_yarn
- dependency-name: tar
  dependency-version: 7.5.16
  dependency-type: direct:development
  dependency-group: npm_and_yarn
- dependency-name: axios
  dependency-version: 1.16.0
  dependency-type: direct:development
  dependency-group: npm_and_yarn
- dependency-name: follow-redirects
  dependency-version: 1.16.0
  dependency-type: indirect
  dependency-group: npm_and_yarn
- dependency-name: vm2
  dependency-version: 3.11.4
  dependency-type: direct:development
  dependency-group: npm_and_yarn
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added the dependencies (Pull requests that update a dependency file) and javascript (Pull requests that update javascript code) labels Jul 2, 2026
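
The vm2 3.11.4 upgrade notes quoted in this pull request name two NodeVM configuration shapes that now throw (truthy `nesting` without a `require` config object, and host-passthrough builtins listed in `builtin`) and change what `'*'` expands to. The following is an added example, not part of the pull request or of vm2's code: a pre-upgrade audit of NodeVM option objects. `auditNodeVMOptions`, the finding format and the sample configs are hypothetical; accepting any non-null object as a `require` config and reading "family-prefix" as "name or name/subpath" are assumptions.

```javascript
// Added example: audits NodeVM option objects against the vm2 3.11.4 upgrade
// notes quoted in this pull request. It never loads vm2 itself.

// Builtin names the notes say now throw at load time when listed in `builtin`,
// mapped to the advisory this page associates with them (null = none named).
const DANGEROUS_BUILTINS = {
  process: 'GHSA-rp36-8xq3-r6c4',
  inspector: 'GHSA-rp36-8xq3-r6c4',
  diagnostics_channel: 'GHSA-9g8x-92q2-p28f',
  async_hooks: 'GHSA-9g8x-92q2-p28f',
  perf_hooks: 'GHSA-9g8x-92q2-p28f',
  v8: 'GHSA-9g8x-92q2-p28f',
  worker_threads: null, cluster: null, vm: null, repl: null,
  module: null, trace_events: null, wasi: null,
};

// Assumption: "family-prefix" matching means the name itself or any
// "name/..." subpath, after stripping a leading "node:" scheme.
function dangerousFamily(name) {
  const bare = name.startsWith('node:') ? name.slice('node:'.length) : name;
  return Object.keys(DANGEROUS_BUILTINS)
    .find((d) => bare === d || bare.startsWith(d + '/')) || null;
}

function auditNodeVMOptions(options) {
  const findings = [];
  const { nesting, require: requireOpts } = options || {};

  // Truthy nesting now needs an explicit require config object.
  // Assumption: any non-null object counts (a Resolver instance is one too).
  const hasRequireObject = typeof requireOpts === 'object' && requireOpts !== null;
  if (nesting && !hasRequireObject) {
    findings.push({
      level: 'error',
      advisory: 'GHSA-m4wx-m65x-ghrr',
      message: 'truthy nesting without a require config object: new NodeVM(...) now throws',
    });
  }

  const builtin = hasRequireObject && Array.isArray(requireOpts.builtin)
    ? requireOpts.builtin : [];
  for (const entry of builtin) {
    // "-name" entries are exclusions, not grants, so they are skipped.
    if (typeof entry !== 'string' || entry.startsWith('-')) continue;
    const family = dangerousFamily(entry);
    if (family) {
      findings.push({
        level: 'error',
        advisory: DANGEROUS_BUILTINS[family],
        message: `builtin "${entry}" is host passthrough (${family}): now throws at load time`,
      });
    } else if (entry.startsWith('_')) {
      findings.push({
        level: 'warn',
        advisory: 'GHSA-r9pm-gxmw-wv6p',
        message: `builtin "${entry}" is an explicit opt-in to an undocumented underscored builtin`,
      });
    } else if (entry === '*') {
      findings.push({
        level: 'info',
        advisory: 'GHSA-r9pm-gxmw-wv6p',
        message: 'wildcard no longer expands to underscored builtins',
      });
    }
  }
  return findings;
}

// Constructed sample configurations (not taken from any real project).
const SAMPLE_CONFIGS = {
  nestingOnly: { nesting: true },
  nestingAcknowledged: { nesting: true, require: { builtin: [] } },
  wildcardPlusExtras: {
    require: { builtin: ['*', '-http', 'node:inspector/promises', '_http_client', 'fs'] },
  },
};

for (const [name, cfg] of Object.entries(SAMPLE_CONFIGS)) {
  for (const f of auditNodeVMOptions(cfg)) {
    console.log(`${name}: [${f.level}] ${f.advisory || 'n/a'} ${f.message}`);
  }
}
```

An `error` finding marks a configuration the notes say will throw after the upgrade; `warn` and `info` mark capability grants to re-review rather than breakage.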