Is this action affected by the CVE-2023-45133 vulnerability #402

Open
yiming-wang-trend opened this issue Dec 27, 2023 · 0 comments
@yiming-wang-trend

CVE-2023-45133
Babel is a compiler for writing JavaScript. In @babel/traverse prior to versions 7.23.2 and 8.0.0-alpha.4 and all versions of babel-traverse, using Babel to compile code that was specifically crafted by an attacker can lead to arbitrary code execution during compilation, when using plugins that rely on the path.evaluate() or path.evaluateTruthy() internal Babel methods.

We grepped the entire repo to see if there is any code that uses @babel/traverse, and found that only package-lock.json contains the dependency; there is no use of it in the ./src code.
(screenshot attached: MicrosoftTeams-image (2))

Could anyone confirm whether the presence of babel/traverse would still expose our project to this vulnerability? If so, what steps would be recommended to mitigate this risk?
