Skip to content

fix(ci): patch @babel/core advisory, bump deploy action to v0.11.0#211

Merged
ryzizub merged 2 commits into
2026from
claude/determined-haslett-6c6322
Jun 30, 2026
Merged

fix(ci): patch @babel/core advisory, bump deploy action to v0.11.0#211
ryzizub merged 2 commits into
2026from
claude/determined-haslett-6c6322

Conversation

@ryzizub

@ryzizub ryzizub commented Jun 30, 2026

Copy link
Copy Markdown
Member

Summary

Two CI fixes:

  • Pin @babel/core to ^7.29.6 via npm overrides to clear advisory GHSA-4x5r-pxfx-6jf8.
  • Bump FirebaseExtended/action-hosting-deploy @v0@v0.11.0 in both hosting workflows.

Why

  • @babel/core: the Dependabot security-update job fails with security_update_not_possible. @babel/core is only a transitive dep (@astrojs/react@vitejs/plugin-react), and the only patch path Dependabot finds would downgrade @astrojs/react 5.0.3 → 2.3.2. An overrides entry forces the safe version directly, which the @vitejs/plugin-react ^7.29.0 peer range accepts.
  • Deploy action: @v0 is the 2020 alpha tag, frozen on a deprecated GitHub Actions Node runtime that GitHub is sunsetting. v0.11.0 moves to the node24 runtime and pulls in the latest firebase-tools plus ~6 years of fixes. May also clear the FAILED_PRECONDITION "supplied version … is the current active version" preview-deploy error (newer firebase-tools), though that's a server-side condition for byte-identical builds and isn't guaranteed.

Behavior

  • npm audit: babel advisory cleared (@babel/core resolves to 7.29.7).
  • @astrojs/react 5.0.3 / astro 6.1.10 / react 19.2.5 / firebase 12.12.0 unchanged — lockfile churn limited to the @babel/* subtree.
  • npm run build passes (11 pages).
  • Both the PR-preview deploy and the live merge deploy use the new action.

Files

  • package.json — add overrides.@babel/core
  • package-lock.json — re-resolved @babel/* subtree
  • .github/workflows/firebase-hosting-pull-request.yml · .github/workflows/firebase-hosting-merge.yml — action @v0@v0.11.0

ryzizub and others added 2 commits June 30, 2026 23:57
Dependabot's security update for @babel/core (GHSA-4x5r-pxfx-6jf8 —
arbitrary file read via sourceMappingURL comment, affects <=7.29.0) fails
with security_update_not_possible: @babel/core is only a transitive dep
(@astrojs/react -> @vitejs/plugin-react), and the patch path Dependabot
finds would downgrade @astrojs/react 5.0.3 -> 2.3.2.

Add an npm overrides entry forcing @babel/core to ^7.29.6 (resolves to
7.29.7), which satisfies the @vitejs/plugin-react ^7.29.0 peer range and
clears the advisory without changing @astrojs/react, astro, react, or
firebase. Build verified.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
The `@v0` tag is the 2020 alpha release, pinned to a deprecated GitHub
Actions Node runtime that GitHub is sunsetting. v0.11.0 moves the action
to the node24 runtime (FirebaseExtended/action-hosting-deploy#450) and
pulls in ~6 years of accumulated fixes plus the latest firebase-tools by
default. Applied to both the PR preview deploy and the live merge deploy.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@ryzizub ryzizub changed the title fix(deps): pin @babel/core to clear sourceMappingURL advisory fix(ci): clear @babel/core advisory + bump action-hosting-deploy to v0.11.0 Jun 30, 2026
@github-actions

Copy link
Copy Markdown

Visit the preview URL for this PR (updated for commit 7e10a24):

https://devfest-public--pr211-claude-determined-ha-haadklim.web.app

(expires Fri, 03 Jul 2026 22:01:08 GMT)

🔥 via Firebase Hosting GitHub Action 🌎

Sign: 012b97aa22a34482dd432649ee74495ebf4fb2e2

@ryzizub ryzizub changed the title fix(ci): clear @babel/core advisory + bump action-hosting-deploy to v0.11.0 fix(ci): patch @babel/core advisory, bump deploy action to v0.11.0 Jun 30, 2026
@ryzizub ryzizub merged commit f346c93 into 2026 Jun 30, 2026
3 checks passed
@ryzizub ryzizub deleted the claude/determined-haslett-6c6322 branch June 30, 2026 22:01
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant