fix(ci): patch @babel/core advisory, bump deploy action to v0.11.0#211
Merged
Conversation
Dependabot's security update for @babel/core (GHSA-4x5r-pxfx-6jf8 — arbitrary file read via sourceMappingURL comment, affects <=7.29.0) fails with security_update_not_possible: @babel/core is only a transitive dep (@astrojs/react -> @vitejs/plugin-react), and the patch path Dependabot finds would downgrade @astrojs/react 5.0.3 -> 2.3.2. Add an npm overrides entry forcing @babel/core to ^7.29.6 (resolves to 7.29.7), which satisfies the @vitejs/plugin-react ^7.29.0 peer range and clears the advisory without changing @astrojs/react, astro, react, or firebase. Build verified. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
The `@v0` tag is the 2020 alpha release, pinned to a deprecated GitHub Actions Node runtime that GitHub is sunsetting. v0.11.0 moves the action to the node24 runtime (FirebaseExtended/action-hosting-deploy#450) and pulls in ~6 years of accumulated fixes plus the latest firebase-tools by default. Applied to both the PR preview deploy and the live merge deploy. Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
|
Visit the preview URL for this PR (updated for commit 7e10a24): https://devfest-public--pr211-claude-determined-ha-haadklim.web.app (expires Fri, 03 Jul 2026 22:01:08 GMT) 🔥 via Firebase Hosting GitHub Action 🌎 Sign: 012b97aa22a34482dd432649ee74495ebf4fb2e2 |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Two CI fixes:
@babel/coreto^7.29.6via npmoverridesto clear advisory GHSA-4x5r-pxfx-6jf8.FirebaseExtended/action-hosting-deploy@v0→@v0.11.0in both hosting workflows.Why
@babel/core: the Dependabot security-update job fails withsecurity_update_not_possible.@babel/coreis only a transitive dep (@astrojs/react→@vitejs/plugin-react), and the only patch path Dependabot finds would downgrade@astrojs/react5.0.3 → 2.3.2. Anoverridesentry forces the safe version directly, which the@vitejs/plugin-react^7.29.0peer range accepts.@v0is the 2020 alpha tag, frozen on a deprecated GitHub Actions Node runtime that GitHub is sunsetting. v0.11.0 moves to thenode24runtime and pulls in the latestfirebase-toolsplus ~6 years of fixes. May also clear theFAILED_PRECONDITION"supplied version … is the current active version" preview-deploy error (newerfirebase-tools), though that's a server-side condition for byte-identical builds and isn't guaranteed.Behavior
npm audit: babel advisory cleared (@babel/coreresolves to7.29.7).@astrojs/react5.0.3 /astro6.1.10 /react19.2.5 /firebase12.12.0 unchanged — lockfile churn limited to the@babel/*subtree.npm run buildpasses (11 pages).Files
package.json— addoverrides.@babel/corepackage-lock.json— re-resolved@babel/*subtree.github/workflows/firebase-hosting-pull-request.yml·.github/workflows/firebase-hosting-merge.yml— action@v0→@v0.11.0