🚨 Next.js: Unbounded next/image disk cache growth can exhaust storage

Summary

The default Next.js image optimization disk cache (/_next/image) did not have a configurable upper bound, allowing unbounded cache growth.

Impact

An attacker could generate many unique image-optimization variants and exhaust disk space, causing denial of service. Note that this does not impact platforms that have their own image optimization capabilities, such as Vercel.

Patches

Fixed by adding an LRU-backed disk cache with images.maximumDiskCacheSize, including eviction of least-recently-used entries when the limit is exceeded. Setting maximumDiskCacheSize: 0 disables disk caching.

Workarounds

If upgrade is not immediately possible:

• Periodically clean .next/cache/images.
• Reduce variant cardinality (e.g., tighten values for images.localPatterns, images.remotePatterns, and images.qualities)

🚨 Next.js: Unbounded postponed resume buffering can lead to DoS

Summary

A request containing the next-resume: 1 header (corresponding with a PPR resume request) would buffer request bodies without consistently enforcing maxPostponedStateSize in certain setups. The previous mitigation protected minimal-mode deployments, but equivalent non-minimal deployments remained vulnerable to the same unbounded postponed resume-body buffering behavior.

Impact

In applications using the App Router with Partial Prerendering capability enabled (via experimental.ppr or cacheComponents), an attacker could send oversized next-resume POST payloads that were buffered without consistent size enforcement in non-minimal deployments, causing excessive memory usage and potential denial of service.

Patches

Fixed by enforcing size limits across all postponed-body buffering paths and erroring when limits are exceeded.

Workarounds

If upgrade is not immediately possible:

• Block requests containing the next-resume header, as this is never valid to be sent from an untrusted client.

🚨 Next.js: null origin can bypass Server Actions CSRF checks

Summary

origin: null was treated as a "missing" origin during Server Action CSRF validation. As a result, requests from opaque contexts (such as sandboxed iframes) could bypass origin verification instead of being validated as cross-origin requests.

Impact

An attacker could induce a victim browser to submit Server Actions from a sandboxed context, potentially executing state-changing actions with victim credentials (CSRF).

Patches

Fixed by treating 'null' as an explicit origin value and enforcing host/origin checks unless 'null' is explicitly allowlisted in experimental.serverActions.allowedOrigins.

Workarounds

If upgrade is not immediately possible:

• Add CSRF tokens for sensitive Server Actions.
• Prefer SameSite=Strict on sensitive auth cookies.
• Do not allow 'null' in serverActions.allowedOrigins unless intentionally required and additionally protected.

🚨 Next.js: null origin can bypass dev HMR websocket CSRF checks

Summary

In next dev, cross-site protection for internal websocket endpoints could treat Origin: null as a bypass case even if allowedDevOrigins is configured, allowing privacy-sensitive/opaque contexts (for example sandboxed documents) to connect unexpectedly.

Impact

If a dev server is reachable from attacker-controlled content, an attacker may be able to connect to the HMR websocket channel and interact with dev websocket traffic. This affects development mode only.
Apps without a configured allowedDevOrigins still allow connections from any origin.

Patches

Fixed by validating Origin: null through the same cross-site origin-allowance checks used for other origins.

Workarounds

If upgrade is not immediately possible:

• Do not expose next dev to untrusted networks.
• Block websocket upgrades to /_next/webpack-hmr when Origin is null at your proxy.

🚨 Next.js: Unbounded next/image disk cache growth can exhaust storage

Summary

The default Next.js image optimization disk cache (/_next/image) did not have a configurable upper bound, allowing unbounded cache growth.

Impact

An attacker could generate many unique image-optimization variants and exhaust disk space, causing denial of service. Note that this does not impact platforms that have their own image optimization capabilities, such as Vercel.

Patches

Fixed by adding an LRU-backed disk cache with images.maximumDiskCacheSize, including eviction of least-recently-used entries when the limit is exceeded. Setting maximumDiskCacheSize: 0 disables disk caching.

Workarounds

If upgrade is not immediately possible:

• Periodically clean .next/cache/images.
• Reduce variant cardinality (e.g., tighten values for images.localPatterns, images.remotePatterns, and images.qualities)

🚨 Next.js: HTTP request smuggling in rewrites

Summary

When Next.js rewrites proxy traffic to an external backend, a crafted DELETE/OPTIONS request using Transfer-Encoding: chunked could trigger request boundary disagreement between the proxy and backend. This could allow request smuggling through rewritten routes.

Impact

An attacker could smuggle a second request to unintended backend routes (for example, internal/admin endpoints), bypassing assumptions that only the configured rewrite destination/path is reachable. This does not impact applications hosted on providers that handle rewrites at the CDN level, such as Vercel.

Patches

The vulnerability originated in an upstream library vendored by Next.js. It is fixed by updating that dependency’s behavior so content-length: 0 is added only when both content-length and transfer-encoding are absent, and transfer-encoding is no longer removed in that code path.

Workarounds

If upgrade is not immediately possible:

• Block chunked DELETE/OPTIONS requests on rewritten routes at your edge/proxy.
• Enforce authentication/authorization on backend routes per our security guidance.

🚨 Next.js: HTTP request smuggling in rewrites

Summary

When Next.js rewrites proxy traffic to an external backend, a crafted DELETE/OPTIONS request using Transfer-Encoding: chunked could trigger request boundary disagreement between the proxy and backend. This could allow request smuggling through rewritten routes.

Impact

An attacker could smuggle a second request to unintended backend routes (for example, internal/admin endpoints), bypassing assumptions that only the configured rewrite destination/path is reachable. This does not impact applications hosted on providers that handle rewrites at the CDN level, such as Vercel.

Patches

The vulnerability originated in an upstream library vendored by Next.js. It is fixed by updating that dependency’s behavior so content-length: 0 is added only when both content-length and transfer-encoding are absent, and transfer-encoding is no longer removed in that code path.

Workarounds

If upgrade is not immediately possible:

• Block chunked DELETE/OPTIONS requests on rewritten routes at your edge/proxy.
• Enforce authentication/authorization on backend routes per our security guidance.

🚨 Next.js HTTP request deserialization can lead to DoS when using insecure React Server Components

A vulnerability affects certain React Server Components packages for versions 19.0.x, 19.1.x, and 19.2.x and frameworks that use the affected packages, including Next.js 13.x, 14.x, 15.x, and 16.x using the App Router. The issue is tracked upstream as CVE-2026-23864.

A specially crafted HTTP request can be sent to any App Router Server Function endpoint that, when deserialized, may trigger excessive CPU usage, out-of-memory exceptions, or server crashes. This can result in denial of service in unpatched environments.

🚨 Next.js HTTP request deserialization can lead to DoS when using insecure React Server Components

A vulnerability affects certain React Server Components packages for versions 19.0.x, 19.1.x, and 19.2.x and frameworks that use the affected packages, including Next.js 13.x, 14.x, 15.x, and 16.x using the App Router. The issue is tracked upstream as CVE-2026-23864.

A specially crafted HTTP request can be sent to any App Router Server Function endpoint that, when deserialized, may trigger excessive CPU usage, out-of-memory exceptions, or server crashes. This can result in denial of service in unpatched environments.

🚨 Next.js HTTP request deserialization can lead to DoS when using insecure React Server Components

A vulnerability affects certain React Server Components packages for versions 19.0.x, 19.1.x, and 19.2.x and frameworks that use the affected packages, including Next.js 13.x, 14.x, 15.x, and 16.x using the App Router. The issue is tracked upstream as CVE-2026-23864.

A specially crafted HTTP request can be sent to any App Router Server Function endpoint that, when deserialized, may trigger excessive CPU usage, out-of-memory exceptions, or server crashes. This can result in denial of service in unpatched environments.

🚨 Next.js has Unbounded Memory Consumption via PPR Resume Endpoint

A denial of service vulnerability exists in Next.js versions with Partial Prerendering (PPR) enabled when running in minimal mode. The PPR resume endpoint accepts unauthenticated POST requests with the Next-Resume: 1 header and processes attacker-controlled postponed state data. Two closely related vulnerabilities allow an attacker to crash the server process through memory exhaustion:

1. Unbounded request body buffering: The server buffers the entire POST request body into memory using Buffer.concat() without enforcing any size limit, allowing arbitrarily large payloads to exhaust available memory.

2. Unbounded decompression (zipbomb): The resume data cache is decompressed using inflateSync() without limiting the decompressed output size. A small compressed payload can expand to hundreds of megabytes or gigabytes, causing memory exhaustion.

Both attack vectors result in a fatal V8 out-of-memory error (FATAL ERROR: Reached heap limit Allocation failed - JavaScript heap out of memory) causing the Node.js process to terminate. The zipbomb variant is particularly dangerous as it can bypass reverse proxy request size limits while still causing large memory allocation on the server.

To be affected, an application must run with experimental.ppr: true or cacheComponents: true configured along with the NEXT_PRIVATE_MINIMAL_MODE=1 environment variable.

Strongly consider upgrading to 15.6.0-canary.61 or 16.1.5 to reduce risk and prevent availability issues in Next applications.

🚨 Next.js has Unbounded Memory Consumption via PPR Resume Endpoint

A denial of service vulnerability exists in Next.js versions with Partial Prerendering (PPR) enabled when running in minimal mode. The PPR resume endpoint accepts unauthenticated POST requests with the Next-Resume: 1 header and processes attacker-controlled postponed state data. Two closely related vulnerabilities allow an attacker to crash the server process through memory exhaustion:

1. Unbounded request body buffering: The server buffers the entire POST request body into memory using Buffer.concat() without enforcing any size limit, allowing arbitrarily large payloads to exhaust available memory.

2. Unbounded decompression (zipbomb): The resume data cache is decompressed using inflateSync() without limiting the decompressed output size. A small compressed payload can expand to hundreds of megabytes or gigabytes, causing memory exhaustion.

Both attack vectors result in a fatal V8 out-of-memory error (FATAL ERROR: Reached heap limit Allocation failed - JavaScript heap out of memory) causing the Node.js process to terminate. The zipbomb variant is particularly dangerous as it can bypass reverse proxy request size limits while still causing large memory allocation on the server.

To be affected, an application must run with experimental.ppr: true or cacheComponents: true configured along with the NEXT_PRIVATE_MINIMAL_MODE=1 environment variable.

Strongly consider upgrading to 15.6.0-canary.61 or 16.1.5 to reduce risk and prevent availability issues in Next applications.

🚨 Next.js HTTP request deserialization can lead to DoS when using insecure React Server Components

A vulnerability affects certain React Server Components packages for versions 19.0.x, 19.1.x, and 19.2.x and frameworks that use the affected packages, including Next.js 13.x, 14.x, 15.x, and 16.x using the App Router. The issue is tracked upstream as CVE-2026-23864.

A specially crafted HTTP request can be sent to any App Router Server Function endpoint that, when deserialized, may trigger excessive CPU usage, out-of-memory exceptions, or server crashes. This can result in denial of service in unpatched environments.

🚨 Next.js HTTP request deserialization can lead to DoS when using insecure React Server Components

A vulnerability affects certain React Server Components packages for versions 19.0.x, 19.1.x, and 19.2.x and frameworks that use the affected packages, including Next.js 13.x, 14.x, 15.x, and 16.x using the App Router. The issue is tracked upstream as CVE-2026-23864.

A specially crafted HTTP request can be sent to any App Router Server Function endpoint that, when deserialized, may trigger excessive CPU usage, out-of-memory exceptions, or server crashes. This can result in denial of service in unpatched environments.

🚨 Next.js HTTP request deserialization can lead to DoS when using insecure React Server Components

A vulnerability affects certain React Server Components packages for versions 19.0.x, 19.1.x, and 19.2.x and frameworks that use the affected packages, including Next.js 13.x, 14.x, 15.x, and 16.x using the App Router. The issue is tracked upstream as CVE-2026-23864.

A specially crafted HTTP request can be sent to any App Router Server Function endpoint that, when deserialized, may trigger excessive CPU usage, out-of-memory exceptions, or server crashes. This can result in denial of service in unpatched environments.

🚨 Next.js HTTP request deserialization can lead to DoS when using insecure React Server Components

A vulnerability affects certain React Server Components packages for versions 19.0.x, 19.1.x, and 19.2.x and frameworks that use the affected packages, including Next.js 13.x, 14.x, 15.x, and 16.x using the App Router. The issue is tracked upstream as CVE-2026-23864.

A specially crafted HTTP request can be sent to any App Router Server Function endpoint that, when deserialized, may trigger excessive CPU usage, out-of-memory exceptions, or server crashes. This can result in denial of service in unpatched environments.

🚨 Next.js HTTP request deserialization can lead to DoS when using insecure React Server Components

A vulnerability affects certain React Server Components packages for versions 19.0.x, 19.1.x, and 19.2.x and frameworks that use the affected packages, including Next.js 13.x, 14.x, 15.x, and 16.x using the App Router. The issue is tracked upstream as CVE-2026-23864.

A specially crafted HTTP request can be sent to any App Router Server Function endpoint that, when deserialized, may trigger excessive CPU usage, out-of-memory exceptions, or server crashes. This can result in denial of service in unpatched environments.

🚨 Next.js HTTP request deserialization can lead to DoS when using insecure React Server Components

A vulnerability affects certain React Server Components packages for versions 19.0.x, 19.1.x, and 19.2.x and frameworks that use the affected packages, including Next.js 13.x, 14.x, 15.x, and 16.x using the App Router. The issue is tracked upstream as CVE-2026-23864.

A specially crafted HTTP request can be sent to any App Router Server Function endpoint that, when deserialized, may trigger excessive CPU usage, out-of-memory exceptions, or server crashes. This can result in denial of service in unpatched environments.

🚨 Next.js self-hosted applications vulnerable to DoS via Image Optimizer remotePatterns configuration

A DoS vulnerability exists in self-hosted Next.js applications that have remotePatterns configured for the Image Optimizer. The image optimization endpoint (/_next/image) loads external images entirely into memory without enforcing a maximum size limit, allowing an attacker to cause out-of-memory conditions by requesting optimization of arbitrarily large images. This vulnerability requires that remotePatterns is configured to allow image optimization from external domains and that the attacker can serve or control a large image on an allowed domain.

Strongly consider upgrading to 15.5.10 and 16.1.5 to reduce risk and prevent availability issues in Next applications.

🚨 Next.js self-hosted applications vulnerable to DoS via Image Optimizer remotePatterns configuration

A DoS vulnerability exists in self-hosted Next.js applications that have remotePatterns configured for the Image Optimizer. The image optimization endpoint (/_next/image) loads external images entirely into memory without enforcing a maximum size limit, allowing an attacker to cause out-of-memory conditions by requesting optimization of arbitrarily large images. This vulnerability requires that remotePatterns is configured to allow image optimization from external domains and that the attacker can serve or control a large image on an allowed domain.

Strongly consider upgrading to 15.5.10 and 16.1.5 to reduce risk and prevent availability issues in Next applications.

🚨 Next has a Denial of Service with Server Components - Incomplete Fix Follow-Up

It was discovered that the fix for CVE-2025-55184 in React Server Components was incomplete and did not fully mitigate denial-of-service conditions across all payload types. As a result, certain crafted inputs could still trigger excessive resource consumption.

This vulnerability affects React versions 19.0.2, 19.1.3, and 19.2.2, as well as frameworks that bundle or depend on these versions, including Next.js 13.x, 14.x, 15.x, and 16.x when using the App Router. The issue is tracked upstream as CVE-2025-67779.

A malicious actor can send a specially crafted HTTP request to a Server Function endpoint that, when deserialized, causes the React Server Components runtime to enter an infinite loop. This can lead to sustained CPU consumption and cause the affected server process to become unresponsive, resulting in a denial-of-service condition in unpatched environments.

🚨 Next has a Denial of Service with Server Components - Incomplete Fix Follow-Up

It was discovered that the fix for CVE-2025-55184 in React Server Components was incomplete and did not fully mitigate denial-of-service conditions across all payload types. As a result, certain crafted inputs could still trigger excessive resource consumption.

This vulnerability affects React versions 19.0.2, 19.1.3, and 19.2.2, as well as frameworks that bundle or depend on these versions, including Next.js 13.x, 14.x, 15.x, and 16.x when using the App Router. The issue is tracked upstream as CVE-2025-67779.

A malicious actor can send a specially crafted HTTP request to a Server Function endpoint that, when deserialized, causes the React Server Components runtime to enter an infinite loop. This can lead to sustained CPU consumption and cause the affected server process to become unresponsive, resulting in a denial-of-service condition in unpatched environments.

🚨 Next has a Denial of Service with Server Components - Incomplete Fix Follow-Up

It was discovered that the fix for CVE-2025-55184 in React Server Components was incomplete and did not fully mitigate denial-of-service conditions across all payload types. As a result, certain crafted inputs could still trigger excessive resource consumption.

This vulnerability affects React versions 19.0.2, 19.1.3, and 19.2.2, as well as frameworks that bundle or depend on these versions, including Next.js 13.x, 14.x, 15.x, and 16.x when using the App Router. The issue is tracked upstream as CVE-2025-67779.

A malicious actor can send a specially crafted HTTP request to a Server Function endpoint that, when deserialized, causes the React Server Components runtime to enter an infinite loop. This can lead to sustained CPU consumption and cause the affected server process to become unresponsive, resulting in a denial-of-service condition in unpatched environments.

🚨 Next has a Denial of Service with Server Components - Incomplete Fix Follow-Up

It was discovered that the fix for CVE-2025-55184 in React Server Components was incomplete and did not fully mitigate denial-of-service conditions across all payload types. As a result, certain crafted inputs could still trigger excessive resource consumption.

This vulnerability affects React versions 19.0.2, 19.1.3, and 19.2.2, as well as frameworks that bundle or depend on these versions, including Next.js 13.x, 14.x, 15.x, and 16.x when using the App Router. The issue is tracked upstream as CVE-2025-67779.

A malicious actor can send a specially crafted HTTP request to a Server Function endpoint that, when deserialized, causes the React Server Components runtime to enter an infinite loop. This can lead to sustained CPU consumption and cause the affected server process to become unresponsive, resulting in a denial-of-service condition in unpatched environments.

🚨 Next has a Denial of Service with Server Components - Incomplete Fix Follow-Up

It was discovered that the fix for CVE-2025-55184 in React Server Components was incomplete and did not fully mitigate denial-of-service conditions across all payload types. As a result, certain crafted inputs could still trigger excessive resource consumption.

This vulnerability affects React versions 19.0.2, 19.1.3, and 19.2.2, as well as frameworks that bundle or depend on these versions, including Next.js 13.x, 14.x, 15.x, and 16.x when using the App Router. The issue is tracked upstream as CVE-2025-67779.

A malicious actor can send a specially crafted HTTP request to a Server Function endpoint that, when deserialized, causes the React Server Components runtime to enter an infinite loop. This can lead to sustained CPU consumption and cause the affected server process to become unresponsive, resulting in a denial-of-service condition in unpatched environments.

🚨 Next has a Denial of Service with Server Components - Incomplete Fix Follow-Up

It was discovered that the fix for CVE-2025-55184 in React Server Components was incomplete and did not fully mitigate denial-of-service conditions across all payload types. As a result, certain crafted inputs could still trigger excessive resource consumption.

This vulnerability affects React versions 19.0.2, 19.1.3, and 19.2.2, as well as frameworks that bundle or depend on these versions, including Next.js 13.x, 14.x, 15.x, and 16.x when using the App Router. The issue is tracked upstream as CVE-2025-67779.

A malicious actor can send a specially crafted HTTP request to a Server Function endpoint that, when deserialized, causes the React Server Components runtime to enter an infinite loop. This can lead to sustained CPU consumption and cause the affected server process to become unresponsive, resulting in a denial-of-service condition in unpatched environments.

🚨 Next has a Denial of Service with Server Components - Incomplete Fix Follow-Up

It was discovered that the fix for CVE-2025-55184 in React Server Components was incomplete and did not fully mitigate denial-of-service conditions across all payload types. As a result, certain crafted inputs could still trigger excessive resource consumption.

This vulnerability affects React versions 19.0.2, 19.1.3, and 19.2.2, as well as frameworks that bundle or depend on these versions, including Next.js 13.x, 14.x, 15.x, and 16.x when using the App Router. The issue is tracked upstream as CVE-2025-67779.

A malicious actor can send a specially crafted HTTP request to a Server Function endpoint that, when deserialized, causes the React Server Components runtime to enter an infinite loop. This can lead to sustained CPU consumption and cause the affected server process to become unresponsive, resulting in a denial-of-service condition in unpatched environments.

🚨 Next has a Denial of Service with Server Components - Incomplete Fix Follow-Up

It was discovered that the fix for CVE-2025-55184 in React Server Components was incomplete and did not fully mitigate denial-of-service conditions across all payload types. As a result, certain crafted inputs could still trigger excessive resource consumption.

This vulnerability affects React versions 19.0.2, 19.1.3, and 19.2.2, as well as frameworks that bundle or depend on these versions, including Next.js 13.x, 14.x, 15.x, and 16.x when using the App Router. The issue is tracked upstream as CVE-2025-67779.

A malicious actor can send a specially crafted HTTP request to a Server Function endpoint that, when deserialized, causes the React Server Components runtime to enter an infinite loop. This can lead to sustained CPU consumption and cause the affected server process to become unresponsive, resulting in a denial-of-service condition in unpatched environments.

🚨 Next has a Denial of Service with Server Components - Incomplete Fix Follow-Up

It was discovered that the fix for CVE-2025-55184 in React Server Components was incomplete and did not fully mitigate denial-of-service conditions across all payload types. As a result, certain crafted inputs could still trigger excessive resource consumption.

This vulnerability affects React versions 19.0.2, 19.1.3, and 19.2.2, as well as frameworks that bundle or depend on these versions, including Next.js 13.x, 14.x, 15.x, and 16.x when using the App Router. The issue is tracked upstream as CVE-2025-67779.

A malicious actor can send a specially crafted HTTP request to a Server Function endpoint that, when deserialized, causes the React Server Components runtime to enter an infinite loop. This can lead to sustained CPU consumption and cause the affected server process to become unresponsive, resulting in a denial-of-service condition in unpatched environments.

🚨 Next Server Actions Source Code Exposure

A vulnerability affects certain React packages for versions 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0, and 19.2.1 and frameworks that use the affected packages, including Next.js 15.x and 16.x using the App Router. The issue is tracked upstream as CVE-2025-55183.

A malicious HTTP request can be crafted and sent to any App Router endpoint that can return the compiled source code of Server Functions. This could reveal business logic, but would not expose secrets unless they were hardcoded directly into Server Function code.

🚨 Next Vulnerable to Denial of Service with Server Components

A vulnerability affects certain React packages for versions 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0, and 19.2.1 and frameworks that use the affected packages, including Next.js 15.x and 16.x using the App Router. The issue is tracked upstream as CVE-2025-55184.

A malicious HTTP request can be crafted and sent to any App Router endpoint that, when deserialized, can cause the server process to hang and consume CPU. This can result in denial of service in unpatched environments.

🚨 Next Vulnerable to Denial of Service with Server Components

A vulnerability affects certain React packages for versions 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0, and 19.2.1 and frameworks that use the affected packages, including Next.js 15.x and 16.x using the App Router. The issue is tracked upstream as CVE-2025-55184.

A malicious HTTP request can be crafted and sent to any App Router endpoint that, when deserialized, can cause the server process to hang and consume CPU. This can result in denial of service in unpatched environments.

🚨 Next Vulnerable to Denial of Service with Server Components

A vulnerability affects certain React packages for versions 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0, and 19.2.1 and frameworks that use the affected packages, including Next.js 15.x and 16.x using the App Router. The issue is tracked upstream as CVE-2025-55184.

A malicious HTTP request can be crafted and sent to any App Router endpoint that, when deserialized, can cause the server process to hang and consume CPU. This can result in denial of service in unpatched environments.

🚨 Next Vulnerable to Denial of Service with Server Components

A vulnerability affects certain React packages for versions 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0, and 19.2.1 and frameworks that use the affected packages, including Next.js 15.x and 16.x using the App Router. The issue is tracked upstream as CVE-2025-55184.

A malicious HTTP request can be crafted and sent to any App Router endpoint that, when deserialized, can cause the server process to hang and consume CPU. This can result in denial of service in unpatched environments.

🚨 Next Vulnerable to Denial of Service with Server Components

A vulnerability affects certain React packages for versions 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0, and 19.2.1 and frameworks that use the affected packages, including Next.js 15.x and 16.x using the App Router. The issue is tracked upstream as CVE-2025-55184.

A malicious HTTP request can be crafted and sent to any App Router endpoint that, when deserialized, can cause the server process to hang and consume CPU. This can result in denial of service in unpatched environments.

🚨 Next Vulnerable to Denial of Service with Server Components

A vulnerability affects certain React packages for versions 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0, and 19.2.1 and frameworks that use the affected packages, including Next.js 15.x and 16.x using the App Router. The issue is tracked upstream as CVE-2025-55184.

A malicious HTTP request can be crafted and sent to any App Router endpoint that, when deserialized, can cause the server process to hang and consume CPU. This can result in denial of service in unpatched environments.

🚨 Next Vulnerable to Denial of Service with Server Components

A vulnerability affects certain React packages for versions 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0, and 19.2.1 and frameworks that use the affected packages, including Next.js 15.x and 16.x using the App Router. The issue is tracked upstream as CVE-2025-55184.

A malicious HTTP request can be crafted and sent to any App Router endpoint that, when deserialized, can cause the server process to hang and consume CPU. This can result in denial of service in unpatched environments.

🚨 Next Vulnerable to Denial of Service with Server Components

A vulnerability affects certain React packages for versions 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0, and 19.2.1 and frameworks that use the affected packages, including Next.js 15.x and 16.x using the App Router. The issue is tracked upstream as CVE-2025-55184.

A malicious HTTP request can be crafted and sent to any App Router endpoint that, when deserialized, can cause the server process to hang and consume CPU. This can result in denial of service in unpatched environments.

🚨 Next Vulnerable to Denial of Service with Server Components

A vulnerability affects certain React packages for versions 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0, and 19.2.1 and frameworks that use the affected packages, including Next.js 15.x and 16.x using the App Router. The issue is tracked upstream as CVE-2025-55184.

A malicious HTTP request can be crafted and sent to any App Router endpoint that, when deserialized, can cause the server process to hang and consume CPU. This can result in denial of service in unpatched environments.

🚨 Next Server Actions Source Code Exposure

A vulnerability affects certain React packages for versions 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0, and 19.2.1 and frameworks that use the affected packages, including Next.js 15.x and 16.x using the App Router. The issue is tracked upstream as CVE-2025-55183.

A malicious HTTP request can be crafted and sent to any App Router endpoint that can return the compiled source code of Server Functions. This could reveal business logic, but would not expose secrets unless they were hardcoded directly into Server Function code.

🚨 Next Server Actions Source Code Exposure

A vulnerability affects certain React packages for versions 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0, and 19.2.1 and frameworks that use the affected packages, including Next.js 15.x and 16.x using the App Router. The issue is tracked upstream as CVE-2025-55183.

A malicious HTTP request can be crafted and sent to any App Router endpoint that can return the compiled source code of Server Functions. This could reveal business logic, but would not expose secrets unless they were hardcoded directly into Server Function code.

🚨 Next Server Actions Source Code Exposure

A vulnerability affects certain React packages for versions 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0, and 19.2.1 and frameworks that use the affected packages, including Next.js 15.x and 16.x using the App Router. The issue is tracked upstream as CVE-2025-55183.

A malicious HTTP request can be crafted and sent to any App Router endpoint that can return the compiled source code of Server Functions. This could reveal business logic, but would not expose secrets unless they were hardcoded directly into Server Function code.

🚨 Next Server Actions Source Code Exposure

A vulnerability affects certain React packages for versions 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0, and 19.2.1 and frameworks that use the affected packages, including Next.js 15.x and 16.x using the App Router. The issue is tracked upstream as CVE-2025-55183.

A malicious HTTP request can be crafted and sent to any App Router endpoint that can return the compiled source code of Server Functions. This could reveal business logic, but would not expose secrets unless they were hardcoded directly into Server Function code.

🚨 Next Server Actions Source Code Exposure

A vulnerability affects certain React packages for versions 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0, and 19.2.1 and frameworks that use the affected packages, including Next.js 15.x and 16.x using the App Router. The issue is tracked upstream as CVE-2025-55183.

A malicious HTTP request can be crafted and sent to any App Router endpoint that can return the compiled source code of Server Functions. This could reveal business logic, but would not expose secrets unless they were hardcoded directly into Server Function code.

🚨 Next Server Actions Source Code Exposure

A vulnerability affects certain React packages for versions 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0, and 19.2.1 and frameworks that use the affected packages, including Next.js 15.x and 16.x using the App Router. The issue is tracked upstream as CVE-2025-55183.

A malicious HTTP request can be crafted and sent to any App Router endpoint that can return the compiled source code of Server Functions. This could reveal business logic, but would not expose secrets unless they were hardcoded directly into Server Function code.

🚨 Next Server Actions Source Code Exposure

A vulnerability affects certain React packages for versions 19.0.0, 19.0.1, 19.1.0, 19.1.1, 19.1.2, 19.2.0, and 19.2.1 and frameworks that use the affected packages, including Next.js 15.x and 16.x using the App Router. The issue is tracked upstream as CVE-2025-55183.

A malicious HTTP request can be crafted and sent to any App Router endpoint that can return the compiled source code of Server Functions. This could reveal business logic, but would not expose secrets unless they were hardcoded directly into Server Function code.

🚨 Next.js is vulnerable to RCE in React flight protocol

A vulnerability affects certain React packages¹ for versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 and frameworks that use the affected packages, including Next.js 15.x and 16.x using the App Router. The issue is tracked upstream as CVE-2025-55182.

Fixed in:
React: 19.0.1, 19.1.2, 19.2.1
Next.js: 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, 16.0.7, 15.6.0-canary.58, 16.1.0-canary.12+

The vulnerability also affects experimental canary releases starting with 14.3.0-canary.77. Users on any of the 14.3 canary builds should either downgrade to a 14.x stable release or 14.3.0-canary.76.

All users of stable 15.x or 16.x Next.js versions should upgrade to a patched, stable version immediately.

¹ The affected React packages are:

• react-server-dom-parcel
• react-server-dom-turbopack
• react-server-dom-webpack

🚨 Next.js is vulnerable to RCE in React flight protocol

A vulnerability affects certain React packages¹ for versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 and frameworks that use the affected packages, including Next.js 15.x and 16.x using the App Router. The issue is tracked upstream as CVE-2025-55182.

Fixed in:
React: 19.0.1, 19.1.2, 19.2.1
Next.js: 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, 16.0.7, 15.6.0-canary.58, 16.1.0-canary.12+

The vulnerability also affects experimental canary releases starting with 14.3.0-canary.77. Users on any of the 14.3 canary builds should either downgrade to a 14.x stable release or 14.3.0-canary.76.

All users of stable 15.x or 16.x Next.js versions should upgrade to a patched, stable version immediately.

¹ The affected React packages are:

• react-server-dom-parcel
• react-server-dom-turbopack
• react-server-dom-webpack

🚨 Next.js is vulnerable to RCE in React flight protocol

A vulnerability affects certain React packages¹ for versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 and frameworks that use the affected packages, including Next.js 15.x and 16.x using the App Router. The issue is tracked upstream as CVE-2025-55182.

Fixed in:
React: 19.0.1, 19.1.2, 19.2.1
Next.js: 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, 16.0.7, 15.6.0-canary.58, 16.1.0-canary.12+

The vulnerability also affects experimental canary releases starting with 14.3.0-canary.77. Users on any of the 14.3 canary builds should either downgrade to a 14.x stable release or 14.3.0-canary.76.

All users of stable 15.x or 16.x Next.js versions should upgrade to a patched, stable version immediately.

¹ The affected React packages are:

• react-server-dom-parcel
• react-server-dom-turbopack
• react-server-dom-webpack

🚨 Next.js is vulnerable to RCE in React flight protocol

A vulnerability affects certain React packages¹ for versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 and frameworks that use the affected packages, including Next.js 15.x and 16.x using the App Router. The issue is tracked upstream as CVE-2025-55182.

Fixed in:
React: 19.0.1, 19.1.2, 19.2.1
Next.js: 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, 16.0.7, 15.6.0-canary.58, 16.1.0-canary.12+

The vulnerability also affects experimental canary releases starting with 14.3.0-canary.77. Users on any of the 14.3 canary builds should either downgrade to a 14.x stable release or 14.3.0-canary.76.

All users of stable 15.x or 16.x Next.js versions should upgrade to a patched, stable version immediately.

¹ The affected React packages are:

• react-server-dom-parcel
• react-server-dom-turbopack
• react-server-dom-webpack

🚨 Next.js is vulnerable to RCE in React flight protocol

A vulnerability affects certain React packages¹ for versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 and frameworks that use the affected packages, including Next.js 15.x and 16.x using the App Router. The issue is tracked upstream as CVE-2025-55182.

Fixed in:
React: 19.0.1, 19.1.2, 19.2.1
Next.js: 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, 16.0.7, 15.6.0-canary.58, 16.1.0-canary.12+

The vulnerability also affects experimental canary releases starting with 14.3.0-canary.77. Users on any of the 14.3 canary builds should either downgrade to a 14.x stable release or 14.3.0-canary.76.

All users of stable 15.x or 16.x Next.js versions should upgrade to a patched, stable version immediately.

¹ The affected React packages are:

• react-server-dom-parcel
• react-server-dom-turbopack
• react-server-dom-webpack

🚨 Next.js is vulnerable to RCE in React flight protocol

A vulnerability affects certain React packages¹ for versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 and frameworks that use the affected packages, including Next.js 15.x and 16.x using the App Router. The issue is tracked upstream as CVE-2025-55182.

Fixed in:
React: 19.0.1, 19.1.2, 19.2.1
Next.js: 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, 16.0.7, 15.6.0-canary.58, 16.1.0-canary.12+

The vulnerability also affects experimental canary releases starting with 14.3.0-canary.77. Users on any of the 14.3 canary builds should either downgrade to a 14.x stable release or 14.3.0-canary.76.

All users of stable 15.x or 16.x Next.js versions should upgrade to a patched, stable version immediately.

¹ The affected React packages are:

• react-server-dom-parcel
• react-server-dom-turbopack
• react-server-dom-webpack

🚨 Next.js is vulnerable to RCE in React flight protocol

A vulnerability affects certain React packages¹ for versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 and frameworks that use the affected packages, including Next.js 15.x and 16.x using the App Router. The issue is tracked upstream as CVE-2025-55182.

Fixed in:
React: 19.0.1, 19.1.2, 19.2.1
Next.js: 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, 16.0.7, 15.6.0-canary.58, 16.1.0-canary.12+

The vulnerability also affects experimental canary releases starting with 14.3.0-canary.77. Users on any of the 14.3 canary builds should either downgrade to a 14.x stable release or 14.3.0-canary.76.

All users of stable 15.x or 16.x Next.js versions should upgrade to a patched, stable version immediately.

¹ The affected React packages are:

• react-server-dom-parcel
• react-server-dom-turbopack
• react-server-dom-webpack

🚨 Next.js Content Injection Vulnerability for Image Optimization

A vulnerability in Next.js Image Optimization has been fixed in v15.4.5 and v14.2.31. The issue allowed attacker-controlled external image sources to trigger file downloads with arbitrary content and filenames under specific configurations. This behavior could be abused for phishing or malicious file delivery.

All users relying on images.domains or images.remotePatterns are encouraged to upgrade and verify that external image sources are strictly validated.

More details at Vercel Changelog

🚨 Next.js Content Injection Vulnerability for Image Optimization

A vulnerability in Next.js Image Optimization has been fixed in v15.4.5 and v14.2.31. The issue allowed attacker-controlled external image sources to trigger file downloads with arbitrary content and filenames under specific configurations. This behavior could be abused for phishing or malicious file delivery.

All users relying on images.domains or images.remotePatterns are encouraged to upgrade and verify that external image sources are strictly validated.

More details at Vercel Changelog

🚨 Next.js Affected by Cache Key Confusion for Image Optimization API Routes

A vulnerability in Next.js Image Optimization has been fixed in v15.4.5 and v14.2.31. When images returned from API routes vary based on request headers (such as Cookie or Authorization), these responses could be incorrectly cached and served to unauthorized users due to a cache key confusion bug.

All users are encouraged to upgrade if they use API routes to serve images that depend on request headers and have image optimization enabled.

More details at Vercel Changelog

🚨 Next.js Improper Middleware Redirect Handling Leads to SSRF

A vulnerability in Next.js Middleware has been fixed in v14.2.32 and v15.4.7. The issue occurred when request headers were directly passed into NextResponse.next(). In self-hosted applications, this could allow Server-Side Request Forgery (SSRF) if certain sensitive headers from the incoming request were reflected back into the response.

All users implementing custom middleware logic in self-hosted environments are strongly encouraged to upgrade and verify correct usage of the next() function.

More details at Vercel Changelog

🚨 Next.js Improper Middleware Redirect Handling Leads to SSRF

A vulnerability in Next.js Middleware has been fixed in v14.2.32 and v15.4.7. The issue occurred when request headers were directly passed into NextResponse.next(). In self-hosted applications, this could allow Server-Side Request Forgery (SSRF) if certain sensitive headers from the incoming request were reflected back into the response.

All users implementing custom middleware logic in self-hosted environments are strongly encouraged to upgrade and verify correct usage of the next() function.

More details at Vercel Changelog

🚨 Next.JS vulnerability can lead to DoS via cache poisoning

Summary

A vulnerability affecting Next.js has been addressed. It impacted versions 15.0.4 through 15.1.8 and involved a cache poisoning bug leading to a Denial of Service (DoS) condition.

Under certain conditions, this issue may allow a HTTP 204 response to be cached for static pages, leading to the 204 response being served to all users attempting to access the page

More details: CVE-2025-49826

Credits

• Allam Rachid zhero;
• Allam Yasser (inzo)

🚨 Next.js has a Cache poisoning vulnerability due to omission of the Vary header

Summary

A cache poisoning issue in Next.js App Router >=15.3.0 and < 15.3.3 may have allowed RSC payloads to be cached and served in place of HTML, under specific conditions involving middleware and redirects. This issue has been fixed in Next.js 15.3.3.

Users on affected versions should upgrade immediately and redeploy to ensure proper caching behavior.

More details: CVE-2025-49005

🚨 Information exposure in Next.js dev server due to lack of origin verification

Summary

A low-severity vulnerability in Next.js has been fixed in version 15.2.2. This issue may have allowed limited source code exposure when the dev server was running with the App Router enabled. The vulnerability only affects local development environments and requires the user to visit a malicious webpage while npm run dev is active.

Because the mitigation is potentially a breaking change for some development setups, to opt-in to the fix, you must configure allowedDevOrigins in your next config after upgrading to a patched version. Learn more.

Learn more: https://vercel.com/changelog/cve-2025-48068

Credit

Thanks to sapphi-red and Radman Siddiki for responsibly disclosing this issue.

🚨 Information exposure in Next.js dev server due to lack of origin verification

Summary

A low-severity vulnerability in Next.js has been fixed in version 15.2.2. This issue may have allowed limited source code exposure when the dev server was running with the App Router enabled. The vulnerability only affects local development environments and requires the user to visit a malicious webpage while npm run dev is active.

Because the mitigation is potentially a breaking change for some development setups, to opt-in to the fix, you must configure allowedDevOrigins in your next config after upgrading to a patched version. Learn more.

Learn more: https://vercel.com/changelog/cve-2025-48068

Credit

Thanks to sapphi-red and Radman Siddiki for responsibly disclosing this issue.

🚨 Next.js Race Condition to Cache Poisoning

Summary
We received a responsible disclosure from Allam Rachid (zhero) for a low-severity race-condition vulnerability in Next.js. This issue only affects the Pages Router under certain misconfigurations, causing normal endpoints to serve pageProps data instead of standard HTML.

Learn more here

Credit
Thank you to Allam Rachid (zhero) for the responsible disclosure. This research was rewarded as part of our bug bounty program.

🚨 Next.js Race Condition to Cache Poisoning

Summary
We received a responsible disclosure from Allam Rachid (zhero) for a low-severity race-condition vulnerability in Next.js. This issue only affects the Pages Router under certain misconfigurations, causing normal endpoints to serve pageProps data instead of standard HTML.

Learn more here

Credit
Thank you to Allam Rachid (zhero) for the responsible disclosure. This research was rewarded as part of our bug bounty program.

🚨 Next.js may leak x-middleware-subrequest-id to external hosts

Summary

In the process of remediating CVE-2025-29927, we looked at other possible exploits of Middleware. We independently verified this low severity vulnerability in parallel with two reports from independent researchers.

Learn more here.

Credit

Thank you to Jinseo Kim kjsman and RyotaK (GMO Flatt Security Inc.) with takumi-san.ai for the responsible disclosure. These researchers were awarded as part of our bug bounty program.

🚨 Next.js may leak x-middleware-subrequest-id to external hosts

Summary

In the process of remediating CVE-2025-29927, we looked at other possible exploits of Middleware. We independently verified this low severity vulnerability in parallel with two reports from independent researchers.

Learn more here.

Credit

Thank you to Jinseo Kim kjsman and RyotaK (GMO Flatt Security Inc.) with takumi-san.ai for the responsible disclosure. These researchers were awarded as part of our bug bounty program.

🚨 Next.js may leak x-middleware-subrequest-id to external hosts

Summary

In the process of remediating CVE-2025-29927, we looked at other possible exploits of Middleware. We independently verified this low severity vulnerability in parallel with two reports from independent researchers.

Learn more here.

Credit

Thank you to Jinseo Kim kjsman and RyotaK (GMO Flatt Security Inc.) with takumi-san.ai for the responsible disclosure. These researchers were awarded as part of our bug bounty program.

🚨 Next.js may leak x-middleware-subrequest-id to external hosts

Summary

In the process of remediating CVE-2025-29927, we looked at other possible exploits of Middleware. We independently verified this low severity vulnerability in parallel with two reports from independent researchers.

Learn more here.

Credit

Thank you to Jinseo Kim kjsman and RyotaK (GMO Flatt Security Inc.) with takumi-san.ai for the responsible disclosure. These researchers were awarded as part of our bug bounty program.

🚨 Authorization Bypass in Next.js Middleware

Impact

It is possible to bypass authorization checks within a Next.js application, if the authorization check occurs in middleware.

Patches

• For Next.js 15.x, this issue is fixed in 15.2.3
• For Next.js 14.x, this issue is fixed in 14.2.25
• For Next.js 13.x, this issue is fixed in 13.5.9
• For Next.js 12.x, this issue is fixed in 12.3.5
• For Next.js 11.x, consult the below workaround.

Note: Next.js deployments hosted on Vercel are automatically protected against this vulnerability.

Workaround

If patching to a safe version is infeasible, we recommend that you prevent external user requests which contain the x-middleware-subrequest header from reaching your Next.js application.

Credits

• Allam Rachid (zhero;)
• Allam Yasser (inzo_)

🚨 Authorization Bypass in Next.js Middleware

Impact

It is possible to bypass authorization checks within a Next.js application, if the authorization check occurs in middleware.

Patches

• For Next.js 15.x, this issue is fixed in 15.2.3
• For Next.js 14.x, this issue is fixed in 14.2.25
• For Next.js 13.x, this issue is fixed in 13.5.9
• For Next.js 12.x, this issue is fixed in 12.3.5
• For Next.js 11.x, consult the below workaround.

Note: Next.js deployments hosted on Vercel are automatically protected against this vulnerability.

Workaround

If patching to a safe version is infeasible, we recommend that you prevent external user requests which contain the x-middleware-subrequest header from reaching your Next.js application.

Credits

• Allam Rachid (zhero;)
• Allam Yasser (inzo_)

🚨 Authorization Bypass in Next.js Middleware

Impact

It is possible to bypass authorization checks within a Next.js application, if the authorization check occurs in middleware.

Patches

• For Next.js 15.x, this issue is fixed in 15.2.3
• For Next.js 14.x, this issue is fixed in 14.2.25
• For Next.js 13.x, this issue is fixed in 13.5.9
• For Next.js 12.x, this issue is fixed in 12.3.5
• For Next.js 11.x, consult the below workaround.

Note: Next.js deployments hosted on Vercel are automatically protected against this vulnerability.

Workaround

If patching to a safe version is infeasible, we recommend that you prevent external user requests which contain the x-middleware-subrequest header from reaching your Next.js application.

Credits

• Allam Rachid (zhero;)
• Allam Yasser (inzo_)

🚨 Authorization Bypass in Next.js Middleware

Impact

It is possible to bypass authorization checks within a Next.js application, if the authorization check occurs in middleware.

Patches

• For Next.js 15.x, this issue is fixed in 15.2.3
• For Next.js 14.x, this issue is fixed in 14.2.25
• For Next.js 13.x, this issue is fixed in 13.5.9
• For Next.js 12.x, this issue is fixed in 12.3.5
• For Next.js 11.x, consult the below workaround.

Note: Next.js deployments hosted on Vercel are automatically protected against this vulnerability.

Workaround

If patching to a safe version is infeasible, we recommend that you prevent external user requests which contain the x-middleware-subrequest header from reaching your Next.js application.

Credits

• Allam Rachid (zhero;)
• Allam Yasser (inzo_)

🚨 Next.js Allows a Denial of Service (DoS) with Server Actions

Impact

A Denial of Service (DoS) attack allows attackers to construct requests that leaves requests to Server Actions hanging until the hosting provider cancels the function execution.

Note: Next.js server is idle during that time and only keeps the connection open. CPU and memory footprint are low during that time.

Deployments without any protection against long running Server Action invocations are especially vulnerable. Hosting providers like Vercel or Netlify set a default maximum duration on function execution to reduce the risk of excessive billing.

This is the same issue as if the incoming HTTP request has an invalid Content-Length header or never closes. If the host has no other mitigations to those then this vulnerability is novel.

This vulnerability affects only Next.js deployments using Server Actions.

Patches

This vulnerability was resolved in Next.js 14.2.21, 15.1.2, and 13.5.8. We recommend that users upgrade to a safe version.

Workarounds

There are no official workarounds for this vulnerability.

Credits

Thanks to the PackDraw team for responsibly disclosing this vulnerability.

🚨 Next.js Allows a Denial of Service (DoS) with Server Actions

Impact

A Denial of Service (DoS) attack allows attackers to construct requests that leaves requests to Server Actions hanging until the hosting provider cancels the function execution.

Note: Next.js server is idle during that time and only keeps the connection open. CPU and memory footprint are low during that time.

Deployments without any protection against long running Server Action invocations are especially vulnerable. Hosting providers like Vercel or Netlify set a default maximum duration on function execution to reduce the risk of excessive billing.

This is the same issue as if the incoming HTTP request has an invalid Content-Length header or never closes. If the host has no other mitigations to those then this vulnerability is novel.

This vulnerability affects only Next.js deployments using Server Actions.

Patches

This vulnerability was resolved in Next.js 14.2.21, 15.1.2, and 13.5.8. We recommend that users upgrade to a safe version.

Workarounds

There are no official workarounds for this vulnerability.

Credits

Thanks to the PackDraw team for responsibly disclosing this vulnerability.

🚨 Next.js Allows a Denial of Service (DoS) with Server Actions

Impact

A Denial of Service (DoS) attack allows attackers to construct requests that leaves requests to Server Actions hanging until the hosting provider cancels the function execution.

Note: Next.js server is idle during that time and only keeps the connection open. CPU and memory footprint are low during that time.

Deployments without any protection against long running Server Action invocations are especially vulnerable. Hosting providers like Vercel or Netlify set a default maximum duration on function execution to reduce the risk of excessive billing.

This is the same issue as if the incoming HTTP request has an invalid Content-Length header or never closes. If the host has no other mitigations to those then this vulnerability is novel.

This vulnerability affects only Next.js deployments using Server Actions.

Patches

This vulnerability was resolved in Next.js 14.2.21, 15.1.2, and 13.5.8. We recommend that users upgrade to a safe version.

Workarounds

There are no official workarounds for this vulnerability.

Credits

Thanks to the PackDraw team for responsibly disclosing this vulnerability.

🚨 Next.js authorization bypass vulnerability

Impact

If a Next.js application is performing authorization in middleware based on pathname, it was possible for this authorization to be bypassed.

Patches

This issue was patched in Next.js 14.2.15 and later.

If your Next.js application is hosted on Vercel, this vulnerability has been automatically mitigated, regardless of Next.js version.

Workarounds

There are no official workarounds for this vulnerability.

Credits

We'd like to thank tyage (GMO CyberSecurity by IERAE) for responsible disclosure of this issue.

🚨 Denial of Service condition in Next.js image optimization

Impact

The image optimization feature of Next.js contained a vulnerability which allowed for a potential Denial of Service (DoS) condition which could lead to excessive CPU consumption.

Not affected:

• The next.config.js file is configured with images.unoptimized set to true or images.loader set to a non-default value.
• The Next.js application is hosted on Vercel.

Patches

This issue was fully patched in Next.js 14.2.7. We recommend that users upgrade to at least this version.

Workarounds

Ensure that the next.config.js file has either images.unoptimized, images.loader or images.loaderFile assigned.

Credits

Brandon Dahler (brandondahler), AWS
Dimitrios Vlastaras

🚨 Next.js Cache Poisoning

Impact

By sending a crafted HTTP request, it is possible to poison the cache of a non-dynamic server-side rendered route in the pages router (this does not affect the app router). When this crafted request is sent it could coerce Next.js to cache a route that is meant to not be cached and send a Cache-Control: s-maxage=1, stale-while-revalidate header which some upstream CDNs may cache as well.

To be potentially affected all of the following must apply:

• Next.js between 13.5.1 and 14.2.9
• Using pages router
• Using non-dynamic server-side rendered routes e.g. pages/dashboard.tsx not pages/blog/[slug].tsx

The below configurations are unaffected:

• Deployments using only app router
• Deployments on Vercel are not affected

Patches

This vulnerability was resolved in Next.js v13.5.7, v14.2.10, and later. We recommend upgrading regardless of whether you can reproduce the issue or not.

Workarounds

There are no official or recommended workarounds for this issue, we recommend that users patch to a safe version.

Credits

• Allam Rachid (zhero_)
• Henry Chen

🚨 Next.js Cache Poisoning

Impact

By sending a crafted HTTP request, it is possible to poison the cache of a non-dynamic server-side rendered route in the pages router (this does not affect the app router). When this crafted request is sent it could coerce Next.js to cache a route that is meant to not be cached and send a Cache-Control: s-maxage=1, stale-while-revalidate header which some upstream CDNs may cache as well.

To be potentially affected all of the following must apply:

• Next.js between 13.5.1 and 14.2.9
• Using pages router
• Using non-dynamic server-side rendered routes e.g. pages/dashboard.tsx not pages/blog/[slug].tsx

The below configurations are unaffected:

• Deployments using only app router
• Deployments on Vercel are not affected

Patches

This vulnerability was resolved in Next.js v13.5.7, v14.2.10, and later. We recommend upgrading regardless of whether you can reproduce the issue or not.

Workarounds

There are no official or recommended workarounds for this issue, we recommend that users patch to a safe version.

Credits

• Allam Rachid (zhero_)
• Henry Chen

🚨 Next.js Denial of Service (DoS) condition

Impact

A Denial of Service (DoS) condition was identified in Next.js. Exploitation of the bug can trigger a crash, affecting the availability of the server.

This vulnerability can affect all Next.js deployments on the affected versions.

Patches

This vulnerability was resolved in Next.js 13.5 and later. We recommend that users upgrade to a safe version.

Workarounds

There are no official workarounds for this vulnerability.

Credit

• Thai Vu of flyseccorp.com
• Aonan Guan (@0dd), Senior Cloud Security Engineer

🚨 Next.js Server-Side Request Forgery in Server Actions

Impact

A Server-Side Request Forgery (SSRF) vulnerability was identified in Next.js Server Actions by security researchers at Assetnote. If the Host header is modified, and the below conditions are also met, an attacker may be able to make requests that appear to be originating from the Next.js application server itself.

Prerequisites

• Next.js (<14.1.1) is running in a self-hosted* manner.
• The Next.js application makes use of Server Actions.
• The Server Action performs a redirect to a relative path which starts with a /.

* Many hosting providers (including Vercel) route requests based on the Host header, so we do not believe that this vulnerability affects any Next.js applications where routing is done in this manner.

Patches

This vulnerability was patched in #62561 and fixed in Next.js 14.1.1.

Workarounds

There are no official workarounds for this vulnerability. We recommend upgrading to Next.js 14.1.1.

Credit

Vercel and the Next.js team thank Assetnote for responsibly disclosing this issue to us, and for working with us to verify the fix. Thanks to:

Adam Kues - Assetnote
Shubham Shah - Assetnote

🚨 Next.js Vulnerable to HTTP Request Smuggling

Impact

Inconsistent interpretation of a crafted HTTP request meant that requests are treated as both a single request, and two separate requests by Next.js, leading to desynchronized responses. This led to a response queue poisoning vulnerability in the affected Next.js versions.

For a request to be exploitable, the affected route also had to be making use of the rewrites feature in Next.js.

Patches

The vulnerability is resolved in Next.js 13.5.1 and newer. This includes Next.js 14.x.

Workarounds

There are no official workarounds for this vulnerability. We recommend that you upgrade to a safe version.

References

https://portswigger.net/web-security/request-smuggling/advanced/response-queue-poisoning

🚨 Next.js missing cache-control header may lead to CDN caching empty reply

Next.js before 13.4.20-canary.13 lacks a cache-control header and thus empty prefetch responses may sometimes be cached by a CDN, causing a denial of service to all users requesting the same URL via that CDN. Cloudflare considers these requests cacheable assets.

Too many releases to show here. View the full release notes.

See the full diff on Github.

Too many releases to show here. View the full release notes.

See the full diff on Github. The new version differs by 15 commits:

• v7.29.0
• fix(parser): correctly parse type assertions in `extends` clause (#17765)
• [7.x backport] feat: Allow specifying startLine in code frame (#17739)
• Move changelog up to v7.28.5 to separate file (#17754)
• [7.x backport] Add attributes import declaration builder (#17750)
• fix(traverse): provide a hub when traversing a File or Program and no parentPath is given (#17708)
• [7.x backport] fix: Rename switch discriminant references when body creates shadowing variable (#17737)
• [7.x backport] fix(parser): improve super type argument parsing (#17723)
• [7.x backport] feat(standalone): export async transform (#17663)
• Update polyfill packages (#17727)
• [7.x backport] feat: read standalone targets from data-targets (#17725)
• [babel 7] Delete Babel 8 fixtures (#17729)
• chore(Babel 7): ignore browserslist old data (#17724)
• [Babel 7] Improve generator performance (#17642)
• Add v7.28.6 to CHANGELOG.md [skip ci]

Too many releases to show here. View the full release notes.

See the full diff on Github. The new version differs by 15 commits:

• v7.29.0
• fix(parser): correctly parse type assertions in `extends` clause (#17765)
• [7.x backport] feat: Allow specifying startLine in code frame (#17739)
• Move changelog up to v7.28.5 to separate file (#17754)
• [7.x backport] Add attributes import declaration builder (#17750)
• fix(traverse): provide a hub when traversing a File or Program and no parentPath is given (#17708)
• [7.x backport] fix: Rename switch discriminant references when body creates shadowing variable (#17737)
• [7.x backport] fix(parser): improve super type argument parsing (#17723)
• [7.x backport] feat(standalone): export async transform (#17663)
• Update polyfill packages (#17727)
• [7.x backport] feat: read standalone targets from data-targets (#17725)
• [babel 7] Delete Babel 8 fixtures (#17729)
• chore(Babel 7): ignore browserslist old data (#17724)
• [Babel 7] Improve generator performance (#17642)
• Add v7.28.6 to CHANGELOG.md [skip ci]

Too many releases to show here. View the full release notes.

See the full diff on Github. The new version differs by 15 commits:

• v7.29.0
• fix(parser): correctly parse type assertions in `extends` clause (#17765)
• [7.x backport] feat: Allow specifying startLine in code frame (#17739)
• Move changelog up to v7.28.5 to separate file (#17754)
• [7.x backport] Add attributes import declaration builder (#17750)
• fix(traverse): provide a hub when traversing a File or Program and no parentPath is given (#17708)
• [7.x backport] fix: Rename switch discriminant references when body creates shadowing variable (#17737)
• [7.x backport] fix(parser): improve super type argument parsing (#17723)
• [7.x backport] feat(standalone): export async transform (#17663)
• Update polyfill packages (#17727)
• [7.x backport] feat: read standalone targets from data-targets (#17725)
• [babel 7] Delete Babel 8 fixtures (#17729)
• chore(Babel 7): ignore browserslist old data (#17724)
• [Babel 7] Improve generator performance (#17642)
• Add v7.28.6 to CHANGELOG.md [skip ci]

Too many releases to show here. View the full release notes.

See the full diff on Github. The new version differs by 4 commits:

• v7.29.1
• [7.x backport] fix: ensure `targets.esmodules` is validated (#17771)
• [7.x backport] Fix undefined when 64 indents (#17776)
• Add v7.29.0 to CHANGELOG.md [skip ci]

Too many releases to show here. View the full release notes.

See the full diff on Github. The new version differs by 43 commits:

• v7.28.6
• Remove Babel 8 from Babel 7 CI (#17675)
• Update test262 (#17628)
• Add script to materialize itBabel8&co in tests (#17623)
• [babel 8] Remove `@babel/types` dep from helper-builder-react-jsx (#17621)
• Polish(standalone): improve message on invalid preset/plugin (#17606)
• [babel 8] Rename `TSImportType.argument` to `.source` (#17610)
• Add script to remove Babel 7 tests (#17616)
• Run transform-runtime tests also in Babel 8 (#17615)
• fix: lint errors in main branch (#17612)
• Update test262 (#17614)
• fix: `path.evaluate` correctly returns `confident` (#17584)
• [babel 8] Fully remove import assertions (#17603)
• chore: Use Gulpfile.mts (#17579)
• [Babel 8] fix: Improve `traverse` types (#17574)
• Allow Babel 8 in compatible Babel 7 plugins (#17580)
• Add logic to materialize Babel 8 in source (#17605)
• chore: add node 24 to the matrix (#17607)
• chore: enable some ts-eslint rules (#17592)
• Update Babel (#17604)
• fix: add typings for eslint-plugin-development (#17587)
• Record and tuple cleanup (#17597)
• perf: remove redundant set in jsx meta visit (#17598)
• test: install browser-playwright (#17599)
• Update compat data (#17600)
• Update test262 (#17601)
• [Babel 8]: Bump glob to v12 (#17594)
• Improve Unicode handling in code-frame tokenizer (#17589)
• Update test262 (#17588)
• [Babel 8] chore: bump glob to v11 (#17590)
• fix: Preserve computed key evaluation order in nested object rest (#17576)
• Add `BABEL_7_TO_8_DANGEROUSLY_DISABLE_VERSION_CHECK` (#17569)
• fix: `transform-regenerator` correctly handles scope (#17556)
• fix: Update CONTRIBUTING.md to require node >=22.18.0 (#17585)
• Update test262 (#17583)
• Use `eslint.config.mts` (#17573)
• Fix traverse NodePath caching (#17568)
• fix: Keep jsx comments (#17538)
• [Babel 8] fix: Correctly handle export references (#17570)
• Update test262 (#17564)
• perf: Use lighter traversal for jsx `__source,__self` (#17555)
• Fully remove Records and Tuples support (#17528)
• Add v7.28.5 to CHANGELOG.md [skip ci]

7.27.1

v7.27.1 (2025-04-30)

Thanks @kermanx and @woaitsAryan for your first PRs!

👓 Spec Compliance

• babel-parser
  • #17254 Allow using of as lexical declaration within for (@JLHwung)
  • #17230 Disallow get/set in TSPropertySignature (@JLHwung)
• babel-parser, babel-types
  • #17193 Stricter TSImportType options parsing (@JLHwung)

🐛 Bug Fix

• babel-plugin-proposal-destructuring-private, babel-plugin-proposal-do-expressions, babel-traverse
  • #17137 fix: do expressions should allow early exit (@kermanx)
• babel-helper-wrap-function, babel-plugin-transform-async-to-generator
  • #17251 Fix: propagate argument evaluation errors through async promise chain (@magic-akari)
• babel-helper-remap-async-to-generator, babel-plugin-transform-async-to-generator
  • #17231 fix apply()/call() annotated as pure (@Lacsw)
• babel-helper-fixtures, babel-parser
  • #17233 Create ChainExpression within TSInstantiationExpression (@JLHwung)
• babel-generator, babel-parser
  • #17226 Fill optional AST properties when both estree and typescript parser plugin are enabled (Part 2) (@JLHwung)
• babel-parser
  • #17224 Fill optional AST properties when both estree and typescript parser plugin are enabled (Part 1) (@JLHwung)
  • #17080 Fix start of TSParameterProperty (@JLHwung)
• babel-compat-data, babel-preset-env
  • #17228 Update firefox bugfix compat data (@JLHwung)
• babel-traverse
  • #17156 fix: Objects and arrays with multiple references should not be evaluated (@liuxingbaoyu)
• babel-generator
  • #17216 Fix: support const type parameter in generator (@JLHwung)

💅 Polish

• babel-plugin-bugfix-v8-spread-parameters-in-optional-chaining, babel-plugin-proposal-decorators, babel-plugin-transform-arrow-functions, babel-plugin-transform-class-properties, babel-plugin-transform-destructuring, babel-plugin-transform-object-rest-spread, babel-plugin-transform-optional-chaining, babel-plugin-transform-parameters, babel-traverse
  • #17221 Reduce generated names size for the 10th-11th (@nicolo-ribaudo)

🏠 Internal

• babel-runtime-corejs2, babel-runtime-corejs3, babel-runtime
  • #17263 Remove unused regenerator-runtime dep in @babel/runtime (@nicolo-ribaudo)
• babel-compat-data, babel-preset-env
  • #17256 Tune plugin compat data (@JLHwung)
• babel-compat-data, babel-standalone
  • #17236 migrate babel-compat-data build script to mjs (@JLHwung)
• babel-register
  • #16844 Migrate @babel/register to cts (@liuxingbaoyu)
• babel-helpers, babel-plugin-transform-async-generator-functions, babel-plugin-transform-regenerator, babel-preset-env, babel-runtime-corejs3
  • #17205 Inline regenerator in the relevant packages (@nicolo-ribaudo)
• All packages
  • #17207 Enforce node protocol import (@JLHwung)

🔬 Output optimization

• babel-helpers, babel-plugin-transform-modules-commonjs, babel-runtime-corejs3
  • #16538 Reduce interopRequireWildcard size (@liuxingbaoyu)
• babel-helpers, babel-plugin-transform-async-generator-functions, babel-plugin-transform-regenerator, babel-preset-env, babel-runtime-corejs3
  • #17213 Reduce regeneratorRuntime size (@liuxingbaoyu)

Committers: 9

• Aryan Bharti (@woaitsAryan)
• Babel Bot (@babel-bot)
• Frolov Roman (@Lacsw)
• Huáng Jùnliàng (@JLHwung)
• Nicolò Ribaudo (@nicolo-ribaudo)
• @liuxingbaoyu
• @magic-akari
• _Kerman (@kermanx)
• fisker Cheung (@fisker)

7.25.9

v7.25.9 (2024-10-22)

Thanks @victorenator for your first PR!

🐛 Bug Fix

• babel-parser, babel-template, babel-types
  • #16905 fix: Keep type annotations in syntacticPlaceholders mode (@liuxingbaoyu)
• babel-helper-compilation-targets, babel-preset-env
  • #16907 fix: support BROWSERSLIST{,_CONFIG} env (@JLHwung)
• Other
  • #16884 Analyze ClassAccessorProperty to prevent the no-undef rule (@victorenator)

🏠 Internal

• babel-helper-transform-fixture-test-runner
  • #16914 remove test options flaky (@JLHwung)
• Every package
  • #16917 fix: Accidentally published tsconfig files (@liuxingbaoyu)

🏃‍♀️ Performance

• babel-parser, babel-types
  • #16918 perf: Make VISITOR_KEYS etc. faster to access (@liuxingbaoyu)

Committers: 4

• Babel Bot (@babel-bot)
• Huáng Jùnliàng (@JLHwung)
• Viktar Vaŭčkievič (@victorenator)
• @liuxingbaoyu

7.25.7

v7.25.7 (2024-10-02)

Thanks @DylanPiercey and @YuHyeonWook for your first PRs!

🐛 Bug Fix

• babel-helper-validator-identifier
  • #16825 fix: update identifier to unicode 16 (@JLHwung)
• babel-traverse
  • #16814 fix: issue with node path keys updated on unrelated paths (@DylanPiercey)
• babel-plugin-transform-classes
  • #16797 Use an inclusion rather than exclusion list for super() check (@nicolo-ribaudo)
• babel-generator
  • #16788 Fix printing of TS infer in compact mode (@nicolo-ribaudo)
  • #16785 Print TS type annotations for destructuring in assignment pattern (@nicolo-ribaudo)
  • #16778 Respect [no LineTerminator here] after nodes (@nicolo-ribaudo)

💅 Polish

• babel-types
  • #16852 Add deprecated JSDOC for fields (@liuxingbaoyu)

🏠 Internal

• babel-core
  • #16820 Allow sync loading of ESM when --experimental-require-module (@nicolo-ribaudo)
• babel-helper-compilation-targets, babel-helper-plugin-utils, babel-preset-env
  • #16858 Add browserslist config to external dependency (@JLHwung)
• babel-plugin-proposal-destructuring-private, babel-plugin-syntax-decimal, babel-plugin-syntax-import-reflection, babel-standalone
  • #16809 Archive syntax-import-reflection and syntax-decimal (@nicolo-ribaudo)
• babel-generator
  • #16779 Simplify logic for [no LineTerminator here] before nodes (@nicolo-ribaudo)

🏃‍♀️ Performance

• babel-plugin-transform-typescript
  • #16875 perf: Avoid extra cloning of namespaces (@liuxingbaoyu)
• babel-types
  • #16842 perf: Improve @babel/types builders (@liuxingbaoyu)
  • #16828 Only access BABEL_TYPES_8_BREAKING at startup (@nicolo-ribaudo)

Committers: 8

• Babel Bot (@babel-bot)
• Dylan Piercey (@DylanPiercey)
• Huáng Jùnliàng (@JLHwung)
• Nicolò Ribaudo (@nicolo-ribaudo)
• @liuxingbaoyu
• coderaiser (@coderaiser)
• fisker Cheung (@fisker)
• hwook (@YuHyeonWook)

7.24.7

v7.24.7 (2024-06-05)

🐛 Bug Fix

• babel-node
  • #16554 Allow extra flags in babel-node (@nicolo-ribaudo)
• babel-traverse
  • #16522 fix: incorrect constantViolations with destructuring (@liuxingbaoyu)
• babel-helper-transform-fixture-test-runner, babel-plugin-proposal-explicit-resource-management
  • #16524 fix: Transform using in switch correctly (@liuxingbaoyu)

🏠 Internal

• babel-helpers, babel-runtime-corejs2, babel-runtime-corejs3, babel-runtime
  • #16525 Delete unused array helpers (@blakewilson)

Committers: 7

• Amjad Yahia Robeen Hassan (@amjed-98)
• Babel Bot (@babel-bot)
• Blake Wilson (@blakewilson)
• Huáng Jùnliàng (@JLHwung)
• Nicolò Ribaudo (@nicolo-ribaudo)
• Sukka (@SukkaW)
• @liuxingbaoyu

7.24.6

v7.24.6 (2024-05-24)

Thanks @amjed-98, @blakewilson, @coelhucas, and @SukkaW for your first PRs!

🐛 Bug Fix

• babel-helper-create-class-features-plugin, babel-plugin-transform-class-properties
  • #16514 Fix source maps for private member expressions (@nicolo-ribaudo)
• babel-core, babel-generator, babel-plugin-transform-modules-commonjs
  • #16515 Fix source maps for template literals (@nicolo-ribaudo)
• babel-helper-create-class-features-plugin, babel-plugin-proposal-decorators
  • #16485 Support undecorated static accessor in anonymous classes (@JLHwung)
  • #16484 Fix decorator bare yield await (@JLHwung)
• babel-helpers, babel-plugin-proposal-decorators, babel-runtime-corejs3
  • #16483 Fix: throw TypeError if addInitializer is called after finished (@JLHwung)
• babel-parser, babel-plugin-transform-typescript
  • #16476 fix: Correctly parse cls.fn<C> = x (@liuxingbaoyu)

🏠 Internal

• babel-core, babel-helpers, babel-plugin-transform-runtime, babel-preset-env, babel-runtime-corejs2, babel-runtime-corejs3, babel-runtime
  • #16501 Generate helper metadata at build time (@nicolo-ribaudo)
• babel-helpers
  • #16499 Add tsconfig.json for @babel/helpers/src/helpers (@nicolo-ribaudo)
• babel-cli, babel-helpers, babel-plugin-external-helpers, babel-plugin-proposal-decorators, babel-plugin-transform-class-properties, babel-plugin-transform-modules-commonjs, babel-plugin-transform-modules-systemjs, babel-plugin-transform-runtime, babel-preset-env, babel-runtime-corejs2, babel-runtime-corejs3, babel-runtime
  • #16495 Move all runtime helpers to individual files (@nicolo-ribaudo)
• babel-parser, babel-traverse
  • #16482 Statically generate boilerplate for bitfield accessors (@nicolo-ribaudo)
• Other
  • #16466 Migrate import assertions syntax (@JLHwung)

Committers: 9

• Amjad Yahia Robeen Hassan (@amjed-98)
• Babel Bot (@babel-bot)
• Blake Wilson (@blakewilson)
• Huáng Jùnliàng (@JLHwung)
• Lucas Coelho (@coelhucas)
• Nicolò Ribaudo (@nicolo-ribaudo)
• Sukka (@SukkaW)
• Zzzen (@Zzzen)
• @liuxingbaoyu

7.24.3

v7.24.3 (2024-03-20)

🐛 Bug Fix

• babel-helper-module-imports
  • #16370 fix: do not inject the same imported identifier multiple times (@ota-meshi)

Committers: 2

• Nicolò Ribaudo (@nicolo-ribaudo)
• Yosuke Ota (@ota-meshi)

7.24.1

v7.24.1 (2024-03-19)

🐛 Bug Fix

• babel-helper-create-class-features-plugin, babel-plugin-proposal-decorators
  • #16350 Fix decorated class computed keys ordering (@JLHwung)
  • #16344 Fix decorated class static field private access (@JLHwung)
• babel-plugin-proposal-decorators, babel-plugin-proposal-json-modules, babel-plugin-transform-async-generator-functions, babel-plugin-transform-regenerator, babel-plugin-transform-runtime, babel-preset-env
  • #16329 Respect moduleName for @babel/runtime/regenerator imports (@nicolo-ribaudo)
• babel-helper-create-class-features-plugin, babel-plugin-proposal-decorators, babel-plugin-proposal-pipeline-operator, babel-plugin-transform-class-properties
  • #16331 Fix decorator memoiser binding kind (@JLHwung)
• babel-helper-create-class-features-plugin, babel-helper-replace-supers, babel-plugin-proposal-decorators, babel-plugin-transform-class-properties
  • #16325 Fix decorator evaluation private environment (@JLHwung)

📝 Documentation

• #16319 Update SECURITY.md (@nicolo-ribaudo)

🏠 Internal

• babel-code-frame, babel-highlight
  • #16359 Replace chalk with picocolors (@nicolo-ribaudo)
• babel-helper-fixtures, babel-helpers, babel-plugin-bugfix-safari-id-destructuring-collision-in-function-expression, babel-plugin-proposal-pipeline-operator, babel-plugin-transform-unicode-sets-regex, babel-preset-env, babel-preset-flow
  • #16352 Run Babel transform tests on old node if possible (@JLHwung)
• babel-helper-module-imports, babel-plugin-proposal-import-wasm-source, babel-plugin-proposal-json-modules, babel-plugin-proposal-record-and-tuple, babel-plugin-transform-react-jsx-development, babel-plugin-transform-react-jsx
  • #16349 Support merging imports in import injector (@nicolo-ribaudo)
• Other
  • #16332 Test Babel 7 plugins compatibility with Babel 8 core (@nicolo-ribaudo)

🔬 Output optimization

• babel-helper-replace-supers, babel-plugin-transform-class-properties, babel-plugin-transform-classes, babel-plugin-transform-parameters, babel-plugin-transform-runtime
  • #16345 Optimize the use of assertThisInitialized after super() (@liuxingbaoyu)
• babel-plugin-transform-class-properties, babel-plugin-transform-classes
  • #16343 Use simpler assertThisInitialized more often (@liuxingbaoyu)
• babel-plugin-proposal-decorators, babel-plugin-transform-class-properties, babel-plugin-transform-object-rest-spread, babel-traverse
  • #16342 Consider well-known and registered symbols as literals (@nicolo-ribaudo)
• babel-core, babel-plugin-external-helpers, babel-plugin-proposal-decorators, babel-plugin-proposal-function-bind, babel-plugin-transform-class-properties, babel-plugin-transform-classes, babel-plugin-transform-flow-comments, babel-plugin-transform-flow-strip-types, babel-plugin-transform-function-name, babel-plugin-transform-modules-systemjs, babel-plugin-transform-parameters, babel-plugin-transform-private-property-in-object, babel-plugin-transform-react-jsx, babel-plugin-transform-runtime, babel-plugin-transform-spread, babel-plugin-transform-typescript, babel-preset-env
  • #16326 Reduce the use of class names (@liuxingbaoyu)

Committers: 4

• Babel Bot (@babel-bot)
• Huáng Jùnliàng (@JLHwung)
• Nicolò Ribaudo (@nicolo-ribaudo)
• @liuxingbaoyu

7.22.15

v7.22.15 (2023-09-04)

🐛 Bug Fix

• babel-core
  • #15923 Only perform config loading re-entrancy check for cjs (@nicolo-ribaudo)

🏠 Internal

• Every package
  • #15892 Add explicit .ts/.js extension to all imports in src (@nicolo-ribaudo)

Committers: 4

• Babel Bot (@babel-bot)
• Huáng Jùnliàng (@JLHwung)
• Nicolò Ribaudo (@nicolo-ribaudo)
• @liuxingbaoyu

7.22.5

v7.22.5 (2023-06-08)

🐛 Bug Fix

• babel-preset-env, babel-standalone
  • #15675 Fix using syntax-unicode-sets-regex in standalone (@nicolo-ribaudo)

💅 Polish

• babel-core
  • #15683 Suggest -transform- when resolving missing plugins (@nicolo-ribaudo)

Committers: 4

• Avery (@nullableVoidPtr)
• Babel Bot (@babel-bot)
• Nicolò Ribaudo (@nicolo-ribaudo)
• @liuxingbaoyu

7.21.4

v7.21.4 (2023-03-31)

🐛 Bug Fix

• babel-core, babel-helper-module-imports, babel-preset-typescript
  • #15478 Fix support for import/export in .cts files (@liuxingbaoyu)
• babel-generator
  • #15496 Fix compact printing of non-null assertion operators (@rtsao)

💅 Polish

• babel-helper-create-class-features-plugin, babel-plugin-proposal-class-properties, babel-plugin-transform-typescript, babel-traverse
  • #15427 Fix moving comments of removed nodes (@nicolo-ribaudo)

🏠 Internal

• Other
  • #15519 Update Prettier integration test (@fisker)
• babel-parser
  • #15510 refactor: introduce lookaheadInLineCharCode (@JLHwung)
• babel-code-frame, babel-highlight
  • #15499 Polish babel-code-frame highlight test (@JLHwung)

Committers: 6

• Babel Bot (@babel-bot)
• Huáng Jùnliàng (@JLHwung)
• Nicolò Ribaudo (@nicolo-ribaudo)
• Ryan Tsao (@rtsao)
• @liuxingbaoyu
• fisker Cheung (@fisker)

Does any of this look wrong? Please let us know.

See the full diff on Github. The new version differs by 43 commits:

• v7.28.6
• Remove Babel 8 from Babel 7 CI (#17675)
• Update test262 (#17628)
• Add script to materialize itBabel8&co in tests (#17623)
• [babel 8] Remove `@babel/types` dep from helper-builder-react-jsx (#17621)
• Polish(standalone): improve message on invalid preset/plugin (#17606)
• [babel 8] Rename `TSImportType.argument` to `.source` (#17610)
• Add script to remove Babel 7 tests (#17616)
• Run transform-runtime tests also in Babel 8 (#17615)
• fix: lint errors in main branch (#17612)
• Update test262 (#17614)
• fix: `path.evaluate` correctly returns `confident` (#17584)
• [babel 8] Fully remove import assertions (#17603)
• chore: Use Gulpfile.mts (#17579)
• [Babel 8] fix: Improve `traverse` types (#17574)
• Allow Babel 8 in compatible Babel 7 plugins (#17580)
• Add logic to materialize Babel 8 in source (#17605)
• chore: add node 24 to the matrix (#17607)
• chore: enable some ts-eslint rules (#17592)
• Update Babel (#17604)
• fix: add typings for eslint-plugin-development (#17587)
• Record and tuple cleanup (#17597)
• perf: remove redundant set in jsx meta visit (#17598)
• test: install browser-playwright (#17599)
• Update compat data (#17600)
• Update test262 (#17601)
• [Babel 8]: Bump glob to v12 (#17594)
• Improve Unicode handling in code-frame tokenizer (#17589)
• Update test262 (#17588)
• [Babel 8] chore: bump glob to v11 (#17590)
• fix: Preserve computed key evaluation order in nested object rest (#17576)
• Add `BABEL_7_TO_8_DANGEROUSLY_DISABLE_VERSION_CHECK` (#17569)
• fix: `transform-regenerator` correctly handles scope (#17556)
• fix: Update CONTRIBUTING.md to require node >=22.18.0 (#17585)
• Update test262 (#17583)
• Use `eslint.config.mts` (#17573)
• Fix traverse NodePath caching (#17568)
• fix: Keep jsx comments (#17538)
• [Babel 8] fix: Correctly handle export references (#17570)
• Update test262 (#17564)
• perf: Use lighter traversal for jsx `__source,__self` (#17555)
• Fully remove Records and Tuples support (#17528)
• Add v7.28.5 to CHANGELOG.md [skip ci]

Too many releases to show here. View the full release notes.

See the full diff on Github. The new version differs by 43 commits:

• v7.28.6
• Remove Babel 8 from Babel 7 CI (#17675)
• Update test262 (#17628)
• Add script to materialize itBabel8&co in tests (#17623)
• [babel 8] Remove `@babel/types` dep from helper-builder-react-jsx (#17621)
• Polish(standalone): improve message on invalid preset/plugin (#17606)
• [babel 8] Rename `TSImportType.argument` to `.source` (#17610)
• Add script to remove Babel 7 tests (#17616)
• Run transform-runtime tests also in Babel 8 (#17615)
• fix: lint errors in main branch (#17612)
• Update test262 (#17614)
• fix: `path.evaluate` correctly returns `confident` (#17584)
• [babel 8] Fully remove import assertions (#17603)
• chore: Use Gulpfile.mts (#17579)
• [Babel 8] fix: Improve `traverse` types (#17574)
• Allow Babel 8 in compatible Babel 7 plugins (#17580)
• Add logic to materialize Babel 8 in source (#17605)
• chore: add node 24 to the matrix (#17607)
• chore: enable some ts-eslint rules (#17592)
• Update Babel (#17604)
• fix: add typings for eslint-plugin-development (#17587)
• Record and tuple cleanup (#17597)
• perf: remove redundant set in jsx meta visit (#17598)
• test: install browser-playwright (#17599)
• Update compat data (#17600)
• Update test262 (#17601)
• [Babel 8]: Bump glob to v12 (#17594)
• Improve Unicode handling in code-frame tokenizer (#17589)
• Update test262 (#17588)
• [Babel 8] chore: bump glob to v11 (#17590)
• fix: Preserve computed key evaluation order in nested object rest (#17576)
• Add `BABEL_7_TO_8_DANGEROUSLY_DISABLE_VERSION_CHECK` (#17569)
• fix: `transform-regenerator` correctly handles scope (#17556)
• fix: Update CONTRIBUTING.md to require node >=22.18.0 (#17585)
• Update test262 (#17583)
• Use `eslint.config.mts` (#17573)
• Fix traverse NodePath caching (#17568)
• fix: Keep jsx comments (#17538)
• [Babel 8] fix: Correctly handle export references (#17570)
• Update test262 (#17564)
• perf: Use lighter traversal for jsx `__source,__self` (#17555)
• Fully remove Records and Tuples support (#17528)
• Add v7.28.5 to CHANGELOG.md [skip ci]

7.27.1

v7.27.1 (2025-04-30)

Thanks @kermanx and @woaitsAryan for your first PRs!

👓 Spec Compliance

• babel-parser
  • #17254 Allow using of as lexical declaration within for (@JLHwung)
  • #17230 Disallow get/set in TSPropertySignature (@JLHwung)
• babel-parser, babel-types
  • #17193 Stricter TSImportType options parsing (@JLHwung)

🐛 Bug Fix

• babel-plugin-proposal-destructuring-private, babel-plugin-proposal-do-expressions, babel-traverse
  • #17137 fix: do expressions should allow early exit (@kermanx)
• babel-helper-wrap-function, babel-plugin-transform-async-to-generator
  • #17251 Fix: propagate argument evaluation errors through async promise chain (@magic-akari)
• babel-helper-remap-async-to-generator, babel-plugin-transform-async-to-generator
  • #17231 fix apply()/call() annotated as pure (@Lacsw)
• babel-helper-fixtures, babel-parser
  • #17233 Create ChainExpression within TSInstantiationExpression (@JLHwung)
• babel-generator, babel-parser
  • #17226 Fill optional AST properties when both estree and typescript parser plugin are enabled (Part 2) (@JLHwung)
• babel-parser
  • #17224 Fill optional AST properties when both estree and typescript parser plugin are enabled (Part 1) (@JLHwung)
  • #17080 Fix start of TSParameterProperty (@JLHwung)
• babel-compat-data, babel-preset-env
  • #17228 Update firefox bugfix compat data (@JLHwung)
• babel-traverse
  • #17156 fix: Objects and arrays with multiple references should not be evaluated (@liuxingbaoyu)
• babel-generator
  • #17216 Fix: support const type parameter in generator (@JLHwung)

💅 Polish

• babel-plugin-bugfix-v8-spread-parameters-in-optional-chaining, babel-plugin-proposal-decorators, babel-plugin-transform-arrow-functions, babel-plugin-transform-class-properties, babel-plugin-transform-destructuring, babel-plugin-transform-object-rest-spread, babel-plugin-transform-optional-chaining, babel-plugin-transform-parameters, babel-traverse
  • #17221 Reduce generated names size for the 10th-11th (@nicolo-ribaudo)

🏠 Internal

• babel-runtime-corejs2, babel-runtime-corejs3, babel-runtime
  • #17263 Remove unused regenerator-runtime dep in @babel/runtime (@nicolo-ribaudo)
• babel-compat-data, babel-preset-env
  • #17256 Tune plugin compat data (@JLHwung)
• babel-compat-data, babel-standalone
  • #17236 migrate babel-compat-data build script to mjs (@JLHwung)
• babel-register
  • #16844 Migrate @babel/register to cts (@liuxingbaoyu)
• babel-helpers, babel-plugin-transform-async-generator-functions, babel-plugin-transform-regenerator, babel-preset-env, babel-runtime-corejs3
  • #17205 Inline regenerator in the relevant packages (@nicolo-ribaudo)
• All packages
  • #17207 Enforce node protocol import (@JLHwung)

🔬 Output optimization

• babel-helpers, babel-plugin-transform-modules-commonjs, babel-runtime-corejs3
  • #16538 Reduce interopRequireWildcard size (@liuxingbaoyu)
• babel-helpers, babel-plugin-transform-async-generator-functions, babel-plugin-transform-regenerator, babel-preset-env, babel-runtime-corejs3
  • #17213 Reduce regeneratorRuntime size (@liuxingbaoyu)

Committers: 9

• Aryan Bharti (@woaitsAryan)
• Babel Bot (@babel-bot)
• Frolov Roman (@Lacsw)
• Huáng Jùnliàng (@JLHwung)
• Nicolò Ribaudo (@nicolo-ribaudo)
• @liuxingbaoyu
• @magic-akari
• _Kerman (@kermanx)
• fisker Cheung (@fisker)

7.25.9

v7.25.9 (2024-10-22)

Thanks @victorenator for your first PR!

🐛 Bug Fix

• babel-parser, babel-template, babel-types
  • #16905 fix: Keep type annotations in syntacticPlaceholders mode (@liuxingbaoyu)
• babel-helper-compilation-targets, babel-preset-env
  • #16907 fix: support BROWSERSLIST{,_CONFIG} env (@JLHwung)
• Other
  • #16884 Analyze ClassAccessorProperty to prevent the no-undef rule (@victorenator)

🏠 Internal

• babel-helper-transform-fixture-test-runner
  • #16914 remove test options flaky (@JLHwung)
• Every package
  • #16917 fix: Accidentally published tsconfig files (@liuxingbaoyu)

🏃‍♀️ Performance

• babel-parser, babel-types
  • #16918 perf: Make VISITOR_KEYS etc. faster to access (@liuxingbaoyu)

Committers: 4

• Babel Bot (@babel-bot)
• Huáng Jùnliàng (@JLHwung)
• Viktar Vaŭčkievič (@victorenator)
• @liuxingbaoyu

7.25.7

v7.25.7 (2024-10-02)

Thanks @DylanPiercey and @YuHyeonWook for your first PRs!

🐛 Bug Fix

• babel-helper-validator-identifier
  • #16825 fix: update identifier to unicode 16 (@JLHwung)
• babel-traverse
  • #16814 fix: issue with node path keys updated on unrelated paths (@DylanPiercey)
• babel-plugin-transform-classes
  • #16797 Use an inclusion rather than exclusion list for super() check (@nicolo-ribaudo)
• babel-generator
  • #16788 Fix printing of TS infer in compact mode (@nicolo-ribaudo)
  • #16785 Print TS type annotations for destructuring in assignment pattern (@nicolo-ribaudo)
  • #16778 Respect [no LineTerminator here] after nodes (@nicolo-ribaudo)

💅 Polish

• babel-types
  • #16852 Add deprecated JSDOC for fields (@liuxingbaoyu)

🏠 Internal

• babel-core
  • #16820 Allow sync loading of ESM when --experimental-require-module (@nicolo-ribaudo)
• babel-helper-compilation-targets, babel-helper-plugin-utils, babel-preset-env
  • #16858 Add browserslist config to external dependency (@JLHwung)
• babel-plugin-proposal-destructuring-private, babel-plugin-syntax-decimal, babel-plugin-syntax-import-reflection, babel-standalone
  • #16809 Archive syntax-import-reflection and syntax-decimal (@nicolo-ribaudo)
• babel-generator
  • #16779 Simplify logic for [no LineTerminator here] before nodes (@nicolo-ribaudo)

🏃‍♀️ Performance

• babel-plugin-transform-typescript
  • #16875 perf: Avoid extra cloning of namespaces (@liuxingbaoyu)
• babel-types
  • #16842 perf: Improve @babel/types builders (@liuxingbaoyu)
  • #16828 Only access BABEL_TYPES_8_BREAKING at startup (@nicolo-ribaudo)

Committers: 8

• Babel Bot (@babel-bot)
• Dylan Piercey (@DylanPiercey)
• Huáng Jùnliàng (@JLHwung)
• Nicolò Ribaudo (@nicolo-ribaudo)
• @liuxingbaoyu
• coderaiser (@coderaiser)
• fisker Cheung (@fisker)
• hwook (@YuHyeonWook)

7.24.8

v7.24.8 (2024-07-11)

Thanks @H0onnn, @jkup and @SreeXD for your first pull requests!

👓 Spec Compliance

• babel-parser
  • #16567 Do not use strict mode in TS declare (@liuxingbaoyu)

🐛 Bug Fix

• babel-generator
  • #16630 Correctly print parens around in in for heads (@nicolo-ribaudo)
  • #16626 Fix printing of comments in await using (@nicolo-ribaudo)
  • #16591 fix typescript code generation for yield expression inside type expre… (@SreeXD)
• babel-parser
  • #16613 Disallow destructuring assignment in using declarations (@H0onnn)
  • #16490 fix: do not add .value: undefined to regexp literals (@liuxingbaoyu)
• babel-types
  • #16615 Remove boolean props from ObjectTypeInternalSlot visitor keys (@nicolo-ribaudo)
• babel-plugin-transform-typescript
  • #16566 fix: Correctly handle export import x = (@liuxingbaoyu)

💅 Polish

• babel-generator
  • #16625 Avoid unnecessary parens around async in for await (@nicolo-ribaudo)
• babel-traverse
  • #16619 Avoid checking Scope.globals multiple times (@liuxingbaoyu)

Committers: 9

• Amjad Yahia Robeen Hassan (@amjed-98)
• Babel Bot (@babel-bot)
• Huáng Jùnliàng (@JLHwung)
• Jon Kuperman (@jkup)
• Nagendran N (@SreeXD)
• Nicolò Ribaudo (@nicolo-ribaudo)
• Sukka (@SukkaW)
• @H0onnn
• @liuxingbaoyu

7.24.7

v7.24.7 (2024-06-05)

🐛 Bug Fix

• babel-node
  • #16554 Allow extra flags in babel-node (@nicolo-ribaudo)
• babel-traverse
  • #16522 fix: incorrect constantViolations with destructuring (@liuxingbaoyu)
• babel-helper-transform-fixture-test-runner, babel-plugin-proposal-explicit-resource-management
  • #16524 fix: Transform using in switch correctly (@liuxingbaoyu)

🏠 Internal

• babel-helpers, babel-runtime-corejs2, babel-runtime-corejs3, babel-runtime
  • #16525 Delete unused array helpers (@blakewilson)

Committers: 7

• Amjad Yahia Robeen Hassan (@amjed-98)
• Babel Bot (@babel-bot)
• Blake Wilson (@blakewilson)
• Huáng Jùnliàng (@JLHwung)
• Nicolò Ribaudo (@nicolo-ribaudo)
• Sukka (@SukkaW)
• @liuxingbaoyu

7.24.6

v7.24.6 (2024-05-24)

Thanks @amjed-98, @blakewilson, @coelhucas, and @SukkaW for your first PRs!

🐛 Bug Fix

• babel-helper-create-class-features-plugin, babel-plugin-transform-class-properties
  • #16514 Fix source maps for private member expressions (@nicolo-ribaudo)
• babel-core, babel-generator, babel-plugin-transform-modules-commonjs
  • #16515 Fix source maps for template literals (@nicolo-ribaudo)
• babel-helper-create-class-features-plugin, babel-plugin-proposal-decorators
  • #16485 Support undecorated static accessor in anonymous classes (@JLHwung)
  • #16484 Fix decorator bare yield await (@JLHwung)
• babel-helpers, babel-plugin-proposal-decorators, babel-runtime-corejs3
  • #16483 Fix: throw TypeError if addInitializer is called after finished (@JLHwung)
• babel-parser, babel-plugin-transform-typescript
  • #16476 fix: Correctly parse cls.fn<C> = x (@liuxingbaoyu)

🏠 Internal

• babel-core, babel-helpers, babel-plugin-transform-runtime, babel-preset-env, babel-runtime-corejs2, babel-runtime-corejs3, babel-runtime
  • #16501 Generate helper metadata at build time (@nicolo-ribaudo)
• babel-helpers
  • #16499 Add tsconfig.json for @babel/helpers/src/helpers (@nicolo-ribaudo)
• babel-cli, babel-helpers, babel-plugin-external-helpers, babel-plugin-proposal-decorators, babel-plugin-transform-class-properties, babel-plugin-transform-modules-commonjs, babel-plugin-transform-modules-systemjs, babel-plugin-transform-runtime, babel-preset-env, babel-runtime-corejs2, babel-runtime-corejs3, babel-runtime
  • #16495 Move all runtime helpers to individual files (@nicolo-ribaudo)
• babel-parser, babel-traverse
  • #16482 Statically generate boilerplate for bitfield accessors (@nicolo-ribaudo)
• Other
  • #16466 Migrate import assertions syntax (@JLHwung)

Committers: 9

• Amjad Yahia Robeen Hassan (@amjed-98)
• Babel Bot (@babel-bot)
• Blake Wilson (@blakewilson)
• Huáng Jùnliàng (@JLHwung)
• Lucas Coelho (@coelhucas)
• Nicolò Ribaudo (@nicolo-ribaudo)
• Sukka (@SukkaW)
• Zzzen (@Zzzen)
• @liuxingbaoyu

7.24.1

v7.24.1 (2024-03-19)

🐛 Bug Fix

• babel-helper-create-class-features-plugin, babel-plugin-proposal-decorators
  • #16350 Fix decorated class computed keys ordering (@JLHwung)
  • #16344 Fix decorated class static field private access (@JLHwung)
• babel-plugin-proposal-decorators, babel-plugin-proposal-json-modules, babel-plugin-transform-async-generator-functions, babel-plugin-transform-regenerator, babel-plugin-transform-runtime, babel-preset-env
  • #16329 Respect moduleName for @babel/runtime/regenerator imports (@nicolo-ribaudo)
• babel-helper-create-class-features-plugin, babel-plugin-proposal-decorators, babel-plugin-proposal-pipeline-operator, babel-plugin-transform-class-properties
  • #16331 Fix decorator memoiser binding kind (@JLHwung)
• babel-helper-create-class-features-plugin, babel-helper-replace-supers, babel-plugin-proposal-decorators, babel-plugin-transform-class-properties
  • #16325 Fix decorator evaluation private environment (@JLHwung)

📝 Documentation

• #16319 Update SECURITY.md (@nicolo-ribaudo)

🏠 Internal

• babel-code-frame, babel-highlight
  • #16359 Replace chalk with picocolors (@nicolo-ribaudo)
• babel-helper-fixtures, babel-helpers, babel-plugin-bugfix-safari-id-destructuring-collision-in-function-expression, babel-plugin-proposal-pipeline-operator, babel-plugin-transform-unicode-sets-regex, babel-preset-env, babel-preset-flow
  • #16352 Run Babel transform tests on old node if possible (@JLHwung)
• babel-helper-module-imports, babel-plugin-proposal-import-wasm-source, babel-plugin-proposal-json-modules, babel-plugin-proposal-record-and-tuple, babel-plugin-transform-react-jsx-development, babel-plugin-transform-react-jsx
  • #16349 Support merging imports in import injector (@nicolo-ribaudo)
• Other
  • #16332 Test Babel 7 plugins compatibility with Babel 8 core (@nicolo-ribaudo)

🔬 Output optimization

• babel-helper-replace-supers, babel-plugin-transform-class-properties, babel-plugin-transform-classes, babel-plugin-transform-parameters, babel-plugin-transform-runtime
  • #16345 Optimize the use of assertThisInitialized after super() (@liuxingbaoyu)
• babel-plugin-transform-class-properties, babel-plugin-transform-classes
  • #16343 Use simpler assertThisInitialized more often (@liuxingbaoyu)
• babel-plugin-proposal-decorators, babel-plugin-transform-class-properties, babel-plugin-transform-object-rest-spread, babel-traverse
  • #16342 Consider well-known and registered symbols as literals (@nicolo-ribaudo)
• babel-core, babel-plugin-external-helpers, babel-plugin-proposal-decorators, babel-plugin-proposal-function-bind, babel-plugin-transform-class-properties, babel-plugin-transform-classes, babel-plugin-transform-flow-comments, babel-plugin-transform-flow-strip-types, babel-plugin-transform-function-name, babel-plugin-transform-modules-systemjs, babel-plugin-transform-parameters, babel-plugin-transform-private-property-in-object, babel-plugin-transform-react-jsx, babel-plugin-transform-runtime, babel-plugin-transform-spread, babel-plugin-transform-typescript, babel-preset-env
  • #16326 Reduce the use of class names (@liuxingbaoyu)

Committers: 4

• Babel Bot (@babel-bot)
• Huáng Jùnliàng (@JLHwung)
• Nicolò Ribaudo (@nicolo-ribaudo)
• @liuxingbaoyu

7.23.4

v7.23.4 (2023-11-20)

🐛 Bug Fix

• babel-generator
  • #16104 fix: Pure comments missing parentheses (@liuxingbaoyu)

Committers: 4

• Babel Bot (@babel-bot)
• Huáng Jùnliàng (@JLHwung)
• Nicolò Ribaudo (@nicolo-ribaudo)
• @liuxingbaoyu

7.22.5

v7.22.5 (2023-06-08)

🐛 Bug Fix

• babel-preset-env, babel-standalone
  • #15675 Fix using syntax-unicode-sets-regex in standalone (@nicolo-ribaudo)

💅 Polish

• babel-core
  • #15683 Suggest -transform- when resolving missing plugins (@nicolo-ribaudo)

Committers: 4

• Avery (@nullableVoidPtr)
• Babel Bot (@babel-bot)
• Nicolò Ribaudo (@nicolo-ribaudo)
• @liuxingbaoyu

7.21.5

v7.21.5 (2023-04-28)

👓 Spec Compliance

• babel-generator, babel-parser, babel-types
  • #15539 fix: Remove mixins and implements for DeclareInterface and InterfaceDeclaration (@liuxingbaoyu)

🐛 Bug Fix

• babel-core, babel-generator, babel-plugin-transform-modules-commonjs, babel-plugin-transform-react-jsx
  • #15515 fix: ) position with createParenthesizedExpressions (@liuxingbaoyu)
• babel-preset-env
  • #15580 Add syntax import meta to preset env (@JLHwung)

💅 Polish

• babel-types
  • #15546 Improve the layout of generated validators (@liuxingbaoyu)
• babel-core
  • #15535 Use lt instead of lte to check TS version for .cts config (@nicolo-ribaudo)

🏠 Internal

• babel-core
  • #15575 Use synchronous import.meta.resolve (@nicolo-ribaudo)
• babel-helper-fixtures, babel-preset-typescript
  • #15568 Handle .overrides and .env when resolving plugins/presets from fixture options (@JLHwung)
• babel-helper-create-class-features-plugin, babel-helper-create-regexp-features-plugin
  • #15548 Use semver package to compare versions (@nicolo-ribaudo)

Committers: 4

• Babel Bot (@babel-bot)
• Huáng Jùnliàng (@JLHwung)
• Nicolò Ribaudo (@nicolo-ribaudo)
• @liuxingbaoyu

7.19.4

v7.19.4 (2022-10-10)

👓 Spec Compliance

• babel-plugin-transform-block-scoping
  • #15019 fix: check constant violation inside loops (@nicolo-ribaudo)
• babel-helpers, babel-plugin-proposal-destructuring-private, babel-plugin-proposal-object-rest-spread, babel-plugin-transform-destructuring
  • #14985 Disallow rest object destructuring of null/undefined (@nicolo-ribaudo)

🐛 Bug Fix

• babel-plugin-transform-react-jsx-development, babel-plugin-transform-typescript, babel-types
  • #14109 Fix: properly scope variables in TSModuleBlock (@The-x-Theorist)
• babel-plugin-transform-destructuring, babel-plugin-transform-react-constant-elements, babel-traverse
  • #15027 fix: mark var declarations in loops as not constant (@nicolo-ribaudo)
• babel-helper-string-parser, babel-parser, babel-types
  • #14964 Never throw for invalid escapes in tagged templates (@nicolo-ribaudo)
• babel-generator, babel-parser
  • #14980 Improve module expression parsing/printing (@JLHwung)
• babel-plugin-transform-destructuring
  • #14984 Fix holes handling in optimized array destructuring (@nicolo-ribaudo)

💅 Polish

• babel-cli, babel-core, babel-generator, babel-helper-create-class-features-plugin, babel-helper-fixtures, babel-helper-simple-access, babel-helper-transform-fixture-test-runner, babel-helpers, babel-plugin-bugfix-safari-id-destructuring-collision-in-function-expression, babel-plugin-bugfix-v8-spread-parameters-in-optional-chaining, babel-plugin-external-helpers, babel-plugin-proposal-async-do-expressions, babel-plugin-proposal-async-generator-functions, babel-plugin-proposal-class-properties, babel-plugin-proposal-class-static-block, babel-plugin-proposal-decorators, babel-plugin-proposal-destructuring-private, babel-plugin-proposal-do-expressions, babel-plugin-proposal-duplicate-named-capturing-groups-regex, babel-plugin-proposal-dynamic-import, babel-plugin-proposal-function-bind, babel-plugin-proposal-function-sent, babel-plugin-proposal-json-strings, babel-plugin-proposal-logical-assignment-operators, babel-plugin-proposal-nullish-coalescing-operator, babel-plugin-proposal-object-rest-spread, babel-plugin-proposal-optional-chaining, babel-plugin-proposal-partial-application, babel-plugin-proposal-pipeline-operator, babel-plugin-proposal-private-methods, babel-plugin-proposal-private-property-in-object, babel-plugin-proposal-record-and-tuple, babel-plugin-syntax-typescript, babel-plugin-transform-arrow-functions, babel-plugin-transform-async-to-generator, babel-plugin-transform-block-scoping, babel-plugin-transform-classes, babel-plugin-transform-computed-properties, babel-plugin-transform-destructuring, babel-plugin-transform-duplicate-keys, babel-plugin-transform-exponentiation-operator, babel-plugin-transform-flow-comments, babel-plugin-transform-flow-strip-types, babel-plugin-transform-for-of, babel-plugin-transform-function-name, babel-plugin-transform-jscript, babel-plugin-transform-modules-amd, babel-plugin-transform-modules-commonjs, babel-plugin-transform-modules-systemjs, babel-plugin-transform-modules-umd, babel-plugin-transform-new-target, babel-plugin-transform-object-super, babel-plugin-transform-parameters, babel-plugin-transform-proto-to-assign, babel-plugin-transform-react-constant-elements, babel-plugin-transform-react-inline-elements, babel-plugin-transform-react-jsx-development, babel-plugin-transform-react-jsx-self, babel-plugin-transform-react-jsx, babel-plugin-transform-react-pure-annotations, babel-plugin-transform-regenerator, babel-plugin-transform-runtime, babel-plugin-transform-shorthand-properties, babel-plugin-transform-spread, babel-plugin-transform-strict-mode, babel-plugin-transform-template-literals, babel-plugin-transform-typeof-symbol, babel-plugin-transform-typescript, babel-plugin-transform-unicode-escapes, babel-preset-env, babel-preset-react, babel-preset-typescript, babel-runtime-corejs2, babel-runtime-corejs3, babel-runtime, babel-traverse
  • #14979 Improve comments generation (@liuxingbaoyu)
• babel-cli, babel-core, babel-generator, babel-helper-fixtures, babel-helper-transform-fixture-test-runner, babel-plugin-transform-destructuring, babel-plugin-transform-modules-commonjs, babel-traverse
  • #14967 Improve source map generation (@liuxingbaoyu)

🏠 Internal

• Other
  • #15001 Run test262 again (@nicolo-ribaudo)
• babel-compat-data, babel-preset-env
  • #14976 Internally rename proposal-* to transform-* in preset-env (@nicolo-ribaudo)

Committers: 5

• Babel Bot (@babel-bot)
• Huáng Jùnliàng (@JLHwung)
• Nicolò Ribaudo (@nicolo-ribaudo)
• Sneh Khatri (@The-x-Theorist)
• @liuxingbaoyu

Does any of this look wrong? Please let us know.

See the full diff on Github. The new version differs by 63 commits:

• v7.27.1
• Bumped picocolors to 1.1.1 (#17279)
• Rebuild Makefile.mjs (#17275)
• Allow `using of` as lexical declaration within for (#17254)
• fix invalid gulp watch usage (#17273)
• Update actions/checkout action to v4 (#17269)
• [babel 8] Remove unnecessary CJS ESM wrapper (#17261)
• Remove unused `regenerator-runtime` dep in `@babel/runtime` (#17263)
• [babel 8] Drop CJS support from `@babel/parser` (#17265)
• Update Yarn to 4.9.1 (#17266)
• Update fixture (#17264)
• Update fixture
• fix: do expressions should allow early exit (#17137)
• Include Babel 8 in coverage report (#17260)
• Ignore browser-only files in coverage reports (#17262)
• Update test262 (#17259)
• Fix: propagate argument evaluation errors through async promise chain (#17251)
• Tune plugin compat data (#17256)
• chore: bump compat-data sources (#17253)
• [Babel 8] perf: Improve traverse performance (#16965)
• Update error stack test (#17252)
• Update test262 (#17248)
• [Babel 8]: Remove record and tuple syntax support (#17242)
• Update `jest-light-runner` to v0.7.0 (#17245)
• Fix build script on Windows (#17244)
• fix `apply()`/`call()` annotated as pure (#17231)
• Reduce `interopRequireWildcard` size (#16538)
• Fill optional AST properties when both estree and typescript parser plugin are enabled (Part 3) (#17235)
• Create ChainExpression within TSInstantiationExpression (#17233)
• Stricter TSImportType options parsing (#17193)
• migrate babel-compat-data build script to mjs (#17236)
• Update test262 (#17234)
• Bump typescript-eslint to 8.29.1 (#17232)
• Disallow get/set in TSPropertySignature (#17230)
• Use `class` and add type definitions for `regenerator` (#17220)
• Fill optional AST properties when both estree and typescript parser plugin are enabled (Part 2) (#17226)
• Fill optional AST properties when both estree and typescript parser plugin are enabled (Part 1) (#17224)
• Update firefox bugfix compat data (#17228)
• Migrate `@babel/register` to cts (#16844)
• test: add basic typescript-eslint integration tests (#17219)
• Harden variable declarator validations (#17217)
• Reduce generated names size for the 10th-11th (#17221)
• fix: Objects and arrays with multiple references should not be evaluated (#17156)
• Reduce `regeneratorRuntime` size (#17213)
• build(deps): bump @babel/helpers from 7.24.4 to 7.27.0 (#17218)
• Enforce node protocol import (#17207)
• Use esm for makefile js (#17214)
• add require-esm babel-register test (#17206)
• Fix: support const type parameter in generator (#17216)
• Babel 8 cleanup (#17211)
• Run tests imported from regenerator (#17205)
• Use imported regenerator transform files (#17205)
• Re-convert regeneratorRuntime to helper format (#17205)
• Delete remaining original regenerator files (#17205)
• Move regenerator files to the relevant packages (#17205)
• Remove bundled regeneratorRuntime helper (#17205)
• Prepare LICENSE files for incorporating regenerator (#17205)
• Merge remote-tracking branch 'regenerator/main'
• Update test262 (#17208)
• Fix start of TSParameterProperty (#17080)
• [Babel 8] Bump nodejs requirements to `^20.19.0 || >= 22.12.0` (#17204)
• [babel 8] Deprecate uppercase builders (#17133)
• Add v7.27.0 to CHANGELOG.md [skip ci]

7.28.5

v7.28.5 (2025-10-23)

Thank you @CO0Ki3, @Olexandr88, and @youthfulhps for your first PRs!

👓 Spec Compliance

• babel-parser
  • #17446 Allow Runtime Errors for Function Call Assignment Targets (@liuxingbaoyu)
• babel-helper-validator-identifier
  • #17501 fix: update identifier to unicode 17 (@fisker)

🐛 Bug Fix

• babel-plugin-proposal-destructuring-private
  • #17534 Allow mixing private destructuring and rest (@CO0Ki3)
• babel-parser
  • #17521 Improve @babel/parser error typing (@JLHwung)
  • #17491 fix: improve ts-only declaration parsing (@JLHwung)
• babel-plugin-proposal-discard-binding, babel-plugin-transform-destructuring
  • #17519 fix: rest correctly returns plain array (@liuxingbaoyu)
• babel-helper-create-class-features-plugin, babel-helper-member-expression-to-functions, babel-plugin-transform-block-scoping, babel-plugin-transform-optional-chaining, babel-traverse, babel-types
  • #17503 Fix JSXIdentifier handling in isReferencedIdentifier (@JLHwung)
• babel-traverse
  • #17504 fix: ensure scope.push register in anonymous fn (@JLHwung)

🏠 Internal

• babel-types
  • #17494 Type checking babel-types scripts (@JLHwung)

🏃‍♀️ Performance

• babel-core
  • #17490 Faster finding of locations in buildCodeFrameError (@liuxingbaoyu)

Committers: 8

• Babel Bot (@babel-bot)
• Byeongho Yoo (@youthfulhps)
• Huáng Jùnliàng (@JLHwung)
• Hyeon Dokko (@CO0Ki3)
• Nicolò Ribaudo (@nicolo-ribaudo)
• @Olexandr88
• @liuxingbaoyu
• fisker Cheung (@fisker)

7.27.1

v7.27.1 (2025-04-30)

Thanks @kermanx and @woaitsAryan for your first PRs!

👓 Spec Compliance

• babel-parser
  • #17254 Allow using of as lexical declaration within for (@JLHwung)
  • #17230 Disallow get/set in TSPropertySignature (@JLHwung)
• babel-parser, babel-types
  • #17193 Stricter TSImportType options parsing (@JLHwung)

🐛 Bug Fix

• babel-plugin-proposal-destructuring-private, babel-plugin-proposal-do-expressions, babel-traverse
  • #17137 fix: do expressions should allow early exit (@kermanx)
• babel-helper-wrap-function, babel-plugin-transform-async-to-generator
  • #17251 Fix: propagate argument evaluation errors through async promise chain (@magic-akari)
• babel-helper-remap-async-to-generator, babel-plugin-transform-async-to-generator
  • #17231 fix apply()/call() annotated as pure (@Lacsw)
• babel-helper-fixtures, babel-parser
  • #17233 Create ChainExpression within TSInstantiationExpression (@JLHwung)
• babel-generator, babel-parser
  • #17226 Fill optional AST properties when both estree and typescript parser plugin are enabled (Part 2) (@JLHwung)
• babel-parser
  • #17224 Fill optional AST properties when both estree and typescript parser plugin are enabled (Part 1) (@JLHwung)
  • #17080 Fix start of TSParameterProperty (@JLHwung)
• babel-compat-data, babel-preset-env
  • #17228 Update firefox bugfix compat data (@JLHwung)
• babel-traverse
  • #17156 fix: Objects and arrays with multiple references should not be evaluated (@liuxingbaoyu)
• babel-generator
  • #17216 Fix: support const type parameter in generator (@JLHwung)

💅 Polish

• babel-plugin-bugfix-v8-spread-parameters-in-optional-chaining, babel-plugin-proposal-decorators, babel-plugin-transform-arrow-functions, babel-plugin-transform-class-properties, babel-plugin-transform-destructuring, babel-plugin-transform-object-rest-spread, babel-plugin-transform-optional-chaining, babel-plugin-transform-parameters, babel-traverse
  • #17221 Reduce generated names size for the 10th-11th (@nicolo-ribaudo)

🏠 Internal

• babel-runtime-corejs2, babel-runtime-corejs3, babel-runtime
  • #17263 Remove unused regenerator-runtime dep in @babel/runtime (@nicolo-ribaudo)
• babel-compat-data, babel-preset-env
  • #17256 Tune plugin compat data (@JLHwung)
• babel-compat-data, babel-standalone
  • #17236 migrate babel-compat-data build script to mjs (@JLHwung)
• babel-register
  • #16844 Migrate @babel/register to cts (@liuxingbaoyu)
• babel-helpers, babel-plugin-transform-async-generator-functions, babel-plugin-transform-regenerator, babel-preset-env, babel-runtime-corejs3
  • #17205 Inline regenerator in the relevant packages (@nicolo-ribaudo)
• All packages
  • #17207 Enforce node protocol import (@JLHwung)

🔬 Output optimization

• babel-helpers, babel-plugin-transform-modules-commonjs, babel-runtime-corejs3
  • #16538 Reduce interopRequireWildcard size (@liuxingbaoyu)
• babel-helpers, babel-plugin-transform-async-generator-functions, babel-plugin-transform-regenerator, babel-preset-env, babel-runtime-corejs3
  • #17213 Reduce regeneratorRuntime size (@liuxingbaoyu)

Committers: 9

• Aryan Bharti (@woaitsAryan)
• Babel Bot (@babel-bot)
• Frolov Roman (@Lacsw)
• Huáng Jùnliàng (@JLHwung)
• Nicolò Ribaudo (@nicolo-ribaudo)
• @liuxingbaoyu
• @magic-akari
• _Kerman (@kermanx)
• fisker Cheung (@fisker)

7.25.9

v7.25.9 (2024-10-22)

Thanks @victorenator for your first PR!

🐛 Bug Fix

• babel-parser, babel-template, babel-types
  • #16905 fix: Keep type annotations in syntacticPlaceholders mode (@liuxingbaoyu)
• babel-helper-compilation-targets, babel-preset-env
  • #16907 fix: support BROWSERSLIST{,_CONFIG} env (@JLHwung)
• Other
  • #16884 Analyze ClassAccessorProperty to prevent the no-undef rule (@victorenator)

🏠 Internal

• babel-helper-transform-fixture-test-runner
  • #16914 remove test options flaky (@JLHwung)
• Every package
  • #16917 fix: Accidentally published tsconfig files (@liuxingbaoyu)

🏃‍♀️ Performance

• babel-parser, babel-types
  • #16918 perf: Make VISITOR_KEYS etc. faster to access (@liuxingbaoyu)

Committers: 4

• Babel Bot (@babel-bot)
• Huáng Jùnliàng (@JLHwung)
• Viktar Vaŭčkievič (@victorenator)
• @liuxingbaoyu

7.25.7

v7.25.7 (2024-10-02)

Thanks @DylanPiercey and @YuHyeonWook for your first PRs!

🐛 Bug Fix

• babel-helper-validator-identifier
  • #16825 fix: update identifier to unicode 16 (@JLHwung)
• babel-traverse
  • #16814 fix: issue with node path keys updated on unrelated paths (@DylanPiercey)
• babel-plugin-transform-classes
  • #16797 Use an inclusion rather than exclusion list for super() check (@nicolo-ribaudo)
• babel-generator
  • #16788 Fix printing of TS infer in compact mode (@nicolo-ribaudo)
  • #16785 Print TS type annotations for destructuring in assignment pattern (@nicolo-ribaudo)
  • #16778 Respect [no LineTerminator here] after nodes (@nicolo-ribaudo)

💅 Polish

• babel-types
  • #16852 Add deprecated JSDOC for fields (@liuxingbaoyu)

🏠 Internal

• babel-core
  • #16820 Allow sync loading of ESM when --experimental-require-module (@nicolo-ribaudo)
• babel-helper-compilation-targets, babel-helper-plugin-utils, babel-preset-env
  • #16858 Add browserslist config to external dependency (@JLHwung)
• babel-plugin-proposal-destructuring-private, babel-plugin-syntax-decimal, babel-plugin-syntax-import-reflection, babel-standalone
  • #16809 Archive syntax-import-reflection and syntax-decimal (@nicolo-ribaudo)
• babel-generator
  • #16779 Simplify logic for [no LineTerminator here] before nodes (@nicolo-ribaudo)

🏃‍♀️ Performance

• babel-plugin-transform-typescript
  • #16875 perf: Avoid extra cloning of namespaces (@liuxingbaoyu)
• babel-types
  • #16842 perf: Improve @babel/types builders (@liuxingbaoyu)
  • #16828 Only access BABEL_TYPES_8_BREAKING at startup (@nicolo-ribaudo)

Committers: 8

• Babel Bot (@babel-bot)
• Dylan Piercey (@DylanPiercey)
• Huáng Jùnliàng (@JLHwung)
• Nicolò Ribaudo (@nicolo-ribaudo)
• @liuxingbaoyu
• coderaiser (@coderaiser)
• fisker Cheung (@fisker)
• hwook (@YuHyeonWook)

7.24.7

v7.24.7 (2024-06-05)

🐛 Bug Fix

• babel-node
  • #16554 Allow extra flags in babel-node (@nicolo-ribaudo)
• babel-traverse
  • #16522 fix: incorrect constantViolations with destructuring (@liuxingbaoyu)
• babel-helper-transform-fixture-test-runner, babel-plugin-proposal-explicit-resource-management
  • #16524 fix: Transform using in switch correctly (@liuxingbaoyu)

🏠 Internal

• babel-helpers, babel-runtime-corejs2, babel-runtime-corejs3, babel-runtime
  • #16525 Delete unused array helpers (@blakewilson)

Committers: 7

• Amjad Yahia Robeen Hassan (@amjed-98)
• Babel Bot (@babel-bot)
• Blake Wilson (@blakewilson)
• Huáng Jùnliàng (@JLHwung)
• Nicolò Ribaudo (@nicolo-ribaudo)
• Sukka (@SukkaW)
• @liuxingbaoyu

7.24.6

v7.24.6 (2024-05-24)

Thanks @amjed-98, @blakewilson, @coelhucas, and @SukkaW for your first PRs!

🐛 Bug Fix

• babel-helper-create-class-features-plugin, babel-plugin-transform-class-properties
  • #16514 Fix source maps for private member expressions (@nicolo-ribaudo)
• babel-core, babel-generator, babel-plugin-transform-modules-commonjs
  • #16515 Fix source maps for template literals (@nicolo-ribaudo)
• babel-helper-create-class-features-plugin, babel-plugin-proposal-decorators
  • #16485 Support undecorated static accessor in anonymous classes (@JLHwung)
  • #16484 Fix decorator bare yield await (@JLHwung)
• babel-helpers, babel-plugin-proposal-decorators, babel-runtime-corejs3
  • #16483 Fix: throw TypeError if addInitializer is called after finished (@JLHwung)
• babel-parser, babel-plugin-transform-typescript
  • #16476 fix: Correctly parse cls.fn<C> = x (@liuxingbaoyu)

🏠 Internal

• babel-core, babel-helpers, babel-plugin-transform-runtime, babel-preset-env, babel-runtime-corejs2, babel-runtime-corejs3, babel-runtime
  • #16501 Generate helper metadata at build time (@nicolo-ribaudo)
• babel-helpers
  • #16499 Add tsconfig.json for @babel/helpers/src/helpers (@nicolo-ribaudo)
• babel-cli, babel-helpers, babel-plugin-external-helpers, babel-plugin-proposal-decorators, babel-plugin-transform-class-properties, babel-plugin-transform-modules-commonjs, babel-plugin-transform-modules-systemjs, babel-plugin-transform-runtime, babel-preset-env, babel-runtime-corejs2, babel-runtime-corejs3, babel-runtime
  • #16495 Move all runtime helpers to individual files (@nicolo-ribaudo)
• babel-parser, babel-traverse
  • #16482 Statically generate boilerplate for bitfield accessors (@nicolo-ribaudo)
• Other
  • #16466 Migrate import assertions syntax (@JLHwung)

Committers: 9

• Amjad Yahia Robeen Hassan (@amjed-98)
• Babel Bot (@babel-bot)
• Blake Wilson (@blakewilson)
• Huáng Jùnliàng (@JLHwung)
• Lucas Coelho (@coelhucas)
• Nicolò Ribaudo (@nicolo-ribaudo)
• Sukka (@SukkaW)
• Zzzen (@Zzzen)
• @liuxingbaoyu

7.24.5

v7.24.5 (2024-04-29)

Thanks @romgrk and @sossost for your first PRs!

🐛 Bug Fix

• babel-plugin-transform-classes, babel-traverse
  • #16377 fix: TypeScript annotation affects output (@liuxingbaoyu)
• babel-helpers, babel-plugin-proposal-explicit-resource-management, babel-runtime-corejs3
  • #16440 Fix suppressed error order (@sossost)
  • #16408 Await nullish async disposable (@JLHwung)

💅 Polish

• babel-parser
  • #16407 Recover from exported using declaration (@JLHwung)

🏠 Internal

• Other
  • #16414 Relax ESLint peerDependency constraint to allow v9 (@liuxingbaoyu)
• babel-parser
  • #16425 Improve @babel/parser AST types (@nicolo-ribaudo)
  • #16417 Always pass type argument to .startNode (@nicolo-ribaudo)
• babel-helper-create-class-features-plugin, babel-helper-member-expression-to-functions, babel-helper-module-transforms, babel-helper-split-export-declaration, babel-helper-wrap-function, babel-helpers, babel-plugin-bugfix-firefox-class-in-computed-class-key, babel-plugin-proposal-explicit-resource-management, babel-plugin-transform-block-scoping, babel-plugin-transform-destructuring, babel-plugin-transform-object-rest-spread, babel-plugin-transform-optional-chaining, babel-plugin-transform-parameters, babel-plugin-transform-private-property-in-object, babel-plugin-transform-react-jsx-self, babel-plugin-transform-typeof-symbol, babel-plugin-transform-typescript, babel-traverse
  • #16439 Make NodePath<T | U> distributive (@nicolo-ribaudo)
• babel-plugin-proposal-partial-application, babel-types
  • #16421 Remove JSXNamespacedName from valid CallExpression args (@nicolo-ribaudo)
• babel-plugin-transform-class-properties, babel-preset-env
  • #16406 Do not load unnecessary Babel 7 syntax plugins in Babel 8 (@nicolo-ribaudo)

🏃‍♀️ Performance

• babel-helpers, babel-preset-env, babel-runtime-corejs3
  • #16357 Performance: improve objectWithoutPropertiesLoose on V8 (@romgrk)

Committers: 6

• Babel Bot (@babel-bot)
• Huáng Jùnliàng (@JLHwung)
• Nicolò Ribaudo (@nicolo-ribaudo)
• Rom Grk (@romgrk)
• @liuxingbaoyu
• ynnsuis (@sossost)

7.22.20

v7.22.20 (2023-09-16)

🏠 Internal

• babel-helper-validator-identifier
  • #15973 Remove special-casing of U+200C and U+200D (@nicolo-ribaudo)
• babel-plugin-transform-dotall-regex
  • #15974 Update Unicode test fixtures (@JLHwung)

↩️ Revert

• babel-helper-remap-async-to-generator, babel-helper-wrap-function, babel-plugin-proposal-explicit-resource-management, babel-plugin-proposal-function-sent, babel-plugin-transform-async-generator-functions, babel-plugin-transform-async-to-generator, babel-plugin-transform-block-scoping, babel-plugin-transform-class-properties, babel-plugin-transform-classes, babel-plugin-transform-parameters, babel-plugin-transform-runtime, babel-preset-env
  • #15979 Revert "Improve output when wrapping functions" (@jjonescz)

Committers: 3

• Huáng Jùnliàng (@JLHwung)
• Jan Jones (@jjonescz)
• Nicolò Ribaudo (@nicolo-ribaudo)

7.22.19

v7.22.19 (2023-09-14)

Re-published 7.22.18, due to a releasing error.

7.22.15

v7.22.15 (2023-09-04)

🐛 Bug Fix

• babel-core
  • #15923 Only perform config loading re-entrancy check for cjs (@nicolo-ribaudo)

🏠 Internal

• Every package
  • #15892 Add explicit .ts/.js extension to all imports in src (@nicolo-ribaudo)

Committers: 4

• Babel Bot (@babel-bot)
• Huáng Jùnliàng (@JLHwung)
• Nicolò Ribaudo (@nicolo-ribaudo)
• @liuxingbaoyu

7.22.5

v7.22.5 (2023-06-08)

🐛 Bug Fix

• babel-preset-env, babel-standalone
  • #15675 Fix using syntax-unicode-sets-regex in standalone (@nicolo-ribaudo)

💅 Polish

• babel-core
  • #15683 Suggest -transform- when resolving missing plugins (@nicolo-ribaudo)

Committers: 4

• Avery (@nullableVoidPtr)
• Babel Bot (@babel-bot)
• Nicolò Ribaudo (@nicolo-ribaudo)
• @liuxingbaoyu

7.19.1

v7.19.1 (2022-09-14)

Thanks @hegemonic for your first PR!

🐛 Bug Fix

• babel-core
  • #14930 Avoid fancy stack traces size computation (@nicolo-ribaudo)
• babel-traverse
  • #14932 fix: isForAwaitStatement is broken (@JLHwung)
• Other
  • #14872 Use the built-in class fields and private methods rules in ESLint 8 (@JLHwung)
• babel-parser
  • #14920 [estree] attach comments after directives at the end of file (@hegemonic)
  • #14900 [ts] allow redeclaring a var/type with the same name as import (@liuxingbaoyu)
• babel-plugin-transform-typescript
  • #14913 fix: do not remove type import used in TS import= (@JLHwung)

Committers: 5

• Babel Bot (@babel-bot)
• Huáng Jùnliàng (@JLHwung)
• Jeff Williams (@hegemonic)
• Nicolò Ribaudo (@nicolo-ribaudo)
• @liuxingbaoyu

Does any of this look wrong? Please let us know.

See the full diff on Github. The new version differs by 48 commits:

• v7.28.5
• Add v8.0.0-beta.3 to .github/CHANGELOG-v8.md [skip ci]
• Bump Babel 8 version to 8.0.0-beta.3
• Update Yarn (#17561)
• Update plugin-babel-release-tool (#17560)
• Use Node.js latest for release action (#17559)
• Do not pass npm token when trusted publishing (#17557)
• Try trusted publishing (#17551)
• Allow mixing private destructuring and rest (#17534)
• Improve `@babel/core` types (#17404)
• Update test262 (#17546)
• Update compat data (#17549)
• docs: edited broken badges (#17550)
• Fix Prettier e2e test for Babel 8 (#17539)
• Enable `strictNullChecks` for `traverse` (#17499)
• Improve `@babel/parser` error typing (#17521)
• chore: Fix typo in variable name (#17535)
• fix: `require.resolve` unexpectedly resolves to `.mjs` (#17533)
• Update test262 (#17536)
• ci: remove jest from Babel 7 e2e test suites (#17532)
• Type check runtime scripts (#17522)
• [Babel 8] Improve scope information collection performance (#17043)
• Update test262 (#17527)
• Enable `strictNullChecks` for `parser` (#17498)
• [Babel 8] Use `t.traverseFast` to replace some `path.traverse` (#17518)
• chore: simplify parseArrayLike (#17526)
• fix: `rest` correctly returns plain array (#17519)
• Run Prettier E2E test only on Babel 8 (#17523)
• Update test262 (#17516)
• Update compat data (#17515)
• Allow `Runtime Errors for Function Call Assignment Targets` (#17446)
• [babel 8] Update default `@babel/runtime` version (#17512)
• [babel 8] Remove `semver` dependency from transform-runtime (#17511)
• [Babel 8] Treat `allowSuperOutsideMethod` as top-level only (#17505)
• Faster finding of locations in `buildCodeFrameError` (#17490)
• Enable `strictNullChecks` for `generator` (#17497)
• [Babel 8] Better node type definitions for `computed` (#17500)
• Update compat data (#17508)
• Update test262 (#17509)
• Bump regexpu-core to 6.3.1 (#17507)
• Update identifier parsing to unicode 17 (#17501)
• fix: improve ts-only declaration parsing (#17491)
• Fix `JSXIdentifier` handling in `isReferencedIdentifier` (#17503)
• fix: ensure scope.push register in anonymous fn (#17504)
• Type checking babel-types scripts (#17494)
• Add v8.0.0-beta.2 to .github/CHANGELOG-v8.md [skip ci]
• Bump Babel 8 version to 8.0.0-beta.2
• Add v7.28.4 to CHANGELOG.md [skip ci]

🚨 Babel has inefficient RegExp complexity in generated code with .replace when transpiling named capturing groups

Impact

When using Babel to compile regular expression named capturing groups, Babel will generate a polyfill for the .replace method that has quadratic complexity on some specific replacement pattern strings (i.e. the second argument passed to .replace).

Your generated code is vulnerable if all the following conditions are true:

• You use Babel to compile regular expression named capturing groups
• You use the .replace method on a regular expression that contains named capturing groups
• Your code uses untrusted strings as the second argument of .replace

If you are using @babel/preset-env with the targets option, the transform that injects the vulnerable code is automatically enabled if:

• you use duplicated named capturing groups, and target any browser older than Chrome/Edge 126, Opera 112, Firefox 129, Safari 17.4, or Node.js 23
• you use any named capturing groups, and target any browser older than Chrome 64, Opera 71, Edge 79, Firefox 78, Safari 11.1, or Node.js 10

You can verify what transforms @babel/preset-env is using by enabling the debug option.

Patches

This problem has been fixed in @babel/helpers and @babel/runtime 7.26.10 and 8.0.0-alpha.17, please upgrade. It's likely that you do not directly depend on @babel/helpers, and instead you depend on @babel/core (which itself depends on @babel/helpers). Upgrading to @babel/core 7.26.10 is not required, but it guarantees that you are on a new enough @babel/helpers version.

Please note that just updating your Babel dependencies is not enough: you will also need to re-compile your code.

Workarounds

If you are passing user-provided strings as the second argument of .replace on regular expressions that contain named capturing groups, validate the input and make sure it does not contain the substring $< if it's then not followed by > (possibly with other characters in between).

References

This vulnerability was reported and fixed in #17173.

Too many releases to show here. View the full release notes.

See the full diff on Github. The new version differs by 8 commits:

• v7.29.2
• chore: Remove Babel 8 steps from the Babel 7 CI (#17874)
• [7.x backport] async x => {} must be in leading pos (#17840)
• [7.x backport] Do not use the latest Node.js version in CI (#17841)
• chore: update eslint peer deps (#17813)
• [7.x backport] fix: Properly handle await in finally (#17805)
• [7.x backport] preset-env include/exclude should accept bugfix plugins (#17789)
• Add v7.29.1 to CHANGELOG.md [skip ci]

Too many releases to show here. View the full release notes.

See the full diff on Github. The new version differs by 8 commits:

• v7.29.2
• chore: Remove Babel 8 steps from the Babel 7 CI (#17874)
• [7.x backport] async x => {} must be in leading pos (#17840)
• [7.x backport] Do not use the latest Node.js version in CI (#17841)
• chore: update eslint peer deps (#17813)
• [7.x backport] fix: Properly handle await in finally (#17805)
• [7.x backport] preset-env include/exclude should accept bugfix plugins (#17789)
• Add v7.29.1 to CHANGELOG.md [skip ci]

Too many releases to show here. View the full release notes.

See the full diff on Github. The new version differs by 43 commits:

• v7.28.6
• Remove Babel 8 from Babel 7 CI (#17675)
• Update test262 (#17628)
• Add script to materialize itBabel8&co in tests (#17623)
• [babel 8] Remove `@babel/types` dep from helper-builder-react-jsx (#17621)
• Polish(standalone): improve message on invalid preset/plugin (#17606)
• [babel 8] Rename `TSImportType.argument` to `.source` (#17610)
• Add script to remove Babel 7 tests (#17616)
• Run transform-runtime tests also in Babel 8 (#17615)
• fix: lint errors in main branch (#17612)
• Update test262 (#17614)
• fix: `path.evaluate` correctly returns `confident` (#17584)
• [babel 8] Fully remove import assertions (#17603)
• chore: Use Gulpfile.mts (#17579)
• [Babel 8] fix: Improve `traverse` types (#17574)
• Allow Babel 8 in compatible Babel 7 plugins (#17580)
• Add logic to materialize Babel 8 in source (#17605)
• chore: add node 24 to the matrix (#17607)
• chore: enable some ts-eslint rules (#17592)
• Update Babel (#17604)
• fix: add typings for eslint-plugin-development (#17587)
• Record and tuple cleanup (#17597)
• perf: remove redundant set in jsx meta visit (#17598)
• test: install browser-playwright (#17599)
• Update compat data (#17600)
• Update test262 (#17601)
• [Babel 8]: Bump glob to v12 (#17594)
• Improve Unicode handling in code-frame tokenizer (#17589)
• Update test262 (#17588)
• [Babel 8] chore: bump glob to v11 (#17590)
• fix: Preserve computed key evaluation order in nested object rest (#17576)
• Add `BABEL_7_TO_8_DANGEROUSLY_DISABLE_VERSION_CHECK` (#17569)
• fix: `transform-regenerator` correctly handles scope (#17556)
• fix: Update CONTRIBUTING.md to require node >=22.18.0 (#17585)
• Update test262 (#17583)
• Use `eslint.config.mts` (#17573)
• Fix traverse NodePath caching (#17568)
• fix: Keep jsx comments (#17538)
• [Babel 8] fix: Correctly handle export references (#17570)
• Update test262 (#17564)
• perf: Use lighter traversal for jsx `__source,__self` (#17555)
• Fully remove Records and Tuples support (#17528)
• Add v7.28.5 to CHANGELOG.md [skip ci]

🚨 Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code

Impact

Using Babel to compile code that was specifically crafted by an attacker can lead to arbitrary code execution during compilation, when using plugins that rely on the path.evaluate()or path.evaluateTruthy() internal Babel methods.

Known affected plugins are:

• @babel/plugin-transform-runtime
• @babel/preset-env when using its useBuiltIns option
• Any "polyfill provider" plugin that depends on @babel/helper-define-polyfill-provider, such as babel-plugin-polyfill-corejs3, babel-plugin-polyfill-corejs2, babel-plugin-polyfill-es-shims, babel-plugin-polyfill-regenerator

No other plugins under the @babel/ namespace are impacted, but third-party plugins might be.

Users that only compile trusted code are not impacted.

Patches

The vulnerability has been fixed in @babel/traverse@7.23.2.

Babel 6 does not receive security fixes anymore (see Babel's security policy), hence there is no patch planned for babel-traverse@6.

Workarounds

• Upgrade @babel/traverse to v7.23.2 or higher. You can do this by deleting it from your package manager's lockfile and re-installing the dependencies. @babel/core >=7.23.2 will automatically pull in a non-vulnerable version.
• If you cannot upgrade @babel/traverse and are using one of the affected packages mentioned above, upgrade them to their latest version to avoid triggering the vulnerable code path in affected @babel/traverse versions:
  • @babel/plugin-transform-runtime v7.23.2
  • @babel/preset-env v7.23.2
  • @babel/helper-define-polyfill-provider v0.4.3
  • babel-plugin-polyfill-corejs2 v0.4.6
  • babel-plugin-polyfill-corejs3 v0.8.5
  • babel-plugin-polyfill-es-shims v0.10.0
  • babel-plugin-polyfill-regenerator v0.5.3

Too many releases to show here. View the full release notes.

See the full diff on Github. The new version differs by 15 commits:

• v7.29.0
• fix(parser): correctly parse type assertions in `extends` clause (#17765)
• [7.x backport] feat: Allow specifying startLine in code frame (#17739)
• Move changelog up to v7.28.5 to separate file (#17754)
• [7.x backport] Add attributes import declaration builder (#17750)
• fix(traverse): provide a hub when traversing a File or Program and no parentPath is given (#17708)
• [7.x backport] fix: Rename switch discriminant references when body creates shadowing variable (#17737)
• [7.x backport] fix(parser): improve super type argument parsing (#17723)
• [7.x backport] feat(standalone): export async transform (#17663)
• Update polyfill packages (#17727)
• [7.x backport] feat: read standalone targets from data-targets (#17725)
• [babel 7] Delete Babel 8 fixtures (#17729)
• chore(Babel 7): ignore browserslist old data (#17724)
• [Babel 7] Improve generator performance (#17642)
• Add v7.28.6 to CHANGELOG.md [skip ci]

Too many releases to show here. View the full release notes.

See the full diff on Github. The new version differs by 15 commits:

• v7.29.0
• fix(parser): correctly parse type assertions in `extends` clause (#17765)
• [7.x backport] feat: Allow specifying startLine in code frame (#17739)
• Move changelog up to v7.28.5 to separate file (#17754)
• [7.x backport] Add attributes import declaration builder (#17750)
• fix(traverse): provide a hub when traversing a File or Program and no parentPath is given (#17708)
• [7.x backport] fix: Rename switch discriminant references when body creates shadowing variable (#17737)
• [7.x backport] fix(parser): improve super type argument parsing (#17723)
• [7.x backport] feat(standalone): export async transform (#17663)
• Update polyfill packages (#17727)
• [7.x backport] feat: read standalone targets from data-targets (#17725)
• [babel 7] Delete Babel 8 fixtures (#17729)
• chore(Babel 7): ignore browserslist old data (#17724)
• [Babel 7] Improve generator performance (#17642)
• Add v7.28.6 to CHANGELOG.md [skip ci]

0.3.5

What's Changed

• Add ignoreList support: 9add0c2

Full Changelog: v0.3.4...v0.3.5

0.3.4

Full Changelog: v0.3.3...v0.3.4

0.3.3

Full Changelog: v0.3.2...v0.3.3

0.3.2

Internal

• [meta] fix "exports" for node 13.0-13.6 by @ljharb in #4
• Fix built sources paths

New Contributors

• @ljharb made their first contribution in #4

Full Changelog: v0.3.1...v0.3.2

Does any of this look wrong? Please let us know.

0.3.24

What's Changed

• Add ignoreList (and x_google_ignoreList) support: 1027ce6

Full Changelog: v0.3.23...v0.3.24

0.3.23

Full Changelog: v0.3.22...v0.3.23

0.3.22

What's Changed

• Specify all exported types to unbreak TS v4.* by @jridgewell in #34

Full Changelog: v0.3.21...v0.3.22

0.3.21

What's Changed

• Use export type * by @jridgewell in #32

Full Changelog: v0.3.20...v0.3.21

0.3.20

What's Changed

• Fix handling of sectioned source maps missing 'names' array by @RandomByte in #29

New Contributors

• @RandomByte made their first contribution in #29

Full Changelog: v0.3.19...v0.3.20

0.3.19

What's Changed

• Unpins the @jridgewell/resolve-uri and @jridgewell/sourcemap-codec dependencies so they can be de-duped.

Full Changelog: v0.3.16...v0.3.17

0.3.18

What's Changed

• fix: add "types" field to package.json by @dominikg in #24

New Contributors

• @dominikg made their first contribution in #24

Full Changelog: v0.3.17...v0.3.18

0.3.17

What's Changed

• Add support for bias in allGeneratedPositionsFor by @jridgewell in #23

Full Changelog: v0.3.16...v0.3.17

0.3.16

What's Changed

• Add allGeneratedPositionsFor by @connor4312 in #19
• Be more permissive with readonly input types by @jridgewell in #20

New Contributors

• @connor4312 made their first contribution in #19

Full Changelog: v0.3.15...v0.3.16

0.3.15

What's Changed

• Fix presortedDecodedMap to only copy sourcemap fields by @jridgewell in #15

Full Changelog: v0.3.14...v0.3.15

Does any of this look wrong? Please let us know.

Too many releases to show here. View the full release notes.

See the full diff on Github.

Too many releases to show here. View the full release notes.

See the full diff on Github. The new version differs by 5 commits:

• chore(release): publish 8.57.1
• fix(eslint-plugin): [prefer-optional-chain] no report for property on intersection type (#12126)
• chore: add missing pnpm cache to workflows (#12133)
• chore: improve pnpm cache handling (#12130)
• docs(website): auto-inject JSON-LD data for FAQ pages (#12110)

Too many releases to show here. View the full release notes.

See the full diff on Github. The new version differs by 5 commits:

• chore(release): publish 8.57.1
• fix(eslint-plugin): [prefer-optional-chain] no report for property on intersection type (#12126)
• chore: add missing pnpm cache to workflows (#12133)
• chore: improve pnpm cache handling (#12130)
• docs(website): auto-inject JSON-LD data for FAQ pages (#12110)

Too many releases to show here. View the full release notes.

See the full diff on Github. The new version differs by 5 commits:

• chore(release): publish 8.57.1
• fix(eslint-plugin): [prefer-optional-chain] no report for property on intersection type (#12126)
• chore: add missing pnpm cache to workflows (#12133)
• chore: improve pnpm cache handling (#12130)
• docs(website): auto-inject JSON-LD data for FAQ pages (#12110)

Too many releases to show here. View the full release notes.

See the full diff on Github. The new version differs by 5 commits:

• chore(release): publish 8.57.1
• fix(eslint-plugin): [prefer-optional-chain] no report for property on intersection type (#12126)
• chore: add missing pnpm cache to workflows (#12133)
• chore: improve pnpm cache handling (#12130)
• docs(website): auto-inject JSON-LD data for FAQ pages (#12110)

Too many releases to show here. View the full release notes.

See the full diff on Github. The new version differs by 5 commits:

• chore(release): publish 8.57.1
• fix(eslint-plugin): [prefer-optional-chain] no report for property on intersection type (#12126)
• chore: add missing pnpm cache to workflows (#12133)
• chore: improve pnpm cache handling (#12130)
• docs(website): auto-inject JSON-LD data for FAQ pages (#12110)

3.1.9 (from changelog)

Commits

• [Deps] update call-bind, es-abstract, es-object-atoms, get-intrinsic, is-string 3b934ae
• [Refactor] use call-bound and math-intrinsics directly 160ea60
• [Dev Deps] update @es-shims/api, @ljharb/eslint-config, auto-changelog, hastrict-mode, tape 4e4c67d
• [Tests] replace aud with npm audit 9c5ec1c
• [Dev Deps] add missing peer dep 863d207

Does any of this look wrong? Please let us know.

See the full diff on Github. The new version differs by 22 commits:

• v3.1.9
• [Refactor] use `call-bound` and `math-intrinsics` directly
• [Deps] update `call-bind`, `es-abstract`, `es-object-atoms`, `get-intrinsic`, `is-string`
• [Dev Deps] add missing peer dep
• [Dev Deps] update `@es-shims/api`, `@ljharb/eslint-config`, `auto-changelog`, `hastrict-mode`, `tape`
• [Tests] replace `aud` with `npm audit`
• v3.1.8
• [Deps] update `call-bind`, `define-properties`, `es-abstract`, `get-intrinsic`
• [Refactor] use `es-object-atoms` where possible
• [Dev Deps] update `aud`, `npmignore`, `tape`
• [Tests] use `call-bind` instead of `function-bind`
• [actions] remove redundant finisher
• v3.1.7
• [Deps] update `define-properties`, `es-abstract`, `get-intrinsic`
• [Dev Deps] update `@es-shims/api`, `@ljharb/eslint-config`, `aud`, `tape`
• v3.1.6
• [meta] add `auto-changelog`
• [Deps] update `es-abstract`, `get-intrinsic`
• [meta] use `npmignore` to autogenerate an npmignore file
• [Dev Deps] update `aud`, `tape`
• [actions] update rebase action to use reusable workflow
• [readme] note that FF 102+ no longer needs this package

1.3.3 (from changelog)

Commits

• [actions] split out node 10-20, and 20+ 1afcd57
• [Deps] update call-bind, define-properties, es-abstract, es-shim-unscopables 152c437
• [Dev Deps] update @es-shims/api, @ljharb/eslint-config, auto-changelog, function-bind npmignore, object-inspect, tape e39e33d
• [Tests] replace aud with npm audit 6868723
• [Dev Deps] add missing peer dep 800f3e3

1.3.2 (from changelog)

Commits

• [Deps] update define-properties, es-abstract fb625eb
• [Dev Deps] update @es-shims/api, @ljharb/eslint-config, aud, object-inspect, tape 1fde275

1.3.1 (from changelog)

Commits

• [meta] use npmignore to autogenerate an npmignore file e339ed7
• [meta] add auto-changelog bb5cbd6
• [Deps] update define-properties, es-abstract 8067910
• [actions] update rebase action to use reusable workflow d4d9b28
• [Dev Deps] update aud, object-inspect, tape d9d7300

Does any of this look wrong? Please let us know.

See the full diff on Github. The new version differs by 15 commits:

• v1.3.3
• [Deps] update `call-bind`, `define-properties`, `es-abstract`, `es-shim-unscopables`
• [Dev Deps] add missing peer dep
• [Dev Deps] update `@es-shims/api`, `@ljharb/eslint-config`, `auto-changelog`, `function-bind` `npmignore`, `object-inspect`, `tape`
• [actions] split out node 10-20, and 20+
• [Tests] replace `aud` with `npm audit`
• v1.3.2
• [Deps] update `define-properties`, `es-abstract`
• [Dev Deps] update `@es-shims/api`, `@ljharb/eslint-config`, `aud`, `object-inspect`, `tape`
• v1.3.1
• [meta] add `auto-changelog`
• [Deps] update `define-properties`, `es-abstract`
• [meta] use `npmignore` to autogenerate an npmignore file
• [Dev Deps] update `aud`, `object-inspect`, `tape`
• [actions] update rebase action to use reusable workflow

1.3.3 (from changelog)

Commits

• [actions] split out node 10-20, and 20+ 8727281
• [Tests] add test coverage 6e78327
• [Deps] update call-bind, es-abstract e027dd1
• [Dev Deps] update @es-shims/api, @ljharb/eslint-config, auto-changelog, object-inspect, tape 7322d84
• [Dev Deps] update aud, npmignore, object-inspect, tape 958bf5c
• [Deps] update call-bind, define-properties, es-abstract, es-shim-unscopables b3698fb
• [Tests] replace aud with npm audit e0461ed
• [Dev Deps] add missing peer dep e7160b5

1.3.2 (from changelog)

Commits

• [Deps] update define-properties, es-abstract 1737863
• [Dev Deps] update @es-shims/api, @ljharb/eslint-config, aud, object-inspect, tape 2337759

1.3.1 (from changelog)

Commits

• [meta] use npmignore to autogenerate an npmignore file 3587a34
• [meta] add auto-changelog d66bdea
• [Deps] update define-properties, es-abstract d64c486
• [actions] update rebase action to use reusable workflow 8d657d0
• [Dev Deps] update aud, object-inspect, tape aa22741
• [Tests] use for-each instead of foreach 748a78d

Does any of this look wrong? Please let us know.

See the full diff on Github. The new version differs by 19 commits:

• v1.3.3
• [Deps] update `call-bind`, `es-abstract`
• [Dev Deps] add missing peer dep
• [Dev Deps] update `@es-shims/api`, `@ljharb/eslint-config`, `auto-changelog`, `object-inspect`, `tape`
• [actions] split out node 10-20, and 20+
• [Tests] replace `aud` with `npm audit`
• [Deps] update `call-bind`, `define-properties`, `es-abstract`, `es-shim-unscopables`
• [Dev Deps] update `aud`, `npmignore`, `object-inspect`, `tape`
• [Tests] add test coverage
• v1.3.2
• [Deps] update `define-properties`, `es-abstract`
• [Dev Deps] update `@es-shims/api`, `@ljharb/eslint-config`, `aud`, `object-inspect`, `tape`
• v1.3.1
• [meta] add `auto-changelog`
• [Deps] update `define-properties`, `es-abstract`
• [meta] use `npmignore` to autogenerate an npmignore file
• [Dev Deps] update `aud`, `object-inspect`, `tape`
• [Tests] use `for-each` instead of `foreach`
• [actions] update rebase action to use reusable workflow

Too many releases to show here. View the full release notes.

See the full diff on Github. The new version differs by more commits than we can show here.

Too many releases to show here. View the full release notes.

See the full diff on Github. The new version differs by more commits than we can show here.

1.0.8 (from changelog)

Commits

• [Refactor] extract out some helpers and avoid get-intrinsic usage 407fd5e
• [Refactor] replace code with extracted call-bind-apply-helpers 81018fb
• [Tests] use set-function-length/env 0fc311d
• [actions] split out node 10-20, and 20+ 77a0cad
• [Dev Deps] update @ljharb/eslint-config, auto-changelog, es-value-fixtures, gopd, object-inspect, tape a145d10
• [Tests] replace aud with npm audit 30ca3dd
• [Deps] update set-function-length 57c79a3
• [Dev Deps] add missing peer dep 601cfa5

1.0.7 (from changelog)

Commits

• [Refactor] use es-define-property 09b76a0
• [Deps] update get-intrinsic, set-function-length ad5136d

1.0.6 (from changelog)

Commits

• [Dev Deps] update aud, npmignore, tape d564d5c
• [Deps] update get-intrinsic, set-function-length cfc2bdc
• [Refactor] use es-errors, so things that only need those do not need get-intrinsic 64cd289
• [meta] add missing engines.node 32a4038

1.0.5 (from changelog)

Commits

• [Fix] throw an error on non-functions as early as possible f262408
• [Deps] update set-function-length 3fff271

1.0.3 (from changelog)

Commits

• [actions] reuse common workflows a994df6
• [meta] use npmignore to autogenerate an npmignore file eef3ef2
• [readme] flesh out content 1845ccf
• [actions] use node/install instead of node/run; use codecov action 5b47d53
• [Refactor] use set-function-length a0e165c
• [Dev Deps] update @ljharb/eslint-config, aud, tape 9c50103
• [meta] simplify "exports" 019c6d0
• [Dev Deps] update eslint, @ljharb/eslint-config, aud, auto-changelog, safe-publish-latest, tape 23bd718
• [actions] update codecov uploader 62552d7
• [Dev Deps] update eslint, @ljharb/eslint-config, aud, auto-changelog, tape ec81665
• [Dev Deps] update eslint, @ljharb/eslint-config, safe-publish-latest, tape 35d67fc
• [Dev Deps] update eslint, @ljharb/eslint-config, aud, tape 0266d8d
• [Dev Deps] update @ljharb/eslint-config, aud, tape 43a5b28
• [Deps] update define-data-property, function-bind, get-intrinsic 780eb36
• [Dev Deps] update aud, tape 90d50ad
• [meta] use prepublishOnly script for npm 7+ 44c5433
• [Deps] update get-intrinsic 86bfbfc
• [Deps] update get-intrinsic 5c53354
• [actions] update checkout action 4c393a8
• [Deps] update get-intrinsic 4e70bde
• [Deps] update get-intrinsic 55ae803

Does any of this look wrong? Please let us know.

See the full diff on Github. The new version differs by 43 commits:

• v1.0.8
• [Refactor] replace code with extracted `call-bind-apply-helpers`
• [Tests] use `set-function-length/env`
• [Refactor] extract out some helpers and avoid get-intrinsic usage
• [Deps] update `set-function-length`
• [Dev Deps] add missing peer dep
• [Dev Deps] update `@ljharb/eslint-config`, `auto-changelog`, `es-value-fixtures`, `gopd`, `object-inspect`, `tape`
• [Tests] replace `aud` with `npm audit`
• [actions] split out node 10-20, and 20+
• v1.0.7
• [Refactor] use `es-define-property`
• [Deps] update `get-intrinsic`, `set-function-length`
• v1.0.6
• [Refactor] use `es-errors`, so things that only need those do not need `get-intrinsic`
• [meta] add missing `engines.node`
• [Deps] update `get-intrinsic`, `set-function-length`
• [Dev Deps] update `aud`, `npmignore`, `tape`
• v1.0.5
• [Deps] update `set-function-length`
• [Fix] throw an error on non-functions as early as possible
• v1.0.4
• v1.0.3
• [Refactor] use `set-function-length`
• [Deps] update `define-data-property`, `function-bind`, `get-intrinsic`
• [Dev Deps] update `@ljharb/eslint-config`, `aud`, `tape`
• [Deps] update `get-intrinsic`
• [Dev Deps] update `@ljharb/eslint-config`, `aud`, `tape`
• [Deps] update `get-intrinsic`
• [Dev Deps] update `aud`, `tape`
• [actions] update checkout action
• [meta] use `npmignore` to autogenerate an npmignore file
• [Dev Deps] update `eslint`, `@ljharb/eslint-config`, `aud`, `auto-changelog`, `tape`
• [Deps] update `get-intrinsic`
• [actions] reuse common workflows
• [meta] simplify "exports"
• [Dev Deps] update `eslint`, `@ljharb/eslint-config`, `safe-publish-latest`, `tape`
• [readme] flesh out content
• [Dev Deps] update `eslint`, `@ljharb/eslint-config`, `aud`, `auto-changelog`, `safe-publish-latest`, `tape`
• [actions] update codecov uploader
• [Deps] update `get-intrinsic`
• [Dev Deps] update `eslint`, `@ljharb/eslint-config`, `aud`, `tape`
• [actions] use `node/install` instead of `node/run`; use `codecov` action
• [meta] use `prepublishOnly` script for npm 7+

🚨 debug@4.4.2 contains malware after npm account takeover

Impact

On 8 September 2025, the npm publishing account for debug was taken over after a phishing attack. Version 4.4.2 was published, functionally identical to the previous patch version, but with a malware payload added attempting to redirect cryptocurrency transactions to the attacker's own addresses from within browser environments.

Local environments, server environments, command line applications, etc. are not affected. If the package was used in a browser context (e.g. a direct <script> inclusion, or via a bundling tool such as Babel, Rollup, Vite, Next.js, etc.) there is a chance the malware still exists and such bundles will need to be rebuilt.

The malware seemingly only targets cryptocurrency transactions and wallets such as MetaMask. See references below for more information on the payload.

Patches

npm removed the offending package from the registry over the course of the day on 8 September, preventing further downloads from npm proper.

On 13 September, the package owner published new patch versions to help cache-bust those using private registries who might still have the compromised version cached. This version is functionally identical to the previously known-good version, published as a patch version bump above the compromised version.

Users should upgrade to the latest patch version, completely remove their node_modules directory, clean their package manager's global cache, and rebuild any browser bundles from scratch.

Those operating private registries or registry mirrors should purge the offending versions from any caches.

References

• https://www.aikido.dev/blog/npm-debug-and-chalk-packages-compromised
• https://socket.dev/blog/npm-author-qix-compromised-in-major-supply-chain-attack
• https://www.ox.security/blog/npm-packages-compromised/

Point of Contact

In the event suspicious behavior is still observed for the package listed in this security advisory after performing all of the above cleaning operations (see Patches above), please reach out via one of the following channels of communication:

• Bluesky, package owner: https://bsky.app/profile/bad-at-computer.bsky.social
• debug repository, tracking issue (applies to all packages affected in the breach): #1005

4.4.3

Functionally identical release to 4.4.1.

Version 4.4.2 is compromised. Please see #1005.

4.4.1

What's Changed

• fix(Issue-996): replace whitespaces in namespaces string with commas globally by @pdahal-cx in #997
• fixes #987 fallback to localStorage.DEBUG if debug is not defined by @lzilioli in #988

New Contributors

• @pdahal-cx made their first contribution in #997
• @lzilioli made their first contribution in #988

Full Changelog: 4.4.0...4.4.1

4.4.0

Fixes (hopefully) the inefficient regex warnings in .enable().

Minor version as this is invariably going to break certain users who misuse the .enable() API and expected it to work with regexes, which was never supported nor documented. That's on you, sorry - that functionality won't be added back.

Full Changelog: 4.3.7...4.4.0

4.3.7

What's Changed

• Upgrade ms to version 2.1.3 by @realityking in #819

Full Changelog: 4.3.6...4.3.7

4.3.6

What's Changed

• Avoid using deprecated RegExp.$1 by @bluwy in #969

New Contributors

• @bluwy made their first contribution in #969

Full Changelog: 4.3.5...4.3.6

4.3.5

Patch

• cac39b1 Fix/debug depth (#926)

Thank you @calvintwr for the fix.

Does any of this look wrong? Please let us know.

See the full diff on Github. The new version differs by 18 commits:

• 4.4.3
• 4.4.1
• remove istanbul
• fixes #987 fallback to localStorage.DEBUG if debug is not defined (#988)
• Replace whitespaces in namespaces string with commas globally instead of just the first space occurrence. (#997)
• 4.4.0
• fix inefficient .enable() regex and .enabled() test
• 4.3.7
• Upgrade ms to version 2.1.3 (#819)
• remove archaic badges from readme
• 4.3.6
• Avoid using deprecated RegExp.$1
• 4.3.5
• update authorship contact info
• Fix/debug depth (#926)
• remove .github folder (and the outdated issue templates)
• Update ISSUE_TEMPLATE.md
• Update ISSUE_TEMPLATE.md

1.2.1 (from changelog)

Commits

• [Refactor] use define-data-property e7782a7
• [actions] use reusable rebase action cd249c3
• [Dev Deps] update @ljharb/eslint-config, aud, tape 8205f97

1.2.0 (from changelog)

Commits

• [New] if the predicate is boolean true, it compares the existing value with === as the predicate d8dd6fc
• [meta] add auto-changelog 7ebe2b0
• [meta] use npmignore to autogenerate an npmignore file 647478a
• [Dev Deps] update @ljharb/eslint-config, aud, tape e620d70
• [Dev Deps] update aud, tape f1e5072
• [actions] update checkout action 628b3af

Does any of this look wrong? Please let us know.

See the full diff on Github. The new version differs by 11 commits:

• v1.2.1
• [actions] use reusable rebase action
• [Refactor] use `define-data-property`
• [Dev Deps] update `@ljharb/eslint-config`, `aud`, `tape`
• v1.2.0
• [New] if the predicate is boolean `true`, it compares the existing value with `===` as the predicate
• [meta] add `auto-changelog`
• [meta] use `npmignore` to autogenerate an npmignore file
• [Dev Deps] update `@ljharb/eslint-config`, `aud`, `tape`
• [Dev Deps] update `aud`, `tape`
• [actions] update checkout action

See the full diff on Github. The new version differs by 2 commits:

• 1.5.321
• generate new version

Too many releases to show here. View the full release notes.

See the full diff on Github. The new version differs by more commits than we can show here.

1.3.0 (from changelog)

Commits

• [actions] reuse common workflows bb72efc
• [Tests] use es-value-fixtures a912f7b
• [Tests] migrate tests to Github Actions 510baf0
• [New] add types 69ba1fd
• [meta] remove unused Makefile 4ea66e6
• [actions] use node/install instead of node/run; use codecov action 3c31937
• [meta] do not publish github action workflow files 389567e
• [meta] use npmignore to autogenerate an npmignore file 9f3aa76
• [actions] split out node 10-20, and 20+ c60d7d8
• [Tests] run nyc on all tests; use tape runner 29cbb89
• [meta] add auto-changelog ea744b2
• [Dev Deps] update eslint, @ljharb/eslint-config, aud, function.prototype.name, has-symbols, object-inspect, object-is, tape e5c3c79
• [actions] add automatic rebasing / merge commit blocking a5a6f00
• [Dev Deps] update @ljharb/eslint-config, es-value-fixtures, function.prototype.name, npmignore, object-inspect, object-is, tape 7941fd5
• [Dev Deps] update eslint, @ljharb/eslint-config, aud, es-value-fixtures, foreach, object-inspect, tape eb1c79c
• [Dev Deps] update eslint, @ljharb/eslint-config, function.prototype.name, object-inspect, safe-publish-latest, tape 249b42f
• [Dev Deps] update eslint, @ljharb/eslint-config, aud, function.prototype.name, object-inspect, object-is, tape d57d5e9
• [actions] update codecov uploader 003b62c
• [actions] add "Allow Edits" workflow 75ee990
• [Dev Deps] update eslint, @ljharb/eslint-config, tape, object-is; add safe-publish-latest ba5da7b
• [readme] remove travis badge 6f7aec7
• [Dev Deps] update eslint, @ljharb/eslint-config, aud, object-inspect, tape 3291fd5
• [Dev Deps] update eslint, @ljharb/eslint-config, function.prototype.name, has-symbols, object-inspect 53007f2
• [actions] update checkout action 69640db
• [Dev Deps] update eslint, @ljharb/eslint-config, object-is, tape; add aud c9d644e
• [Tests] use for-each instead of foreach e9117bb
• [readme] add github actions/codecov badges 53cd375
• [Deps] update is-callable, is-date-object, is-symbol 8116c68
• [Tests] fix test skipping for Symbol.toPrimitive e6268ef
• [actions] switch Automatic Rebase workflow to pull_request_target event da41c40
• [Deps] update is-callable, is-date-object 96fe13f
• [Tests] replace aud with npm audit 0b53154
• [meta] use prepublishOnly script for npm 7+ 9d7d485
• [Deps] update is-callable 3c990b6
• [Deps] update is-callable 9bcfff2
• [Deps] update is-callable 1eb5478
• [meta] only run aud on prod deps 1fcd896
• [Deps] update is-symbol 7174a47

Does any of this look wrong? Please let us know.

See the full diff on Github. The new version differs by 39 commits:

• v1.3.0
• [meta] add `auto-changelog`
• [New] add types
• [Tests] fix test skipping for `Symbol.toPrimitive`
• [actions] split out node 10-20, and 20+
• [Deps] update `is-callable`
• [Dev Deps] update `@ljharb/eslint-config`, `es-value-fixtures`, `function.prototype.name`, `npmignore`, `object-inspect`, `object-is`, `tape`
• [Tests] replace `aud` with `npm audit`
• [Tests] use `for-each` instead of `foreach`
• [meta] use `npmignore` to autogenerate an npmignore file
• [Dev Deps] update `eslint`, `@ljharb/eslint-config`, `aud`, `es-value-fixtures`, `foreach`, `object-inspect`, `tape`
• [actions] update checkout action
• [actions] reuse common workflows
• [Dev Deps] update `eslint`, `@ljharb/eslint-config`, `function.prototype.name`, `object-inspect`, `safe-publish-latest`, `tape`
• [actions] update codecov uploader
• [meta] do not publish github action workflow files
• [Tests] use `es-value-fixtures`
• [readme] add github actions/codecov badges
• [Deps] update `is-callable`, `is-date-object`, `is-symbol`
• [Dev Deps] update `eslint`, `@ljharb/eslint-config`, `aud`, `object-inspect`, `tape`
• [Deps] update `is-callable`
• [Dev Deps] update `eslint`, `@ljharb/eslint-config`, `aud`, `function.prototype.name`, `has-symbols`, `object-inspect`, `object-is`, `tape`
• [actions] use `node/install` instead of `node/run`; use `codecov` action
• [meta] use `prepublishOnly` script for npm 7+
• [Deps] update `is-callable`
• [Dev Deps] update `eslint`, `@ljharb/eslint-config`, `aud`, `function.prototype.name`, `object-inspect`, `object-is`, `tape`
• [readme] remove travis badge
• [Tests] migrate tests to Github Actions
• [Tests] run `nyc` on all tests; use `tape` runner
• [actions] add "Allow Edits" workflow
• [actions] switch Automatic Rebase workflow to `pull_request_target` event
• [Dev Deps] update `eslint`, `@ljharb/eslint-config`, `object-is`, `tape`; add `aud`
• [meta] only run `aud` on prod deps
• [Dev Deps] update `eslint`, `@ljharb/eslint-config`, `tape`, `object-is`; add `safe-publish-latest`
• [Deps] update `is-callable`, `is-date-object`
• [Deps] update `is-symbol`
• [Dev Deps] update `eslint`, `@ljharb/eslint-config`, `function.prototype.name`, `has-symbols`, `object-inspect`
• [meta] remove unused Makefile
• [actions] add automatic rebasing / merge commit blocking

3.2.0

Patches

• Declare separate ESM and CommonJS TypeScript definitions: a72e1c3
  Previously, only ESM definitions were shipped but were exported in a way that could cause tool/resolution ambiguity.

Chores

• Update Node.js version matrix in CI suite: a8c6820

---

Full Changelog: v3.1.2...v3.2.0

3.1.2

Patches

• Support TypeScript’s nodenext module resolution mode (#10): d872fbd

  Thank you @NMinhNguyen

Chores

• Add licenses.dev badge to README: 02dcb8b
• Update CI matrix versions: 3c916b2

---

Full Changelog: v3.1.1...v3.1.2

Does any of this look wrong? Please let us know.

See the full diff on Github. The new version differs by 7 commits:

• 3.2.0
• fix: separate CJS vs ESM type defs
• chore(ci): update matrix & images
• 3.1.2
• fix: add "types" conditions (#10)
• fix(ci): update versions
• chore: add licenses badge

Too many releases to show here. View the full release notes.

See the full diff on Github. The new version differs by more commits than we can show here.

2.12.0 (from changelog)

Added

• Ignore type imports for named rule (#931, thanks @mattijsbliek)
• Add documentation for no-useless-path-segments rule (#1068, thanks @manovotny)
• packageDir option for no-extraneous-dependencies can be array-valued (#1085, thanks @hulkish)

2.11.0 (from changelog)

Added

• Fixer for first (#1046, thanks @fengkfengk)
• allow-require option for no-commonjs rule (#880, thanks @futpib)

Fixed

• memory/CPU regression where ASTs were held in memory (#1058, thanks @klimashkin/@lukeapage)

2.10.0 (from changelog)

Added

• Autofixer for order rule (#908, thanks @tihonove)
• Add no-cycle rule: reports import cycles.

2.9.0 (from changelog)

Added

• Add group-exports rule: style-guide rule to report use of multiple named exports (#721, thanks @robertrossmann)
• Add no-self-import rule: forbids a module from importing itself. (#727, #449, #447, thanks @giodamelio).
• Add no-default-export rule (#889, thanks @isiahmeadows)
• Add no-useless-path-segments rule (#912, thanks @graingert and @danny-andrews)
• ... and more! check the commits for v2.9.0

2.8.0 (from changelog)

Added

• exports-last rule (#620 + #632, thanks @k15a)

Changed

• Case-sensitivity checking ignores working directory and ancestors. (#720 + #858, thanks @laysent)

Fixed

• support scoped modules containing hyphens (#744, thanks @rosswarren)
• core-modules now resolves files inside declared modules (#886 / #891, thanks @mplewis)
• TypeError for missing AST fields from TypeScript (#842 / #944, thanks @alexgorbatchev)

Does any of this look wrong? Please let us know.

Too many releases to show here. View the full release notes.

See the full diff on Github. The new version differs by more commits than we can show here.

6.10.2 (from changelog)

Fixed

• [patch] no-redundandant-roles: allow <img src="*.svg" role="img" /> #936

Commits

• [meta] fix changelog URLs 0d01a1a
• [Refactor] remove no-longer-needed es-iterator-helpers aa075bd
• [Refactor] avoid spreading things that are already arrays d15d3ab
• [Dev Deps] update @babel/cli, @babel/core, @babel/eslint-parser, @babel/plugin-transform-flow-strip-types, @babel/register 5dad7c4
• [Tests] aria-role: Add valid test for <svg role="img" /> daba189
• [Docs] label-has-associated-control: add line breaks for readability 0bc6378
• [Tests] label-has-associated-control: add additional test cases 30d2318
• [Tests] Add tests to reinforce required attributes for role="heading" d92446c

6.10.1 (from changelog)

Commits

• [Fix] handle interactive/noninteractive changes from aria-query 4925ba8
• [Docs] Use consistent spelling of 'screen reader' cb6788c
• [Dev Deps] update @babel/cli, @babel/core, @babel/eslint-parser, @babel/plugin-transform-flow-strip-types, @babel/register, auto-changelog, eslint-plugin-import, tape 518a77e
• [Deps] update es-iterator-helpers, string.prototype.includes eed03a3
• [meta] package.json - Update jscodeshift & remove babel-jest 2ee940c
• [Docs] Remove accidental whitespace in CONTRIBUTING.md a262131
• [Deps] unpin aria-query e517937

6.10.0 (from changelog)

Fixed

• [New] label-has-associated-control: add additional error message #1005
• [Fix] label-has-associated-control: ignore undetermined label text #966

Commits

• [Tests] switch from jest to tape a284cbf
• [New] add eslint 9 support deac4fd
• [New] add attributes setting a1ee7f8
• [New] allow polymorphic linting to be restricted 6cd1a70
• [Tests] remove duplicate tests 74d5dec
• [Dev Deps] update @babel/cli, @babel/core, @babel/eslint-parser, @babel/plugin-transform-flow-strip-types 6eca235
• [readme] remove deprecated travis ci badge; add github actions badge 0be7ea9
• [Tests] use npm audit instead of aud 05a5e49
• [Deps] update axobject-query 912e98c
• [Deps] unpin axobject-query 75147aa
• [Deps] update axe-core 27ff7cb
• [readme] fix jsxA11y import name ce846e0
• [readme] fix typo in shareable config section in readme cca288b

6.9.0

Added

• add support for Flat Config 6b5f096
• no-noninteractive-element-to-interactive-role: allow menuitemradio and menuitemcheckbox on <li> c0733f9

Fixed

• img-redundant-alt: fixed multibyte character support #969
• Revert "[Fix] isNonInteractiveElement: Upgrade aria-query to 5.3.0 and axobject-query to 3.2.1" 75d5dd7
• ensure summary remains non-interactive 6a048da

Changed

• [meta] fix changelog links #960
• [Robustness] use safe-regex-test 4c7e781
• [actions] update actions/checkout 51a1ca7
• [Deps] pin aria-query and axobject-query, add ls-engines test to CI 32fd82c
• [Deps] remove @babel/runtime 0a98ad8
• [Deps] unpin axe-core b3559cf
• [Deps] move object.entries to dev deps 1be7b70

Full Changelog: v6.8.0...v6.9.0

6.8.0 (from changelog)

Merged

• Allow title attribute or aria-label attribute instead of accessible child in the "anchor-has-content" rule #727

Fixed

• [Docs] aria-activedescendant-has-tabindex: align with changes from #708 #924
• [Fix] control-has-associated-label: don't accept whitespace as an accessible label #918

Commits

• [Tests] migrate helper parsers function from eslint-plugin-react ce4d57f
• [Refactor] use es-iterator-helpers 52de824
• [New] mouse-events-have-key-events: add hoverInHandlers/hoverOutHandlers config db64898
• [New] add polymorphicPropName setting for polymorphic components fffb05b
• [Fix] isNonInteractiveElement: Upgrade aria-query to 5.3.0 and axobject-query to 3.2.1 64bfea6
• [Refactor] use hasown instead of has 9a8edde
• [actions] update used actions 10c061a
• [Dev Deps] update @babel/cli, @babel/core, @babel/eslint-parser, @babel/plugin-transform-flow-strip-types, @babel/register, aud, eslint-doc-generator, eslint-plugin-import, minimist 6d5022d
• [Dev Deps] update @babel/cli, @babel/core, @babel/eslint-parser, @babel/register, eslint-doc-generator, eslint-plugin-import 4dc7f1e
• [New] anchor-has-content: Allow title attribute OR aria-label attribute e6bfd5c
• [patch] mouse-events-have-key-events: rport the attribute, not the node eadd70c
• [Deps] update @babel/runtime, array-includes, array.prototype.flatmap, object.entries, object.fromentries 46ffbc3
• [Deps] update @babel/runtime, axobject-query, jsx-ast-utils, semver 5999555
• [Fix] pin aria-query and axe-core to fix failing tests on main 8d8f016
• [patch] move semver from Deps to Dev Deps 4da13e7
• [Deps] update ast-types-flow b755318
• [Dev Deps] update eslint-plugin-import f1c976b
• [Deps] unpin language-tags 3d1d26d
• [Docs] no-static-element-interactions: tabIndex is written tabindex 1271153
• [Deps] Upgrade ast-types-flow to mitigate Docker user namespacing problems f0d2ddb
• [Dev Deps] pin jackspeak since 2.1.2+ depends on npm aliases, which kill the install process in npm < 6 0c278f4

6.7.1 (from changelog)

Commits

• [Fix] no-aria-hidden-on-focusable rule's missing export b01219e

6.7.0 (from changelog)

Merged

• New rule: prefer-tag-over-role #833

Fixed

• [Tests] aria-role: add now-passing test #756
• [Docs] control-has-associated-label: fix metadata #892
• [New] add no-aria-hidden-on-focusable rule #881

Commits

• [Docs] automate docs with eslint-doc-generator 6d7a857
• [Refactor] use fromEntries, flatMap, etc; better use iteration methods 3d77c84
• [New] add anchor-ambiguous-text rule 7f6463e
• [New] add getAccessibleChildText util 630116b
• [New] Add isFocusable utils method e199d17
• [Docs] update eslint-doc-generator to v1.0.0 6b9855b
• [Fix] no-noninteractive-element-interactions: Ignore contenteditable elements in no-noninteractive-element-interactions 9aa878b
• [New] anchor-ambiguous-text: ignore punctuation bbae2c4
• [New] anchor-ambiguous-text, getAccessibleChildText: Implements check for alt tags on <img /> elements bb84abc
• [meta] use npmignore to autogenerate an npmignore file 6ad2312
• [meta] add auto-changelog 283817b
• [Docs] missing descriptions in some rules 79b975a
• [Deps] update aria-query, axobject-query 7b3cda3
• [Dev Deps] update @babel/cli, @babel/core, @babel/eslint-parser, @babel/plugin-transform-flow-strip-types, aud, object.assign 0852947
• [meta] move .eslintignore to ignorePatterns 65be35b
• [Dev Deps] update @babel/cli, @babel/core, aud, eslint-doc-generator 60c2df5
• [Deps] update @babel/runtime, array-includes, axe-core 4abc751
• [Deps] update @babel/runtime, axe-core 89f766c
• [meta] run the build in prepack, not prepublish e411ce3
• [Dev Deps] update @babel/core, minimist cccdb62
• [Dev Deps] update markdown-magic 3382059
• [Fix] expose prefer-tag-over-role 38d52f8
• [Docs] label-has-for: reran generate-list-of-rules 9a2af01
• [Deps] pin language-tags to v1.0.5 f84bb74
• [Dev Deps] update @babel/core cf3f8d0
• [Deps] update axe-core 0a73cf4
• [Deps] update @babel/runtime 053f04d
• [Deps] update @babel/runtime bccf0ae
• [Deps] update jsx-ast-utils c9687cc
• [readme] Preventing code repetition in user's eslint config file 8b889bf
• [Docs] prefer-tag-over-role: rename docs file 0bdf95b