fix: @babel/preset-env vulnerabilities (v3.0.4)#670
@babel/preset-env@7.23.2 depends on @babel/plugin-transform-modules-systemjs@7.29.0, which has vulnerabilities. The latest @babel/preset-env version fixed this.
Fondryext
left a comment
Just fyi, the version bump looks good but those test failures are real, so the packages need to be remade, or maybe there really is a version conflict.
```
> @yext/search-ui-react@3.0.3 prepare
> husky

added 2 packages, and audited 1678 packages in 2s

367 packages are looking for funding
  run `npm fund` for details

18 vulnerabilities (5 low, 4 moderate, 9 high)

To address issues that do not require attention, run:
  npm audit fix

To address all issues possible (including breaking changes), run:
  npm audit fix --force

Some issues need review, and may require choosing
a different dependency.

Run `npm audit` for details.
```
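The description says the vulnerable package is only reached transitively through @babel/preset-env, and the review comment shows `npm audit` still reporting 18 findings after the bump. The check below is an added example, not code from the search-ui-react repository: it walks the `packages` map of an npm lockfile (lockfileVersion 2 or 3) to list every resolved copy of a package, hoisted or nested, which packages declare a dependency on it, and which copies are still below a chosen minimum version. The lockfile object, the `some-tool` dependent and the `7.99.0` minimum are constructed placeholders; the PR does not name the fixed release, so substitute the real one.

```javascript
// Added example, not code from the search-ui-react repository: answer the two
// questions a transitive-dependency bump raises. Which versions of the package
// does the lockfile actually resolve, and which packages pull them in?
// Operates on the "packages" map of npm lockfileVersion 2 or 3.

// Constructed lockfile fragment. The @babel versions mirror the PR description;
// "some-tool" is a hypothetical second dependent that keeps a nested copy.
const sampleLock = {
  name: 'example-app',
  lockfileVersion: 3,
  packages: {
    '': { name: 'example-app', devDependencies: { '@babel/preset-env': '^7.23.2' } },
    'node_modules/@babel/preset-env': {
      version: '7.23.2',
      dev: true,
      dependencies: { '@babel/plugin-transform-modules-systemjs': '^7.29.0' },
    },
    'node_modules/@babel/plugin-transform-modules-systemjs': { version: '7.29.0', dev: true },
    'node_modules/some-tool': {
      version: '1.0.0',
      dependencies: { '@babel/plugin-transform-modules-systemjs': '7.29.0' },
    },
    'node_modules/some-tool/node_modules/@babel/plugin-transform-modules-systemjs': {
      version: '7.29.0',
    },
  },
};

// "node_modules/a/node_modules/@scope/b" -> "@scope/b"
function nameFromLockPath(lockPath) {
  const marker = 'node_modules/';
  const idx = lockPath.lastIndexOf(marker);
  return idx === -1 ? lockPath : lockPath.slice(idx + marker.length);
}

// Numeric x.y.z comparison (pre-release tags ignored); negative when a < b.
function compareVersions(a, b) {
  const pa = a.split('-')[0].split('.').map(Number);
  const pb = b.split('-')[0].split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Every resolved copy of `name`, hoisted or nested: [{ path, version }]
function resolvedCopies(lock, name) {
  return Object.entries(lock.packages)
    .filter(([p]) => p !== '' && nameFromLockPath(p) === name)
    .map(([p, meta]) => ({ path: p, version: meta.version }));
}

// Packages whose declared dependencies include `name`: [{ dependent, range }]
function dependentsOf(lock, name) {
  const fields = ['dependencies', 'devDependencies', 'optionalDependencies', 'peerDependencies'];
  const out = [];
  for (const [p, meta] of Object.entries(lock.packages)) {
    for (const f of fields) {
      if (meta[f] && Object.prototype.hasOwnProperty.call(meta[f], name)) {
        out.push({ dependent: p === '' ? '(root)' : nameFromLockPath(p), range: meta[f][name] });
      }
    }
  }
  return out;
}

// CI gate: copies of `name` still below `minSafeVersion`. An empty result means
// the bump took effect for every copy, not only the hoisted one.
function copiesBelow(lock, name, minSafeVersion) {
  return resolvedCopies(lock, name).filter((c) => compareVersions(c.version, minSafeVersion) < 0);
}

// Usage with a placeholder minimum version (the PR does not name the fixed release).
const target = '@babel/plugin-transform-modules-systemjs';
console.log(resolvedCopies(sampleLock, target));
console.log(dependentsOf(sampleLock, target));
console.log(copiesBelow(sampleLock, target, '7.99.0'));
```

A bump of the direct dependency alone leaves nested copies in place, which is why `copiesBelow` filters over all resolved copies rather than the hoisted path only; in a real run, parse `package-lock.json` with `JSON.parse` and pass the object in place of `sampleLock`.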
| @@ -16757,13 +16788,13 @@ | |||
| "license": "MIT" | |||
| }, | |||
| "node_modules/mapbox-gl": { | |||
Legal Risk
mapbox-gl 3.24.0 was released under the non-standard license, a license that
is currently prohibited by your organization. Merging is blocked until this is resolved.
Recommendation
Reach out to your security team or Semgrep admin to address this issue. In special cases, exceptions may be made for dependencies with violating licenses, however, the general recommendation is to avoid using a dependency under such a license.
I might be wrong, but I don't think my change caused this. The same failure occurred in the last search-ui-react PR too.
* feat: allow users to turn analytics on and off (v2.1.0) (#632)
  * feat: allow users to turn analytics on and off (v2.1.0)
    This PR adds a new property to the SearchAnalyticsConfig, which can be used to start with analytics enabled or disabled by default. Three new methods are added to the analytics object: two to turn analytics on/off, and one to get the current enabled status.
    J=WAT-5404
    TEST=auto, manual
    Ran test site locally with debugging and buttons to turn analytics on and off, saw expected behavior.
  * Update various names to be in-line with pages code
  * Automated update to repo's documentation from github action
  * Add enableYextAnalytics function to window
  * drop unneeded parens
  --------
  Co-authored-by: github-actions <41898282+github-actions[bot]@users.noreply.github.com>
* release: v2.1.0
* More accessibility fixes for autocomplete results (#635)
  * More accessibility fixes for autocomplete results
    Associate the visible label with the input via `label` + `htmlFor`, and wire `DropdownInput` with `inputId` and `aria-labelledby`. Change the instructions container from `hidden` to `sr-only`, so `aria-describedby` references content that is actually exposed to screen readers.
    J=WAT-5357
    TEST=manual tested with voice over enabled on test-site
  * Update snapshots
  --------
  Co-authored-by: github-actions <41898282+github-actions[bot]@users.noreply.github.com>
* release: v2.1.1
* chore: suppress error/warning spam, fix key errors etc (#642)
* fix: point TypeScript output to dist directory (#644)
  * suppress error/warning spam, fix key errors etc
  * set ts output dir to dist
  * retry logic to WCAG
* release: v2.1.2
* fix: improve accessibility in FilterSearch and Facets (v2.2.0) (#638)
  * fix linting; added optional region landmark semantics to FilterSearch
  * Automated update to repo's documentation from github action
  * chore: suppress error/warning spam, fix key errors etc (#642)
  * fix: point TypeScript output to dist directory (#644)
  * suppress error/warning spam, fix key errors etc
  * set ts output dir to dist
  * retry logic to WCAG
  * release: v2.1.2
  * revert fieldset legend accessibility change
  * Automated update to repo's documentation from github action
  * optional toggle to show label on facet/static filter searchable sections; update locales
  * add group section semantics to filter search results when multiple sections
  --------
  Co-authored-by: github-actions <41898282+github-actions[bot]@users.noreply.github.com>
* hotfix: improve accessibility in FilterSearch (v2.2.0) (#649)
  - make sure autocomplete option count is announced when the input is cleared too
  - detect all stale state value usages when using React.useState and fix to use a functional state update (e.g. setValue(value + 1) becomes setValue(prev => prev + 1))
* chore: update svgo and storybook (#651)
* release: v2.2.0
* chore: upgrade mapbox-gl version for accessibility issues (v3.0.0) (#654)
  - current version has some accessibility issues that will be addressed by this upgrade
  - removed unnecessary @types/mapbox-gl import since mapbox-gl provides its own types
  - replace Mapbox-owned public types in search-ui-react with library-owned, version-stable interfaces
  - replace deprecated Mapbox aliases usage
  This PR also includes some improvements that I noticed when testing:
  - test-site pin popups not showing up
  - clean up the map listeners properly
  - memoizes the debounced function so it stays the same across renders unless milliseconds changes
  J=WAT-5461
  TEST=auto,manual
  verified test-site still functions as expected
  verified that locator functions as expected and that there are no longer any accessibility errors on live site
* release: v3.0.0
* chore: upgrade transitive handlebars dependency (#657)
* fix: various accessibility improvements (v3.0.1) (#659)
  * various improvements
  * Update snapshots
  --------
  Co-authored-by: github-actions <41898282+github-actions[bot]@users.noreply.github.com>
* release: v3.0.1
* fix: axios and vite vulns
  This PR ups the axios and vite versions we use to avoid the vulnerabilities in each.
  J=VULN-43399, VULN-43501, VULN-43502
* release: v3.0.2
* fix: up node version in tests to 20 (#665)
  * fix: up node version in tests to 20
    We recently upped the node versions in the reusable workflows to 20, so do the same here
  * remake package locks
  * Automated update to THIRD-PARTY-NOTICES from github action's 3rd party notices check
  * Update snapshots
  * try remaking with node 20
  --------
  Co-authored-by: github-actions <41898282+github-actions[bot]@users.noreply.github.com>
* Version 3.0.3: fix lodash vulns (#664)
  * Version 3.0.3: fix lodash vulns
    The versions of lodash and lodash-es used have a vuln, so this PR bumps them to a safe version.
    J=TECHOPS-17980
  * bump versions higher
  * seeing weird build errors, remake package locks
  * Automated update to THIRD-PARTY-NOTICES from github action's 3rd party notices check
  * Update snapshots
  * remake package locks
  --------
  Co-authored-by: github-actions <41898282+github-actions[bot]@users.noreply.github.com>
* release: v3.0.3
* fix: @babel/preset-env vulnerabilities (v3.0.4) (#670)
  @babel/preset-env@7.23.2 depends on @babel/plugin-transform-modules-systemjs@7.29.0, which has vulnerabilities. The latest @babel/preset-env version fixed this.
* release: v3.0.4
* fix: axios vulns (v3.0.5) (#673)
  * fix: axios vulns (v3.0.5)
    This axios version bump should fix two vulns:
    - Prototype Pollution
    - Inefficient Regular Expression Complexity
    J=VULN-44767,VULN-44820
  * Update snapshots
  --------
  Co-authored-by: github-actions <41898282+github-actions[bot]@users.noreply.github.com>
* release: v3.0.5
* fix: up esbuild to avoid vuln (v3.0.6) (#677)
  * fix: up esbuild to avoid vuln
    As title suggests. Avoids: GHSA-gv7w-rqvm-qjhr
    J=VULN-44973
    TEST=compile
  * remake package locks
  * Automated update to THIRD-PARTY-NOTICES from github action's 3rd party notices check
  * Update snapshots
  * override
  --------
  Co-authored-by: github-actions <41898282+github-actions[bot]@users.noreply.github.com>
* release: v3.0.6
* try remake
* up rollup

--------
Co-authored-by: Fondryext <160865254+Fondryext@users.noreply.github.com>
Co-authored-by: github-actions <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Jacob Fondriest <jfondriest@yext.com>
Co-authored-by: anguyen-yext2 <143001514+anguyen-yext2@users.noreply.github.com>
Co-authored-by: anguyen-yext2 <anguyen@yext.com>
Co-authored-by: Kyle Gerner <49618240+k-gerner@users.noreply.github.com>
Co-authored-by: Kyle Gerner <kgerner@yext.com>