@harekrishnarai harekrishnarai commented Jun 20, 2025

Changes

  • Dependencies removed: @babel/[email protected] (deprecated package)
  • Dependencies added: core-js@^3.23.3 and regenerator-runtime@^0.13.4 as dev dependencies
  • Code changed: Updated redirect_authorize.test.js to replace require('@babel/polyfill') with modern ES6 imports: import 'core-js/stable' and import 'regenerator-runtime/runtime'
  • Security fix: Eliminates vulnerable [email protected] dependency that was flagged in SEC-2155
  • Performance improvement: Avoids potential 100x slowdown associated with deprecated core-js versions
  • Maintenance: Follows official Babel migration path from deprecated @babel/polyfill to modern core-js approach
  • No breaking changes: Maintains identical polyfill functionality while using secure, maintained dependencies

References

Please include relevant links supporting this change such as a:

Testing

Please describe how this can be tested by reviewers. Be specific about anything not tested and reasons why. If this library has unit and/or integration testing, tests should be added for new functionality and existing tests should complete without errors.

  • All existing unit tests continue to pass (645 tests passing)
  • Integration tests execute successfully with new polyfill imports
  • Build process completes without errors (npm run build)
  • Dependency tree verified to contain only secure core-js version (npm ls core-js shows [email protected])
  • No new functionality added, only security/maintenance update - existing test coverage remains comprehensive
  • This change adds unit test coverage
  • This change adds integration test coverage

Checklist

- Remove @babel/[email protected] which pulled in vulnerable [email protected]
- Add core-js@^3.23.3 and regenerator-runtime@^0.13.4 as dev dependencies
- Update integration test to use modern polyfill imports
- Resolves SEC-2155: [email protected] deprecation vulnerability

This change eliminates the security vulnerability while maintaining
the same polyfill functionality and avoiding performance issues
associated with older core-js versions.
@harekrishnarai harekrishnarai marked this pull request as ready for review June 20, 2025 13:48
@harekrishnarai harekrishnarai requested a review from a team as a code owner June 20, 2025 13:48
subhankarmaiti previously approved these changes Aug 19, 2025
amitsingh05667 previously approved these changes Aug 26, 2025
@gyaneshgouraw-okta gyaneshgouraw-okta merged commit c7bc7a3 into auth0:master Aug 29, 2025
12 of 13 checks passed
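
An added example, not code from this pull request or the auth0 repository: the `npm ls core-js` check listed under Testing, generalized to a function that walks parsed `npm ls --all --json` output and flags every core-js copy below a minimum version, including transitive ones. The 3.23.3 floor is an assumption taken from the range the PR adds (`core-js@^3.23.3`), and the sample tree with its package versions is constructed.

```javascript
// Added example: audit a parsed `npm ls --all --json` tree for old core-js copies.
// MIN_CORE_JS is an assumption taken from the range this PR adds (^3.23.3).
const MIN_CORE_JS = [3, 23, 3];

// Parse "3.23.3" or "2.6.12-beta.1" into [major, minor, patch]; null if malformed.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v || ''));
  return m ? m.slice(1).map(Number) : null;
}

// True when version a sorts strictly below version b.
function isBelow(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i];
  }
  return false;
}

// Walk the tree and return every core-js install with the chain that pulls it in.
function findCoreJs(node, path = [node.name || '(root)'], out = []) {
  for (const [name, dep] of Object.entries(node.dependencies || {})) {
    const chain = path.concat(name);
    if (name === 'core-js') {
      const parsed = parseVersion(dep.version);
      // Unparseable versions are reported as outdated so they get a manual look.
      const outdated = parsed === null || isBelow(parsed, MIN_CORE_JS);
      out.push({ version: dep.version, chain: chain.join(' > '), outdated });
    }
    findCoreJs(dep, chain, out);
  }
  return out;
}

// Constructed sample shaped like `npm ls --all --json` output (not from the repo;
// all versions below are placeholders chosen for the demonstration).
const sampleTree = {
  name: 'example-app',
  dependencies: {
    '@babel/polyfill': {
      version: '0.0.0-sample',
      dependencies: { 'core-js': { version: '2.6.12' } },
    },
    'core-js': { version: '3.23.3' },
    'regenerator-runtime': { version: '0.13.4' },
  },
};

for (const hit of findCoreJs(sampleTree)) {
  console.log(`${hit.outdated ? 'FAIL' : 'ok  '} core-js@${hit.version} via ${hit.chain}`);
}
```

In CI, feed it `JSON.parse` of the `npm ls --all --json` output and fail the job when any result has `outdated` set; the chain shows which parent package still needs replacing.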