Description
Hi 👋
First, thank you for your great work on WatermelonDB — it's an excellent library and an essential part of our React Native project.
I'm opening this issue to kindly request an upgrade of the @babel/runtime dependency to version ^7.26.10 or later. This is in response to the following security advisory:
Advisory: GHSA-968p-4wvh-cqc8
Severity: Moderate
Issue: Inefficient regular expression complexity in generated code when transpiling named capturing groups with .replace()
Affected versions: <7.26.10
Currently, WatermelonDB depends on a version below this threshold (e.g., @babel/runtime@7.20.13 in 0.27.1), which causes security tools like npm audit to raise warnings.
Why this matters
Security compliance (especially for teams enforcing npm audit or similar tools)
Compatibility with enterprise policies or CI pipelines that fail on known vulnerabilities
Peace of mind for developers who rely on the package in production
Suggested change
Please consider bumping the @babel/runtime dependency in package.json and releasing a patch version. If this is blocked by compatibility concerns, any guidance on safe overrides (e.g. Yarn resolutions) would also be greatly appreciated.
Thanks again for your continued maintenance of WatermelonDB!
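For teams that want to gate CI on the threshold named in this advisory rather than on npm audit's full report, the following shell script checks which @babel/runtime version is actually resolved into a project against the fixed version (7.26.10) quoted above. This is an added example, not code from the issue author or from WatermelonDB; it assumes the standard node_modules layout (node_modules/@babel/runtime/package.json) and the fixture it builds for the demo is constructed, with 7.20.13 taken from the version the issue cites for 0.27.1.

```shell
#!/bin/sh
# Added example (not part of the WatermelonDB issue): verify the installed
# @babel/runtime against the fix threshold of GHSA-968p-4wvh-cqc8.

FIXED_VERSION="7.26.10"   # advisory: affected versions are < 7.26.10

# version_ge A B -> exit 0 when dotted version A >= B.
# Compares major.minor.patch numerically; pre-release suffixes (e.g. "-beta.1")
# are dropped, and missing components count as 0.
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    sub(/-.*/, "", a); sub(/-.*/, "", b)
    na = split(a, A, "."); nb = split(b, B, ".")
    for (i = 1; i <= 3; i++) {
      x = (i <= na) ? A[i] + 0 : 0
      y = (i <= nb) ? B[i] + 0 : 0
      if (x > y) exit 0
      if (x < y) exit 1
    }
    exit 0
  }'
}

# installed_runtime_version DIR -> prints the "version" field of
# DIR/node_modules/@babel/runtime/package.json; fails if the package is absent.
# package.json files written by npm/yarn keep "version" on its own line, so a
# line-oriented sed extraction is sufficient here (assumption of this example).
installed_runtime_version() {
  pkg="$1/node_modules/@babel/runtime/package.json"
  [ -f "$pkg" ] || return 1
  sed -n 's/^[[:space:]]*"version"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$pkg" | head -n 1
}

# check_project DIR -> exit 0 when the resolved @babel/runtime is at or above
# FIXED_VERSION, 1 when it is still in the affected range, 2 when not found.
check_project() {
  v=$(installed_runtime_version "$1") && [ -n "$v" ] || {
    echo "@babel/runtime not found under $1/node_modules"
    return 2
  }
  if version_ge "$v" "$FIXED_VERSION"; then
    echo "@babel/runtime $v: OK (>= $FIXED_VERSION)"
    return 0
  fi
  echo "@babel/runtime $v: affected by GHSA-968p-4wvh-cqc8 (< $FIXED_VERSION)"
  return 1
}

# make_fixture DIR VERSION -> writes a constructed @babel/runtime package.json
# so the check can be exercised without installing anything.
make_fixture() {
  mkdir -p "$1/node_modules/@babel/runtime"
  printf '{\n  "name": "@babel/runtime",\n  "version": "%s"\n}\n' "$2" \
    > "$1/node_modules/@babel/runtime/package.json"
}

# Demo on a constructed fixture: 7.20.13 is the version the issue cites for
# WatermelonDB 0.27.1, so this reports the package as affected.
tmp=$(mktemp -d)
make_fixture "$tmp" "7.20.13"
check_project "$tmp" || true
rm -rf "$tmp"
```

Run it as `check_project /path/to/project` from a CI step; a non-zero exit fails the build until the resolved version crosses the threshold. The corresponding remedy the issue asks about is a `resolutions` entry (Yarn) or an `overrides` entry (npm) in package.json that pins @babel/runtime to ^7.26.10 until the upstream dependency is bumped; re-running this check afterwards confirms the override actually took effect in node_modules.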