Bump @babel/plugin-transform-modules-systemjs from 7.25.7 to 7.29.4 #1463

Open
dependabot[bot] wants to merge 1 commit into main from dependabot/npm_and_yarn/babel/plugin-transform-modules-systemjs-7.29.4

dependabot[bot] commented on behalf of github on May 9, 2026

Bumps @babel/plugin-transform-modules-systemjs from 7.25.7 to 7.29.4.

Release notes

Sourced from @​babel/plugin-transform-modules-systemjs's releases.

v7.29.4 (2026-05-05)

🐛 Bug Fix

  • babel-plugin-transform-modules-systemjs
    • #17974 [7.x backport]fix(systemjs): improve module string name support (@​JLHwung)

Committers: 1

v7.29.3 (2026-04-30)

👓 Spec Compliance

🐛 Bug Fix

  • babel-helper-create-class-features-plugin, babel-plugin-proposal-decorators
    • #17931 fix(decorators): replace super within all removed static elements (@​JLHwung)
  • babel-register
  • babel-compat-data, babel-plugin-bugfix-safari-rest-destructuring-rhs-array, babel-preset-env

💅 Polish

📝 Documentation

🏃‍♀️ Performance

  • babel-helper-import-to-platform-api, babel-plugin-proposal-import-wasm-source, babel-plugin-transform-json-modules

Committers: 4

v7.29.2 (2026-03-16)

👓 Spec Compliance

  • babel-parser

🐛 Bug Fix

  • babel-helpers, babel-plugin-transform-async-generator-functions, babel-preset-env, babel-runtime-corejs3
  • babel-preset-env

... (truncated)

Maintainer changes

This version was pushed to npm by GitHub Actions, a new releaser for @​babel/plugin-transform-modules-systemjs since your current version.


Bumps [@babel/plugin-transform-modules-systemjs](https://github.com/babel/babel/tree/HEAD/packages/babel-plugin-transform-modules-systemjs) from 7.25.7 to 7.29.4.
- [Release notes](https://github.com/babel/babel/releases)
- [Changelog](https://github.com/babel/babel/blob/main/CHANGELOG.md)
- [Commits](https://github.com/babel/babel/commits/v7.29.4/packages/babel-plugin-transform-modules-systemjs)

---
updated-dependencies:
- dependency-name: "@babel/plugin-transform-modules-systemjs"
  dependency-version: 7.29.4
  dependency-type: indirect
...

Signed-off-by: dependabot[bot] <support@github.com>

dependabot[bot] added the labels dependencies (Pull requests that update a dependency file) and javascript (Pull requests that update javascript code) on May 9, 2026
Copilot AI review requested due to automatic review settings May 9, 2026 13:43
cursor[bot] left a comment

Stale comment

No blocking findings.

Security

  • This bump resolves GHSA-fv7c-fp4j-7gwp / CVE-2026-44728, a High-severity code-generation/code-injection issue in @babel/plugin-transform-modules-systemjs affecting 7.12.0 through 7.29.3; 7.29.4 is the patched release.
  • I did not find any additional advisories introduced by the new transitive helper packages pulled in alongside the fix.
  • Supply-chain note: Dependabot reports a new npm releaser (GitHub Actions), but the package release corresponds to Babel's official v7.29.4 release and a verified upstream fix commit, so I did not see a separate ownership or provenance red flag from this update.

Safety Of Merging

  • This PR is lockfile-only (yarn.lock). yarn why shows the package is only present transitively via @babel/preset-env.
  • The upstream patch is narrowly scoped: it fixes how the SystemJS transform emits string-named imports/exports, especially around import * / export * interop.
  • I could not find any checked-in repo config that enables modules: "systemjs" or emits System.register(...); the Babel paths in package.json, webpack.config.js, and config/jest/babelTransform.js all look like the standard babel-preset-react-app flow. That makes behavioral regression risk low for this repository's normal build/test path.

Assumptions

  • This assessment assumes there is no external, untracked Babel configuration in CI or downstream packaging that forces @babel/preset-env to use modules: "systemjs".

Recommendation

  • Merge. This closes a newly published High advisory with low observed compatibility risk for this repo.
  • The only remaining thing to watch is the PR's Cypress check, since I did not run Cypress locally.

Local Verification

  • yarn install --immutable
  • yarn lint
  • CI=true yarn test --coverage --maxWorkers=4 --workerThreads=true --reporters=default --reporters=jest-junit --reporters=jest-github-actions-reporter -> 92 suites passed, 816 tests passed
  • yarn build -> succeeded; only the existing webpack asset-size warnings were reported

Sent by Cursor Automation: Editor-UI - Tests Dependabot PRs

cursor[bot] left a comment

No blocking findings.

Security

  • I did not find any published CVEs or advisory hits for @babel/plugin-transform-modules-systemjs in either 7.25.7 or 7.29.4 from public package scanners.
  • This update does not appear to resolve a known security issue; it looks like a routine bug-fix / maintenance refresh.
  • Supply-chain signal looks normal: npm metadata still points at the official babel/babel repository, and the listed maintainers are the expected Babel maintainers. Dependabot notes the release was published by GitHub Actions, but I did not find evidence of a suspicious ownership or source change.

Safety Of Merging

  • This PR only changes yarn.lock; the dependency is indirect via @babel/preset-env.
  • In this repository, Babel is used in the build/test toolchain (babel-loader, babel-jest, babel-preset-react-app), and I found no references to SystemJS, System.register, or related configuration in the codebase.
  • Upstream 7.29.4 is a Babel bug fix for SystemJS module string-name handling. Because this project does not appear to emit SystemJS modules, behavioral risk here is very low.
  • The lockfile also refreshes a small set of Babel helper packages (@babel/traverse, @babel/types, @babel/parser, and related helpers), so the practical risk is limited to build-time transpilation internals rather than runtime application behavior.

Recommendation

  • Recommend merge. I do not see a security reason to hold this PR, and the codebase does not appear to exercise the only behavior changed upstream.

Local Verification

  • yarn install --immutable
  • yarn lint
  • CI=true yarn test ✅ (92 suites / 816 tests passed)
  • yarn start ✅ (webpack compiled successfully)
  • yarn exec cypress run could not be completed in this environment because the required Cypress binary was not present, and downloading it from download.cypress.io failed with an SSL/network error from the cloud runner.

Residual Risk

  • If you want full end-to-end coverage before merging, rerun Cypress in CI or from an environment that can reach download.cypress.io. I do not see anything in this particular dependency bump that suggests an e2e-only regression.

Sent by Cursor Automation: Editor-UI - Tests Dependabot PRs
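
The two checks both review comments rely on, written out as an added example that is not part of this PR or of either bot's output: compare the version resolved in the lockfile against the 7.12.0 through 7.29.3 range quoted in the first comment, and look for a Babel config that selects the SystemJS transform. The lockfile and config snippets are constructed samples, and all function names are hypothetical.

```javascript
// Added example. Lockfile and config snippets below are constructed samples.
const PKG = "@babel/plugin-transform-modules-systemjs";
// Range quoted in the first review comment; treated here as inclusive (assumption).
const AFFECTED = { min: "7.12.0", max: "7.29.3" };

function cmp(a, b) {
  const x = a.split(".").map(Number), y = b.split(".").map(Number);
  for (let i = 0; i < 3; i++) if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  return 0;
}
const isAffected = (v) => cmp(v, AFFECTED.min) >= 0 && cmp(v, AFFECTED.max) <= 0;

// Resolved versions of `pkg` in Yarn classic or Berry lockfile text.
function lockedVersions(lockText, pkg) {
  const found = [];
  let inEntry = false;
  for (const line of lockText.split(/\r?\n/)) {
    if (/^\S/.test(line)) { // entry header: one or more comma-separated descriptors
      inEntry = line.replace(/:\s*$/, "").split(",")
        .some((k) => k.trim().replace(/^"|"$/g, "").startsWith(pkg + "@"));
    } else if (inEntry) {
      const m = line.match(/^\s+version:?\s+"?(\d+\.\d+\.\d+)"?\s*$/);
      if (m) found.push(m[1]);
    }
  }
  return found;
}

// Does a Babel config select the SystemJS transform, via preset-env or directly?
const enablesSystemjs = (text) =>
  /["']?modules["']?\s*:\s*["']systemjs["']/.test(text) ||
  /transform-modules-systemjs/.test(text);

function audit(lockText, configTexts) {
  const versions = lockedVersions(lockText, PKG);
  return { versions, affected: versions.filter(isAffected),
           systemjsEnabled: configTexts.some(enablesSystemjs) };
}

const lockAt = (v) => `"${PKG}@npm:^7.25.7":\n  version: ${v}\n  resolution: "${PKG}@npm:${v}"\n`;
const PLAIN_CFG = `module.exports = { presets: ["react-app"] };`;
const SYSTEMJS_CFG = `{ "presets": [["@babel/preset-env", { "modules": "systemjs" }]] }`;

console.log(audit(lockAt("7.25.7"), [PLAIN_CFG]));    // affected version, transform unused
console.log(audit(lockAt("7.29.4"), [SYSTEMJS_CFG])); // patched version, transform in use
```

Prerelease version strings are skipped by the version regex; a full semver comparison would be needed to cover them.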
