
Bump the npm-security group across 1 directory with 2 updates#4052

Closed
dependabot[bot] wants to merge 2 commits into main from dependabot/npm_and_yarn/npm-security-0a82699ffe


Conversation

@dependabot dependabot Bot commented on behalf of github Jun 16, 2026

Contributor

Bumps the npm-security group with 2 updates in the / directory: @babel/core and form-data.

Updates @babel/core from 7.28.5 to 7.29.6

Release notes

Sourced from @babel/core's releases.

v7.29.6 (2026-05-25)

🐛 Bug Fix

Committers: 3

v7.29.5 (2026-05-05)

🏠 Internal

  • babel-preset-env
    • Update @babel/* dependencies

v7.29.4 (2026-05-05)

🐛 Bug Fix

  • babel-plugin-transform-modules-systemjs
    • #17974 [7.x backport] fix(systemjs): improve module string name support (@JLHwung)

Committers: 1

v7.29.3 (2026-04-30)

👓 Spec Compliance

🐛 Bug Fix

  • babel-helper-create-class-features-plugin, babel-plugin-proposal-decorators
    • #17931 fix(decorators): replace super within all removed static elements (@JLHwung)
  • babel-register
  • babel-compat-data, babel-plugin-bugfix-safari-rest-destructuring-rhs-array, babel-preset-env

💅 Polish

📝 Documentation

... (truncated)

Commits

Updates form-data from 4.0.5 to 4.0.6

Changelog

Sourced from form-data's changelog.

v4.0.6 - 2026-06-12

Commits

  • [Fix] escape CR, LF, and " in field names and filenames 8dff42c
  • [Dev Deps] update @ljharb/eslint-config, auto-changelog, tape f31d21e
  • [Deps] update hasown, mime-types 92ae0eb
  • [Dev Deps] update js-randomness-predictor 67b0f65
Commits
  • 64190db v4.0.6
  • 92ae0eb [Deps] update hasown, mime-types
  • f31d21e [Dev Deps] update @ljharb/eslint-config, auto-changelog, tape
  • 8dff42c [Fix] escape CR, LF, and " in field names and filenames
  • 67b0f65 [Dev Deps] update js-randomness-predictor
  • See full diff in compare view

Agent Merge Criteria

Status: blocked; not mergeable on 2026-06-20 without an explicit maintainer waiver of the full hosted failures.

  • Head SHA verified: 9c708504d4d1b6b2ff7162285175c2a1c4a2b39a.
  • Base / release gate: targets main; release tracker #3823 (Release gate: react_on_rails 17.0.0), whose Agent Release Mode block reads Mode: development. agent-coord doctor/status timed out, so backend phase was not used.
  • Required CI: gh pr checks 4052 --repo shakacode/react_on_rails --required currently shows required-pr-gate passing, and .agents/skills/pr-batch/bin/pr-ci-readiness 4052 --repo shakacode/react_on_rails now returns READY because required checks are configured.
  • Full hosted CI: still failing under the intentionally requested ready-for-hosted-ci + force-full-hosted-ci labels; gh pr checks shows 43 pass / 14 skipping / 3 failing.
  • Failing hosted jobs: build-dummy-app-webpack-test-bundles (https://github.com/shakacode/react_on_rails/actions/runs/27853711881/job/82437369686), dummy-app-rspack-rsc-runtime-gate (https://github.com/shakacode/react_on_rails/actions/runs/27853711881/job/82437369677), and build-dummy-app-webpack-test-bundles (https://github.com/shakacode/react_on_rails/actions/runs/27853711889/job/82437386705).
  • Merge state: GitHub reports UNSTABLE.
  • Reviews: current-head review-thread scan found 0 unresolved threads and 0 changes-requested review objects.
  • Ledger: script/pr-merge-ledger 4052 --repo shakacode/react_on_rails --changelog-classification not_user_visible --strict passed with complete_allowed: true, 0 unknown fields, and 0 violations; this does not override failing full hosted CI.
  • Lockfile/dependency scope: pnpm-lock.yaml changes are present and were reviewed as dependency maintenance.
  • Blocker: hosted CI fails in Pro dummy locale generation; evidence and likely fix are documented in #4052 (comment).
  • Merge method: do not merge until full hosted CI is green or a maintainer explicitly waives the non-required hosted failures.

@dependabot dependabot Bot added dependencies Pull requests that update a dependency file full-ci javascript Pull requests that update Javascript code labels Jun 16, 2026
@github-actions github-actions Bot commented Jun 16, 2026

Contributor

size-limit report 📦

| Path | Size |
| --- | --- |
| react-on-rails/client bundled (gzip) | 63.33 KB (0%) |
| react-on-rails/client bundled (gzip) (time) | 63.33 KB (0%) |
| react-on-rails/client bundled (brotli) | 54.35 KB (0%) |
| react-on-rails/client bundled (brotli) (time) | 54.35 KB (0%) |
| react-on-rails-pro/client bundled (gzip) | 64.27 KB (0%) |
| react-on-rails-pro/client bundled (gzip) (time) | 64.27 KB (0%) |
| react-on-rails-pro/client bundled (brotli) | 55.21 KB (0%) |
| react-on-rails-pro/client bundled (brotli) (time) | 55.21 KB (0%) |
| registerServerComponent/client bundled (gzip) | 74.43 KB (0%) |
| registerServerComponent/client bundled (gzip) (time) | 74.43 KB (0%) |
| registerServerComponent/client bundled (brotli) | 64.04 KB (0%) |
| registerServerComponent/client bundled (brotli) (time) | 64.04 KB (-0.1% 🔽) |
| wrapServerComponentRenderer/client bundled (gzip) | 67.23 KB (0%) |
| wrapServerComponentRenderer/client bundled (gzip) (time) | 67.23 KB (0%) |
| wrapServerComponentRenderer/client bundled (brotli) | 57.67 KB (0%) |
| wrapServerComponentRenderer/client bundled (brotli) (time) | 57.67 KB (0%) |

@justin808

Member

CI process update after #4036 merged:

Please rebase or otherwise update this PR onto current main before relying on CI results. #4036 changed the hosted-CI commands, labels, local CI defaults, and required PR gate behavior.

Post-merge audit tracker: #4055

Legacy labels currently present here: full-ci. Please replace them during the rebase/update pass.

Recommended update path:

  1. Rebase/update onto current main (git fetch origin main && git rebase origin/main, then git push --force-with-lease if you own the branch; otherwise use the GitHub update/rebase path appropriate for the branch owner).
  2. Run bin/ci-local before pushing; it now auto-detects the PR base and runs optimized local CI by default. Use bin/ci-local --all only when broad local coverage is warranted.
  3. Make sure the PR body has a self-contained Why section; issue links are helpful context, but the PR description should stand on its own.
  4. Use +ci-status before requesting hosted CI.
  5. Use +ci-run-hosted for optimized hosted GitHub Actions after the final push.
  6. Use +ci-force-full only when intentionally bypassing optimized selection.

Vocabulary changes:

  • full-ci -> ready-for-hosted-ci only when optimized hosted CI should persist.
  • full-ci-no-benchmarks -> hosted-ci-no-benchmarks when suppressing benchmark labels.
  • force-full intent -> force-full-hosted-ci or +ci-force-full.
  • Legacy commands +ci-run-full, +ci-skip-full, /run-skipped-ci, /run-skipped-tests, and /stop-run-skipped-ci are removed.

Bumps the npm-security group with 2 updates in the / directory: [@babel/core](https://github.com/babel/babel/tree/HEAD/packages/babel-core) and [form-data](https://github.com/form-data/form-data).


Updates `@babel/core` from 7.28.5 to 7.29.6
- [Release notes](https://github.com/babel/babel/releases)
- [Changelog](https://github.com/babel/babel/blob/main/CHANGELOG.md)
- [Commits](https://github.com/babel/babel/commits/v7.29.6/packages/babel-core)

Updates `form-data` from 4.0.5 to 4.0.6
- [Release notes](https://github.com/form-data/form-data/releases)
- [Changelog](https://github.com/form-data/form-data/blob/master/CHANGELOG.md)
- [Commits](form-data/form-data@v4.0.5...v4.0.6)

---
updated-dependencies:
- dependency-name: "@babel/core"
  dependency-version: 7.29.6
  dependency-type: direct:production
  dependency-group: npm-security
- dependency-name: form-data
  dependency-version: 4.0.6
  dependency-type: direct:development
  dependency-group: npm-security
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot changed the title Build(deps): bump the npm-security group across 1 directory with 2 updates Bump the npm-security group across 1 directory with 2 updates Jun 17, 2026
@dependabot dependabot Bot force-pushed the dependabot/npm_and_yarn/npm-security-0a82699ffe branch from 5d10f86 to 069c2ce June 17, 2026 04:51
* origin/main: (40 commits)
  feat(pro): use built-in Rails i18n compiler for React Intl demo (#4128)
  Fix pr-merge-ledger UTF-8 crash under non-UTF-8 locale (#4123)
  Add canonical AI-agent prompts source (prompts.yml) (#4124)
  Local benchmark runner: raise server-boot timeout for slower machines (#4073) (#4125)
  Docs(generator): note Pro production devtool for source-mapped SSR stacks (#3893) (#4113)
  docs: add "Consuming an Unreleased Build" guide and fix pnpm git-subdir syntax (#4117)
  Address deferred AI-review feedback on PR-helper scripts (#4069) (#4105)
  Wrap generated demo file paths in onboarding page (Part 1 of #4062) (#4107)
  fix(ci): build bundle-size base from PR merge commit's first parent (#4110)
  Add internal RSC architecture deep-dive docs (RoR Pro vs Next.js) (#4006)
  Disable noisy automatic benchmark regression issue filing (#4071) (#4116)
  Release-train branching + phase-tiered merge gating (beta/RC/final) (#4018)
  Fix Webpack dependency selection in install generator (#4109)
  Document health-probe status-code contract and Control Plane probes (#4053) (#4063)
  Local dedicated-hardware benchmark runner (#4073) (#4088)
  docs(tooling): surface SVG diagram alt text in generated llms-full files (#4087)
  docs(agents): codify review-loop convergence + local/CI parity in PR-batch workflow (#4101)
  Split RenderFunction: drop the legacy renderer arm (#4096)
  Add OSS hydrate_on scheduling (#4037)
  Docs: fix stale evaluate-issue gate cross-reference (#3910) (#4104)
  ...
@justin808

Member

+ci-status

@github-actions

Contributor

CI Status

Head SHA: 9c708504d4d1
Changed files: 4
Docs-only heuristic (matches ci-changes-detector metadata paths): no
ready-for-hosted-ci label: absent
force-full-hosted-ci label: absent
Current hosted-CI waiver: not present for this SHA

Only the required gate is active unless hosted CI is requested.

@justin808

Member

+ci-force-full

@github-actions github-actions Bot added force-full-hosted-ci Bypass optimized hosted CI selection and run all hosted suites ready-for-hosted-ci Run optimized hosted GitHub CI for this PR labels Jun 19, 2026
@github-actions

Contributor

Force-Full Hosted CI Requested

Triggered 9 workflow(s) for 9c708504d4d1.
Mode: force-full hosted CI (bypasses optimized change selection).
Added ready-for-hosted-ci and force-full-hosted-ci, so future commits will bypass optimized hosted CI selection until +ci-stop-full is used.

View progress in the Actions tab.

@claude claude Bot commented Jun 19, 2026

Contributor

Dependency Security Update Review

PR: Bump npm-security group — @babel/core 7.28.5 → 7.29.6 and form-data 4.0.5 → 4.0.6


Overview

This is a Dependabot security update touching 4 files: two package.json manifests and one pnpm-lock.yaml lockfile. All changes are confined to dev dependencies.


Security Assessment

form-data 4.0.5 → 4.0.6 — the more important of the two updates.

The changelog entry reads:

[Fix] escape CR, LF, and " in field names and filenames

This is a header injection fix. Unescaped CR (\r) and LF (\n) characters in multipart Content-Disposition headers can be used to inject arbitrary headers into a multipart body, potentially leading to request smuggling or boundary confusion in downstream parsers. The fix is strictly additive (output escaping only), so no breaking changes are expected.

Even though form-data is only a dev dependency here (used in the node-renderer package's tests), taking this fix is correct — dev dependencies with injection vulnerabilities affect CI infrastructure and developer machines.

@babel/core 7.28.5 → 7.29.6 — routine bug-fix releases.

Notable fixes across the range:

  • Source map correctness improvements (preserveFormat, input source map handling, identifier name preservation from input sourcemaps — issues #17998, #18001)
  • @babel/register thread synchronization fix (#17915)
  • Decorator transpilation fix for static elements (#17931)
  • Safari array rest destructuring bug-fix plugin added (#17788)

None of these are security-relevant; they are correctness and tooling improvements. All are within the existing ^ semver ranges so no API contract change.


Diff Quality

  • Lock file entries are mechanically regenerated by pnpm and look correct — all @babel/core@7.28.5 peer-dep strings are consistently replaced with @babel/core@7.29.6.
  • The form-data specifier is tightened from ^4.0.1 to ^4.0.6, which is appropriate to prevent future fresh installs from resolving to the unpatched version.
  • The @babel/core lower bound in package.json is bumped from ^7.20.12 to ^7.29.6 and in packages/react-on-rails-pro-node-renderer/package.json from ^7.26.10 to ^7.29.6, correctly locking out older buggy versions.
  • No production dependencies were modified — all changes are in devDependencies.

Verdict

Approve and merge. This is a clean, well-scoped security update. The form-data header-injection fix should not be deferred. No functional changes to production code; CI green is sufficient validation.
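The review above explains why unescaped CR, LF and `"` in a multipart field name or filename matter. The following JavaScript is an added illustration for this thread, not form-data's own code and not the content of commit 8dff42c: it builds one multipart part with a naive Content-Disposition line beside an escaped one, then counts header lines so the effect of the fix is observable. The percent-encoding of the three characters follows the WHATWG Fetch multipart/form-data name-escaping rule (CR to %0D, LF to %0A, `"` to %22); how form-data 4.0.6 escapes them may differ. The boundary and the hostile sample inputs are constructed for this example.

```javascript
// Added example (editor's illustration, not form-data's implementation).
// Shows how CR/LF/" in a field name or filename break a multipart part's
// header block, and one defensive escaping that keeps the part well-formed.

const CRLF = '\r\n';

// Naive construction: name and filename are interpolated as-is. This is the
// shape of the defect described by the 4.0.6 changelog line.
function contentDispositionNaive(name, filename) {
  let header = `Content-Disposition: form-data; name="${name}"`;
  if (filename !== undefined) header += `; filename="${filename}"`;
  return header;
}

// Defensive escaping per the WHATWG Fetch multipart/form-data rule
// (assumption: form-data 4.0.6 may use a different encoding).
function escapeMultipartParam(value) {
  return String(value)
    .replace(/\r/g, '%0D')
    .replace(/\n/g, '%0A')
    .replace(/"/g, '%22');
}

function contentDispositionEscaped(name, filename) {
  let header = `Content-Disposition: form-data; name="${escapeMultipartParam(name)}"`;
  if (filename !== undefined) header += `; filename="${escapeMultipartParam(filename)}"`;
  return header;
}

// Serialize one part so the wire format is visible.
function buildPart(boundary, name, filename, body, disposition) {
  return `--${boundary}${CRLF}${disposition(name, filename)}${CRLF}${CRLF}${body}${CRLF}`;
}

// Check usable in a test suite or a reviewer's script: number of header
// lines in the part's header block, excluding the boundary line. A part
// built from one name/filename pair must have exactly one.
function headerLineCount(part) {
  const headerBlock = part.split(CRLF + CRLF)[0];
  return headerBlock.split(CRLF).length - 1;
}

// Constructed hostile inputs: a filename that terminates the header line and
// appends further headers, and a name that closes its quoted value early.
const HOSTILE_FILENAME = 'report.txt"\r\nContent-Type: text/html\r\nX-Injected: 1';
const HOSTILE_NAME = 'upload"; filename="other.bin';
const BOUNDARY = 'exampleboundary1234'; // constructed placeholder

function demo() {
  const naive = buildPart(BOUNDARY, HOSTILE_NAME, HOSTILE_FILENAME, 'hello', contentDispositionNaive);
  const escaped = buildPart(BOUNDARY, HOSTILE_NAME, HOSTILE_FILENAME, 'hello', contentDispositionEscaped);
  return {
    naiveHeaderLines: headerLineCount(naive),     // 3: two lines were injected
    escapedHeaderLines: headerLineCount(escaped), // 1: still a single header
    escaped,
  };
}

console.log(demo());
```

The header-line count is the kind of assertion worth adding to a test suite that wraps a multipart builder: it fails on any input that manages to add a header line, regardless of which characters were used to do it.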

@justin808 justin808 removed the full-ci label Jun 19, 2026
@justin808

Member

Agent blocker note

I updated this PR onto current main with merge commit 9c708504d4d1, removed the legacy full-ci label, ran +ci-status, then requested +ci-force-full for the current head.

Dependency update validation is clean locally for the package/lockfile surface:

  • pnpm install --frozen-lockfile --ignore-scripts
  • git diff --check origin/main...HEAD
  • pnpm --filter react-on-rails run build
  • pnpm --filter react-on-rails-pro run build
  • pnpm --filter react-on-rails-pro-node-renderer run build
  • pnpm --filter react-on-rails-pro-node-renderer run type-check
  • pnpm run lint
  • pnpm start format.listDifferent

Hosted force-full CI is currently blocked by a Pro dummy setup issue introduced on current main, not by the dependency bump itself. The failing jobs are:

All three fail during locale generation with:

ReactOnRails::Error: Error configuring /config/initializers/react_on_rails.rb: invalid value for `config.i18n_dir`.
Directory does not exist: .../react_on_rails_pro/spec/dummy/client/app/i18n/generated.

I reproduced the same failure locally with:

cd react_on_rails_pro/spec/dummy
RAILS_ENV=test NODE_ENV=test bin/shakapacker-precompile-hook

Root-cause evidence: #4128 changed the Pro dummy to import generated locale modules from client/app/i18n/generated, but that empty output directory is not tracked in fresh checkouts. The locale compiler validates config.i18n_dir before writing translations.js/default.js, so the build aborts before it can create them.

Next action: add/track the Pro dummy generated locale output directory, or adjust the locale compiler/hook to create configured output directories before validation. I did not push that Pro-dummy fix here because it widens this Dependabot PR into Pro package setup changes.

@justin808

Member

@dependabot rebase

@dependabot dependabot Bot commented on behalf of github Jun 22, 2026

Contributor Author

Looks like this PR has been edited by someone other than Dependabot. That means Dependabot can't rebase it - sorry!

If you're happy for Dependabot to recreate it from scratch, overwriting any edits, you can request @dependabot recreate.

@justin808

Member

Closing to keep the 17.0.0 release focused. Tracked in #4187 for later consolidation — reopen or comment @dependabot recreate when we pick these back up. (Security bump — flagged for priority in the tracker.)

@justin808 justin808 closed this Jun 25, 2026
@dependabot dependabot Bot commented on behalf of github Jun 25, 2026

Contributor Author

This pull request was built based on a group rule. Closing it will not ignore any of these versions in future pull requests.

To ignore these dependencies, configure ignore rules in dependabot.yml

@dependabot dependabot Bot deleted the dependabot/npm_and_yarn/npm-security-0a82699ffe branch June 25, 2026 00:23

Labels

dependencies Pull requests that update a dependency file force-full-hosted-ci Bypass optimized hosted CI selection and run all hosted suites javascript Pull requests that update Javascript code ready-for-hosted-ci Run optimized hosted GitHub CI for this PR
