Description
The @docusaurus/babel package lists @babel/runtime-corejs3 as a dependency, but it doesn't appear to be used anywhere in the codebase.
Evidence
- The Babel preset explicitly disables corejs in transform-runtime:
In packages/docusaurus-babel/src/preset.ts:
[
  require.resolve('@babel/plugin-transform-runtime'),
  {
    corejs: false, // <-- NOT using @babel/runtime-corejs3
    helpers: true,
    // ...
    absoluteRuntime: absoluteRuntimePath, // points to @babel/runtime, not runtime-corejs3
  },
]
- No source code imports from @babel/runtime-corejs3:
A GitHub code search for runtime-corejs3 in this repo only returns hits in CHANGELOG.md and package.json - no actual usage in .ts or .js files.
- The polyfill strategy uses @babel/preset-env, not @babel/runtime-corejs3:
The preset uses useBuiltIns: 'entry' with corejs: '3' in @babel/preset-env for browser polyfills, which uses regular core-js (global polyfills), not @babel/runtime-corejs3 (sandboxed polyfills).
Why This Matters
@babel/runtime-corejs3 depends on core-js-pure, which includes a postinstall script that executes JavaScript during npm install. While the current script is benign (just displays a donation banner), install scripts represent a supply chain attack vector.
Removing unused dependencies that execute install scripts helps harden projects against potential future supply chain attacks.
Suggested Fix
Remove @babel/runtime-corejs3 from packages/docusaurus-babel/package.json. The package only needs @babel/runtime (which is already listed and used).
Self-service
I'd be happy to submit a PR for this if the maintainers agree this dependency is unused.
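An added example (not part of the original issue or the Docusaurus code base): a small audit that flags direct dependencies which are never referenced in source yet pull in a package declaring an install lifecycle script. The manifests and source lines are constructed stand-ins for `node_modules/*/package.json` and the package's source files, and the function names are hypothetical.

```javascript
// Constructed manifests standing in for node_modules/*/package.json.
const MANIFESTS = {
  '@babel/runtime': {dependencies: {}},
  '@babel/runtime-corejs3': {dependencies: {'core-js-pure': '*'}},
  'core-js-pure': {scripts: {postinstall: '<constructed placeholder>'}},
};

// Constructed manifest for the package being audited.
const ROOT = {dependencies: {'@babel/runtime': '*', '@babel/runtime-corejs3': '*'}};

// Constructed source lines for the package being audited.
const SOURCES = [
  "const runtime = require.resolve('@babel/runtime/package.json');",
  "// corejs: false, so @babel/runtime-corejs3 is never resolved",
];

const LIFECYCLE = ['preinstall', 'install', 'postinstall'];

// Walk the dependency graph from `name`; collect packages that run code at install time.
function installScriptPackages(name, manifests, seen = new Set()) {
  if (seen.has(name)) return [];
  seen.add(name);
  const pkg = manifests[name] || {};
  const own = LIFECYCLE.some((s) => pkg.scripts && pkg.scripts[s]) ? [name] : [];
  const deps = Object.keys(pkg.dependencies || {});
  return own.concat(deps.flatMap((d) => installScriptPackages(d, manifests, seen)));
}

// True if a quoted module specifier is exactly `name` or a subpath of it.
// Substring matching would be wrong: '@babel/runtime' is a prefix of '@babel/runtime-corejs3'.
function isReferenced(name, sources) {
  const specifier = /['"]([^'"]+)['"]/g;
  return sources.some((line) =>
    [...line.matchAll(specifier)].some(
      (m) => m[1] === name || m[1].startsWith(name + '/'),
    ),
  );
}

// Direct dependencies that are never referenced yet pull in install scripts.
function unusedWithInstallScripts(root, manifests, sources) {
  return Object.keys(root.dependencies || {})
    .map((name) => ({name, scripts: installScriptPackages(name, manifests)}))
    .filter((d) => d.scripts.length > 0 && !isReferenced(d.name, sources));
}

console.log(JSON.stringify(unusedWithInstallScripts(ROOT, MANIFESTS, SOURCES)));
```

A mention in a comment does not count as a reference here, since only quoted module specifiers are matched.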