[Snyk] Upgrade core-js from 3.29.1 to 3.48.0

[JJediny]

Snyk has created this PR to upgrade core-js from 3.29.1 to 3.48.0.

ℹ️ Keep your dependencies up-to-date. This makes it easier to fix existing vulnerabilities and to more quickly identify and fix newly disclosed vulnerabilities when they affect your project.

---

• The recommended version is 32 versions ahead of your current version.

• The recommended version was released a month ago.

Release notes

Package name: core-js

• 3.48.0 - 2026-01-21
  
  • Changes v3.47.0...v3.48.0 (126 commits)
  • Map upsert proposal:
    • Built-ins:
      • Map.prototype.getOrInsert
      • Map.prototype.getOrInsertComputed
      • WeakMap.prototype.getOrInsert
      • WeakMap.prototype.getOrInsertComputed
    • Moved to stable ES, January 2026 TC39 meeting
    • Added es. namespace modules, /es/ and /stable/ namespaces entries
  • Use CreateDataProperty / CreateDataPropertyOrThrow in some missed cases, #1497
  • Minor fix / optimization in the RegExp constructor (NCG and dotAll) polyfill
  • Added some more workarounds for a Safari < 13 bug with silent ignore of non-writable array .length
  • Added detection of a Webkit bug: Iterator.prototype.flatMap throws on iterator without return method
  • Added detection of a V8 ~ Chromium < 144 bug: Uint8Array.prototype.setFromHex throws an error on length-tracking views over ResizableArrayBuffer
  • Compat data improvements:
    • Map upsert proposal features marked as shipped in V8 ~ Chrome 145
    • Joint iteration proposal features marked as shipped in FF148
    • Iterator.concat marked as shipped in Bun 1.3.7
    • Added Rhino 1.9.0 compat data
    • Added Deno 2.6 compat data mapping
    • Added Opera Android 93 and 94 compat data mapping
    • Added Electron 41 compat data mapping
    • Iterator.prototype.flatMap marked as supported from Safari 26.2 and Bun 1.2.21 because of a bug: throws on iterator without return method
    • Uint8Array.prototype.setFromHex marked as supported from V8 ~ Chromium 144 because of a bug: throws an error on length-tracking views over ResizableArrayBuffer
• 3.47.0 - 2025-11-18
  
  • Changes v3.46.0...v3.47.0 (117 commits)
  • JSON.parse source text access proposal :
    • Built-ins:
      • JSON.isRawJSON
      • JSON.parse
      • JSON.rawJSON
      • JSON.stringify
    • Moved to stable ES, November 2025 TC39 meeting
    • Added es. namespace modules, /es/ and /stable/ namespaces entries
    • Reworked JSON.stringify internals
  • Iterator sequencing proposal:
    • Built-ins:
      • Iterator.concat
    • Moved to stable ES, November 2025 TC39 meeting
    • Added es. namespace modules, /es/ and /stable/ namespaces entries
  • Joint iteration proposal:
    • Built-ins:
      • Iterator.zip
      • Iterator.zipKeyed
    • Moved to stage 3, November 2025 TC39 meeting
    • Added /actual/ namespace entries, unconditional forced replacement changed to feature detection
  • Fixed increasing .size in URLSearchParams.prototype.append polyfill in IE8-
  • Compat data improvements:
    • Iterator.concat marked as shipped in FF147
    • Map upsert proposal features marked as shipped in Safari 26.2
    • Math.sumPrecise marked as shipped in Safari 26.2
    • Uint8Array.{ fromBase64, prototype.setFromBase64 } marked as fixed in Safari 26.2
    • Missed Explicit Resource Management features added in Bun 1.3.0
    • Added Oculus Quest Browser 41 compat data mapping
    • Added Electron 40 compat data mapping
• 3.46.0 - 2025-10-09
  

  Welcome to our new website, core-js.io, where our documentation is moving!

  In addition, you can now follow the project's news in X.

  ---

  • Changes v3.45.1...v3.46.0 (116 commits)
  • Map upsert stage 3 proposal:
    • Fixed a FF WeakMap.prototype.getOrInsertComputed bug with callback calling before validation a key
  • Iterator chunking proposal:
    • Built-ins:
      • Iterator.prototype.chunks
      • Iterator.prototype.windows
    • Moved to stage 2.7, September 2025 TC39 meeting
    • Iterator.prototype.sliding method replaced with an extra parameter of Iterator.prototype.windows method, tc39/proposal-iterator-chunking/#24, tc39/proposal-iterator-chunking/#26
  • Fixed Iterator.zip and Iterator.zipKeyed behavior with mode: 'longest' option, #1469, thanks @ lionel-rowe
  • Fixed work of Object.groupBy and Iterator.zipKeyed together with Symbol polyfill - some cases of symbol keys on result null-prototype object were able to leak out to for-in
  • Compat data improvements:
    • Map upsert proposal features marked as shipped from FF144
    • Added Node 25.0 compat data mapping
    • Added Deno 2.5 compat data mapping
    • Updated Electron 39 compat data mapping
    • Updated Opera 121+ compat data mapping
    • Added Opera Android 92 compat data mapping
    • Added Oculus Quest Browser 40 compat data mapping
• 3.45.1 - 2025-08-20
  
  • Changes v3.45.0...v3.45.1 (30 commits)
  • Fixed a conflict of native methods from Map upsert proposal with polyfilled methods in the pure version
  • Added bugs fields to package.json of all packages
  • Compat data improvements:
    • Map upsert proposal features marked as shipped from Bun 1.2.20
    • Added Samsung Internet 29 compat data mapping
    • Added Electron 39 compat data mapping
• 3.45.0 - 2025-08-04
  
  • Changes v3.44.0...v3.45.0 (70 commits)
  • Uint8Array to / from base64 and hex proposal:
    • Built-ins:
      • Uint8Array.fromBase64
      • Uint8Array.fromHex
      • Uint8Array.prototype.setFromBase64
      • Uint8Array.prototype.setFromHex
      • Uint8Array.prototype.toBase64
      • Uint8Array.prototype.toHex
    • Moved to stable ES, July 2025 TC39 meeting
    • Added es. namespace modules, /es/ and /stable/ namespaces entries
    • Added detection of a Webkit bug: Uint8Array fromBase64 / setFromBase64 does not throw an error on incorrect length of base64 string
  • Math.sumPrecise proposal:
    • Built-ins:
      • Math.sumPrecise
    • Moved to stable ES, July 2025 TC39 meeting
    • Added es. namespace module, /es/ and /stable/ namespaces entries
  • Iterator sequencing proposal:
    • Built-ins:
      • Iterator.concat
    • Moved to stage 3, July 2025 TC39 meeting
    • Added /actual/ namespace entries, unconditional forced replacement changed to feature detection
  • Map upsert proposal:
    • Built-ins:
      • Map.prototype.getOrInsert
      • Map.prototype.getOrInsertComputed
      • WeakMap.prototype.getOrInsert
      • WeakMap.prototype.getOrInsertComputed
    • Moved to stage 3, July 2025 TC39 meeting
    • Added /actual/ namespace entries, unconditional forced replacement changed to feature detection
  • Added missing dependencies to some entries of static Iterator methods
  • Fixed Joint Iteration proposal in /stage/ entries
  • Compat data improvements:
    • Uint8Array to / from base64 and hex proposal features marked as supported from V8 ~ Chromium 140
    • Uint8Array.{ fromBase64, prototype.setFromBase64 } marked as unsupported in Safari and supported only from Bun 1.2.20 because of a bug: it does not throw an error on incorrect length of base64 string
    • %TypedArray%.prototype.with marked as fixed in Safari 26.0
    • Updated Electron 38 compat data mapping
    • Added Opera Android 91 compat data mapping
• 3.44.0 - 2025-07-07
  
  • Changes v3.43.0...v3.44.0 (87 commits)
  • Uint8Array to / from base64 and hex stage 3 proposal:
    • Fixed several V8 bugs in Uint8Array.fromHex and Uint8Array.prototype.{ setFromBase64, toBase64, toHex }, thanks @ brc-dd
  • Joint iteration stage 2.7 proposal:
    • Uses Get in Iterator.zipKeyed, following tc39/proposal-joint-iteration#43
  • Iterator sequencing stage 2.7 proposal:
    • Iterator.concat no longer reuses IteratorResult object of concatenated iterators, following tc39/proposal-iterator-sequencing#26
  • Iterator chunking stage 2 proposal:
    • Added built-ins:
      • Iterator.prototype.sliding
  • Number.prototype.clamp stage 2 proposal:
    • clamp no longer throws an error on NaN as min or max, following tc39/proposal-math-clamp#d2387791c265edf66fbe2455eab919016717ce6f
  • Fixed some cases of Set.prototype.{ symmetricDifference, union } detection
  • Added missing dependencies to some entries of static Iterator methods
  • Added missing /full/{ instance, number/virtual }/clamp entries
  • Some minor stylistic changes
  • Compat data improvements:
    • Added Electron 38 and 39 compat data mapping
    • Added Oculus Quest Browser 38 and 39 compat data mapping
    • Iterator helpers marked as fixed and updated following the latest spec changes in Safari 26.0
    • Set.prototype.{ difference, symmetricDifference, union } marked as fixed in Safari 26.0
    • SuppressedError marked as fixed in FF141
    • Error.isError marked as fixed in Node 24.3
    • setImmediate and clearImmediate marked as available from Deno 2.4
    • Math.sumPrecise marked as shipped in Bun 1.2.18
    • %TypedArray%.prototype.with marked as fixed in Bun 1.2.18
• 3.43.0 - 2025-06-09
  
  • Changes v3.42.0...v3.43.0 (139 commits)
  • Explicit Resource Management proposals:
    • Built-ins:
      • Symbol.dispose
      • Symbol.asyncDispose
      • SuppressedError
      • DisposableStack
        • DisposableStack.prototype.dispose
        • DisposableStack.prototype.use
        • DisposableStack.prototype.adopt
        • DisposableStack.prototype.defer
        • DisposableStack.prototype.move
        • DisposableStack.prototype[@@ dispose]
      • AsyncDisposableStack
        • AsyncDisposableStack.prototype.disposeAsync
        • AsyncDisposableStack.prototype.use
        • AsyncDisposableStack.prototype.adopt
        • AsyncDisposableStack.prototype.defer
        • AsyncDisposableStack.prototype.move
        • AsyncDisposableStack.prototype[@@ asyncDispose]
      • Iterator.prototype[@@ dispose]
      • AsyncIterator.prototype[@@ asyncDispose]
    • Moved to stable ES, May 2025 TC39 meeting
    • Added es. namespace module, /es/ and /stable/ namespaces entries
  • Array.fromAsync proposal:
    • Built-ins:
      • Array.fromAsync
    • Moved to stable ES, May 2025 TC39 meeting
    • Added es. namespace module, /es/ and /stable/ namespaces entries
  • Error.isError proposal:
    • Built-ins:
      • Error.isError
    • Moved to stable ES, May 2025 TC39 meeting
    • Added es. namespace module, /es/ and /stable/ namespaces entries
  • Added Joint iteration stage 2.7 proposal:
    • Added built-ins:
      • Iterator.zip
      • Iterator.zipKeyed
  • Added Iterator chunking stage 2 proposal:
    • Added built-ins:
      • Iterator.prototype.chunks
      • Iterator.prototype.windows
  • Number.prototype.clamp proposal:
    • Built-ins:
      • Number.prototype.clamp
    • Moved to stage 2, May 2025 TC39 meeting
    • Math.clamp was replaced with Number.prototype.clamp
    • Removed a RangeError if min <= max or +0 min and -0 max, tc39/proposal-math-clamp/#22
  • Always check regular expression flags by flags getter PR. Native methods are not fixed, only own implementation updated for:
    • RegExp.prototype[@@ match]
    • RegExp.prototype[@@ replace]
  • Improved handling of RegExp flags in polyfills of some methods in engines without proper support of RegExp.prototype.flags and without polyfill of this getter
  • Added feature detection for a WebKit bug that occurs when this is updated while Set.prototype.difference is being executed
  • Added feature detection for a WebKit bug that occurs when iterator record of a set-like object isn't called before cloning this in the following methods:
    • Set.prototype.symmetricDifference
    • Set.prototype.union
  • Added feature detection for a bug in V8 ~ Chromium < 126. Following methods should throw an error on invalid iterator:
    • Iterator.prototype.drop
    • Iterator.prototype.filter
    • Iterator.prototype.flatMap
    • Iterator.prototype.map
  • Added feature detection for a WebKit bug: incorrect exception thrown by Iterator.from when underlying iterator's return method is null
  • Added feature detection for a FF bug: incorrect exception thrown by Array.prototype.with when index coercion fails
  • Added feature detection for a WebKit bug: TypedArray.prototype.with should truncate negative fractional index to zero, but instead throws an error
  • Worked around a bug of many different tools (example) with incorrect transforming and breaking JS syntax on getting a method from a number literal
  • Fixed deoptimization of the Promise polyfill in the pure version
  • Added some missed dependencies to /iterator/flat-map entries
  • Some other minor fixes and improvements
  • Compat data improvements:
    • Added Deno 2.3 and Deno 2.3.2 compat data mapping
    • Updated Electron 37 compat data mapping
    • Added Opera Android 90 compat data mapping
    • Error.isError marked not supported in Node because of a bug
    • Set.prototype.difference marked as not supported in Safari and supported only from Bun 1.2.5 because of a bug
    • Set.prototype.{ symmetricDifference, union } marked as not supported in Safari and supported only from Bun 1.2.5 because of a bug
    • Iterator.from marked as not supported in Safari and supported only from Bun 1.2.5 because of a bug
    • Iterators closing on early errors in Iterator helpers marked as implemented from FF141
    • Array.prototype.with marked as supported only from FF140 because it throws an incorrect exception when index coercion fails
    • TypedArray.prototype.with marked as unsupported in Bun and Safari because it should truncate negative fractional index to zero, but instead throws an error
    • DisposableStack and AsyncDisposableStack marked as shipped in FF141 (SuppressedError has a bug)
    • AsyncDisposableStack bugs marked as fixed in Deno 2.3.2
    • SuppressedError bugs (extra arguments support and arity) marked as fixed in Bun 1.2.15
• 3.42.0 - 2025-04-29
  
  • Changes v3.41.0...v3.42.0 (142 commits)
  • Map upsert proposal:
    • Moved to stage 2.7, April 2025 TC39 meeting
    • Validation order of WeakMap.prototype.getOrInsertComputed updated following tc39/proposal-upsert#79
    • Built-ins:
      • Map.prototype.getOrInsert
      • Map.prototype.getOrInsertComputed
      • WeakMap.prototype.getOrInsert
      • WeakMap.prototype.getOrInsertComputed
  • Don't call well-known Symbol methods for RegExp on primitive values following tc39/ecma262#3009:
    • For avoid performance regression, temporarily, only in own core-js implementations
    • Built-ins:
      • String.prototype.matchAll
      • String.prototype.match
      • String.prototype.replaceAll
      • String.prototype.replace
      • String.prototype.search
      • String.prototype.split
  • Added workaround for the Uint8Array.prototype.setFromBase64 bug in some of Linux builds of WebKit
  • Implemented early-error iterator closing following tc39/ecma262#3467, including fix of a WebKit bug, in the following methods:
    • Iterator.prototype.drop
    • Iterator.prototype.every
    • Iterator.prototype.filter
    • Iterator.prototype.find
    • Iterator.prototype.flatMap
    • Iterator.prototype.forEach
    • Iterator.prototype.map
    • Iterator.prototype.reduce
    • Iterator.prototype.some
    • Iterator.prototype.take
  • Fixed missing forced replacement of AsyncIterator helpers
  • Added closing of sync iterator when async wrapper yields a rejection following tc39/ecma262#2600. Affected methods:
    • Array.fromAsync (due to the lack of async feature detection capability - temporarily, only in own core-js implementation)
    • AsyncIterator.from
    • Iterator.prototype.toAsync
  • Added detection for throwing on undefined initial parameter in Iterator.prototype.reduce (see WebKit bug)
  • core-js-compat and core-js-builder API:
    • Added 'intersect' support for targets.esmodules (Babel 7 behavior)
    • Fixed handling of targets.esmodules: true (Babel 7 behavior)
  • Compat data improvements:
    • Explicit Resource Management features disabled (again) in V8 ~ Chromium 135 and re-added in 136
    • RegExp.escape marked as shipped from V8 ~ Chromium 136
    • Error.isError marked as shipped from FF138
    • Explicit Resource Management features re-enabled in Deno 2.2.10
    • Iterator helpers proposal features marked as supported from Deno 1.38.1 since it seems they were disabled in 1.38.0
    • Iterator.prototype.{ drop, reduce, take } methods marked as fixed in Bun 1.2.11
    • Added NodeJS 24.0 compat data mapping
    • Updated Electron 36 and added Electron 37 compat data mapping
    • Added Opera Android 88 and 89 compat data mapping
    • Added Oculus Quest Browser 37 compat data mapping
• 3.41.0 - 2025-03-01
  
  • Changes v3.40.0...v3.41.0 (85 commits)
  • RegExp.escape proposal:
    • Built-ins:
      • RegExp.escape
    • Moved to stable ES, February 2025 TC39 meeting
    • Added es. namespace module, /es/ and /stable/ namespaces entries
  • Float16 proposal:
    • Built-ins:
      • Math.f16round
      • DataView.prototype.getFloat16
      • DataView.prototype.setFloat16
    • Moved to stable ES, February 2025 TC39 meeting
    • Added es. namespace modules, /es/ and /stable/ namespaces entries
  • Math.clamp stage 1 proposal:
    • Built-ins:
      • Math.clamp
    • Extracted from old Math extensions proposal, February 2025 TC39 meeting
    • Added arguments validation
    • Added new entries
  • Added a workaround of a V8 AsyncDisposableStack bug, tc39/proposal-explicit-resource-management/256
  • Compat data improvements:
    • DisposableStack, SuppressedError and Iterator.prototype[@@ dispose] marked as shipped from V8 ~ Chromium 134
    • Error.isError added and marked as shipped from V8 ~ Chromium 134
    • Math.f16round and DataView.prototype.{ getFloat16, setFloat16 } marked as shipped from V8 ~ Chromium 135
    • Iterator helpers proposal features marked as shipped from Safari 18.4
    • JSON.parse source text access proposal features marked as shipped from Safari 18.4
    • Math.sumPrecise marked as shipped from FF137
    • Added Deno 2.2 compat data and compat data mapping
      • Explicit Resource Management features are available in V8 ~ Chromium 134, but not in Deno 2.2 based on it
    • Updated Electron 35 and added Electron 36 compat data mapping
    • Updated Opera Android 87 compat data mapping
    • Added Samsung Internet 28 compat data mapping
    • Added Oculus Quest Browser 36 compat data mapping
• 3.40.0 - 2025-01-07
  
  • Changes v3.39.0...v3.40.0 (130 commits)
  • Added Error.isError stage 3 proposal:
    • Added built-ins:
      • Error.isError
    • We have no bulletproof way to polyfill this method / check if the object is an error, so it's an enough naive implementation that is marked as .sham
  • Explicit Resource Management stage 3 proposal:
    • Updated the way async disposing of only sync disposable resources, tc39/proposal-explicit-resource-management/218
  • Iterator sequencing stage 2.7 proposal:
    • Reuse IteratorResult objects when possible, tc39/proposal-iterator-sequencing/17, tc39/proposal-iterator-sequencing/18, December 2024 TC39 meeting
  • Added a fix of V8 < 12.8 / NodeJS < 22.10 bug with handling infinite length of set-like objects in Set methods
  • Optimized DataView.prototype.{ getFloat16, setFloat16 } performance, #1379, thanks @ LeviPesin
  • Dropped unneeded feature detection of non-standard %TypedArray%.prototype.toSpliced
  • Dropped possible re-usage of some non-standard / early stage features (like Math.scale) available on global
  • Some other minor improvements
  • Compat data improvements:
    • RegExp.escape marked as shipped from Safari 18.2
    • Promise.try marked as shipped from Safari 18.2
    • Math.f16round and DataView.prototype.{ getFloat16, setFloat16 } marked as shipped from Safari 18.2
    • Uint8Array to / from base64 and hex proposal methods marked as shipped from Safari 18.2
    • JSON.parse source text access proposal features marked as shipped from FF135
    • RegExp.escape marked as shipped from FF134
    • Promise.try marked as shipped from FF134
    • Symbol.dispose, Symbol.asyncDispose and Iterator.prototype[@@ dispose] marked as shipped from FF135
    • JSON.parse source text access proposal features marked as shipped from Bun 1.1.43
    • Fixed NodeJS version where URL.parse was added - 22.1 instead of 22.0
    • Added Deno 2.1 compat data mapping
    • Added Rhino 1.8.0 compat data with significant number of modern features
    • Added Electron 35 compat data mapping
    • Updated Opera 115+ compat data mapping
    • Added Opera Android 86 and 87 compat data mapping
• 3.39.0 - 2024-10-31
• 3.38.1 - 2024-08-20
• 3.38.0 - 2024-08-04
• 3.37.1 - 2024-05-14
• 3.37.0 - 2024-04-16
• 3.36.1 - 2024-03-19
• 3.36.0 - 2024-02-14
• 3.35.1 - 2024-01-20
• 3.35.0 - 2023-12-28
• 3.34.0 - 2023-12-05
• 3.33.3 - 2023-11-19
• 3.33.2 - 2023-10-30
• 3.33.1 - 2023-10-20
• 3.33.0 - 2023-10-01
• 3.32.2 - 2023-09-07
• 3.32.1 - 2023-08-18
• 3.32.0 - 2023-07-27
• 3.31.1 - 2023-07-06
• 3.31.0 - 2023-06-11
• 3.30.2 - 2023-05-06
• 3.30.1 - 2023-04-13
• 3.30.0 - 2023-04-03
• 3.29.1 - 2023-03-13

from core-js GitHub release notes

---

Important

• Check the changes in this PR to ensure they won't cause issues with your project.
• This PR was automatically created by Snyk using the credentials of a real user.

---

Note: You are seeing this because you or someone else with access to this repository has authorized Snyk to open upgrade PRs.

For more information:

• 🧐 View latest project report
• 📜 Customise PR templates
• 🛠 Adjust upgrade PR settings
• 🔕 Ignore this dependency or unsubscribe from future upgrade PRs

[Copilot]

Pull request overview

Upgrades the core-js runtime polyfill dependency (used by Babel useBuiltIns: "usage" in this repo) to a newer 3.x release as recommended by Snyk.

Changes:

• Bump core-js from ^3.29.1 to ^3.48.0 in package.json.
• Update package-lock.json to lock core-js@3.48.0 (including updated resolved URL and integrity hash).

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated no comments.

File	Description
package.json	Updates the declared core-js dependency version range to ^3.48.0.
package-lock.json	Locks core-js to 3.48.0 and updates associated resolution metadata.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.