There are no published CVEs behind reports of core-js 2.6.12 vulnerabilities — what scanners and npm are telling you is that the entire core-js v2 line is deprecated and unmaintained, and 2.6.12 is its final release. Every npm install that resolves it prints the maintainer's own warning: core-js versions below 3 are no longer maintained and not recommended for usage. That distinction — no known vulnerability versus no future fixes — matters for how you prioritize the work, but the destination is the same: the migration to core-js 3, which is more mechanical than most teams expect.
What core-js is and why it is everywhere
core-js is the polyfill library underneath a huge fraction of the JavaScript ecosystem. It implements ECMAScript standard library features — Promise, Symbol, Array.prototype.includes, iterators, typed arrays — for engines that lack them, and Babel's preset-env injects imports from it automatically. That is why you rarely chose core-js deliberately: it arrived transitively through Babel, an old Vue or Gatsby scaffold, Angular CLI, or a component library built circa 2018-2019, when v2 was current.
Version 2.6.12 shipped in 2020 as the last patch on the v2 branch. Development had already moved to v3, and the maintainer marked everything below 3 as deprecated on npm. Five years on, any lockfile still resolving core-js@2.6.12 is pinning a frozen artifact.
The honest risk assessment
Searching NVD, GitHub Security Advisories, or Snyk for core js 2.6.12 vulnerabilities returns no direct entries. So why do audits keep flagging it?
The unmaintained-dependency category is the finding. If a security issue were discovered in the v2 polyfill code tomorrow, no patch would be published. Polyfills are an interesting attack surface too: they replace global built-ins (Promise, Object.assign, prototype methods) at application startup, so a flaw or malicious modification in a polyfill has first-class access to every code path in your app. Unmaintained code in that position earns a higher score than an unmaintained date-formatting helper.
Supply-chain posture, not exploitability. core-js also illustrates the sustainability problem in open source dependencies — a single-maintainer project underpinning millions of builds, funded by donations. The v2 deprecation is exactly the scenario SBOM and lifecycle policies exist to catch: code that is done receiving fixes while still shipping to production. An SCA tool that tracks maintenance status alongside CVEs will surface this class of finding; one that only matches CVE ranges will stay silent until it is too late to matter.
So triage it honestly: not an emergency, but a real item with a scheduled end — ideally bundled into your next Babel or framework upgrade, where it often falls out for free.
Find where v2 actually comes from
Before migrating, identify the dependency path. It is usually not your direct dependency:
npm ls core-js
Typical output shows the culprit:
myapp@1.0.0
├─ core-js@3.38.1
└─ some-ui-kit@4.2.0
└─ babel-runtime@6.26.0
└─ core-js@2.6.12
Three common sources, each with its own fix:
- Your own Babel config targets
corejs: 2. Fix directly (next section). - A transitive dependency compiled against v2 (
babel-runtime, old@vue/babel-preset-app, etc.). Upgrade that package to a release built on@babel/runtime+ core-js 3; if the package is itself abandoned, that is the finding you record. - A stale lockfile holding both v2 and v3. Dedupe after upgrading:
npm dedupeor a targetednpm update.
The migration to core-js 3
For code you control, the change is a package swap plus two config lines. core-js 3 reorganized module paths (which is why it was a major version) but Babel handles that mapping for you.
npm remove core-js
npm install core-js@3
// babel.config.js
module.exports = {
presets: [
["@babel/preset-env", {
useBuiltIns: "usage", // inject only what your code + targets need
corejs: "3.38" // pin minor so new polyfills are picked up
}]
]
};
Notes from doing this on real codebases:
useBuiltIns: "usage"versus"entry":usageinjects polyfills per file based on what you use;entryrequires a singleimport "core-js"at your entry point which Babel expands per your browserslist targets.usagetypically produces smaller bundles;entryis more predictable for libraries.- Specify the minor version in
corejs— Babel warns otherwise, and pinning"3.38"-style lets newly added polyfills be used as you update. - Direct deep imports must be rewritten.
require("core-js/modules/es6.promise")paths changed (es6.prefixes becamees.). Grep for them:grep -rn "core-js/modules/es6" src/. - Check your browserslist. The whole point of the polyfill layer is your support matrix; if you have dropped IE11 since the config was written, tightening targets shrinks the polyfill payload dramatically, sometimes to near zero.
Run your build and test suite; failures at this layer show up loudly and early (missing global, wrong import path), not subtly.
Verify the result and keep it clean
After the migration, confirm the tree is v2-free and stays that way:
npm ls core-js | grep -c "core-js@2" && echo "v2 still present" || echo "clean"
npm audit
Two durable guardrails: first, add unmaintained-package detection to CI rather than relying on humans reading npm deprecation warnings that scroll past in install logs. Second, treat polyfill and build-chain packages as tier-one dependencies in your review policy — they execute before and inside everything else you ship. The broader discipline of ranking dependencies by blast radius rather than alphabetically is covered in our Academy dependency-management track.
FAQ
Does core-js 2.6.12 have any CVEs?
No. There are no published CVEs against core-js 2.6.12. The security finding is its maintenance status: the v2 line is deprecated and receives no fixes, which most audit policies rightly flag.
Can I just silence the npm deprecation warning?
You can suppress warnings, but the warning is not the problem — the frozen dependency is. If a flaw is ever found in v2's polyfills, your only remedy will be the migration you deferred, executed under incident pressure.
How long does the v2-to-v3 migration take?
For a first-party Babel setup, typically under a day including testing: swap the package, set corejs: 3 with useBuiltIns, fix any deep-import paths. Transitive v2 via abandoned packages is the long pole — each needs an upgrade or replacement decision.
Is core-js 3 actively maintained?
Yes. The v3 line receives regular releases tracking new ECMAScript features and fixes, which is exactly the property v2 lost and the reason to move.