@babel/cli version 7.10.1 represents a minor update over the previous stable version, 7.10.0, primarily focusing on refinements and enhancements to the Babel command-line interface. Both versions serve the crucial role of providing developers with a tool to transpile modern JavaScript code into a format compatible with older browsers and environments. The core functionalities remain consistent, encompassing features like glob pattern matching for file selection, utilizing libraries like lodash for utility functions, and employing chokidar for file watching capabilities. Key dependencies for core functionality remain unchanged between the two versions.
A notable difference lies within the devDependencies. Version 7.10.1 updates the @babel/core dependency to version 7.10.1 and @babel/helper-fixtures also to version 7.10.1. In contrast, version 7.10.0 used @babel/core 7.10.0 and @babel/helper-fixtures 7.8.3. These updates likely incorporate bug fixes, performance improvements, or minor feature additions within the Babel core and helper utilities. While seemingly small, staying current with @babel/core is often vital to ensuring compatibility with the latest JavaScript syntax and features.
Developers should consider upgrading to version 7.10.1 to benefit from these updated development dependencies, potentially leading to a more stable and efficient transpilation process. The updated @babel/helper-fixtures might offer enhanced capabilities or bug fixes in Babel's testing infrastructure, ultimately leading to a more robust development workflow. Finally, the newer version records the package's directory within the git repository in its package metadata, which helps locate the package in monorepos.
Vulnerabilities related to version 7.10.1 of the package
Uncontrolled resource consumption in braces

The NPM package braces fails to limit the number of characters it can handle, which could lead to memory exhaustion. In lib/parse.js, if a malicious user sends "imbalanced braces" as input, the parsing enters a loop that keeps allocating heap memory without freeing it at any point in the loop. Eventually the JavaScript heap limit is reached and the program crashes.
Regular Expression Denial of Service (ReDoS) in micromatch

The NPM package micromatch prior to version 4.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability is in micromatch.braces() in index.js, because the pattern .* greedily matches anything. Given a malicious payload, the matcher keeps backtracking over the input as long as it does not find the closing bracket. As the input size grows, the matching time grows with it until the application hangs or slows down. A fix had been merged earlier, but further testing showed that the issue persisted until https://github.com/micromatch/micromatch/pull/266. The issue should be mitigated by using a safe pattern that does not start backtracking because of greedy matching.