Babel CLI version 7.11.6 represents a minor update over its predecessor, version 7.11.5, primarily affecting internal dependencies rather than introducing vast, sweeping changes to end-user functionality. Both versions serve the core purpose of providing a command-line interface for Babel, enabling developers to transpile modern JavaScript code into versions compatible with older environments.
A key difference lies in the source-map dependency. Version 7.11.6 downgrades it from version 0.6.1 to 0.5.0. This could signal an attempt to resolve compatibility issues, to avoid bugs present in the newer source-map version, to align with other packages within the Babel ecosystem, or to improve performance. Developers incorporating source maps in their workflows should be mindful of potential behavioral differences between these versions, particularly if they rely on specific features or bug fixes introduced in source-map@0.6.1.
Beyond this, the other elements remain largely consistent. The dependencies on tools like glob, slash, lodash and chokidar, crucial for file system operations and utility functions, remain untouched. Similarly, the developer dependencies, including @babel/core and @babel/helper-fixtures, are unchanged, indicating a stable development environment between the two versions. The core functionality and usage of the CLI itself do not change drastically, so upgrading from 7.11.5 to 7.11.6 should be relatively seamless. Both rely on @babel/core within the range ^7.0.0-0 as a peer dependency, ensuring compatibility across different Babel core versions.
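A dependency downgrade such as source-map 0.6.1 to 0.5.0 is easy to miss when it happens inside a transitive dependency, because several copies of one package can be resolved at once. The following script is an added example, not part of @babel/cli or of this page: it reads a package-lock.json (lockfile v1, v2 or v3), lists every resolved version of the packages you care about, and flags any that fall below a minimum you specify. The lock object, the package names and the minimum versions are constructed for the demonstration; the real minimums come from the advisories you consult.

```javascript
// Added example (not part of @babel/cli or the page): report which versions of
// selected packages a package-lock.json actually resolves to, so a downgrade
// in a transitive dependency does not go unnoticed.
// Usage: node check-lock.js ./package-lock.json   (no argument: constructed sample below)

// Constructed sample lock: two copies of source-map are resolved, one nested
// under @babel/cli. Versions here are illustrative, not a real install.
const SAMPLE_LOCK = {
  name: "demo-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/@babel/cli": { version: "7.11.6" },
    "node_modules/@babel/cli/node_modules/source-map": { version: "0.5.0" },
    "node_modules/source-map": { version: "0.6.1" },
    "node_modules/micromatch": { version: "4.0.7" },
  },
};

// Collect a Map of package name -> Set of resolved versions.
function collectResolved(lock) {
  const found = new Map();
  const add = (name, version) => {
    if (!found.has(name)) found.set(name, new Set());
    found.get(name).add(version);
  };
  // lockfile v2/v3: "packages" keys look like "node_modules/a/node_modules/b"
  const marker = "node_modules/";
  for (const [key, entry] of Object.entries(lock.packages || {})) {
    if (!key) continue; // "" is the root project itself
    const name = key.slice(key.lastIndexOf(marker) + marker.length);
    if (entry && entry.version) add(name, entry.version);
  }
  // lockfile v1: nested "dependencies" objects
  const walk = (deps) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      if (entry.version) add(name, entry.version);
      walk(entry.dependencies);
    }
  };
  walk(lock.dependencies);
  return found;
}

// Compare two "major.minor.patch" strings; prerelease suffixes are ignored.
// Returns -1, 0 or 1.
function cmpSemver(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Return [{ name, version }] for every resolved copy below its minimum.
function findBelowMinimum(lock, minimums) {
  const resolved = collectResolved(lock);
  const out = [];
  for (const [name, min] of Object.entries(minimums)) {
    for (const version of resolved.get(name) || []) {
      if (cmpSemver(version, min) < 0) out.push({ name, version });
    }
  }
  return out.sort((x, y) => x.name.localeCompare(y.name) || cmpSemver(x.version, y.version));
}

if (typeof require !== "undefined" && require.main === module) {
  const path = process.argv[2];
  const lock = path ? JSON.parse(require("fs").readFileSync(path, "utf8")) : SAMPLE_LOCK;
  // Minimums taken from the text above: micromatch fixed in 4.0.8, and the
  // source-map version @babel/cli 7.11.5 still used.
  const minimums = { micromatch: "4.0.8", "source-map": "0.6.1" };
  for (const hit of findBelowMinimum(lock, minimums)) {
    console.log(`${hit.name}@${hit.version} is below ${minimums[hit.name]}`);
  }
}
```

Because the report is per resolved copy rather than per package name, a tree that contains both source-map@0.6.1 at the top level and source-map@0.5.0 nested under @babel/cli shows up as one flagged entry instead of passing on the strength of the top-level copy.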
All vulnerabilities related to version 7.11.6 of the package
Uncontrolled resource consumption in braces
The NPM package braces fails to limit the number of characters it can handle, which could lead to memory exhaustion. In lib/parse.js, if a malicious user sends "imbalanced braces" as input, the parsing will enter a loop which causes the program to allocate heap memory without freeing it at any point in the loop. Eventually the JavaScript heap limit is reached and the program crashes.
Regular Expression Denial of Service (ReDoS) in micromatch
The NPM package micromatch prior to version 4.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in micromatch.braces() in index.js because the pattern .* will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking over the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix, but further testing shows the issue persisted prior to https://github.com/micromatch/micromatch/pull/266. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.