@babel/cli 7.6.3 is a patch release that follows version 7.6.2, providing enhancements and potentially bug fixes to the Babel command-line interface. Both versions serve the same core function: enabling developers to transpile modern JavaScript code into versions compatible with older browsers and environments. While the core functionality remains consistent, the key difference lies in the updated dependencies.
Specifically, version 7.6.3 updates its dependency on the source-map package, bumping it from version 0.5.0 to 0.6.1. This is a significant upgrade since source maps are crucial for debugging transpiled code. Newer versions may incorporate performance improvements, enhanced accuracy in mapping original code locations, or fixes for previously reported issues.
Developers using Babel CLI should always aim to use the latest stable version to take advantage of the newest features, optimizations, and security patches. While the other dependencies (glob, slash, lodash, mkdirp, chokidar, commander, output-file-sync, and convert-source-map) remain the same, the change to the source-map package can bring significant performance and debugging improvements. Furthermore, both versions share the same peer dependency on @babel/core, so the upgrade won't change the version of Babel's core compiler used. This makes upgrading relatively straightforward, as it is less likely to introduce breaking changes outside of source map generation. Version 7.6.3 was released on Oct 8th 2019, while version 7.6.2 was released on Sept 23rd of the same year.
All the vulnerabilities related to the version 7.6.3 of the package
Uncontrolled resource consumption in braces
The NPM package braces fails to limit the number of characters it can handle, which could lead to memory exhaustion. In lib/parse.js, if a malicious user sends "imbalanced braces" as input, the parsing enters a loop that allocates heap memory without freeing it at any point. Eventually, the JavaScript heap limit is reached and the program crashes.
Regular Expression Denial of Service (ReDoS) in micromatch
The NPM package micromatch prior to version 4.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in micromatch.braces() in index.js because the pattern .* will greedily match anything. Given a malicious payload, the pattern matching keeps backtracking over the input while it does not find the closing bracket; as the input size increases, the time consumed also increases until the application hangs or slows down. There was a merged fix, but further testing shows the issue persisted prior to https://github.com/micromatch/micromatch/pull/266. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.