@babel/cli is the command-line interface for Babel, a popular JavaScript compiler. Comparing versions 7.7.5 and 7.7.4, the core functionality remains largely unchanged, focused on enabling developers to transpile modern JavaScript code into versions compatible with older environments. Both versions include dependencies like glob for file matching, slash for path manipulation, lodash for utility functions, chokidar for file watching (also listed as an optional dependency), make-dir for directory creation, commander for command-line argument parsing, and source-map and convert-source-map for debugging support. The fs-readdir-recursive dependency facilitates recursive directory reading.
The key difference lies in the updated devDependencies. Version 7.7.5 uses @babel/core version 7.7.5, while 7.7.4 depends on @babel/core 7.7.4. Developers considering an upgrade should check the @babel/core changelog for the specific bug fixes, performance improvements, or new features introduced between these releases. The releaseDate also indicates that version 7.7.5 was released about two weeks after 7.7.4, and its unpacked size is slightly larger. The peerDependencies entry, requiring @babel/core at version "^7.0.0-0", remains the same, ensuring compatibility within the Babel 7 ecosystem. As noted above, the optional dependency chokidar provides the file-watching capability. While the API exposed by @babel/cli persists between versions, enhancements or fixes within @babel/core may affect the overall transpilation process.
All the vulnerabilities related to version 7.7.5 of the package

Uncontrolled resource consumption in braces

The NPM package braces fails to limit the number of characters it can handle, which could lead to memory exhaustion. In lib/parse.js, if a malicious user sends "imbalanced braces" as input, the parser enters a loop that allocates heap memory without ever freeing it. Eventually the JavaScript heap limit is reached and the program crashes.

Regular Expression Denial of Service (ReDoS) in micromatch

The NPM package micromatch prior to version 4.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in micromatch.braces() in index.js because the pattern .* will greedily match anything. Given a malicious payload, the pattern matching keeps backtracking over the input while it fails to find the closing bracket. As the input size increases, the processing time also increases until the application hangs or slows down. A fix was merged, but further testing showed that the issue persisted prior to https://github.com/micromatch/micromatch/pull/266. This issue should be mitigated by using a safe pattern that does not start backtracking the regular expression due to greedy matching.
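Both advisories above share a root cause: an untrusted glob pattern with unbalanced braces reaches a parser (or a greedy regular expression) that has no bound on how much work it will do. The following is an added example, not code from the page or from the braces or micromatch projects, showing the kind of input guard a caller can put in front of any brace-expansion or glob library: a hard length cap and a linear-time balanced-brace scan that uses no regular expression at all, so it cannot backtrack. The cap value, the function names and the `expand` callback are assumptions made for this example.

```javascript
// Added example (not from the page, braces or micromatch). Guards to apply
// before handing untrusted glob patterns to a brace-expansion library.

const MAX_PATTERN_LENGTH = 1024; // assumption: cap chosen for this example

// Linear-time scan: true when every '{' has a matching '}' and a '}' never
// appears before its opener. Backslash-escaped braces are skipped, since glob
// syntaxes generally treat them as literals. No regex, so no backtracking.
function hasBalancedBraces(pattern) {
  let depth = 0;
  for (let i = 0; i < pattern.length; i++) {
    const ch = pattern[i];
    if (ch === '\\') { i++; continue; } // skip the escaped character
    if (ch === '{') {
      depth++;
    } else if (ch === '}') {
      if (depth === 0) return false;  // closing brace with no opener
      depth--;
    }
  }
  return depth === 0;                 // leftover openers mean imbalance
}

// Validates a pattern from an untrusted source before any library sees it.
// Returns { ok: true } or { ok: false, reason }.
function validatePattern(pattern, maxLength = MAX_PATTERN_LENGTH) {
  if (typeof pattern !== 'string') return { ok: false, reason: 'not a string' };
  if (pattern.length > maxLength) return { ok: false, reason: 'pattern too long' };
  if (!hasBalancedBraces(pattern)) return { ok: false, reason: 'imbalanced braces' };
  return { ok: true };
}

// Wraps an expander function (hypothetical: whatever your glob library exports)
// so that rejected input never reaches the vulnerable parser.
function safeExpand(expand, pattern) {
  const verdict = validatePattern(pattern);
  if (!verdict.ok) throw new Error(`rejected pattern: ${verdict.reason}`);
  return expand(pattern);
}

// Constructed sample inputs: a normal pattern, the "imbalanced braces" shape
// named in the advisories, and an oversized pattern.
const samples = [
  'src/{lib,test}/**/*.js',
  '{a,{b,c}',
  'a}b',
  '\\{literal',
  '{'.repeat(MAX_PATTERN_LENGTH + 1),
];
for (const p of samples) {
  const v = validatePattern(p);
  console.log(JSON.stringify(p.slice(0, 24)), '->', v.ok ? 'ok' : v.reason);
}
```

The scan is O(n) in the pattern length and the length cap bounds n, so the worst-case cost of validation is fixed regardless of what the caller sends; anything the guard rejects is logged as a rejected pattern rather than being passed on to the library.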
will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persisted prior to https://github.com/micromatch/micromatch/pull/266. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.