@babel/cli is the command-line interface for Babel, the JavaScript compiler that lets developers write next-generation JavaScript and compiles it down to syntax that older environments support. Version 7.8.3 was released on January 13, 2020, shortly after version 7.8.0 on January 12, 2020. Both versions share the same core dependencies: glob, slash, lodash, chokidar, make-dir, commander, source-map, convert-source-map, and fs-readdir-recursive. These handle file system traversal, command-line argument parsing, and source map generation, all essential to the CLI. Notably, chokidar is an optional dependency: it is the file watcher behind the --watch flag, which recompiles files automatically when they change, and the CLI only loads it when that flag is used, so a failed chokidar install does not break ordinary one-shot compilation.
The difference between the two releases lies in the devDependencies. Version 7.8.3 pins @babel/core and @babel/helper-fixtures at 7.8.3 (used by the package's own test suite; @babel/core is otherwise a peer dependency of the CLI), while 7.8.0 pinned both at 7.8.0. Babel publishes its monorepo packages in lockstep, so the bump reflects bug fixes and refinements that landed in the core compiler and its helpers between the two releases rather than changes to the CLI itself; developers tracking the 7.8 line should still move to 7.8.3 to pick up those fixes. The small difference in unpacked size (35997 vs 36019 bytes) points to minor code adjustments only. Note that the vulnerabilities listed below are not in these direct dependencies but deeper in the dependency tree, so running npm ls braces micromatch (or npm audit) in an installed project is the way to see which versions actually resolve.
All vulnerabilities affecting version 7.8.3 of the package through its dependency tree
Uncontrolled resource consumption in braces
The NPM package braces (versions before 3.0.3) fails to cap the length of the input it parses, which can lead to memory exhaustion. In lib/parse.js, an input with imbalanced braces sends the parser into a loop that keeps allocating heap memory without releasing any of it; once the JavaScript heap limit is reached, the process crashes. The practical consequence is that any code path that hands untrusted strings to a brace expander needs a length limit and a balance check in front of it, or a braces version that enforces one itself.
Regular Expression Denial of Service (ReDoS) in micromatch
The NPM package micromatch prior to version 4.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability is in micromatch.braces() in index.js, where the pattern .* greedily matches anything. On a crafted payload, the regex engine keeps backtracking through the input while it fails to find the closing bracket, so matching time grows with input size until the application slows down or hangs. A fix had been merged earlier, but further testing showed the issue persisted until https://github.com/micromatch/micromatch/pull/266. The mitigation is a check that cannot backtrack: either a pattern without greedy matching or a plain linear scan for the brace pair.