@babel/cli is a command-line interface for the Babel transpiler, allowing developers to easily compile modern JavaScript code into versions compatible with older browsers and environments. Version 7.8.4 was released on January 30, 2020, succeeding version 7.8.3 released on January 13, 2020.
A key difference between these versions lies in the updated dependencies. Specifically, @babel/core, the core Babel transpiler, was updated from version 7.8.3 to 7.8.4. This likely includes bug fixes, performance improvements, and potentially new features within the core transpilation process, while the remaining dependencies (glob, slash, lodash, chokidar, make-dir, commander, source-map, convert-source-map and fs-readdir-recursive) are unchanged. The package size has also increased slightly: version 7.8.4 has an unpacked size of 36018, compared with 35997 for the previous version.
For developers using @babel/cli, upgrading from 7.8.3 to 7.8.4 ensures they are leveraging the latest advancements and bug fixes within the Babel ecosystem. Although the changes might appear incremental, staying up-to-date guarantees a more stable and optimized transpilation process. This is particularly important for developers working on complex projects where even minor improvements can have a noticeable impact on build times and overall performance. It's always recommended to review the changelog associated with @babel/core 7.8.4 to fully understand the specific changes introduced and assess their relevance to your project.
All the vulnerabilities related to version 7.8.4 of the package
Uncontrolled resource consumption in braces
The NPM package braces fails to limit the number of characters it can handle, which could lead to Memory Exhaustion. In lib/parse.js, if a malicious user sends "imbalanced braces" as input, the parsing will enter a loop, which will cause the program to start allocating heap memory without freeing it at any moment of the loop. Eventually, the JavaScript heap limit is reached, and the program will crash.
Regular Expression Denial of Service (ReDoS) in micromatch
The NPM package micromatch prior to version 4.0.8 is vulnerable to Regular Expression Denial of Service (ReDoS). The vulnerability occurs in micromatch.braces() in index.js because the pattern .* will greedily match anything. By passing a malicious payload, the pattern matching will keep backtracking to the input while it doesn't find the closing bracket. As the input size increases, the consumption time will also increase until it causes the application to hang or slow down. There was a merged fix but further testing shows the issue persisted prior to https://github.com/micromatch/micromatch/pull/266. This issue should be mitigated by using a safe pattern that won't start backtracking the regular expression due to greedy matching.
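As an added example (not code from the original page, nor from the braces, micromatch or Babel projects), the following JavaScript shows the kind of input guard both advisories point at: patterns that come from untrusted input are capped in length and rejected when their brace groups are unbalanced or unclosed, before they are handed to a brace-expansion or glob library. The constant MAX_PATTERN_LENGTH, the function names and the sample patterns are assumptions constructed for this illustration.

```javascript
// Added example: defensive pre-validation of brace-expansion patterns.
// Not part of the braces/micromatch projects; names and limits are assumed.

// Assumed upper bound on pattern length; tune to the patterns a project really uses.
const MAX_PATTERN_LENGTH = 1024;

/**
 * Scan a pattern for unbalanced "{" / "}" groups, honouring backslash escapes.
 * Only curly-brace groups are tracked here; glob character classes ("[...]")
 * have their own quoting rules and are deliberately left out of this check.
 * Returns null when the braces are balanced, otherwise a short reason string.
 */
function findImbalance(pattern) {
  let depth = 0;
  for (let i = 0; i < pattern.length; i++) {
    const ch = pattern[i];
    if (ch === '\\') {
      i++; // skip the escaped character, whatever it is
      continue;
    }
    if (ch === '{') {
      depth++;
    } else if (ch === '}') {
      if (depth === 0) {
        return `unexpected "}" at offset ${i}`;
      }
      depth--;
    }
  }
  return depth === 0 ? null : `${depth} unclosed "{" group(s)`;
}

/**
 * Validate a user-supplied pattern before it reaches an expansion library.
 * Returns { ok: true } when the pattern passes, otherwise { ok: false, reason }.
 */
function validateBracePattern(pattern, maxLength = MAX_PATTERN_LENGTH) {
  if (typeof pattern !== 'string') {
    return { ok: false, reason: 'pattern must be a string' };
  }
  if (pattern.length > maxLength) {
    return { ok: false, reason: `pattern exceeds ${maxLength} characters` };
  }
  const imbalance = findImbalance(pattern);
  if (imbalance !== null) {
    return { ok: false, reason: imbalance };
  }
  return { ok: true };
}

// Constructed sample inputs: an ordinary glob, an escaped brace, an unclosed
// group of the kind the advisories describe, and an oversized pattern.
const samples = [
  'src/**/*.{js,ts}',
  'literal\\{not-a-group',
  'src/{a,b',
  '{'.repeat(5000),
];

for (const p of samples) {
  const result = validateBracePattern(p);
  console.log(JSON.stringify(p.slice(0, 24)), '->', JSON.stringify(result));
}
```

In practice the guard runs at the trust boundary (an HTTP handler, a CLI argument parser) and only patterns that return `ok: true` are passed on to the expansion library; the length cap bounds the work any single request can cause, and the balance check removes the malformed input class the advisories describe.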