@babel/runtime version 7.12.17 is a patch-level update to Babel's runtime helpers, the small library that transpiled code calls into so that modern JavaScript features work in environments that do not support them natively. It follows the earlier 7.12.13 release and lets developers use current syntax without giving up compatibility with older runtimes. Both versions share the same core dependency, regenerator-runtime, which supplies the runtime support for transpiled generators and async/await.
While the core functionality is the same, the two releases differ noticeably in what is distributed. Version 7.12.17 has a much smaller footprint: an unpacked size of 15587 bytes versus 113524 bytes, and 11 files versus 167. That suggests files were removed or consolidated between the two releases, which translates into faster installs and less disk usage for projects that depend on it. The newer release was published 15 days after the older one. For developers, the result is a lighter dependency that still provides the same runtime helpers. Both versions are published under the MIT license.
Known vulnerabilities affecting version 7.12.17 of the package
Babel has inefficient RegExp complexity in generated code with .replace when transpiling named capturing groups
When using Babel to compile regular expression named capturing groups, Babel will generate a polyfill for the .replace method that has quadratic complexity on some specific replacement pattern strings (i.e. the second argument passed to .replace).
Your generated code is vulnerable if all the following conditions are true:
- you use Babel to compile regular expressions that contain named capturing groups;
- you call the .replace method on a regular expression that contains named capturing groups;
- the second argument you pass to .replace is a string that comes from an untrusted source.
If you are using @babel/preset-env with the targets option, the transform that injects the vulnerable code is enabled automatically whenever one of your targets does not natively support named capturing groups. You can verify which transforms @babel/preset-env is applying by enabling its debug option.
This problem has been fixed in @babel/helpers and @babel/runtime 7.26.10 and 8.0.0-alpha.17; please upgrade. It is likely that you do not depend on @babel/helpers directly but through @babel/core (which itself depends on @babel/helpers). Upgrading to @babel/core 7.26.10 is not required, but it guarantees that you are on a new enough @babel/helpers version.
Please note that just updating your Babel dependencies is not enough: you will also need to re-compile your code.
If you are passing user-provided strings as the second argument of .replace on regular expressions that contain named capturing groups, validate the input and make sure it does not contain the substring "$<" unless that "$<" is followed later in the string by ">" (possibly with other characters in between).
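One way to implement the workaround above, as an added example that is not part of the advisory and not Babel's own helper code. The function names hasUnterminatedGroupRef, safeReplace and literalReplace, the ISO_DATE regex and the sample strings are assumptions made for the illustration. The check implements the advisory's condition literally (every "$<" must be followed somewhere later in the string by ">") with a single linear scan, so the untrusted string is never handed to the regex engine; the function-replacement variant avoids passing a pattern string altogether.

```javascript
// Added example, not Babel's helper code. Implements the advisory's workaround:
// reject a replacement string that contains "$<" with no ">" anywhere after it.
// Runs in O(n) over the replacement string and never runs a regex over it.
function hasUnterminatedGroupRef(replacement) {
  let from = 0;
  for (;;) {
    const start = replacement.indexOf("$<", from);
    if (start === -1) return false;            // no (more) "$<": acceptable
    const close = replacement.indexOf(">", start + 2);
    if (close === -1) return true;             // "$<" with no ">" after it
    // Every "$<" before this ">" is also followed by it, so skip past it.
    from = close + 1;
  }
}

// Hypothetical wrapper: validate an untrusted replacement string before it
// reaches .replace (and, in transpiled code, Babel's named-group polyfill).
function safeReplace(regex, input, replacement) {
  if (hasUnterminatedGroupRef(replacement)) {
    throw new RangeError('replacement contains "$<" with no closing ">"');
  }
  return input.replace(regex, replacement);
}

// Alternative that needs no validation: a function replacement returns the
// text to insert verbatim, so the second argument is never interpreted as a
// replacement pattern string. Use this when the untrusted value is meant to
// be inserted literally rather than to reference named groups.
function literalReplace(regex, input, literal) {
  return input.replace(regex, () => literal);
}

// Constructed sample input: an ISO date matched with named capturing groups.
const ISO_DATE = /(?<y>\d{4})-(?<m>\d{2})-(?<d>\d{2})/;

function demo() {
  // Well-formed group references pass the check and are expanded as usual.
  const ok = safeReplace(ISO_DATE, "released 2021-02-18", "$<d>/$<m>/$<y>");
  // A hostile-looking value is harmless when inserted as a literal.
  const lit = literalReplace(ISO_DATE, "released 2021-02-18", "$<$<$<$<");
  // The pathological shape from the advisory ("$<" repeated, never closed)
  // is rejected before .replace ever sees it.
  let rejected = false;
  try {
    safeReplace(ISO_DATE, "2021-02-18", "$<".repeat(10000));
  } catch (e) {
    rejected = e instanceof RangeError;
  }
  return { ok, lit, rejected };
}

console.log(demo());
```

The scan jumps past each ">" it finds because any "$<" between the current position and that ">" is, by the advisory's definition, already closed; that keeps the validator itself linear, which matters since its whole purpose is to sit in front of user-controlled input.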
This vulnerability was reported and fixed in https://github.com/babel/babel/pull/17173.