@babel/runtime, a core dependency of Babel-compiled JavaScript projects, provides the modular runtime helpers that let developers use modern JavaScript features while staying compatible with older environments. Comparing versions 7.13.4 and 7.13.2 shows only small differences. Both versions offer the same core functionality and declare the same dependencies, relying on regenerator-runtime to support async/await. Both are published under the MIT license from the same GitHub repository.
The differences lie in the release dates and the dist metadata. Version 7.13.4 was published on February 23, 2021, at 10:40:26.636Z, a few hours after version 7.13.2, which was published the same day at 02:11:04.305Z. Both packages contain 248 files, and the unpacked size differs only marginally: 131817 bytes for 7.13.4 against 131898 bytes for 7.13.2. A size difference of this order says nothing by itself about what changed; the Babel changelog for the patch release is the authoritative record of the fixes it contains.
For most projects the later version (7.13.4) is the sensible choice: patch releases are incremental, but they typically carry bug fixes that improve stability. Reviewing the Babel changelog for the specific patch version tells you exactly what was fixed before you upgrade. Note, however, that neither 7.13.x release includes the fix for the advisory described below; that requires @babel/runtime 7.26.10 or later, followed by recompiling your code.
Vulnerabilities affecting version 7.13.4 of the package
Babel has inefficient RegExp complexity in generated code with .replace when transpiling named capturing groups
When using Babel to compile regular expression named capturing groups, Babel generates a polyfill for the .replace method that has quadratic complexity on some specific replacement pattern strings (i.e. the second argument passed to .replace).
Your generated code is vulnerable if all the following conditions are true:
- you use Babel to compile regular expression named capturing groups;
- you use the .replace method on a regular expression that contains named capturing groups;
- your code passes untrusted strings as the second argument of .replace.
If you are using @babel/preset-env with the targets option, the transform that injects the vulnerable code is automatically enabled when your targets include an environment without native support for the named capturing groups you use. You can verify which transforms @babel/preset-env is applying by enabling its debug option, which lists the enabled plugins and the targets that caused each one to be included.
This problem has been fixed in @babel/helpers and @babel/runtime 7.26.10 and 8.0.0-alpha.17, please upgrade. It's likely that you do not directly depend on @babel/helpers, and instead you depend on @babel/core (which itself depends on @babel/helpers). Upgrading to @babel/core 7.26.10 is not required, but it guarantees that you are on a new enough @babel/helpers version.
Please note that just updating your Babel dependencies is not enough: you will also need to re-compile your code.
If you are passing user-provided strings as the second argument of .replace on regular expressions that contain named capturing groups, validate the input and make sure it does not contain the substring $< that is not followed by a later > (possibly with other characters in between). Such a string references no group, so rejecting it loses no legitimate functionality.
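The following JavaScript is an added illustration, not code from Babel, from the advisory, or from PR 17173. It implements the input check recommended as a workaround above, then shows a hypothetical polyfill-style expansion of "$<name>" references whose regex exhibits the kind of backtracking that makes a run of "$<" quadratic, beside a linear-time scan that produces the same output. The function names and the groupIndex shape are assumptions made for this example.

```javascript
// Added example, not code from Babel or from the advisory. The helper names and
// the groupIndex shape ({ name: captureIndex }) are assumptions for illustration.

// Workaround check: true when `replacement` contains a "$<" that is never
// followed by ">" anywhere later in the string. If the last "$<" has a ">"
// after it, every earlier "$<" does too, so one lastIndexOf suffices.
function hasUnterminatedGroupRef(replacement) {
  const last = replacement.lastIndexOf("$<");
  return last !== -1 && replacement.indexOf(">", last + 2) === -1;
}

// Hypothetical polyfill-style rewrite of "$<name>" to a numeric "$N" reference
// (not the @babel/helpers implementation). The unbounded [^>]+ is the problem:
// on "$<$<$<...", every "$<" start position consumes the rest of the string,
// fails to find ">", and backtracks, so the work is O(n) per position and
// O(n^2) overall.
function expandNamedRefsQuadratic(replacement, groupIndex) {
  return replacement.replace(/\$<([^>]+)>/g, (whole, name) =>
    Object.prototype.hasOwnProperty.call(groupIndex, name) ? "$" + groupIndex[name] : whole
  );
}

// Linear-time equivalent: one forward scan that never re-reads a character
// after giving up on it, so a "$<" with no closing ">" costs nothing extra.
function expandNamedRefsLinear(replacement, groupIndex) {
  let out = "";
  let i = 0;
  while (i < replacement.length) {
    if (!replacement.startsWith("$<", i)) {
      out += replacement[i++];
      continue;
    }
    const close = replacement.indexOf(">", i + 2);
    if (close === -1) {
      // No closing ">" anywhere after this point: nothing left can be a reference.
      out += replacement.slice(i);
      break;
    }
    const name = replacement.slice(i + 2, close);
    if (name.length > 0 && Object.prototype.hasOwnProperty.call(groupIndex, name)) {
      out += "$" + groupIndex[name];
    } else {
      out += replacement.slice(i, close + 1); // unknown or empty name: keep verbatim
    }
    i = close + 1;
  }
  return out;
}

// The workaround applied at a call site: reject the dangerous shape before the
// (possibly polyfilled) String.prototype.replace ever sees it.
function safeNamedGroupReplace(re, input, replacement) {
  if (hasUnterminatedGroupRef(replacement)) {
    throw new RangeError("replacement contains '$<' with no closing '>'");
  }
  return input.replace(re, replacement);
}

// Time both expansions on a constructed hostile replacement string of the
// shape the advisory describes; returns elapsed milliseconds for each.
function timeExpansions(pairs) {
  const hostile = "$<".repeat(pairs); // constructed attacker-controlled input
  const groupIndex = { year: 1 };
  let t = Date.now();
  expandNamedRefsLinear(hostile, groupIndex);
  const linearMs = Date.now() - t;
  t = Date.now();
  expandNamedRefsQuadratic(hostile, groupIndex);
  const quadraticMs = Date.now() - t;
  return { pairs, linearMs, quadraticMs };
}

if (typeof require !== "undefined" && typeof module !== "undefined" && require.main === module) {
  const re = /(?<year>\d{4})-(?<month>\d{2})/;
  console.log(safeNamedGroupReplace(re, "2021-02", "$<month>/$<year>")); // 02/2021
  console.log(hasUnterminatedGroupRef("$<".repeat(1000)));               // true
  // Doubling the input roughly quadruples quadraticMs while linearMs stays flat.
  for (const n of [4000, 8000, 16000]) console.log(timeExpansions(n));
}
```

Run it with node to see the timing table grow quadratically for the regex-based expansion only. The check in hasUnterminatedGroupRef is deliberately a plain string scan rather than another regular expression, so the validation itself cannot introduce a new backtracking problem.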
This vulnerability was reported and fixed in https://github.com/babel/babel/pull/17173.