@babel/runtime version 7.13.6 is a minor update to Babel's modular runtime helpers, following closely after version 7.13.4. Both versions share the same core dependencies, relying on regenerator-runtime version ^0.13.4. They are licensed under the MIT license and maintained within the Babel project, accessible via the specified GitHub repository. Sebastian McKenzie remains the author of this package.
The practical differences between these two versions are subtle but potentially impactful for developers. Version 7.13.6, released on February 23, 2021, at 17:44:53 UTC, exhibits a slight increase in unpacked size (137330 bytes) compared to version 7.13.4 (131817 bytes), released earlier that same day at 10:40:26 UTC. Both versions contain the same number of files (248).
This indicates that version 7.13.6 likely includes bug fixes, performance improvements, or minor feature enhancements that contribute to the increased size. While the changes may not be breaking, developers are encouraged to upgrade to the latest version to benefit from these potential enhancements and ensure compatibility with their projects. When incorporating Babel into development workflows, always prioritize the most recent stable release, in this case, 7.13.6, to take advantage of the latest tooling and refined runtime environment, especially concerning asynchronous code execution. These incremental upgrades often include vital polyfills and helper functions that ensure code transpiled by Babel functions as expected across diverse JavaScript engines and environments.
All the vulnerabilities related to the version 7.13.6 of the package
Babel has inefficient RegExp complexity in generated code with .replace when transpiling named capturing groups
When using Babel to compile regular expression named capturing groups, Babel will generate a polyfill for the .replace method that has quadratic complexity on some specific replacement pattern strings (i.e. the second argument passed to .replace).
Your generated code is vulnerable if all the following conditions are true:
.replace method on a regular expression that contains named capturing groups.replaceIf you are using @babel/preset-env with the targets option, the transform that injects the vulnerable code is automatically enabled if:
You can verify what transforms @babel/preset-env is using by enabling the debug option.
This problem has been fixed in @babel/helpers and @babel/runtime 7.26.10 and 8.0.0-alpha.17, please upgrade. It's likely that you do not directly depend on @babel/helpers, and instead you depend on @babel/core (which itself depends on @babel/helpers). Upgrading to @babel/core 7.26.10 is not required, but it guarantees that you are on a new enough @babel/helpers version.
Please note that just updating your Babel dependencies is not enough: you will also need to re-compile your code.
If you are passing user-provided strings as the second argument of .replace on regular expressions that contain named capturing groups, validate the input and make sure it does not contain the substring $< if it's then not followed by > (possibly with other characters in between).
This vulnerability was reported and fixed in https://github.com/babel/babel/pull/17173.