@babel/runtime, a crucial package for Babel users, provides modular runtime helpers that enable the execution of transformed JavaScript code in older environments. Examining versions 7.15.3 and 7.14.8 reveals subtle yet potentially important distinctions for developers. Both versions share the same core function of supporting Babel's transformations and depend on "regenerator-runtime" version "^0.13.4", ensuring compatibility with asynchronous JavaScript features. Both versions also share a permissive MIT license.
The key difference lies in the "@babel/runtime": "7.15.3" , releaseDate. Version 7.15.3 was released on August 11, 2021, succeeding version 7.14.8, which was released on July 20, 2021. While the file count remains constant at 181, indicating a similar overall structure, a minor increase in unpacked size from 143666 to 143900 might point to bug fixes, slight performance improvements, or the inclusion of new helper functions within the newer release. Therefore, an upgrade to 7.15.3 is advisable and is especially important for developers seeking the most up-to-date fixes and enhancements, even if the core dependencies remain the same. Developers should consult the official Babel changelog for detailed information on these changes.
All the vulnerabilities related to the version 7.15.3 of the package
Babel has inefficient RegExp complexity in generated code with .replace when transpiling named capturing groups
When using Babel to compile regular expression named capturing groups, Babel will generate a polyfill for the .replace method that has quadratic complexity on some specific replacement pattern strings (i.e. the second argument passed to .replace).
Your generated code is vulnerable if all the following conditions are true:
.replace method on a regular expression that contains named capturing groups.replaceIf you are using @babel/preset-env with the targets option, the transform that injects the vulnerable code is automatically enabled if:
You can verify what transforms @babel/preset-env is using by enabling the debug option.
This problem has been fixed in @babel/helpers and @babel/runtime 7.26.10 and 8.0.0-alpha.17, please upgrade. It's likely that you do not directly depend on @babel/helpers, and instead you depend on @babel/core (which itself depends on @babel/helpers). Upgrading to @babel/core 7.26.10 is not required, but it guarantees that you are on a new enough @babel/helpers version.
Please note that just updating your Babel dependencies is not enough: you will also need to re-compile your code.
If you are passing user-provided strings as the second argument of .replace on regular expressions that contain named capturing groups, validate the input and make sure it does not contain the substring $< if it's then not followed by > (possibly with other characters in between).
This vulnerability was reported and fixed in https://github.com/babel/babel/pull/17173.