@babel/runtime version 7.19.4 is a minor update to the popular Babel runtime library, building on version 7.19.0. Both versions provide Babel's modular runtime helpers, which enable modern JavaScript features in environments that don't support them natively. The core functionality is unchanged, so transpiled code continues to run as before. The differences are in the details: version 7.19.4, released on October 10, 2022, has a slightly smaller unpacked size (217451 bytes, compared to 218413 bytes for 7.19.0), while version 7.19.0 was released on September 5, 2022.
For developers using @babel/runtime, this suggests optimizations or bug fixes made between the two releases. The changelog isn't reproduced here, but the smaller size could indicate more efficient code or the removal of redundant elements. Both versions depend on the same regenerator-runtime range, "^0.13.4". Developers should consult the official Babel changelog or release notes for a comprehensive list of changes and their impact on specific projects. Staying updated ensures access to the latest improvements and addresses any potential security vulnerabilities. The library, licensed under MIT, continues to be actively maintained by the Babel team, reflecting its importance in the JavaScript ecosystem.
All the vulnerabilities related to version 7.19.4 of the package
Babel has inefficient RegExp complexity in generated code with .replace when transpiling named capturing groups
When using Babel to compile regular expression named capturing groups, Babel will generate a polyfill for the .replace method that has quadratic complexity on some specific replacement pattern strings (i.e. the second argument passed to .replace).
Your generated code is vulnerable if all the following conditions are true:
- you use the .replace method on a regular expression that contains named capturing groups
- … .replace
If you are using @babel/preset-env with the targets option, the transform that injects the vulnerable code is automatically enabled if:
You can verify what transforms @babel/preset-env is using by enabling the debug option.
This problem has been fixed in @babel/helpers and @babel/runtime 7.26.10 and 8.0.0-alpha.17, please upgrade. It's likely that you do not directly depend on @babel/helpers, and instead you depend on @babel/core (which itself depends on @babel/helpers). Upgrading to @babel/core 7.26.10 is not required, but it guarantees that you are on a new enough @babel/helpers version.
Please note that just updating your Babel dependencies is not enough: you will also need to re-compile your code.
If you are passing user-provided strings as the second argument of .replace on regular expressions that contain named capturing groups, validate the input and make sure it does not contain the substring $< if it is not then followed by > (possibly with other characters in between).
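To make that mitigation concrete, here is an added example (not code from the advisory or from Babel) of a conservative validator that applies the advisory's rule to an untrusted replacement pattern before it reaches .replace; the function names and the sample inputs are assumptions.

```javascript
// Added example, not part of the advisory or of Babel: a conservative check that
// implements the advisory's rule for untrusted replacement patterns. It rejects
// any pattern that contains "$<" with no ">" anywhere after it.

/**
 * Returns true when `replacement` is acceptable as the second argument of
 * .replace on a regex with named capturing groups under the advisory's rule.
 * The check follows the rule literally and is deliberately conservative: it
 * does not special-case "$$" (an escaped dollar sign), so "$$<" with no
 * closing ">" is rejected as well.
 */
function isSafeReplacementPattern(replacement) {
  // Replacer callbacks are never expanded as pattern strings.
  if (typeof replacement === 'function') return true;
  const s = String(replacement); // .replace coerces non-strings the same way
  // If the last "$<" has no ">" after it, the pattern holds an unterminated
  // named-group reference (any earlier "$<" would otherwise be terminated too).
  const last = s.lastIndexOf('$<');
  return last === -1 || s.indexOf('>', last + 2) !== -1;
}

/**
 * Wrapper that validates an untrusted pattern before calling .replace and
 * refuses to run the replacement when the pattern fails the check.
 */
function replaceWithValidatedPattern(input, regex, replacement) {
  if (!isSafeReplacementPattern(replacement)) {
    throw new TypeError('replacement pattern contains an unterminated "$<" reference');
  }
  return input.replace(regex, replacement);
}

// Constructed sample inputs for demonstration.
const dateRe = /(?<year>\d{4})-(?<month>\d{2})-(?<day>\d{2})/;
console.log(replaceWithValidatedPattern('2022-10-10', dateRe, '$<day>/$<month>/$<year>'));
// → 10/10/2022
try {
  replaceWithValidatedPattern('2022-10-10', dateRe, '$<year'); // unterminated reference
} catch (e) {
  console.log(e.message);
}
```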
This vulnerability was reported and fixed in https://github.com/babel/babel/pull/17173.