@babel/runtime, a crucial package for Babel users, provides modular runtime helpers that enable the correct execution of transformed JavaScript code. Two closely released versions, 7.20.5 and 7.20.6, offer insights into the evolution of this essential library. Both versions share the same core description, dependency on regenerator-runtime version ^0.13.11, MIT license, and maintain their location within the Babel repository on GitHub. They also appear to possess an identical number of files (199) and unpacked size (219855 bytes). The key differentiator between the two lies within their release dates. Version 7.20.5 was released on November 28, 2022, at 10:12:44.643Z, while version 7.20.6 followed shortly after on the same day at 11:02:57.948Z. This close proximity suggests that version 7.20.6 is likely a patch release addressing a bug or minor issue discovered immediately after the initial 7.20.5 release.
For developers using @babel/runtime, this information highlights the importance of staying up-to-date with the latest versions. While the differences between 7.20.5 and 7.20.6 might be subtle, a quick patch release often signifies a fix for unexpected behavior. Therefore, upgrading to the latest version (7.20.6 in this case) is recommended to ensure code stability and leverage the most refined set of runtime helpers. Always consult Babel's changelog or release notes for detailed insights into the specific changes implemented.
All the vulnerabilities related to the version 7.20.6 of the package
Babel has inefficient RegExp complexity in generated code with .replace when transpiling named capturing groups
When using Babel to compile regular expression named capturing groups, Babel will generate a polyfill for the .replace method that has quadratic complexity on some specific replacement pattern strings (i.e. the second argument passed to .replace).
Your generated code is vulnerable if all the following conditions are true:
.replace method on a regular expression that contains named capturing groups.replaceIf you are using @babel/preset-env with the targets option, the transform that injects the vulnerable code is automatically enabled if:
You can verify what transforms @babel/preset-env is using by enabling the debug option.
This problem has been fixed in @babel/helpers and @babel/runtime 7.26.10 and 8.0.0-alpha.17, please upgrade. It's likely that you do not directly depend on @babel/helpers, and instead you depend on @babel/core (which itself depends on @babel/helpers). Upgrading to @babel/core 7.26.10 is not required, but it guarantees that you are on a new enough @babel/helpers version.
Please note that just updating your Babel dependencies is not enough: you will also need to re-compile your code.
If you are passing user-provided strings as the second argument of .replace on regular expressions that contain named capturing groups, validate the input and make sure it does not contain the substring $< if it's then not followed by > (possibly with other characters in between).
This vulnerability was reported and fixed in https://github.com/babel/babel/pull/17173.