@babel/runtime version 7.23.9 is a minor update to the popular package providing Babel's modular runtime helpers, succeeding version 7.23.8. Both versions maintain the same core functionality, offering essential support for running compiled Babel code in various environments. A key aspect for developers to note is the continued dependency on regenerator-runtime version ^0.14.0, ensuring consistent handling of async/await operations across both releases. License remains under MIT.
Delving into the specifics, version 7.23.9 introduces slight adjustments, reflected in the dist metadata. The fileCount increases from 219 in 7.23.8 to 221 in 7.23.9, while the unpackedSize grows from 245977 to 248922. These changes suggest the inclusion of new or modified helper files, possibly addressing bug fixes, performance improvements, or expanding compatibility with emerging JavaScript features. Although subtle, these refinements contribute to a more robust and optimized runtime environment for Babel-transformed code.
The release date difference indicates a separation of just over two weeks, with 7.23.9 arriving on January 25, 2024, following the January 8, 2024 release of 7.23.8. Developers seeking the most up-to-date and potentially enhanced runtime support should opt for version 7.23.9 for its incremental improvements and fixes. This package provides essential features for any modern javascript developer as it takes care of compatibility for different browsers. Using the latest version grants access to the newest optimizations and bug fixes.
All the vulnerabilities related to the version 7.23.9 of the package
Babel has inefficient RegExp complexity in generated code with .replace when transpiling named capturing groups
When using Babel to compile regular expression named capturing groups, Babel will generate a polyfill for the .replace method that has quadratic complexity on some specific replacement pattern strings (i.e. the second argument passed to .replace).
Your generated code is vulnerable if all the following conditions are true:
.replace method on a regular expression that contains named capturing groups.replaceIf you are using @babel/preset-env with the targets option, the transform that injects the vulnerable code is automatically enabled if:
You can verify what transforms @babel/preset-env is using by enabling the debug option.
This problem has been fixed in @babel/helpers and @babel/runtime 7.26.10 and 8.0.0-alpha.17, please upgrade. It's likely that you do not directly depend on @babel/helpers, and instead you depend on @babel/core (which itself depends on @babel/helpers). Upgrading to @babel/core 7.26.10 is not required, but it guarantees that you are on a new enough @babel/helpers version.
Please note that just updating your Babel dependencies is not enough: you will also need to re-compile your code.
If you are passing user-provided strings as the second argument of .replace on regular expressions that contain named capturing groups, validate the input and make sure it does not contain the substring $< if it's then not followed by > (possibly with other characters in between).
This vulnerability was reported and fixed in https://github.com/babel/babel/pull/17173.