@babel/runtime, a crucial package for Babel's modular runtime helpers, saw a minor update from version 7.7.0 to 7.7.1 on November 5, 2019. Both versions share the same core functionality, providing essential utilities for transpiled code to run correctly across different JavaScript environments. Examination of the provided metadata reveals both iterations depend on regenerator-runtime version ^0.13.2 and include @babel/helpers at version ^7.7.0 as a development dependency, and are licensed under the MIT license.
Notable similarities extend to the identical fileCount of 150, an unpacked size of 91433 bytes, and the same author and repository details. The primary difference lies in the slightly later releaseDate for version 7.7.1 (2019-11-05T13:47:33.956Z) compared to 7.7.0 (2019-11-05T10:53:18.403Z).
For developers, this suggests that version 7.7.1 likely contains bug fixes, performance improvements, or other minor enhancements built upon the foundation of 7.7.0. While the core API and functionality remain consistent, upgrading to the latest patch version is generally recommended to benefit from these refinements and ensure the most stable and reliable experience when using Babel's runtime helpers. This package is especially useful for developers who target older JavaScript environments and need to use modern JavaScript features, as it offers a way to include the necessary polyfills required for the code to work as expected. Since the file count and unpacked size are identical, the patch is probably correcting very specific edge cases.
All the vulnerabilities related to the version 7.7.1 of the package
Babel has inefficient RegExp complexity in generated code with .replace when transpiling named capturing groups
When using Babel to compile regular expression named capturing groups, Babel will generate a polyfill for the .replace method that has quadratic complexity on some specific replacement pattern strings (i.e. the second argument passed to .replace).
Your generated code is vulnerable if all the following conditions are true:
- You call the .replace method on a regular expression that contains named capturing groups.
If you are using @babel/preset-env with the targets option, the transform that injects the vulnerable code is automatically enabled if:
You can verify what transforms @babel/preset-env is using by enabling the debug option.
This problem has been fixed in @babel/helpers and @babel/runtime 7.26.10 and 8.0.0-alpha.17, please upgrade. It's likely that you do not directly depend on @babel/helpers, and instead you depend on @babel/core (which itself depends on @babel/helpers). Upgrading to @babel/core 7.26.10 is not required, but it guarantees that you are on a new enough @babel/helpers version.
Please note that just updating your Babel dependencies is not enough: you will also need to re-compile your code.
If you are passing user-provided strings as the second argument of .replace on regular expressions that contain named capturing groups, validate the input and make sure it does not contain the substring $< if it is not then followed by > (possibly with other characters in between).
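The input validation described above, as an added example that is not part of the advisory or the Babel project: isSafeReplacement and safeReplace are assumed helper names, and the date regex and replacement patterns are constructed sample data.

```javascript
// Added example (not Babel's code): a guard for the mitigation in the advisory.
// It rejects replacement strings containing "$<" that is never followed by a
// ">" (other characters may sit in between), and screens a user-supplied
// replacement pattern before it reaches the (possibly polyfilled) .replace.

// Returns true when every "$<" in `replacement` is eventually followed by ">".
function isSafeReplacement(replacement) {
  let idx = replacement.indexOf("$<");
  while (idx !== -1) {
    if (replacement.indexOf(">", idx + 2) === -1) {
      return false; // "$<" with no closing ">" anywhere after it
    }
    idx = replacement.indexOf("$<", idx + 2);
  }
  return true;
}

// Replace with a user-supplied pattern only after validation; throws otherwise.
function safeReplace(input, regex, replacement) {
  if (typeof replacement !== "string") {
    throw new TypeError("replacement must be a string");
  }
  if (!isSafeReplacement(replacement)) {
    throw new RangeError("rejected replacement pattern: unterminated $<");
  }
  return input.replace(regex, replacement);
}

// Constructed sample data: a regex with named groups and two replacement patterns.
const DATE_RE = /(?<year>\d{4})-(?<month>\d{2})-(?<day>\d{2})/;
const OK_PATTERN = "$<day>/$<month>/$<year>";
const BAD_PATTERN = "$<".repeat(5000); // many "$<", none closed by ">"

// Runs the well-formed pattern and confirms the malformed one is rejected.
function demo() {
  const good = safeReplace("2019-11-05", DATE_RE, OK_PATTERN);
  let rejected = false;
  try {
    safeReplace("2019-11-05", DATE_RE, BAD_PATTERN);
  } catch (e) {
    rejected = e instanceof RangeError;
  }
  return { good, rejected };
}
```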
This vulnerability was reported and fixed in https://github.com/babel/babel/pull/17173.