@babel/runtime version 7.9.0 introduces updates and refinements to Babel's modular runtime helpers compared to its previous stable version, 7.8.7. Both versions share the same core purpose: providing pre-compiled, reusable helper functions to reduce code duplication in Babel-transformed code. The fundamental dependencies remain consistent, with both relying on regenerator-runtime version ^0.13.4 to support async/await functionality.
The notable difference lies in the devDependencies. Version 7.9.0 upgrades the @babel/helpers dependency to ^7.9.0, while version 7.8.7 used @babel/helpers version ^7.8.4. This indicates that the build process and helper generation within the Babel ecosystem have been updated. While seemingly minor, this change often reflects improvements in code generation, bug fixes, or potentially new helper functions available for Babel's internal use.
Furthermore, there's an increase in the fileCount (from 151 to 164) and unpackedSize (from 90827 to 98901), suggesting more helper functions or larger implementations in the newer version. Developers upgrading should be aware that the update includes new features or improvements to existing helpers that support wider range of ecmascript functionality.
For developers, staying up-to-date with @babel/runtime ensures the latest bug fixes, performance improvements, and compatibility with newer ECMAScript features. The minor version bump (7.8.7 to 7.9.0) suggests backward compatibility for most use cases, but it's recommended to review the Babel changelog and test thoroughly to confirm.
All the vulnerabilities related to the version 7.9.0 of the package
Babel has inefficient RegExp complexity in generated code with .replace when transpiling named capturing groups
When using Babel to compile regular expression named capturing groups, Babel will generate a polyfill for the .replace method that has quadratic complexity on some specific replacement pattern strings (i.e. the second argument passed to .replace).
Your generated code is vulnerable if all the following conditions are true:
.replace method on a regular expression that contains named capturing groups.replaceIf you are using @babel/preset-env with the targets option, the transform that injects the vulnerable code is automatically enabled if:
You can verify what transforms @babel/preset-env is using by enabling the debug option.
This problem has been fixed in @babel/helpers and @babel/runtime 7.26.10 and 8.0.0-alpha.17, please upgrade. It's likely that you do not directly depend on @babel/helpers, and instead you depend on @babel/core (which itself depends on @babel/helpers). Upgrading to @babel/core 7.26.10 is not required, but it guarantees that you are on a new enough @babel/helpers version.
Please note that just updating your Babel dependencies is not enough: you will also need to re-compile your code.
If you are passing user-provided strings as the second argument of .replace on regular expressions that contain named capturing groups, validate the input and make sure it does not contain the substring $< if it's then not followed by > (possibly with other characters in between).
This vulnerability was reported and fixed in https://github.com/babel/babel/pull/17173.