@babel/runtime versions 7.9.2 and 7.9.0 are both modular runtime helpers designed to support Babel's transformations, allowing developers to use modern JavaScript features in environments that do not natively support them. The primary difference lies in their @babel/helpers devDependency: version 7.9.2 depends on @babel/helpers@^7.9.2 and version 7.9.0 depends on @babel/helpers@^7.9.0. This indicates that bug fixes, performance improvements, or new helper functions were likely introduced in @babel/helpers between these releases, prompting the update in the runtime dependency.
Both versions share common characteristics, including a dependency on regenerator-runtime ^0.13.4, which provides support for async/await functions. Both versions have the same fileCount and unpackedSize, suggesting that the changes were primarily within the helper functions and did not significantly alter the overall size or structure of the package. For developers using @babel/runtime, upgrading from 7.9.0 to 7.9.2 ensures they are using the latest, potentially more optimized, helper functions generated by Babel. Keeping dependencies up to date is crucial for long-term project maintainability. The change in the @babel/helpers dependency suggests the update carries either fixes or performance improvements in the build process. Developers should review the changelog or release notes for @babel/helpers version 7.9.2 to understand the specific changes and any potential impact on their projects when upgrading.
All vulnerabilities related to version 7.9.2 of the package
Babel has inefficient RegExp complexity in generated code with .replace when transpiling named capturing groups
When using Babel to compile regular expression named capturing groups, Babel will generate a polyfill for the .replace method that has quadratic complexity on some specific replacement pattern strings (i.e. the second argument passed to .replace).
Your generated code is vulnerable if all the following conditions are true:
- You call the .replace method on a regular expression that contains named capturing groups.
If you are using @babel/preset-env with the targets option, the transform that injects the vulnerable code is automatically enabled if:
You can verify what transforms @babel/preset-env is using by enabling the debug option.
This problem has been fixed in @babel/helpers and @babel/runtime 7.26.10 and 8.0.0-alpha.17, please upgrade. It's likely that you do not directly depend on @babel/helpers, and instead you depend on @babel/core (which itself depends on @babel/helpers). Upgrading to @babel/core 7.26.10 is not required, but it guarantees that you are on a new enough @babel/helpers version.
Please note that just updating your Babel dependencies is not enough: you will also need to re-compile your code.
If you are passing user-provided strings as the second argument of .replace on regular expressions that contain named capturing groups, validate the input and make sure it does not contain the substring $< if it's then not followed by > (possibly with other characters in between).
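As an added example (not code from the advisory or from Babel), the workaround above written as a check on untrusted replacement strings, exercised against the native .replace on a constructed sample; the function names are my own.

```javascript
// Added example implementing the advisory's workaround: reject a replacement
// pattern that contains "$<" with no ">" anywhere after it.
function hasUnterminatedNamedGroupRef(replacement) {
  let from = 0;
  for (;;) {
    const start = replacement.indexOf("$<", from);
    if (start === -1) return false;          // no further "$<" occurrences
    const close = replacement.indexOf(">", start + 2);
    if (close === -1) return true;           // "$<" never followed by ">"
    from = start + 2;                        // keep scanning past this "$<"
  }
}

// Wrapper for the case where the replacement pattern is untrusted: validate it
// first, then delegate to the ordinary String.prototype.replace.
function replaceWithValidatedPattern(input, regex, replacement) {
  if (typeof replacement !== "string") {
    throw new TypeError("replacement must be a string");
  }
  if (hasUnterminatedNamedGroupRef(replacement)) {
    throw new RangeError('replacement contains "$<" without a following ">"');
  }
  return input.replace(regex, replacement);
}

// Constructed sample: a date matched with named groups, reformatted through
// $<name> references in the replacement pattern.
const DATE_RE = /(?<year>\d{4})-(?<month>\d{2})-(?<day>\d{2})/u;
const SAMPLE = "released 2025-03-11";

// Every "$<" here is followed by ">", so the pattern passes validation.
const reformatted = replaceWithValidatedPattern(
  SAMPLE, DATE_RE, "$<day>/$<month>/$<year>"
);

// Returns true when the validator refuses the pattern before .replace runs.
function isRejected(pattern) {
  try {
    replaceWithValidatedPattern(SAMPLE, DATE_RE, pattern);
    return false;
  } catch (e) {
    return e instanceof RangeError;
  }
}
```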
This vulnerability was reported and fixed in https://github.com/babel/babel/pull/17173.