Babel plugin transform async to generator version 6.0.2 offers developers a way to convert ES2017 async functions into ES2015 generator functions. This backward compatibility lets modern async/await syntax run in older JavaScript environments that don't natively support it. The plugin relies on babel-helper-remap-async-to-generator to handle the core transformation logic, ensuring a reliable and well-tested process. Its dependency babel-plugin-syntax-async-functions lets Babel parse async function syntax. Furthermore, babel-runtime provides the helper functions required at runtime.
Without specific information on the prior release, it is hard to pinpoint exact differences in functionality or performance from the previous version. However, version 6.0.2, released in October 2015, presents a stable baseline for converting async functions. Developers using Babel for transpilation can integrate this plugin to extend async/await support to their target environments. The MIT license provides freedom for usage and modification. Developers should evaluate this version in terms of performance and compatibility compared to more recent versions for their specific infrastructure. Keep in mind that subsequent updates may include bug fixes, performance enhancements, or expanded capabilities, while version 6.0.2 represents a well-defined, early release in that development lifecycle.
All the vulnerabilities related to the version 6.0.2 of the package
Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code
Using Babel to compile code that was specifically crafted by an attacker can lead to arbitrary code execution during compilation, when using plugins that rely on the path.evaluate() or path.evaluateTruthy() internal Babel methods.
Known affected plugins are:
@babel/plugin-transform-runtime
@babel/preset-env when using its useBuiltIns option
Any plugin that depends on @babel/helper-define-polyfill-provider, such as babel-plugin-polyfill-corejs3, babel-plugin-polyfill-corejs2, babel-plugin-polyfill-es-shims, babel-plugin-polyfill-regenerator
No other plugins under the @babel/ namespace are impacted, but third-party plugins might be.
Users that only compile trusted code are not impacted.
The vulnerability has been fixed in @babel/traverse@7.23.2.
Babel 6 does not receive security fixes anymore (see Babel's security policy), hence there is no patch planned for babel-traverse@6.
Upgrade @babel/traverse to v7.23.2 or higher. You can do this by deleting it from your package manager's lockfile and re-installing the dependencies. @babel/core >=7.23.2 will automatically pull in a non-vulnerable version.
If you cannot upgrade @babel/traverse and are using one of the affected packages mentioned above, upgrade them to their latest version to avoid triggering the vulnerable code path in affected @babel/traverse versions:
@babel/plugin-transform-runtime v7.23.2
@babel/preset-env v7.23.2
@babel/helper-define-polyfill-provider v0.4.3
babel-plugin-polyfill-corejs2 v0.4.6
babel-plugin-polyfill-corejs3 v0.8.5
babel-plugin-polyfill-es-shims v0.10.0
babel-plugin-polyfill-regenerator v0.5.3
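The version checks described above, as an added example that is not part of the original page or of Babel's own tooling: a Node.js function that walks the packages map of a parsed package-lock.json (lockfileVersion 2 or 3 is assumed) and flags entries below the fixed versions listed in the advisory, plus any babel-traverse copy from Babel 6, for which no patch is planned. The names FIXED, lt, auditLock and sampleLock are hypothetical, and the sample lockfile is constructed.

```javascript
// Fixed versions as listed in the advisory above (preset-env matters only with useBuiltIns).
const FIXED = new Map([
  ['@babel/traverse', '7.23.2'],
  ['@babel/plugin-transform-runtime', '7.23.2'],
  ['@babel/preset-env', '7.23.2'],
  ['@babel/helper-define-polyfill-provider', '0.4.3'],
  ['babel-plugin-polyfill-corejs2', '0.4.6'],
  ['babel-plugin-polyfill-corejs3', '0.8.5'],
  ['babel-plugin-polyfill-es-shims', '0.10.0'],
  ['babel-plugin-polyfill-regenerator', '0.5.3'],
]);

// Numeric x.y.z comparison (a string compare would rank 7.9.0 above 7.23.2).
// Simplification: prerelease and build suffixes are ignored.
function lt(a, b) {
  const num = (v) => v.split(/[-+]/)[0].split('.').map(Number);
  const [pa, pb] = [num(a), num(b)];
  for (let i = 0; i < 3; i++) {
    if ((pa[i] || 0) !== (pb[i] || 0)) return (pa[i] || 0) < (pb[i] || 0);
  }
  return false;
}

// Walk every installed copy, including nested node_modules, in a parsed lockfile.
function auditLock(lock) {
  const findings = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const idx = path.lastIndexOf('node_modules/');
    if (idx === -1 || !meta.version) continue; // skips the root project entry ""
    const name = path.slice(idx + 'node_modules/'.length);
    if (name === 'babel-traverse') {
      findings.push({ path, name, version: meta.version, status: 'no fix planned (Babel 6)' });
    } else if (FIXED.has(name) && lt(meta.version, FIXED.get(name))) {
      findings.push({ path, name, version: meta.version, status: `upgrade to >=${FIXED.get(name)}` });
    }
  }
  return findings;
}

// Constructed sample lockfile, not taken from a real project.
const sampleLock = { lockfileVersion: 3, packages: {
  '': { name: 'demo', version: '1.0.0' },
  'node_modules/@babel/traverse': { version: '7.23.2' },
  'node_modules/@babel/preset-env': { version: '7.22.9' },
  'node_modules/babel-core/node_modules/babel-traverse': { version: '6.26.0' },
  'node_modules/legacy/node_modules/@babel/traverse': { version: '7.9.0' },
  'node_modules/babel-plugin-polyfill-corejs3': { version: '0.8.5' },
}};

console.log(auditLock(sampleLock));
```

To check a real project, pass the result of JSON.parse on its package-lock.json to auditLock; nested copies matter because an old @babel/traverse can survive under a dependency even when the top-level copy is fixed.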