The babel-plugin-transform-es2015-modules-commonjs package, version 6.0.2, is a Babel plugin designed to transform ES2015 module syntax into CommonJS modules. This is crucial for developers targeting environments like Node.js which natively use CommonJS. Given the absence of data for the previous stable version, we can’t pinpoint exact changes, but focusing on version 6.0.2 and its implications for developers is insightful.
This version relies on several key dependencies, specifically babel-types, babel-runtime, and babel-template, all at version 6.0.2. This suggests a tightly coupled ecosystem where compatibility among these core Babel components is paramount. Keeping these dependencies in sync is vital for avoiding unexpected issues during the transformation process.
For developers, this plugin automates the often-tedious task of converting modern ES module syntax (import and export) into the require and module.exports format understood by CommonJS environments, so modern JavaScript can be written while keeping compatibility with CommonJS-only runtimes. The MIT license allows the plugin to be used in both open-source and commercial projects. The source code is housed on GitHub under the babel/babel repository, offering transparency and encouraging community contributions. The package is installable via npm using the tarball link provided, streamlining integration into development workflows. Understanding these dependencies and the purpose of this plugin lets developers adopt modern JavaScript features while still targeting CommonJS environments such as Node.js.
All vulnerabilities related to version 6.0.2 of the package
Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code
Using Babel to compile code that was specifically crafted by an attacker can lead to arbitrary code execution during compilation, when using plugins that rely on the path.evaluate() or path.evaluateTruthy() internal Babel methods.
Known affected plugins are:
- @babel/plugin-transform-runtime
- @babel/preset-env when using its useBuiltIns option
- plugins that depend on @babel/helper-define-polyfill-provider, such as babel-plugin-polyfill-corejs3, babel-plugin-polyfill-corejs2, babel-plugin-polyfill-es-shims and babel-plugin-polyfill-regenerator
No other plugins under the @babel/ namespace are impacted, but third-party plugins might be.
Users that only compile trusted code are not impacted.
The vulnerability has been fixed in @babel/traverse@7.23.2.
Babel 6 does not receive security fixes anymore (see Babel's security policy), hence there is no patch planned for babel-traverse@6.
- Upgrade @babel/traverse to v7.23.2 or higher. You can do this by deleting it from your package manager's lockfile and re-installing the dependencies. @babel/core >=7.23.2 will automatically pull in a non-vulnerable version.
- If you cannot upgrade @babel/traverse and are using one of the affected packages mentioned above, upgrade them to their latest version to avoid triggering the vulnerable code path in affected @babel/traverse versions:
  - @babel/plugin-transform-runtime v7.23.2
  - @babel/preset-env v7.23.2
  - @babel/helper-define-polyfill-provider v0.4.3
  - babel-plugin-polyfill-corejs2 v0.4.6
  - babel-plugin-polyfill-corejs3 v0.8.5
  - babel-plugin-polyfill-es-shims v0.10.0
  - babel-plugin-polyfill-regenerator v0.5.3
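As an added example (not part of the advisory or the Babel project), the following Node.js script audits a package-lock.json for @babel/traverse below the fixed 7.23.2, for the unpatched babel-traverse@6 line, and for the affected plugins below the versions listed above, including copies nested under other packages. The sample lockfile contents and the function names compareVersions and auditLockfile are constructed for this illustration.

```javascript
// Added example (not from the advisory or the Babel project): audit the
// "packages" map of a lockfileVersion 2/3 package-lock.json against the
// fixed versions the advisory lists. Lockfile v1 ("dependencies") is not handled.
const FIXED = {
  "@babel/traverse": "7.23.2",
  "@babel/plugin-transform-runtime": "7.23.2",
  "@babel/preset-env": "7.23.2",
  "@babel/helper-define-polyfill-provider": "0.4.3",
  "babel-plugin-polyfill-corejs2": "0.4.6",
  "babel-plugin-polyfill-corejs3": "0.8.5",
  "babel-plugin-polyfill-es-shims": "0.10.0",
  "babel-plugin-polyfill-regenerator": "0.5.3",
};
// Compare dotted numeric versions; a pre-release suffix is dropped, so
// "7.23.2-beta.1" counts as 7.23.2 (acceptable for an audit pass).
function compareVersions(a, b) {
  const pa = a.split("-")[0].split(".").map(Number);
  const pb = b.split("-")[0].split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}
// One finding per vulnerable or unpatched entry, nested installs included.
function auditLockfile(lock) {
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    // The last node_modules/<name> segment gives the package name (scoped or not).
    const m = path.match(/(?:^|\/)node_modules\/((?:@[^/]+\/)?[^/]+)$/);
    if (!m || !entry.version) continue;
    const name = m[1];
    if (name === "babel-traverse" && entry.version.startsWith("6.")) {
      findings.push({ path, name, version: entry.version, fixed: null }); // no patch exists
    } else if (FIXED[name] && compareVersions(entry.version, FIXED[name]) < 0) {
      findings.push({ path, name, version: entry.version, fixed: FIXED[name] });
    }
  }
  return findings;
}
// Constructed sample lockfile: a fixed top-level traverse, a vulnerable copy
// nested under preset-env, an outdated preset-env and a Babel 6 traverse.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  "node_modules/@babel/traverse": { version: "7.23.2" },
  "node_modules/@babel/preset-env/node_modules/@babel/traverse": { version: "7.22.8" },
  "node_modules/@babel/preset-env": { version: "7.22.9" },
  "node_modules/babel-traverse": { version: "6.26.0" },
} };
if (typeof require !== "undefined" && require.main === module) console.log(auditLockfile(SAMPLE_LOCK));
```

Run it against a real lockfile by replacing SAMPLE_LOCK with JSON.parse(fs.readFileSync("package-lock.json")); a finding with fixed: null means the Babel 6 line that will never receive a patch.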