Version 6.1.4 of babel-plugin-transform-es2015-modules-commonjs introduces key updates compared to its predecessor, version 6.1.3. This Babel plugin transforms ES2015 module syntax into CommonJS, which is needed in environments without native ES module support, notably older Node.js versions.
The most notable difference lies in the dependency updates. Version 6.1.4 raises babel-types to "^6.1.4" and babel-plugin-transform-strict-mode to "^6.1.4", where the previous version required "^6.0.18" and "^6.0.15" respectively. Those bumps may bring bug fixes, performance improvements and new features from the underlying packages; consult the changelogs of babel-types and babel-plugin-transform-strict-mode for the specific changes. The babel-template dependency remains at "^6.0.15" and babel-runtime at "^5.0.0" in both versions.
Additionally, version 6.1.4 adds a new devDependencies entry: babel-helper-plugin-test-runner at version "^6.1.4". This suggests improvements to the plugin's own test suite; as a devDependency it is not installed by consumers of the plugin and does not change the transformation at runtime. Better automated testing of the plugin itself reduces the risk of errors in the transformation process for projects relying on the CommonJS module format.
All vulnerabilities related to version 6.1.4 of the package
Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code
Using Babel to compile code that was specifically crafted by an attacker can lead to arbitrary code execution during compilation, when using plugins that rely on the path.evaluate() or path.evaluateTruthy() internal Babel methods.
Known affected plugins are:
@babel/plugin-transform-runtime
@babel/preset-env when using its useBuiltIns option
plugins built on @babel/helper-define-polyfill-provider, such as babel-plugin-polyfill-corejs3, babel-plugin-polyfill-corejs2, babel-plugin-polyfill-es-shims and babel-plugin-polyfill-regenerator
No other plugins under the @babel/ namespace are impacted, but third-party plugins might be.
Users that only compile trusted code are not impacted.
The vulnerability has been fixed in @babel/traverse@7.23.2.
Babel 6 does not receive security fixes anymore (see Babel's security policy), hence there is no patch planned for babel-traverse@6.
Upgrade @babel/traverse to v7.23.2 or higher. You can do this by deleting it from your package manager's lockfile and re-installing the dependencies. @babel/core >=7.23.2 will automatically pull in a non-vulnerable version.
If you cannot upgrade @babel/traverse and are using one of the affected packages mentioned above, upgrade them to their latest version to avoid triggering the vulnerable code path in affected @babel/traverse versions:
@babel/plugin-transform-runtime v7.23.2
@babel/preset-env v7.23.2
@babel/helper-define-polyfill-provider v0.4.3
babel-plugin-polyfill-corejs2 v0.4.6
babel-plugin-polyfill-corejs3 v0.8.5
babel-plugin-polyfill-es-shims v0.10.0
babel-plugin-polyfill-regenerator v0.5.3