Babel plugin transform ES2015 modules to CommonJS aids developers in converting modern JavaScript module syntax (ES Modules) into the widely compatible CommonJS format. This is crucial for projects targeting environments like Node.js or older browsers that don't natively support ES Modules. Comparing versions 6.22.0 and 6.18.0 reveals key dependency updates. Notably, version 6.22.0 upgrades its peer dependencies to babel-types, babel-runtime, babel-template, and babel-plugin-transform-strict-mode all to version ^6.22.0. This ensures compatibility with other Babel packages within the same ecosystem. In contrast, version 6.18.0 uses older, potentially incompatible, versions of these dependencies: babel-runtime at "^6.0.0" and babel-template at "^6.16.0".
These updates often bring bug fixes, performance improvements, and new API features that enhance the module transformation process. Therefore, developers are encouraged to use later versions for optimal performance. The babel-helper-plugin-test-runner dependency is consistent across both versions, indicating a stable testing framework for the plugin itself. Both versions are released under the MIT license and share the same repository URL on GitHub, indicating that the project's location and licensing terms have not changed. Picking 6.22.0 gives enhanced stability and better integration within current Babel setups, ensuring your ES module syntax is seamlessly converted.
All the vulnerabilities related to the version 6.22.0 of the package
Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code
Using Babel to compile code that was specifically crafted by an attacker can lead to arbitrary code execution during compilation, when using plugins that rely on the path.evaluate()or path.evaluateTruthy() internal Babel methods.
Known affected plugins are:
@babel/plugin-transform-runtime@babel/preset-env when using its useBuiltIns option@babel/helper-define-polyfill-provider, such as babel-plugin-polyfill-corejs3, babel-plugin-polyfill-corejs2, babel-plugin-polyfill-es-shims, babel-plugin-polyfill-regeneratorNo other plugins under the @babel/ namespace are impacted, but third-party plugins might be.
Users that only compile trusted code are not impacted.
The vulnerability has been fixed in @babel/traverse@7.23.2.
Babel 6 does not receive security fixes anymore (see Babel's security policy), hence there is no patch planned for babel-traverse@6.
@babel/traverse to v7.23.2 or higher. You can do this by deleting it from your package manager's lockfile and re-installing the dependencies. @babel/core >=7.23.2 will automatically pull in a non-vulnerable version.@babel/traverse and are using one of the affected packages mentioned above, upgrade them to their latest version to avoid triggering the vulnerable code path in affected @babel/traverse versions:
@babel/plugin-transform-runtime v7.23.2@babel/preset-env v7.23.2@babel/helper-define-polyfill-provider v0.4.3babel-plugin-polyfill-corejs2 v0.4.6babel-plugin-polyfill-corejs3 v0.8.5babel-plugin-polyfill-es-shims v0.10.0babel-plugin-polyfill-regenerator v0.5.3