Babel-preset-env is a powerful tool for JavaScript developers aiming to streamline their build process by automatically including the necessary Babel plugins to support specific target environments. Comparing versions 0.0.3 and 0.0.2 reveals subtle yet significant changes in the dependencies that directly impact the supported JavaScript features and the overall transformation process.
Version 0.0.3 simplifies the dependency list in its dependencies, notably removing plugins such as babel-plugin-transform-class-properties, babel-plugin-transform-decorators-legacy, babel-plugin-transform-do-expressions, babel-plugin-transform-es3-member-expression-literals, babel-plugin-transform-es3-property-literals, babel-plugin-transform-es5-property-mutators, babel-plugin-transform-export-extensions, babel-plugin-transform-function-bind, babel-plugin-transform-object-rest-spread, and babel-plugin-transform-proto-to-assign that were present in version 0.0.2. This indicates a possible shift in the default set of transformations or an increased reliance on external configuration for specific features. The core ES2015 transformation plugins remain consistent, ensuring continued support for fundamental ES2015 features.
Developers upgrading from 0.0.2 to 0.0.3 should carefully review their build configuration to ensure that any previously relied-upon features handled by the removed plugins are either no longer needed or are explicitly included through other means. The devDependencies remain largely unchanged, suggesting a continued focus on testing and linting best practices. While the simplified dependency list might hint at a more streamlined experience, developers should thoroughly assess their project's compatibility to avoid unexpected breakages. The MIT license ensures flexibility and ease of use in various projects contexts, empowering developers to leverage this tool effectively.
All the vulnerabilities related to the version 0.0.3 of the package
Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code
Using Babel to compile code that was specifically crafted by an attacker can lead to arbitrary code execution during compilation, when using plugins that rely on the path.evaluate()or path.evaluateTruthy() internal Babel methods.
Known affected plugins are:
@babel/plugin-transform-runtime@babel/preset-env when using its useBuiltIns option@babel/helper-define-polyfill-provider, such as babel-plugin-polyfill-corejs3, babel-plugin-polyfill-corejs2, babel-plugin-polyfill-es-shims, babel-plugin-polyfill-regeneratorNo other plugins under the @babel/ namespace are impacted, but third-party plugins might be.
Users that only compile trusted code are not impacted.
The vulnerability has been fixed in @babel/traverse@7.23.2.
Babel 6 does not receive security fixes anymore (see Babel's security policy), hence there is no patch planned for babel-traverse@6.
@babel/traverse to v7.23.2 or higher. You can do this by deleting it from your package manager's lockfile and re-installing the dependencies. @babel/core >=7.23.2 will automatically pull in a non-vulnerable version.@babel/traverse and are using one of the affected packages mentioned above, upgrade them to their latest version to avoid triggering the vulnerable code path in affected @babel/traverse versions:
@babel/plugin-transform-runtime v7.23.2@babel/preset-env v7.23.2@babel/helper-define-polyfill-provider v0.4.3babel-plugin-polyfill-corejs2 v0.4.6babel-plugin-polyfill-corejs3 v0.8.5babel-plugin-polyfill-es-shims v0.10.0babel-plugin-polyfill-regenerator v0.5.3