babel-preset-env is a Babel preset that lets developers use the latest JavaScript features while ensuring compatibility across different browsers and environments. Versions 1.1.9 and 1.1.8 share the same core functionality, both driven by a suite of Babel plugins that transform modern JavaScript into code that older environments can understand. Key transpilation dependencies, such as the plugins for arrow functions, classes, destructuring, and more, remain identical across both versions. The browserslist dependency, used to target specific browser versions, is also the same.
However, there are notable differences, mainly in the development dependencies, plus one important dependency update. Version 1.1.9 upgrades "eslint-config-babel" from version 3.0.0 in 1.1.8 to version 5.0.0, and "eslint" from version 3.3.1 to version 3.13.1, which indicates improvements in code linting and style enforcement. Most importantly, 1.1.9 updates compat-table from github:kangax/compat-table#e732718eab42c6c83a364450f456474638d31f94 to github:kangax/compat-table#688097f1ce623cb113640cc9108fe04fc418b823, an update to the compatibility data used to decide which transformations are necessary. Developers should consider upgrading to 1.1.9 for its refined linting configuration and potentially more accurate browser compatibility targeting from the updated compat-table. The core functionality is unchanged, so existing users get a smooth transition together with an improved development experience and better accuracy. The later release date also suggests a more recent update that may include bug fixes or optimizations.
All vulnerabilities related to version 1.1.9 of the package
Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code
Using Babel to compile code that was specifically crafted by an attacker can lead to arbitrary code execution during compilation, when using plugins that rely on the path.evaluate() or path.evaluateTruthy() internal Babel methods.
Known affected plugins are:
- @babel/plugin-transform-runtime
- @babel/preset-env when using its useBuiltIns option
- Any plugin that uses @babel/helper-define-polyfill-provider, such as babel-plugin-polyfill-corejs3, babel-plugin-polyfill-corejs2, babel-plugin-polyfill-es-shims and babel-plugin-polyfill-regenerator
No other plugins under the @babel/ namespace are impacted, but third-party plugins might be.
Users that only compile trusted code are not impacted.
The vulnerability has been fixed in @babel/traverse@7.23.2. Babel 6 does not receive security fixes anymore (see Babel's security policy), hence there is no patch planned for babel-traverse@6.
Patches:
- Upgrade @babel/traverse to v7.23.2 or higher. You can do this by deleting it from your package manager's lockfile and re-installing the dependencies. @babel/core >=7.23.2 will automatically pull in a non-vulnerable version.
- If you cannot upgrade @babel/traverse and are using one of the affected packages mentioned above, upgrade them to their latest version to avoid triggering the vulnerable code path in affected @babel/traverse versions:
  - @babel/plugin-transform-runtime v7.23.2
  - @babel/preset-env v7.23.2
  - @babel/helper-define-polyfill-provider v0.4.3
  - babel-plugin-polyfill-corejs2 v0.4.6
  - babel-plugin-polyfill-corejs3 v0.8.5
  - babel-plugin-polyfill-es-shims v0.10.0
  - babel-plugin-polyfill-regenerator v0.5.3