babel-preset-react-app is the Babel preset built for Create React App (CRA) projects; it packages the Babel configuration needed for React development so that it does not have to be assembled by hand. Versions 7.0.1 and 7.0.2 share the same goal: a production-ready Babel configuration for React applications. Both bundle the essential Babel plugins and presets, covering modern JavaScript syntax, React JSX transformation, TypeScript support, and performance optimizations. This pre-configured setup substantially reduces the boilerplate needed to start building a React application with CRA.
Comparing the dependency lists of the two versions shows no changes: both declare the same underlying Babel packages at the same versions, so the update most likely consists of internal configuration changes or bug fixes rather than new features. The unpackedSize shrinks slightly, from 18809 in 7.0.1 to 18757 in 7.0.2, which may reflect minor tidying of the preset's configuration. The most visible difference is the release date, with almost a month between the two releases. Developers who prioritize stability should weigh the release date and how long the update has been available. In general, the latest version of babel-preset-react-app is the better choice, since it carries the most recent refinements and may address known issues, although with identical dependencies the differences here are probably minimal. Refer to the official changelog and release notes, where available, for the specific changes.
All vulnerabilities related to version 7.0.2 of the package
Babel has inefficient RegExp complexity in generated code with .replace when transpiling named capturing groups
When using Babel to compile regular expression named capturing groups, Babel will generate a polyfill for the .replace method that has quadratic complexity on some specific replacement pattern strings (i.e. the second argument passed to .replace).
Your generated code is vulnerable if all the following conditions are true:
- you use Babel to compile regular expressions that contain named capturing groups
- you use the .replace method on a regular expression that contains named capturing groups
- the second argument passed to .replace comes from untrusted input
If you are using @babel/preset-env with the targets option, the transform that injects the vulnerable code is automatically enabled if:
You can verify what transforms @babel/preset-env is using by enabling the debug option.
This problem has been fixed in @babel/helpers and @babel/runtime 7.26.10 and 8.0.0-alpha.17, please upgrade. It's likely that you do not directly depend on @babel/helpers, and instead you depend on @babel/core (which itself depends on @babel/helpers). Upgrading to @babel/core 7.26.10 is not required, but it guarantees that you are on a new enough @babel/helpers version.
Please note that just updating your Babel dependencies is not enough: you will also need to re-compile your code.
If you are passing user-provided strings as the second argument of .replace on regular expressions that contain named capturing groups, validate the input and make sure it does not contain the substring $< if it's then not followed by > (possibly with other characters in between).
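The workaround above as an added example (not code from the advisory or from Babel): a linear-time check that a replacement string has no "$<" left without a later ">", wrapped around .replace so an unterminated reference is rejected before it reaches the transpiled polyfill. The regex, input and function names are constructed for illustration.

```javascript
// Added example, not from Babel or the advisory.
// A replacement string is unsafe for the transpiled .replace polyfill when it
// contains "$<" that is never followed by ">" later in the string. Comparing
// the position of the last "$<" with the last ">" decides this in O(n).
function isSafeReplacement(replacement) {
  const lastOpen = replacement.lastIndexOf("$<");
  if (lastOpen === -1) return true;        // no named-group reference at all
  const lastClose = replacement.lastIndexOf(">");
  return lastClose >= lastOpen + 2;        // some ">" follows the final "$<"
}

// Guarded wrapper: refuses the replacement instead of passing it through.
function replaceWithNamedGroups(regex, input, replacement) {
  if (!isSafeReplacement(replacement)) {
    throw new RangeError("replacement contains an unterminated $< reference");
  }
  return input.replace(regex, replacement);
}

// Constructed sample: rewrite an ISO date as day/month/year via named groups.
const ISO_DATE = /(?<year>\d{4})-(?<month>\d{2})-(?<day>\d{2})/;

function demo() {
  const ok = replaceWithNamedGroups(ISO_DATE, "2025-03-11", "$<day>/$<month>/$<year>");
  // Constructed unterminated pattern: repeated "$<" with no closing ">".
  const unterminated = "$<".repeat(1000);
  let rejected = false;
  try {
    replaceWithNamedGroups(ISO_DATE, "2025-03-11", unterminated);
  } catch (e) {
    rejected = e instanceof RangeError;
  }
  return { ok, rejected };
}
```

Run demo() to see the well-formed pattern produce "11/03/2025" while the unterminated one is rejected before .replace is called.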
This vulnerability was reported and fixed in https://github.com/babel/babel/pull/17173.