Babel Preset Stage-0 streamlines the process of incorporating cutting-edge JavaScript features into your projects. This preset bundles plugins that implement proposals in Stage 0 of the TC39 standardization process, offering developers an early glimpse and easy adoption of features potentially shaping the future of JavaScript. Comparing version 6.5.0 with its predecessor, 6.3.13, reveals subtle yet important advancements. While the core dependencies like "babel-plugin-transform-do-expressions", "babel-plugin-transform-function-bind", and "babel-preset-stage-1" remain consistent, suggesting feature stability in these areas, the upgrade signifies more than just a version bump.
The key difference lies in the release date: version 6.5.0 was published in February 2016, while 6.3.13 dates back to December 2015. This implies that version 6.5.0 includes bug fixes, performance improvements, or compatibility tweaks that may not be present in the older version. For developers, staying up-to-date with the latest version ensures access to the most refined implementation of Stage 0 features. Even though the dependency versions are identical, the newer release might incorporate updated build processes or internal handling of those dependencies, making it a generally recommended upgrade for improved overall stability and potentially better performance when utilizing experimental JavaScript features. Utilizing babel-preset-stage-0 allows developers to write more future-proof code, leveraging upcoming language enhancements with the comfort of Babel's robust transpilation capabilities. Remember to always check for compatibility issues associated with experimental features before deploying to production.
All the vulnerabilities related to the version 6.5.0 of the package
Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code
Using Babel to compile code that was specifically crafted by an attacker can lead to arbitrary code execution during compilation, when using plugins that rely on the path.evaluate()or path.evaluateTruthy() internal Babel methods.
Known affected plugins are:
@babel/plugin-transform-runtime@babel/preset-env when using its useBuiltIns option@babel/helper-define-polyfill-provider, such as babel-plugin-polyfill-corejs3, babel-plugin-polyfill-corejs2, babel-plugin-polyfill-es-shims, babel-plugin-polyfill-regeneratorNo other plugins under the @babel/ namespace are impacted, but third-party plugins might be.
Users that only compile trusted code are not impacted.
The vulnerability has been fixed in @babel/traverse@7.23.2.
Babel 6 does not receive security fixes anymore (see Babel's security policy), hence there is no patch planned for babel-traverse@6.
@babel/traverse to v7.23.2 or higher. You can do this by deleting it from your package manager's lockfile and re-installing the dependencies. @babel/core >=7.23.2 will automatically pull in a non-vulnerable version.@babel/traverse and are using one of the affected packages mentioned above, upgrade them to their latest version to avoid triggering the vulnerable code path in affected @babel/traverse versions:
@babel/plugin-transform-runtime v7.23.2@babel/preset-env v7.23.2@babel/helper-define-polyfill-provider v0.4.3babel-plugin-polyfill-corejs2 v0.4.6babel-plugin-polyfill-corejs3 v0.8.5babel-plugin-polyfill-es-shims v0.10.0babel-plugin-polyfill-regenerator v0.5.3