Babel Preset Stage 2 is a collection of Babel plugins designed to enable ECMAScript features that are currently at stage 2 of the TC39 standardization process. This means the features are likely to be included in future versions of JavaScript, providing developers with an opportunity to experiment and adopt upcoming language enhancements early. This preset eases the adoption of these features within Babel-enabled JavaScript projects.
Comparing version 6.5.0 with the preceding stable version, 6.3.13, one doesn't see immediate code-level differences regarding explicitly declared dependencies. Both versions share the same declared dependencies: babel-preset-stage-3, babel-plugin-transform-object-rest-spread, and babel-plugin-syntax-trailing-function-commas, all pointing to compatible versions. This indicates that the core functionality and supported features of the preset remained consistent between these releases.
The significant difference lies in the release date. Version 6.5.0 was published on February 7, 2016, while version 6.3.13 was released on December 4, 2015. The two month gap suggests that version 6.5.0 addresses potential bug fixes, performance improvements, or internal updates that don't directly impact the declared dependencies. Developers upgrading to 6.5.0 could anticipate enhanced stability and potential refinements within the existing Stage 2 features without breaking changes to their codebase. For developers incorporating this preset, it provides a simplified means of using evolving JavaScript syntax enhancements managed through a single point of configuration.
All the vulnerabilities related to the version 6.5.0 of the package
Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code
Using Babel to compile code that was specifically crafted by an attacker can lead to arbitrary code execution during compilation, when using plugins that rely on the path.evaluate()or path.evaluateTruthy() internal Babel methods.
Known affected plugins are:
@babel/plugin-transform-runtime@babel/preset-env when using its useBuiltIns option@babel/helper-define-polyfill-provider, such as babel-plugin-polyfill-corejs3, babel-plugin-polyfill-corejs2, babel-plugin-polyfill-es-shims, babel-plugin-polyfill-regeneratorNo other plugins under the @babel/ namespace are impacted, but third-party plugins might be.
Users that only compile trusted code are not impacted.
The vulnerability has been fixed in @babel/traverse@7.23.2.
Babel 6 does not receive security fixes anymore (see Babel's security policy), hence there is no patch planned for babel-traverse@6.
@babel/traverse to v7.23.2 or higher. You can do this by deleting it from your package manager's lockfile and re-installing the dependencies. @babel/core >=7.23.2 will automatically pull in a non-vulnerable version.@babel/traverse and are using one of the affected packages mentioned above, upgrade them to their latest version to avoid triggering the vulnerable code path in affected @babel/traverse versions:
@babel/plugin-transform-runtime v7.23.2@babel/preset-env v7.23.2@babel/helper-define-polyfill-provider v0.4.3babel-plugin-polyfill-corejs2 v0.4.6babel-plugin-polyfill-corejs3 v0.8.5babel-plugin-polyfill-es-shims v0.10.0babel-plugin-polyfill-regenerator v0.5.3