Babel Preset Stage 3 is a configuration package for Babel, the JavaScript compiler. It bundles together a set of Babel plugins that implement features proposed for inclusion in future versions of JavaScript, specifically those at Stage 3 of the TC39 standardization process. This means the features are relatively stable and likely to be included in the language.
Comparing versions 6.0.14 and 6.0.15, the core functionality remains the same. Both rely on the same dependency versions of "babel-plugin-transform-async-to-generator" and "babel-plugin-transform-exponentiation-operator". These plugins enable developers to use async/await syntax sugar and the exponentiation operator (**) in their JavaScript code, even if the target environment doesn't natively support them. Babel handles the transformation of these features into compatible JavaScript.
The key difference lies in the releaseDate. Version 6.0.15 was published on November 1, 2015, shortly after version 6.0.14, released on October 30, 2015. While the dependency versions are identical, the newer release likely contains bug fixes, minor adjustments, or internal improvements. For developers, upgrading from 6.0.14 to 6.0.15 is recommended to benefit from the latest refinements, even if the change log isn't explicitly detailed. It ensures a more stable and potentially performant compilation process when utilizing Stage 3 features. Using Babel Preset Stage 3 allows developers to adopt cutting-edge JavaScript syntax with confidence, bridging the gap between latest proposals and wider browser support.
All the vulnerabilities related to the version 6.0.15 of the package
Babel vulnerable to arbitrary code execution when compiling specifically crafted malicious code
Using Babel to compile code that was specifically crafted by an attacker can lead to arbitrary code execution during compilation, when using plugins that rely on the path.evaluate()or path.evaluateTruthy() internal Babel methods.
Known affected plugins are:
@babel/plugin-transform-runtime@babel/preset-env when using its useBuiltIns option@babel/helper-define-polyfill-provider, such as babel-plugin-polyfill-corejs3, babel-plugin-polyfill-corejs2, babel-plugin-polyfill-es-shims, babel-plugin-polyfill-regeneratorNo other plugins under the @babel/ namespace are impacted, but third-party plugins might be.
Users that only compile trusted code are not impacted.
The vulnerability has been fixed in @babel/traverse@7.23.2.
Babel 6 does not receive security fixes anymore (see Babel's security policy), hence there is no patch planned for babel-traverse@6.
@babel/traverse to v7.23.2 or higher. You can do this by deleting it from your package manager's lockfile and re-installing the dependencies. @babel/core >=7.23.2 will automatically pull in a non-vulnerable version.@babel/traverse and are using one of the affected packages mentioned above, upgrade them to their latest version to avoid triggering the vulnerable code path in affected @babel/traverse versions:
@babel/plugin-transform-runtime v7.23.2@babel/preset-env v7.23.2@babel/helper-define-polyfill-provider v0.4.3babel-plugin-polyfill-corejs2 v0.4.6babel-plugin-polyfill-corejs3 v0.8.5babel-plugin-polyfill-es-shims v0.10.0babel-plugin-polyfill-regenerator v0.5.3