Ant Design, a popular React UI library, saw a version bump from 2.5.3 to 2.6.0, bringing several updates for developers. Both versions maintain the core architecture for building enterprise-grade user interfaces, offering a comprehensive suite of components like buttons, forms, menus, and tables. They share a common set of dependencies, including moment for date handling, rc-form for form management, and various rc-* components from the React Component suite, ensuring consistent functionality and styling.
The key difference is the rc-form dependency, updated from ~1.0.0 to ~1.1.0, which may bring new features, bug fixes, or API refinements to form handling. Developers upgrading to 2.6.0 should review the rc-form changelog for any breaking changes or improvements relevant to their form implementations so that the forms in their app benefit from the updated behaviour. All other dependencies, both direct and development, are unchanged between the two versions, which suggests a focused update on the form component rather than a sweeping overhaul of the library. Ant Design continues to help developers build polished, enterprise-level applications.
All vulnerabilities affecting version 2.6.0 of the package
Regular Expression Denial of Service in moment
Affected versions of moment are vulnerable to a low severity regular expression denial of service when parsing dates as strings.
Update to version 2.19.3 or later.
Path Traversal: 'dir/../../filename' in moment.locale
This vulnerability impacts npm (server) users of moment.js, especially where a user-provided locale string (e.g. fr) is passed directly to switch the moment locale.
This problem is patched in 2.29.2, and the patch can be applied to all affected versions (from 1.0.1 up until 2.29.1, inclusive).
Sanitize user-provided locale name before passing it to moment.js.
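One way to apply that sanitization, as an added example (not code from moment.js or Ant Design): validate the requested locale name against a strict tag pattern and an allowlist of the locales the app actually bundles before it ever reaches moment.locale(). The SUPPORTED_LOCALES set and the safeLocale name are assumptions for illustration.

```javascript
// Added example (not moment.js or Ant Design code): validate a user-supplied
// locale name before it reaches moment.locale(), as the advisory recommends.
// Locale identifiers moment ships are short tags such as "fr", "en-gb",
// "zh-cn": letters, digits and hyphens only. Anything else is rejected, so a
// value like "dir/../../filename" can never be used as a path component.
const LOCALE_PATTERN = /^[a-z]{2,3}(-[a-z0-9]{2,8})*$/i;

// Constructed allowlist for this example; a real app lists the locales it
// actually bundles. The allowlist is the real control; the pattern check
// above it is defence in depth.
const SUPPORTED_LOCALES = new Set(["en", "en-gb", "fr", "de", "zh-cn"]);

const DEFAULT_LOCALE = "en";

// Returns the locale to use: the requested one if it is well-formed and
// supported, otherwise the default. Never throws on bad input.
function safeLocale(requested) {
  if (typeof requested !== "string") return DEFAULT_LOCALE;
  const candidate = requested.trim().toLowerCase();
  if (candidate.length === 0 || candidate.length > 35) return DEFAULT_LOCALE;
  if (!LOCALE_PATTERN.test(candidate)) return DEFAULT_LOCALE;
  if (!SUPPORTED_LOCALES.has(candidate)) return DEFAULT_LOCALE;
  return candidate;
}

// Usage sketch: only the validated value is handed to moment.
// const moment = require("moment");
// moment.locale(safeLocale(req.query.lang));
```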
Prototype Pollution in lodash
Versions of lodash prior to 4.17.19 are vulnerable to Prototype Pollution. The functions pick, set, setWith, update, updateWith, and zipObjectDeep allow a malicious user to modify the prototype of Object if the property identifiers are user-supplied. Being affected by this issue requires manipulating objects based on user-provided property values or arrays.
This vulnerability causes the addition or modification of an existing property that will exist on all objects and may lead to Denial of Service or Code Execution under specific circumstances.
node-fetch forwards secure headers to untrusted sites
node-fetch forwards secure headers such as authorization, www-authenticate, cookie, and cookie2 when redirecting to an untrusted site.