Ant Design (antd) is a popular, enterprise-class UI design language and React-based implementation. Comparing versions 2.6.0 and 2.6.1, while seemingly a minor patch, reveals subtle but important changes for developers. Both versions share identical dependencies, including core libraries like moment, rc-form, rc-menu, and react-slick, ensuring a consistent experience with date handling, form management, menu structures, and carousel components. Development dependencies also remain the same, indicating stability in the tooling used for building and testing the library, encompassing tools like jest, enzyme, eslint, and bisheng for testing, linting, and documentation generation.
The key difference lies in the release date, with version 2.6.1 released approximately five days after 2.6.0. This suggests that 2.6.1 likely includes bug fixes or minor improvements identified shortly after the initial 2.6.0 release. While the specific fixes aren't detailed in the metadata, developers should consider upgrading to 2.6.1, if only to benefit from potential stability enhancements. For developers using Ant Design, this highlights the importance of staying current with minor versions and reflects antd's practice of shipping regular updates. Since both versions share the same core dependencies and development tools, transitioning between them should be seamless, letting developers focus on using antd's range of components to build robust and visually appealing user interfaces.
Vulnerabilities related to version 2.6.1 of the package
Regular Expression Denial of Service in moment
Affected versions of moment are vulnerable to a low-severity regular expression denial of service when parsing dates as strings.
Update to version 2.19.3 or later.
Path Traversal: 'dir/../../filename' in moment.locale
This vulnerability impacts npm (server) users of moment.js, especially if a user-provided locale string, e.g. fr, is directly used to switch the moment locale.
This problem is patched in 2.29.2, and the patch can be applied to all affected versions (from 1.0.1 up until 2.29.1, inclusive).
Sanitize user-provided locale name before passing it to moment.js.
Prototype Pollution in lodash
Versions of lodash prior to 4.17.19 are vulnerable to Prototype Pollution. The functions pick, set, setWith, update, updateWith, and zipObjectDeep allow a malicious user to modify the prototype of Object if the property identifiers are user-supplied. Being affected by this issue requires manipulating objects based on user-provided property values or arrays.
This vulnerability causes the addition or modification of an existing property that will exist on all objects and may lead to Denial of Service or Code Execution under specific circumstances.
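The defensive check a practitioner wants here, as an added example that is not the page's or lodash's own code: a minimal path-based setter in the style of lodash's set() that refuses the prototype-reaching path segments (__proto__, constructor, prototype) before walking the object, applied to a constructed batch of user-supplied updates. The function and sample names are assumptions for illustration.

```javascript
// Added example, not lodash code: a path setter with a guard against
// path segments that would reach Object.prototype.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Accepts a dotted string ("a.b.c") or an array of segments, like lodash.
function toPath(path) {
  return Array.isArray(path) ? path.map(String) : String(path).split(".");
}

// Throws instead of writing when any segment is a prototype-reaching key.
// Everything else is written onto plain own properties of `obj`.
function safeSet(obj, path, value) {
  const segments = toPath(path);
  for (const seg of segments) {
    if (FORBIDDEN_KEYS.has(seg)) {
      throw new Error(`refusing to set prototype-reaching key: ${seg}`);
    }
  }
  let cursor = obj;
  for (let i = 0; i < segments.length - 1; i++) {
    const seg = segments[i];
    // Only descend into own, non-null object values; otherwise create a
    // fresh plain object so the walk never lands on an inherited property.
    if (!Object.prototype.hasOwnProperty.call(cursor, seg) ||
        cursor[seg] === null || typeof cursor[seg] !== "object") {
      cursor[seg] = {};
    }
    cursor = cursor[seg];
  }
  cursor[segments[segments.length - 1]] = value;
  return obj;
}

// Applies a user-supplied { path: value } map (as a JSON body would yield)
// and reports the rejected paths so the caller can log them.
function applyUserUpdates(target, updates) {
  const rejected = [];
  for (const [path, value] of Object.entries(updates)) {
    try { safeSet(target, path, value); } catch (e) { rejected.push(path); }
  }
  return { target, rejected };
}

// Constructed sample input: two benign updates and two pollution attempts.
const SAMPLE_UPDATES = {
  "user.name": "alice",
  "settings.theme": "dark",
  "__proto__.polluted": true,
  "constructor.prototype.isAdmin": true,
};
```

A regression test can run applyUserUpdates over SAMPLE_UPDATES and then assert that `({}).polluted` and `({}).isAdmin` are still undefined.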
node-fetch forwards secure headers to untrusted sites
node-fetch forwards secure headers such as authorization, www-authenticate, cookie, and cookie2 when redirecting to an untrusted site.