Ant Design (antd), a popular React UI library, released version 2.6.2 shortly after 2.6.1 as an incremental update; both versions keep the same promise of enterprise-class UI components. Comparing the dependency lists, the main difference in runtime dependencies is rc-calendar, which moves from ~7.5.1 in 2.6.1 to ~7.6.0 in 2.6.2 (a tilde range, so 7.6.x patch releases only), which points to bug fixes or minor feature work in the calendar component.
Among the development dependencies, several updates stand out: jest goes from ^17.0.1 to ^18.1.0, eslint-plugin-jsx-a11y from ^2.2.3 to ^3.0.2, and @types/react from ~0.14.41 to ^15.0.0. These bring the test runner, the accessibility lint rules (important for building inclusive applications) and the TypeScript type declarations in line with React 15. Note that these are devDependencies of antd itself: npm does not install them for applications that depend on antd, so they matter to contributors working on the library's own test and lint setup rather than to consumers, and the component APIs most likely remain consistent between the two releases. The release also picks up bug fixes and enhancements in bisheng, the documentation generation tool, and newer versions of internal testing libraries. 2.6.2 was released on January 14, 2017; 2.6.1 on January 6, 2017.
All known vulnerabilities affecting version 2.6.2 of the package. Each of them lives in a dependency (moment, lodash, node-fetch) rather than in antd's own code, so the fix in every case is to make sure the resolved version of that dependency is at or above the patched release.
Regular Expression Denial of Service in moment
Affected versions of moment (before 2.19.3) are vulnerable to a low-severity regular expression denial of service (ReDoS) when parsing dates from strings: a crafted input string makes the parser's regular expression backtrack catastrophically, tying up the Node.js event loop for as long as the match runs. Update to version 2.19.3 or later.
Path Traversal: 'dir/../../filename' in moment.locale
This vulnerability affects npm (server-side) users of moment.js, especially where a user-provided locale string (e.g. fr) is passed directly to moment.locale(). The locale name is used to build the path of the locale module that moment loads, so a value containing ../ segments can reach files outside the locale directory. The problem is patched in 2.29.2, and the patch applies to all affected versions (from 1.0.1 up to and including 2.29.1). Sanitize user-provided locale names (ideally against an allow-list of locales the application ships) before passing them to moment.js, and upgrade.
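The allow-listing described above, as an added example (not moment.js's own code): the candidate name must have the shape of a moment locale tag and must be one the application actually ships. `sanitizeLocale`, `LOCALE_TAG` and the `SHIPPED_LOCALES` set are constructed for this illustration; in a real application the set would come from `moment.locales()`.

```javascript
// Added example, not moment.js code: allow-list a user-supplied locale name
// before it is handed to moment.locale().

// Locale tags moment uses look like "fr", "en-gb", "zh-cn", "x-pseudo": a short
// alphabetic language part followed by optional hyphenated subtags. No "/",
// "\\" or "." can pass, so "../../etc/passwd" never reaches the module loader.
const LOCALE_TAG = /^[a-z]{1,3}(?:-[a-z0-9]{1,8})*$/;

// Constructed allow-list standing in for new Set(moment.locales()) at runtime.
const SHIPPED_LOCALES = new Set(['en', 'en-gb', 'fr', 'zh-cn']);

// Returns a safe locale name, or the fallback when the input is rejected.
function sanitizeLocale(input, allowed = SHIPPED_LOCALES, fallback = 'en') {
  if (typeof input !== 'string') return fallback;  // arrays, objects, undefined
  const name = input.trim().toLowerCase();
  if (name.length > 35) return fallback;           // BCP 47 tags are short
  if (!LOCALE_TAG.test(name)) return fallback;     // shape check: no path chars
  if (!allowed.has(name)) return fallback;         // existence check
  return name;
}

// Usage in an HTTP handler (assumption: `moment` is required elsewhere):
//   moment.locale(sanitizeLocale(req.query.lang, new Set(moment.locales())));
```

The shape check alone already blocks the traversal payload; the existence check additionally stops moment from attempting to load a module for an arbitrary but well-formed name, which is the cheaper failure mode to reason about. Upgrading to 2.29.2 is still required, since the sanitizer only protects the call sites you remember to wrap.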
Prototype Pollution in lodash
Versions of lodash prior to 4.17.19 are vulnerable to Prototype Pollution. The functions pick, set, setWith, update, updateWith, and zipObjectDeep allow a malicious user to modify the prototype of Object if the property identifiers (the path segments) are user-supplied. Being affected by this issue requires manipulating objects based on user-provided property values or arrays, for example feeding a request body's keys or a dotted path parameter straight into _.set.
A polluted prototype adds or modifies a property that then exists on every object in the process, which may lead to denial of service (code paths that misbehave because an unexpected property is now truthy) or, under specific circumstances such as template engines or option objects reaching a shell, to code execution.
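To make the mechanism concrete, here is an added example that is not lodash's code: a naive deep `set` with the flaw the advisory describes, next to a hardened version that refuses prototype-reaching segments. `naiveSet`, `safeSet`, `FORBIDDEN_KEYS` and the demonstration helpers are constructed for this illustration; the attacker path `__proto__.isAdmin` is a constructed sample.

```javascript
// Added example, not lodash code. Paths are dotted strings such as
// "profile.name"; the attacker-controlled path is "__proto__.isAdmin".

// Vulnerable: walks the path with plain property access. For the segment
// "__proto__", cur["__proto__"] returns Object.prototype, so the final
// assignment lands on the prototype shared by every object in the process.
function naiveSet(target, path, value) {
  const keys = path.split('.');
  let cur = target;
  for (let i = 0; i < keys.length - 1; i++) {
    if (cur[keys[i]] == null) cur[keys[i]] = {};
    cur = cur[keys[i]];
  }
  cur[keys[keys.length - 1]] = value;
  return target;
}

// Hardened: refuse the segments that can reach a prototype, and only descend
// into own properties so an inherited object is never walked into.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeSet(target, path, value) {
  const keys = path.split('.');
  for (const k of keys) {
    if (FORBIDDEN_KEYS.has(k)) throw new Error(`unsafe path segment: ${k}`);
  }
  let cur = target;
  for (let i = 0; i < keys.length - 1; i++) {
    const k = keys[i];
    const own = Object.prototype.hasOwnProperty.call(cur, k);
    if (!own || typeof cur[k] !== 'object' || cur[k] === null) cur[k] = {};
    cur = cur[k];
  }
  cur[keys[keys.length - 1]] = value;
  return target;
}

// Runs the attack against naiveSet, records the effect on a brand-new object,
// then removes the polluted property so the process is left sane.
function demonstratePollution() {
  const before = {}.isAdmin;                   // undefined
  naiveSet({}, '__proto__.isAdmin', true);     // attacker-controlled path
  const after = {}.isAdmin;                    // true: every object is "admin"
  delete Object.prototype.isAdmin;             // cleanup
  return { before, after, cleaned: {}.isAdmin };
}

// Same attack against safeSet: returns the error message it is rejected with.
function demonstrateHardened() {
  try {
    safeSet({}, '__proto__.isAdmin', true);
    return 'not blocked';
  } catch (e) {
    return e.message;
  }
}
```

The `hasOwnProperty` check matters on its own: even with the three names blocked, descending through an inherited property would let a path rewrite a shared object that some other code placed on a prototype. lodash 4.17.19 takes the same approach of refusing those key names; the upgrade is the fix, and the guard above is the pattern to apply to any hand-rolled deep-set or merge that takes user-controlled keys.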
node-fetch forwards secure headers to untrusted sites
node-fetch forwards secure headers such as authorization, www-authenticate, cookie, and cookie2 when following a redirect to an untrusted site (a different domain from the original request). A request carrying a bearer token to a trusted API that answers with a 3xx to an attacker-controlled host therefore hands that token to the attacker. Fixed in node-fetch 2.6.7 and 3.1.1, which drop these headers when the redirect target is not the original host or one of its subdomains.
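The redirect decision described above, as an added example that is not node-fetch's own code: credential-bearing headers are dropped unless the redirect target is the original host or one of its subdomains. `isTrustedRedirect`, `headersForRedirect`, `SENSITIVE_HEADERS` and the `SAMPLE_HEADERS` object are constructed for this illustration, and the https-to-http downgrade check goes one step beyond what the advisory describes.

```javascript
// Added example, not node-fetch code: decide which request headers may
// accompany a redirect. Credential-bearing headers are dropped unless the
// target is the original host or a subdomain of it and the scheme is not
// downgraded from https to http (the downgrade check is an extra precaution).

const SENSITIVE_HEADERS = new Set([
  'authorization', 'www-authenticate', 'cookie', 'cookie2',
]);

// True when `toUrl` is on the same host as `fromUrl` or on one of its
// subdomains, and the redirect does not fall from https to plain http.
function isTrustedRedirect(fromUrl, toUrl) {
  const from = new URL(fromUrl);
  const to = new URL(toUrl);
  const sameOrSub =
    to.hostname === from.hostname || to.hostname.endsWith('.' + from.hostname);
  const downgraded = from.protocol === 'https:' && to.protocol === 'http:';
  return sameOrSub && !downgraded;
}

// Returns the headers to send on the redirected request. Header names are
// compared case-insensitively, as HTTP requires.
function headersForRedirect(headers, fromUrl, toUrl) {
  const trusted = isTrustedRedirect(fromUrl, toUrl);
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    if (!trusted && SENSITIVE_HEADERS.has(name.toLowerCase())) continue; // strip
    out[name] = value;
  }
  return out;
}

// Constructed sample: headers an API client would typically send.
const SAMPLE_HEADERS = {
  Authorization: 'Bearer example-token',
  Cookie: 'session=abc123',
  Accept: 'application/json',
};
```

Note the direction of the subdomain test: a redirect from api.example.com to example.com is treated as cross-domain and stripped, while example.com to cdn.example.com is allowed, which matches the "same host or a subdomain" rule. If your client only ever talks to one host, the simplest hardening is stricter still: pass `redirect: 'manual'` and refuse to follow redirects at all.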