Ant Design (antd) is a popular React UI library, providing a suite of ready-to-use components for building enterprise-level applications. Comparing versions 2.6.3 and 2.6.4 reveals subtle but noteworthy changes for developers. Both versions share a core set of dependencies, showcasing stability in foundational libraries like moment, rc-form, and various rc-* components.
Delving into the differences, version 2.6.4 introduces updates primarily within the development environment. A key change is the bisheng version, which moves from 0.18.0 to 0.20.0. Notably, some dev dependencies of version 2.6.3 were changed or removed in 2.6.4, such as "history": "^4.4.0", "css-split-webpack-plugin": "^0.2.1" and "jsonml-to-react-component": "~0.2.0", and the bisheng plugins were upgraded. These updates let developers use a newer version of antd alongside other newer libraries in their projects.
Developers migrating to version 2.6.4 should be aware of these updated dev dependencies and test their apps accordingly. The core component libraries remain consistent; these updates are focused on improving the development workflow and build processes. Both versions keep the MIT license, ensuring flexibility for developers. The release dates also indicate a quick succession, suggesting that bug fixes or minor enhancements drove the new release.
All vulnerabilities related to version 2.6.4 of the package
Regular Expression Denial of Service in moment
Affected versions of moment are vulnerable to a low severity regular expression denial of service when parsing dates as strings.
Update to version 2.19.3 or later.
Path Traversal: 'dir/../../filename' in moment.locale
This vulnerability impacts npm (server) users of moment.js, especially if a user-provided locale string, e.g. fr, is directly used to switch the moment locale.
This problem is patched in 2.29.2, and the patch can be applied to all affected versions (from 1.0.1 up until 2.29.1, inclusive).
Sanitize user-provided locale name before passing it to moment.js.
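One way to apply the "sanitize the locale name" mitigation above, as an added example that is not part of the original advisory or of moment.js; the SUPPORTED_LOCALES allowlist and the isWellFormedLocale/selectLocale names are assumptions:

```javascript
// Added example (not from antd or moment.js): validate a user-supplied locale
// name before it reaches moment.locale(). moment resolves the name to a file
// under its locale/ directory, so anything that is not a plain locale tag must
// be rejected rather than passed through.

// Locale tags moment ships look like "fr", "en-gb" or "zh-cn": lower-case
// letters and digits separated by single hyphens, nothing else.
const LOCALE_TAG = /^[a-z]{2,3}(?:-[a-z0-9]{2,8})*$/;

// Allowlist of locales this application actually bundles (constructed sample).
const SUPPORTED_LOCALES = new Set(['en', 'en-gb', 'fr', 'de', 'zh-cn']);

const DEFAULT_LOCALE = 'en';

// Returns true only for a well-formed locale tag. Path separators, "..", dots,
// NUL bytes and over-long strings all fail the pattern.
function isWellFormedLocale(name) {
  if (typeof name !== 'string' || name.length === 0 || name.length > 35) return false;
  return LOCALE_TAG.test(name);
}

// Maps untrusted input (query string, header, cookie) to a locale that is safe
// to hand to moment.locale(). Malformed or unknown input falls back to
// DEFAULT_LOCALE instead of throwing, so a bad request cannot change state.
function selectLocale(userInput, supported = SUPPORTED_LOCALES) {
  if (typeof userInput !== 'string') return DEFAULT_LOCALE;
  // Normalise common variants such as "en_GB" before checking the allowlist.
  const candidate = userInput.trim().toLowerCase().replace(/_/g, '-');
  if (!isWellFormedLocale(candidate)) return DEFAULT_LOCALE;
  return supported.has(candidate) ? candidate : DEFAULT_LOCALE;
}

// Intended call site (left as a comment so the example runs without moment):
//   moment.locale(selectLocale(req.query.lang));
```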
Prototype Pollution in lodash
Versions of lodash prior to 4.17.19 are vulnerable to Prototype Pollution. The functions pick, set, setWith, update, updateWith, and zipObjectDeep allow a malicious user to modify the prototype of Object if the property identifiers are user-supplied. Being affected by this issue requires manipulating objects based on user-provided property values or arrays.
This vulnerability causes the addition or modification of an existing property that will exist on all objects and may lead to Denial of Service or Code Execution under specific circumstances.
node-fetch forwards secure headers to untrusted sites
node-fetch forwards secure headers such as authorization, www-authenticate, cookie, and cookie2 when redirecting to an untrusted site.