Ant Design (antd) has released version 2.7.0, building on the solid foundation of version 2.6.4. Both versions are an enterprise-class UI design language implemented as React components, offering a comprehensive suite of tools for building modern web applications. The key difference lies in the updated dependencies. Version 2.7.0 moves rc-form from ~1.1.0 to ~1.3.0, improving form management; rc-select from ~6.6.1 to ~6.7.1, which may include bug fixes, performance improvements or feature enhancements in the Select component; rc-tree-select from ~1.8.0 to ~1.9.0; and rc-input-number from ~2.8.3 to ~3.0.0. Of these, only rc-input-number crosses a major version boundary, so its 3.0.0 release may contain breaking changes; the other three are minor-version bumps.
On the development side, @types/react has been pinned from the caret range ^15.0.0 to the exact version 15.0.4. Developers should review the changelogs for rc-form, rc-select, rc-tree-select and rc-input-number to understand the specific changes and confirm compatibility before upgrading. Upgrading to 2.7.0 brings the latest bug fixes and potentially improved performance in these core components, contributing to a more robust and refined user interface. While the core philosophy and component library remain consistent, these dependency updates are valuable for developers seeking the most up-to-date and stable version of Ant Design.
All known vulnerabilities related to version 2.7.0 of the package (reported in its dependencies rather than in antd itself)
Regular Expression Denial of Service in moment
Affected versions of moment are vulnerable to a low-severity regular expression denial of service (ReDoS) when parsing dates from strings.
Update to version 2.19.3 or later.
Path Traversal: 'dir/../../filename' in moment.locale
This vulnerability impacts npm (server-side) users of moment.js, especially where a user-provided locale string (e.g. fr) is passed directly to moment.locale() to switch the locale: the name is used to build the path of the locale file to load, so a value such as dir/../../filename escapes the locale directory.
This problem is patched in 2.29.2, and the patch can be applied to all affected versions (from 1.0.1 up until 2.29.1, inclusive).
Workaround: sanitize user-provided locale names before passing them to moment.js.
Prototype Pollution in lodash
Versions of lodash prior to 4.17.19 are vulnerable to prototype pollution. The functions pick, set, setWith, update, updateWith, and zipObjectDeep allow a malicious user to modify the prototype of Object if the property identifiers (the property path) are user-supplied. Being affected by this issue requires manipulating objects based on user-provided property values or arrays.
This vulnerability causes the addition or modification of a property that then exists on all objects, and may lead to denial of service or code execution under specific circumstances.
node-fetch forwards secure headers to untrusted sites
node-fetch forwards secure headers such as authorization, www-authenticate, cookie, and cookie2 when following a redirect to an untrusted site.