Ant Design (antd) is a popular React UI library offering a rich set of pre-built components suitable for enterprise-level applications. Comparing versions 2.7.2 and 2.7.3 reveals incremental updates focused on dependency tweaks and bug fixes aimed at solidifying the stability of the library.
The most notable difference lies in the dependency updates, particularly within the core components. rc-table sees a version bump from ~5.2.0 to ~5.2.13, indicating potential bug fixes or minor feature enhancements to the table component. Additionally, rc-input-number moves from ~3.0.0 to ~3.1.1, which suggests improvements to the numerical input component, possibly including validation enhancements or improved user experience.
Both versions depend on a wide range of packages, including moment for date handling, the rc-* React common components, and various testing and development tools. Developers using antd benefit from a comprehensive suite of components. These libraries are designed to enhance developer productivity by offering ready-to-use, customizable components that adhere to a consistent design language, which gives applications a unified user interface. Upgrading from 2.7.2 to 2.7.3 provides access to the newest improvements in the table and number input components. The difference in "releaseDate" is also worth noting, since it helps developers follow the library's update cadence.
All vulnerabilities related to version 2.7.3 of the package
Regular Expression Denial of Service in moment
Affected versions of moment are vulnerable to a low severity regular expression denial of service when parsing dates as strings.
Update to version 2.19.3 or later.
Path Traversal: 'dir/../../filename' in moment.locale
This vulnerability impacts npm (server) users of moment.js, especially if a user-provided locale string, e.g. fr, is directly used to switch the moment locale.
This problem is patched in 2.29.2, and the patch can be applied to all affected versions (from 1.0.1 up until 2.29.1, inclusive).
Sanitize user-provided locale name before passing it to moment.js.
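One way to do that sanitization, as an added example that is not moment.js code or part of this advisory: moment resolves a locale name to a file under its locale directory on Node, so the safe approach is to accept only names that look like locale tags and that the application actually ships. The SUPPORTED_LOCALES list and the sanitizeLocale name are assumptions for this example.

```javascript
// Added example (not moment.js code): allowlist a user-supplied locale name
// before handing it to moment.locale(). A name carrying path separators or
// ".." must never reach the locale lookup; a strict shape check rules that out.

// Tags in the form moment uses for its locale files: "fr", "en-gb", "zh-cn",
// "tzm-latn". Lowercase letters and digits only, hyphen-separated.
const LOCALE_TAG = /^[a-z]{2,3}(?:-[a-z0-9]{2,8})*$/;

// Locales this application bundles (assumed list for the example).
const SUPPORTED_LOCALES = new Set(["en", "en-gb", "fr", "de", "zh-cn"]);

// Returns a locale name that is safe to pass on, or the fallback if the
// input is rejected. Never returns the raw input.
function sanitizeLocale(input, fallback = "en") {
  if (typeof input !== "string") return fallback;
  const name = input.trim().toLowerCase();
  // Shape check first: rejects "../../package.json", "fr/../x", "fr\\x", "".
  if (!LOCALE_TAG.test(name)) return fallback;
  // Then restrict to locales we ship, so no lookup happens for anything else.
  return SUPPORTED_LOCALES.has(name) ? name : fallback;
}

// Usage (assumed Express-style request object):
//   moment.locale(sanitizeLocale(req.query.lang));
```

Checking shape before membership keeps the two failure modes separate: a malformed string is rejected without ever being compared against the allowlist, and a well-formed tag that the application does not bundle is silently mapped to the fallback rather than triggering a file lookup.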
Prototype Pollution in lodash
Versions of lodash prior to 4.17.19 are vulnerable to Prototype Pollution. The functions pick, set, setWith, update, updateWith, and zipObjectDeep allow a malicious user to modify the prototype of Object if the property identifiers are user-supplied. Being affected by this issue requires manipulating objects based on user-provided property values or arrays.
This vulnerability causes the addition or modification of an existing property that will exist on all objects and may lead to Denial of Service or Code Execution under specific circumstances.
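The defensive counterpart to the flaw described above, as an added example that is not lodash code: a deep "set" in the style of lodash.set that refuses the path segments through which a user-supplied path can walk onto Object.prototype, and that only descends into properties the object itself owns. The names safeSet, toPath and FORBIDDEN_KEYS are this example's own.

```javascript
// Added example (not lodash code). Deep-set helpers walk a path such as
// "a.b.c", creating intermediate objects as they go. The weakness the
// advisory describes is that a segment like "__proto__", or "constructor"
// followed by "prototype", walks onto the shared prototype instead of an
// own property. This version rejects those segments outright.

const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);
const hasOwn = (obj, key) => Object.prototype.hasOwnProperty.call(obj, key);

// Split "list[0].name" style paths into segments; arrays are taken as-is.
function toPath(path) {
  if (Array.isArray(path)) return path.map(String);
  return String(path).split(/[.\[\]]+/).filter((s) => s.length > 0);
}

// Sets `value` at `path` inside `target` and returns `target`.
// Throws instead of touching a reserved key, so an attacker-controlled path
// cannot reach Object.prototype and affect every object in the process.
function safeSet(target, path, value) {
  const keys = toPath(path);
  if (keys.length === 0) throw new TypeError("empty path");
  let node = target;
  for (let i = 0; i < keys.length; i++) {
    const key = keys[i];
    if (FORBIDDEN_KEYS.has(key)) {
      throw new TypeError(`refusing to set through reserved key "${key}"`);
    }
    if (i === keys.length - 1) {
      node[key] = value;
    } else {
      // Descend only into an own property that is a real object; otherwise
      // create a fresh container (an array when the next segment is numeric).
      const existing = node[key];
      if (!hasOwn(node, key) || typeof existing !== "object" || existing === null) {
        node[key] = /^\d+$/.test(keys[i + 1]) ? [] : {};
      }
      node = node[key];
    }
  }
  return target;
}
```

The own-property check matters as much as the key denylist: without it, a path whose first segment names an inherited property would descend into the prototype chain even when no reserved key appears. When a path must be accepted from untrusted input, the practical fix is to upgrade lodash to 4.17.19 or later and still validate the path against an allowlist of expected field names.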
node-fetch forwards secure headers to untrusted sites
node-fetch forwards secure headers such as authorization, www-authenticate, cookie, and cookie2 when redirecting to an untrusted site.
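The policy a hardened HTTP client applies here, as an added example that is not node-fetch code: when a redirect target lives on a different origin than the original request, the credential-bearing headers named in the advisory are dropped before the request is re-issued. The functions sameOrigin and headersForRedirect, and the sample header map, are constructed for this example.

```javascript
// Added example (not node-fetch code): decide which request headers may
// follow a redirect. The four headers the advisory lists carry credentials,
// so they are forwarded only when scheme, host and port are unchanged.

const SENSITIVE_HEADERS = new Set([
  "authorization",
  "www-authenticate",
  "cookie",
  "cookie2",
]);

// True when scheme, host and port all match. URL normalizes default ports,
// so "https://h/a" and "https://h:443/b" compare as the same origin.
function sameOrigin(fromUrl, toUrl) {
  const a = new URL(fromUrl);
  const b = new URL(toUrl);
  return a.protocol === b.protocol && a.hostname === b.hostname && a.port === b.port;
}

// Returns a new header map for the redirected request. Header names are
// compared case-insensitively; values are copied unchanged.
function headersForRedirect(fromUrl, toUrl, headers) {
  const keepCredentials = sameOrigin(fromUrl, toUrl);
  const out = {};
  for (const [name, value] of Object.entries(headers)) {
    if (!keepCredentials && SENSITIVE_HEADERS.has(name.toLowerCase())) continue;
    out[name] = value;
  }
  return out;
}

// Constructed sample: a request that carried a bearer token and a cookie.
const SAMPLE_HEADERS = {
  Authorization: "Bearer example-token",
  Cookie: "session=abc123",
  Accept: "application/json",
};
```

A client that redirects from https://api.example to https://other.example with SAMPLE_HEADERS should end up sending only Accept; the same redirect within api.example keeps all three. Pinning the fixed node-fetch release is still the primary remedy, since this check only covers requests your own code routes through it.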