Ant Design (antd) is a popular React UI library offering a comprehensive suite of pre-built components ideal for crafting enterprise-level applications. Version 2.7.4 arrived shortly after 2.7.3, with a release date just one day apart, suggesting a quick patch or minor enhancement. A close examination of the dependencies and devDependencies reveals no changes between the two versions; all listed packages remain identical across both in name and version constraints. This indicates that the update likely focuses on internal bug fixes, performance improvements, documentation updates, or minor refinements that didn't necessitate alterations to the project's dependencies or development toolchain.
For developers, while the absence of dependency updates might seem uneventful, it provides stability and reassurance that upgrading from 2.7.3 to 2.7.4 won't introduce compatibility issues with existing projects. Upgrading will bring the benefit of the internal fixes and improvements. Always consult the official Ant Design changelog or release notes accompanying version 2.7.4 for detailed insights into the specific modifications made. By staying up-to-date, developers can ensure they are leveraging the most stable and optimized version of Ant Design for building efficient and visually appealing user interfaces.
All vulnerabilities related to version 2.7.4 of the package
Regular Expression Denial of Service in moment
Affected versions of moment are vulnerable to a low-severity regular expression denial of service when parsing dates as strings.
Update to version 2.19.3 or later.
Path Traversal: 'dir/../../filename' in moment.locale
This vulnerability impacts npm (server) users of moment.js, especially if a user-provided locale string, e.g. fr, is directly used to switch the moment locale.
This problem is patched in 2.29.2, and the patch can be applied to all affected versions (from 1.0.1 up until 2.29.1, inclusive).
Sanitize user-provided locale name before passing it to moment.js.
Prototype Pollution in lodash
Versions of lodash prior to 4.17.19 are vulnerable to Prototype Pollution. The functions pick, set, setWith, update, updateWith, and zipObjectDeep allow a malicious user to modify the prototype of Object if the property identifiers are user-supplied. Being affected by this issue requires manipulating objects based on user-provided property values or arrays.
This vulnerability causes the addition or modification of an existing property that will exist on all objects and may lead to Denial of Service or Code Execution under specific circumstances.
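Added example, not code from this page or from the moment or lodash projects: the two input checks the moment.locale and lodash advisories above call for, an allowlist for user-supplied locale names before they reach moment.locale(), and a property-path guard before set/setWith/update/updateWith-style deep writes. The locale list and the simplified path splitter are constructed assumptions.

```javascript
// Added example (not from the page, moment or lodash): validate untrusted
// identifiers before they reach library calls named in the advisories above.

// 1. Locale names for moment.locale(): accept only names the application
//    actually ships (constructed sample list), compared after lowercasing.
//    Anything else, including "dir/../../filename", falls back to a default.
const AVAILABLE_LOCALES = new Set(["en", "fr", "de", "zh-cn", "pt-br"]);
const LOCALE_SHAPE = /^[a-z]{2,3}(?:-[a-z]{2,4})?$/;

function sanitizeLocale(input, fallback = "en") {
  if (typeof input !== "string") return fallback;
  const name = input.trim().toLowerCase();
  if (!LOCALE_SHAPE.test(name) || !AVAILABLE_LOCALES.has(name)) return fallback;
  return name;
}

// 2. Property paths for set/setWith/update/updateWith: a segment named
//    __proto__, constructor or prototype would let the write land on
//    Object.prototype, so reject such paths before calling the library.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Simplified splitter (assumption): "a.b[0].c" -> ["a", "b", "0", "c"].
function pathSegments(path) {
  if (Array.isArray(path)) return path.map(String);
  return String(path).split(/[.[\]]+/).filter((s) => s.length > 0);
}

function isSafePropertyPath(path) {
  const segs = pathSegments(path);
  return segs.length > 0 && segs.every((s) => !FORBIDDEN_KEYS.has(s));
}

// Deep-set that refuses unsafe paths and only walks own, plain-object keys,
// so it never descends into inherited properties. Intermediate containers
// are created as plain objects (no array handling, to keep the example short).
function safeSet(target, path, value) {
  if (!isSafePropertyPath(path)) throw new Error("unsafe property path: " + path);
  const segs = pathSegments(path);
  let node = target;
  for (let i = 0; i < segs.length - 1; i += 1) {
    const key = segs[i];
    const own = Object.prototype.hasOwnProperty.call(node, key);
    if (!own || typeof node[key] !== "object" || node[key] === null) node[key] = {};
    node = node[key];
  }
  node[segs[segs.length - 1]] = value;
  return target;
}
```

Both guards fail closed: an unrecognised locale falls back to the default and an unsafe path throws before any write happens.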
node-fetch forwards secure headers to untrusted sites
node-fetch forwards secure headers such as authorization, www-authenticate, cookie, and cookie2 when redirecting to an untrusted site.