Ant Design (antd) has released version 2.8.0, building upon the solid foundation of its previous stable release, 2.7.4. Both versions cater to developers seeking an enterprise-class UI solution built with React. Key upgrades in version 2.8.0 are seen in its dependency updates, offering subtle refinements and bug fixes. Specifically, rc-rate saw an upgrade from version ~1.1.2 to ~2.1.0, rc-tabs moved from ~7.1.0 to ~7.2.0, rc-steps jumped from ~2.3.0 to ~2.4.0, rc-calendar advanced from ~7.6.0 to ~7.6.2, rc-input-number went from ~3.1.1 to ~3.3.0 and rc-notification moved from ~1.3.4 to ~1.4.0. Furthermore, rc-editor-mention was updated from ~0.3.0 to ~0.5.2. These updates likely incorporate performance improvements and address reported issues within those individual components.
While both versions share a core set of dependencies and development tools, developers migrating to 2.8.0 should be mindful of these updated dependencies and confirm compatibility within their projects. The development dependencies across versions are almost identical, suggesting a consistent development and testing environment. When choosing between the versions, if you require the latest enhancements and refinements for components, upgrading to 2.8.0 is advisable, but review the dependency upgrades to ensure compatibility first. If stability with existing code is paramount, staying on 2.7.4 may be preferable until a thorough compatibility check is performed.
Vulnerabilities reported against version 2.8.0 of the package (through its dependencies)
Regular Expression Denial of Service in moment
Affected versions of moment are vulnerable to a low severity regular expression denial of service when parsing dates as strings.
Update to version 2.19.3 or later.
Path Traversal: 'dir/../../filename' in moment.locale
This vulnerability impacts npm (server) users of moment.js, especially if a user-provided locale string (e.g. fr) is directly used to switch the moment locale.
This problem is patched in 2.29.2, and the patch can be applied to all affected versions (from 1.0.1 up until 2.29.1, inclusive).
Sanitize user-provided locale name before passing it to moment.js.
Prototype Pollution in lodash
Versions of lodash prior to 4.17.19 are vulnerable to Prototype Pollution. The functions pick, set, setWith, update, updateWith, and zipObjectDeep allow a malicious user to modify the prototype of Object if the property identifiers are user-supplied. Being affected by this issue requires manipulating objects based on user-provided property values or arrays.
This vulnerability allows the addition of a new property, or the modification of an existing one, that will then exist on all objects, and may lead to Denial of Service or Code Execution under specific circumstances.
node-fetch forwards secure headers to untrusted sites
node-fetch forwards secure headers such as authorization, www-authenticate, cookie, and cookie2 when redirecting to an untrusted site.