Ant Design, a popular React UI library, released version 2.8.1 shortly after 2.8.0, presenting developers with incremental updates. Both versions share the same core dependencies, such as moment, rc-form, rc-table, and other rc-* components, so users already working with the library will find familiar functionality. The description and core purpose of the library remain consistent between versions: providing an enterprise-class UI design language and React-based implementation.
A notable difference lies in the devDependencies. Version 2.8.1 removes coveralls, which previously handled coverage reports, and introduces antd-demo-jest to test the antd demo components and typescript-babel-jest to handle TypeScript tests in Jest, showcasing a shift in the testing strategy. It also bumps some versions, such as lodash.debounce going from ^4.0.6 to ^4.0.8. The release date also indicates a quick follow-up to address any immediate issues found in 2.8.0.
For developers, this quick release suggests a focus on stability and on issues highlighted right after the 2.8.0 release. While the core API likely remains identical, developers might want to investigate the testing changes if they're actively contributing to or extending Ant Design. Existing users of 2.8.0 can likely upgrade to 2.8.1 with minimal risk, benefiting from any bug fixes or minor improvements introduced in the testing infrastructure. Always check the changelog for a detailed breakdown of the changes.
All the vulnerabilities related to version 2.8.1 of the package
Regular Expression Denial of Service in moment
Affected versions of moment are vulnerable to a low severity regular expression denial of service when parsing dates as strings.
Update to version 2.19.3 or later.
Path Traversal: 'dir/../../filename' in moment.locale
This vulnerability impacts npm (server) users of moment.js, especially if a user-provided locale string, e.g. fr, is directly used to switch the moment locale.
This problem is patched in 2.29.2, and the patch can be applied to all affected versions (from 1.0.1 up until 2.29.1, inclusive).
Sanitize user-provided locale name before passing it to moment.js.
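The mitigation above is to sanitize the locale name before it reaches moment.locale(). The following is an added example, not moment.js code or part of this page, showing one way to do that in Node.js: the locale name is normalized, matched against the shape of a moment locale identifier (lowercase letters and digits separated by single hyphens) and then checked against an allowlist of locales the deployment actually ships. The SUPPORTED_LOCALES set and the fallback of 'en' are constructed for this example; the moment.locale() call in the comment is hypothetical usage and moment is not imported here.

```javascript
// Added example: validate a user-supplied locale name before handing it to a
// locale loader such as moment.locale(). Inputs like 'dir/../../filename' are
// rejected by shape alone; the allowlist then limits accepted names further.

// moment locale identifiers look like "fr", "en-gb", "zh-cn", "x-pseudo".
const LOCALE_PATTERN = /^[a-z0-9]{1,8}(?:-[a-z0-9]{1,8})*$/;

// Constructed allowlist for this example; a real application would list the
// locales it actually bundles.
const SUPPORTED_LOCALES = new Set(['en', 'en-gb', 'fr', 'de', 'zh-cn']);

// Returns a safe locale name, or the fallback when the input is not acceptable.
function sanitizeLocale(input, fallback = 'en') {
  if (typeof input !== 'string') return fallback;
  const candidate = input.trim().toLowerCase();
  if (!LOCALE_PATTERN.test(candidate)) return fallback; // no '/', '.', '\\' or spaces
  if (!SUPPORTED_LOCALES.has(candidate)) return fallback; // unknown but well-formed name
  return candidate;
}

// Hypothetical wiring in a request handler (moment is not loaded in this example):
// moment.locale(sanitizeLocale(req.query.lang));
```

The pattern check alone already blocks traversal strings, since they contain characters outside the allowed set; the allowlist is the second line of defence, so that an unexpected but well-formed name never triggers a file lookup either.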
Prototype Pollution in lodash
Versions of lodash prior to 4.17.19 are vulnerable to Prototype Pollution. The functions pick, set, setWith, update, updateWith, and zipObjectDeep allow a malicious user to modify the prototype of Object if the property identifiers are user-supplied. Being affected by this issue requires manipulating objects based on user-provided property values or arrays.
This vulnerability causes the addition or modification of an existing property that will exist on all objects and may lead to Denial of Service or Code Execution under specific circumstances.
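The condition named above is user-supplied property identifiers reaching a path-based setter. The following is an added example, not lodash code or part of this page, showing a guard that an application can put in front of such setters: paths are accepted only as arrays of segments, each segment is compared against the keys that address the prototype chain, and a minimal setter standing in for lodash.set writes only own properties along the validated path. The setter, the applyUserAssignments helper and the sample assignments are constructed for this example; a real application would call lodash.set with the array returned by validatePath.

```javascript
// Added example: guard user-controlled property paths before a path-based
// setter (lodash.set, setWith, update, ...) consumes them.

// Keys through which a write would land on the prototype chain rather than on
// the target object's own data.
const FORBIDDEN_SEGMENTS = new Set(['__proto__', 'constructor', 'prototype']);

// Accept only an array of segments. A string path would be parsed by the setter
// with its own rules, and a guard written here could not reproduce those exactly,
// so passing arrays keeps the guard and the setter in agreement about the keys.
function validatePath(segments) {
  if (!Array.isArray(segments) || segments.length === 0) {
    throw new TypeError('path must be a non-empty array of segments');
  }
  return segments.map((seg) => {
    const key = String(seg);
    if (FORBIDDEN_SEGMENTS.has(key)) {
      throw new Error(`refusing to set property through reserved key "${key}"`);
    }
    return key;
  });
}

// Minimal stand-in for lodash.set used in this example: creates intermediate
// plain objects and writes only own properties along the validated path.
function safeSet(target, segments, value) {
  const keys = validatePath(segments);
  let node = target;
  for (let i = 0; i < keys.length - 1; i++) {
    const key = keys[i];
    const own = Object.prototype.hasOwnProperty.call(node, key);
    if (!own || typeof node[key] !== 'object' || node[key] === null) {
      node[key] = {};
    }
    node = node[key];
  }
  node[keys[keys.length - 1]] = value;
  return target;
}

// Apply a batch of user-controlled assignments, recording the ones the guard rejects.
function applyUserAssignments(target, assignments) {
  const rejected = [];
  for (const { path, value } of assignments) {
    try {
      safeSet(target, path, value);
    } catch (err) {
      rejected.push({ path, reason: err.message });
    }
  }
  return { target, rejected };
}

// Constructed sample input: one ordinary assignment and one whose first segment
// names the prototype chain.
const sampleAssignments = [
  { path: ['profile', 'displayName'], value: 'alice' },
  { path: ['__proto__', 'polluted'], value: true },
];
```

Rejecting the batch element rather than the whole request keeps the audit trail useful: the rejected list names the offending path, which is what a detection rule or log alert would key on.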
node-fetch forwards secure headers to untrusted sites
node-fetch forwards secure headers such as authorization, www-authenticate, cookie, and cookie2 when redirecting to an untrusted site.
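The risk described above is credentials leaving the site they were meant for because a redirect target inherits the original request headers. The following is an added example, not node-fetch code or part of this page, of the decision an HTTP client (or a wrapper around one) can make before following a redirect: resolve the Location value against the original URL, compare origins (scheme and host, including port), and drop the four headers named in the advisory whenever the redirect leaves the original origin. The strict same-origin rule, the header list and the sample requests are choices made for this example.

```javascript
// Added example: compute the headers that may accompany a redirected request.
// Headers that carry credentials are dropped when the redirect target is not
// the same origin as the original request.

const SENSITIVE_HEADERS = new Set(['authorization', 'www-authenticate', 'cookie', 'cookie2']);

// Same origin means same scheme and same host (URL.host includes a non-default port).
function sameOrigin(urlA, urlB) {
  const a = new URL(urlA);
  const b = new URL(urlB);
  return a.protocol === b.protocol && a.host === b.host;
}

// originalUrl: the request that received the redirect.
// location: the Location header value, possibly relative.
// headers: plain object of header name -> value from the original request.
function headersForRedirect(originalUrl, location, headers) {
  const target = new URL(location, originalUrl).toString();
  const crossOrigin = !sameOrigin(originalUrl, target);
  const forwarded = {};
  const dropped = [];
  for (const [name, value] of Object.entries(headers)) {
    if (crossOrigin && SENSITIVE_HEADERS.has(name.toLowerCase())) {
      dropped.push(name); // credential-bearing header, not sent to a different origin
      continue;
    }
    forwarded[name] = value;
  }
  return { target, crossOrigin, forwarded, dropped };
}

// Constructed sample: a login request redirected off-site and one redirected within the site.
const sampleHeaders = {
  Authorization: 'Bearer constructed-token',
  Cookie: 'sid=constructed',
  Accept: 'application/json',
};
```

A scheme change on the same host (https to http) also counts as a different origin here, so a downgrade redirect strips the credentials as well. Whether subdomains of the original host should keep the headers is a policy decision; this example errs on the side of dropping them.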