Ant Design (antd) is a popular UI library for React applications, offering a comprehensive suite of components designed for enterprise-level projects. Version 2.8.2 builds upon the foundations laid by its predecessor, version 2.8.1, incorporating key updates and refinements that enhance the developer experience and overall stability.
The most visible change is in the devDependencies. Most of the tooling is unchanged, but jest moved from 18.1.0 to 19.0.2 and bisheng-plugin-antd from 0.12.0 to 0.13.2, which points to fixes in the test runner and in the documentation-site generator respectively. Two new entries also appear in 2.8.2: color-standalone (^0.11.6) and react-color-standalone (^2.4.2-1), which suggests work on colour handling or colour-picker components. Because these are devDependencies they do not change what is published to consumers, but they do affect how the package is tested and documented. Both versions declare the same peer dependencies, including React 15 and the various rc-* component libraries, so they target the same host application stack.
For developers evaluating Ant Design, both versions offer a rich collection of ready-to-use components, a consistent design language, and tooling for streamlined development; the newer release is the one to choose for its component additions and updated test tooling.
Known vulnerabilities affecting antd 2.8.2. All of them sit in the dependency tree (moment, lodash and node-fetch) rather than in antd's own code, so the fix in each case is to update the dependency to its patched version, for example by pinning it with a lockfile or an override.
Regular Expression Denial of Service in moment
Affected versions of moment are vulnerable to a low-severity regular expression denial of service when parsing dates from strings. The cost grows with the length of the input, so until the upgrade lands the practical mitigation is to cap the length of date strings accepted from users before they reach moment.
Update to moment 2.19.3 or later.
Path Traversal: 'dir/../../filename' in moment.locale
This vulnerability affects npm (server-side) users of moment.js, particularly where a user-provided locale string (for example fr) is passed directly to moment.locale(). On Node, switching locale resolves the name to a locale file on disk, so a name containing path segments such as ../ can reach files outside the locale directory.
The problem is patched in 2.29.2, and the patch applies to all affected versions (from 1.0.1 up to and including 2.29.1).
Workaround: validate (preferably allowlist) user-provided locale names before passing them to moment.js.
Prototype Pollution in lodash
Versions of lodash prior to 4.17.19 are vulnerable to prototype pollution. The functions pick, set, setWith, update, updateWith and zipObjectDeep allow a malicious user to modify Object.prototype when the property paths are user-supplied; being affected therefore requires code that builds or updates objects from user-provided property names, paths or arrays.
The result is a property added to, or overwritten on, every object in the process, which may lead to denial of service or to code execution depending on how the application later consumes those objects. Update to lodash 4.17.19 or later.
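What the advisory describes, shown on a minimal deep-set written in the style of lodash's set/setWith. This is an added example and not lodash's code: `naiveSet` reproduces the vulnerable behaviour, `safeSet` is one hardened form, and `pollutes` is a probe that reports whether an unrelated object picked up the property. All three names are assumptions.

```javascript
// Added example (not lodash's code): a minimal deep set in the style of
// lodash's set/setWith, first written naively and then hardened.
// Function names are assumptions made for this illustration.

// Naive deep set: walks the dotted path, creating objects as it goes.
// With a path such as "__proto__.isAdmin" or "constructor.prototype.isAdmin"
// the walk lands on Object.prototype and the final assignment pollutes it.
function naiveSet(target, dottedPath, value) {
  const keys = dottedPath.split(".");
  let cur = target;
  for (let i = 0; i < keys.length - 1; i++) {
    if (cur[keys[i]] === undefined) cur[keys[i]] = {};
    cur = cur[keys[i]];
  }
  cur[keys[keys.length - 1]] = value;
  return target;
}

// Path segments that can climb from a plain object into a prototype.
const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Hardened deep set: rejects prototype-reaching segments outright and only
// descends into own, plain-object properties it created or already owns.
function safeSet(target, dottedPath, value) {
  const keys = dottedPath.split(".");
  if (keys.some((k) => FORBIDDEN_KEYS.has(k))) {
    throw new Error(`refusing to set prototype-reaching path: ${dottedPath}`);
  }
  let cur = target;
  for (let i = 0; i < keys.length - 1; i++) {
    const k = keys[i];
    if (!Object.prototype.hasOwnProperty.call(cur, k) ||
        typeof cur[k] !== "object" || cur[k] === null) {
      cur[k] = {};
    }
    cur = cur[k];
  }
  cur[keys[keys.length - 1]] = value;
  return target;
}

// Runs one attacker-controlled path through a setter on a throwaway object and
// reports whether a fresh, unrelated object now sees the final key. Cleans
// Object.prototype afterwards so the probe does not leak into the process.
function pollutes(setter, attackerPath) {
  const probe = attackerPath.split(".").pop();
  let leaked = false;
  try {
    setter({}, attackerPath, true);
    leaked = ({})[probe] === true;
  } catch (e) {
    leaked = false;
  } finally {
    delete Object.prototype[probe];
  }
  return leaked;
}

module.exports = { naiveSet, safeSet, pollutes };
```

The hardened version blocks both the `__proto__` route and the `constructor.prototype` route; blocking only `__proto__` is a common half-fix and leaves the second path open.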
node-fetch forwards secure headers to untrusted sites
node-fetch forwards sensitive headers such as authorization, www-authenticate, cookie and cookie2 when following a redirect to an untrusted site, that is, a host other than the one the request was made to. Any server that can answer with a redirect therefore receives the caller's credentials for the original host. Patched in node-fetch 2.6.7 and 3.1.1.
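The policy a fixed client applies, as an added example that is not node-fetch's code: credential-bearing headers are carried across a redirect only while the target stays on the same origin, and a simulated two-hop chain shows them being dropped at the cross-origin hop. The response table is constructed for the example, and `headersForRedirect` and `followRedirects` are names chosen here.

```javascript
// Added example (not node-fetch's code): strip credential-bearing headers when
// a redirect leaves the original origin. Names and the fake response table are
// assumptions made for this illustration; nothing here touches the network.

// Headers that must not reach a third party.
const SENSITIVE_HEADERS = new Set([
  "authorization", "www-authenticate", "cookie", "cookie2",
]);

// Same scheme and same host:port. A scheme downgrade (https -> http) counts as
// a different origin and also loses the sensitive headers.
function sameOrigin(a, b) {
  const ua = new URL(a);
  const ub = new URL(b);
  return ua.protocol === ub.protocol && ua.host === ub.host;
}

// Returns the header set to send on the redirected request.
function headersForRedirect(originalUrl, redirectUrl, headers) {
  const keep = sameOrigin(originalUrl, redirectUrl);
  const forwarded = {};
  for (const [name, value] of Object.entries(headers)) {
    if (!keep && SENSITIVE_HEADERS.has(name.toLowerCase())) continue;
    forwarded[name] = value;
  }
  return forwarded;
}

// Constructed stand-in for the network: a same-origin hop followed by a
// cross-origin hop to a host that should never see the bearer token.
const FAKE_RESPONSES = {
  "https://api.example.com/v1/report": { status: 302, location: "/v1/report-moved" },
  "https://api.example.com/v1/report-moved": { status: 302, location: "https://cdn.evil.example/collect" },
  "https://cdn.evil.example/collect": { status: 200 },
};

// Follows the chain, applying headersForRedirect at every hop, and returns the
// trace of (url, headers) pairs that would have been sent.
function followRedirects(startUrl, headers, responses = FAKE_RESPONSES, maxHops = 5) {
  let url = startUrl;
  let current = { ...headers };
  const trace = [];
  for (let hop = 0; hop <= maxHops; hop++) {
    const resp = responses[url];
    if (!resp) throw new Error(`no constructed response for ${url}`);
    trace.push({ url, headers: { ...current } });
    if (resp.status < 300 || resp.status > 399 || !resp.location) return trace;
    const next = new URL(resp.location, url).toString();
    current = headersForRedirect(url, next, current);
    url = next;
  }
  throw new Error("too many redirects");
}

module.exports = { sameOrigin, headersForRedirect, followRedirects };
```

The trace for the constructed chain keeps Authorization and Cookie on the first two same-origin requests and drops both for the request to cdn.evil.example while leaving non-sensitive headers such as Accept in place.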