Ant Design (antd) has released version 2.8.3, building upon the solid foundation of its previous stable release, version 2.8.2. Both versions cater to developers seeking an enterprise-class UI solution built with React.js, offering a comprehensive suite of components and a consistent design language.
A key difference lies in the updated dependencies. Version 2.8.3 upgrades moment from ~2.17.0 to ~2.18.0. While seemingly minor, this update pulls in the latest bug fixes and potentially new features from the moment library, which is crucial for date and time handling within antd components. This ensures better compatibility and reliability when dealing with date-related functionality. In addition, antd-tools was updated from ~0.18.0 to ~0.19.1, and other dev dependencies have been updated in the newer version.
For developers, sticking to the latest stable version, 2.8.3, is generally recommended. It incorporates necessary dependency updates and behind-the-scenes refinements. Both versions feature a rich set of components like buttons, forms, modals, and tables, designed to accelerate development and provide a consistent user experience. The library's extensive documentation and active community support make it easier to integrate and customize components to fit specific needs. Antd's focus on accessibility and internationalization also makes it a strong choice for developing inclusive and global applications, ensuring a wider audience can benefit from your software. The consistent design allows developers to focus on functionality, not visual implementation.
All vulnerabilities related to version 2.8.3 of the package
Regular Expression Denial of Service in moment
Affected versions of moment are vulnerable to a low severity regular expression denial of service when parsing dates as strings.
Update to version 2.19.3 or later.
Path Traversal: 'dir/../../filename' in moment.locale
This vulnerability impacts npm (server) users of moment.js, especially if a user-provided locale string, e.g. fr, is directly used to switch the moment locale.
This problem is patched in 2.29.2, and the patch can be applied to all affected versions (from 1.0.1 up until 2.29.1, inclusive).
Sanitize user-provided locale name before passing it to moment.js.
Moment.js vulnerable to Inefficient Regular Expression Complexity
The problem is patched in 2.29.4, and the patch can be applied to all affected versions with minimal tweaking.
In general, given the proliferation of ReDoS attacks, it makes sense to limit the length of the user input to something sane, like 200 characters or less. I haven't seen legitimate cases of date-time strings longer than that, so all moment users who do pass a user-originating string to the constructor are encouraged to apply such a rudimentary filter, which would help with this and also with most future ReDoS vulnerabilities.
There is an excellent writeup of the issue here: https://github.com/moment/moment/pull/6015#issuecomment-1152961973=
The issue is rooted in the code that removes legacy comments (stuff inside parenthesis) from strings during rfc2822 parsing. moment("(".repeat(500000)) will take a few minutes to process, which is unacceptable.
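The two mitigations recommended above (validate a user-supplied locale name before it reaches moment.locale(), and cap the length of any user-supplied date string before it reaches the moment() constructor) as a pair of input guards. This is an added example, not code from antd or moment.js; the helper names and the BCP 47-style locale pattern are assumptions, and the 200-character cap is the advisory's own suggestion.

```javascript
// Added example (not from antd or moment.js): guards applied to untrusted
// input before it is handed to moment.locale() or moment().

// Locale names moment ships are BCP 47-style tags ("fr", "en-gb", "zh-cn").
// Anything else (path separators, dots, spaces) is rejected rather than
// "cleaned", so a string like "dir/../../filename" never becomes a module
// path inside moment.locale(). The pattern itself is an assumption.
const LOCALE_TAG = /^[a-z]{2,3}(-[a-z0-9]{2,8})*$/i;

// Maximum accepted length of a user-provided date string. The advisory
// suggests 200 characters; legitimate date-time strings are far shorter.
const MAX_DATE_INPUT = 200;

// Returns a lower-cased locale tag, or null when the value must not be used.
// Callers fall back to a default locale on null instead of passing it on.
function safeLocale(name) {
  if (typeof name !== 'string' || !LOCALE_TAG.test(name)) {
    return null;
  }
  return name.toLowerCase();
}

// Returns the trimmed date string, or null when it is empty, too long, or
// not a string. A null result should be treated as an invalid date rather
// than passed to the parser, which blocks the "(".repeat(500000) case.
function safeDateInput(value, maxLen = MAX_DATE_INPUT) {
  if (typeof value !== 'string') {
    return null;
  }
  const trimmed = value.trim();
  if (trimmed.length === 0 || trimmed.length > maxLen) {
    return null;
  }
  return trimmed;
}

// Intended wiring in an Express-style handler (assumes `moment` is loaded;
// shown as a comment so this file runs without the dependency):
//   const tag = safeLocale(req.query.locale);
//   moment.locale(tag === null ? 'en' : tag);
//   const input = safeDateInput(req.body.date);
//   const parsed = input === null ? null : moment(input);
```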
Prototype Pollution in lodash
Versions of lodash prior to 4.17.19 are vulnerable to Prototype Pollution. The functions pick, set, setWith, update, updateWith, and zipObjectDeep allow a malicious user to modify the prototype of Object if the property identifiers are user-supplied. Being affected by this issue requires manipulating objects based on user-provided property values or arrays.
This vulnerability causes the addition or modification of an existing property that will exist on all objects and may lead to Denial of Service or Code Execution under specific circumstances.
node-fetch forwards secure headers to untrusted sites
node-fetch forwards secure headers such as authorization, www-authenticate, cookie, and cookie2 when redirecting to an untrusted site.