Ant Design, a popular enterprise-class UI design language and React-based implementation, released version 2.9.0 as a minor update following version 2.8.3. Both versions share the core philosophy of providing a comprehensive suite of polished UI components suitable for building complex, data-rich applications. Examining the dependency updates reveals some key improvements.
In the dependencies section, we observe updates to several rc-* packages, the underlying React components on which Ant Design is built. Specifically, rc-tabs was updated from ~7.2.0 to ~7.3.0, rc-select from ~6.7.1 to ~6.8.0, rc-slider from ~6.1.0 to ~6.3.0, rc-calendar from ~7.6.2 to ~7.8.0, rc-pagination from ~1.7.0 to ~1.8.0, rc-input-number from ~3.3.0 to ~3.4.4 and rc-progress from ~2.0.1 to ~2.1.0. These updates likely introduce bug fixes, performance enhancements, and potentially new features in the Ant Design components built upon them. Users of those components, such as Tabs, Select, Slider, Calendar, Pagination, InputNumber, and Progress, should see subtle but beneficial improvements.
No significant changes were made in the devDependencies section. The release date indicates that version 2.9.0 was published approximately 6 days after version 2.8.3, suggesting an incremental update focused on refining existing components and addressing issues through dependency and underlying-code updates, rather than introducing groundbreaking new features. Developers already using Ant Design should find version 2.9.0 a worthwhile upgrade for increased stability and component functionality.
All vulnerabilities related to version 2.9.0 of the package
Regular Expression Denial of Service in moment
Affected versions of moment are vulnerable to a low-severity regular expression denial of service when parsing dates as strings.
Update to version 2.19.3 or later.
Path Traversal: 'dir/../../filename' in moment.locale
This vulnerability impacts npm (server) users of moment.js, especially if a user-provided locale string, e.g. fr, is directly used to switch the moment locale.
This problem is patched in 2.29.2, and the patch can be applied to all affected versions (from 1.0.1 up until 2.29.1, inclusive).
Sanitize user-provided locale name before passing it to moment.js.
Moment.js vulnerable to Inefficient Regular Expression Complexity
The problem is patched in 2.29.4; the patch can be applied to all affected versions with minimal tweaking.
In general, given the proliferation of ReDoS attacks, it makes sense to limit the length of the user input to something sane, like 200 characters or less. I haven't seen legitimate cases of date-time strings longer than that, so all moment users who do pass a user-originating string to the constructor are encouraged to apply such a rudimentary filter, which would help with this but also with most future ReDoS vulnerabilities.
There is an excellent writeup of the issue here: https://github.com/moment/moment/pull/6015#issuecomment-1152961973=
The issue is rooted in the code that removes legacy comments (stuff inside parentheses) from strings during rfc2822 parsing. moment("(".repeat(500000)) will take a few minutes to process, which is unacceptable.
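The two moment.js advisories above recommend sanitizing a user-provided locale name and capping the length of user-originating date strings. The following is an added example of such input guards, not code from Ant Design or moment.js; the locale pattern, the 200-character cap and the function names are assumptions, and the parser is passed in so the example runs without moment installed.

```javascript
'use strict';

// Assumed cap taken from the advisory's suggestion of "200 characters or less".
const MAX_DATE_INPUT_LENGTH = 200;

// Assumed allowlist pattern for locale names (language plus optional subtags,
// e.g. "fr", "zh-cn", "en-gb"). Path separators, dots and spaces never match,
// so values like "dir/../../filename" cannot reach moment.locale(). Tighten
// this to the explicit list of locales your application ships if you can.
const LOCALE_NAME_RE = /^[a-z]{2,3}(?:-[a-z0-9]{2,8})*$/i;

// Return a locale name safe to hand to moment.locale(), or the fallback.
function safeLocaleName(name, fallback = 'en') {
  if (typeof name !== 'string') return fallback;
  const trimmed = name.trim();
  if (trimmed.length > 32 || !LOCALE_NAME_RE.test(trimmed)) return fallback;
  return trimmed.toLowerCase();
}

// True when a user-originating date string is short enough to parse safely.
function isSaneDateInput(value, maxLength = MAX_DATE_INPUT_LENGTH) {
  return typeof value === 'string' && value.length <= maxLength;
}

// Wrap any date parser (e.g. moment) so over-long input is rejected before
// the parser's regular expressions ever see it. Returns null on rejection.
function guardedParse(parseFn, value, maxLength = MAX_DATE_INPUT_LENGTH) {
  if (!isSaneDateInput(value, maxLength)) return null;
  return parseFn(value);
}

// Constructed sample usage with a stand-in parser (real code would pass moment).
const lengthParser = (s) => s.length;
console.log(safeLocaleName('fr'));                             // fr
console.log(safeLocaleName('dir/../../filename'));             // en
console.log(guardedParse(lengthParser, '2017-05-01'));         // 10
console.log(guardedParse(lengthParser, '('.repeat(500000)));   // null
```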
Prototype Pollution in lodash
Versions of lodash prior to 4.17.19 are vulnerable to Prototype Pollution. The functions pick, set, setWith, update, updateWith, and zipObjectDeep allow a malicious user to modify the prototype of Object if the property identifiers are user-supplied. Being affected by this issue requires manipulating objects based on user-provided property values or arrays.
This vulnerability causes the addition or modification of an existing property that will exist on all objects and may lead to Denial of Service or Code Execution under specific circumstances.
node-fetch forwards secure headers to untrusted sites
node-fetch forwards secure headers such as authorization, www-authenticate, cookie, & cookie2 when redirecting to an untrusted site.