Moment.js saw a notable update between versions 2.17.1 and 2.18.0, with the release date moving from December 2016 to March 2017. While the core description remains consistent, a library for parsing, validating, manipulating, and displaying dates in JavaScript, developers will want to understand the underlying changes and improvements. A quick comparison of the package data shows that the devDependencies section is identical between the two versions, listing tools like nyc, grunt, karma, rollup, and others used for development and testing. This suggests that the development environment and testing methodology remained largely unchanged during this period. The license continued to be MIT, the repository information stayed the same, and the author details for Iskren Ivov Chernev were unchanged. For developers, the primary interest lies in which bug fixes, performance improvements, or new features were introduced in 2.18.0. Establishing that requires the official changelog or release notes for Moment.js, which explain what drove the version bump. Although the toolchain has not changed, it is standard procedure when assessing a library upgrade to examine the source code, tests and release notes to understand the impact the upgrade would have.
All the vulnerabilities related to version 2.18.0 of the package
Regular Expression Denial of Service in moment
Affected versions of moment are vulnerable to a low severity regular expression denial of service when parsing dates as strings.
Update to version 2.19.3 or later.
Path Traversal: 'dir/../../filename' in moment.locale
This vulnerability impacts npm (server) users of moment.js, especially if a user-provided locale string, e.g. fr, is directly used to switch the moment locale.
This problem is patched in 2.29.2, and the patch can be applied to all affected versions (from 1.0.1 up until 2.29.1, inclusive).
Sanitize user-provided locale name before passing it to moment.js.
Moment.js vulnerable to Inefficient Regular Expression Complexity
The problem is patched in 2.29.4; the patch can be applied to all affected versions with minimal tweaking.
In general, given the proliferation of ReDoS attacks, it makes sense to limit the length of the user input to something sane, like 200 characters or less. I haven't seen legitimate cases of date-time strings longer than that, so all moment users who do pass a user-originating string to the constructor are encouraged to apply such a rudimentary filter, which would help with this and also with most future ReDoS vulnerabilities.
There is an excellent writeup of the issue here: https://github.com/moment/moment/pull/6015#issuecomment-1152961973=
The issue is rooted in the code that removes legacy comments (stuff inside parentheses) from strings during rfc2822 parsing. moment("(".repeat(500000)) will take a few minutes to process, which is unacceptable.
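The two mitigations the advisories above recommend, sanitizing a user-supplied locale name before it reaches moment.locale() and capping the length of a user-supplied date string before it reaches moment(), as an added example that is not moment.js's own code. The locale pattern and the optional allowlist are assumptions about what an application ships; moment itself is not loaded so the block runs stand-alone.

```javascript
// Added example (not moment.js's own code): input-hardening helpers a
// server-side caller can put in front of moment() and moment.locale().
// Assumes the application knows which locale bundles it actually ships.

const MAX_DATE_INPUT_LENGTH = 200; // limit suggested by the ReDoS advisory above

// Shipped moment locale names look like "fr", "en-gb", "zh-cn", "x-pseudo":
// short ASCII tokens joined by '-'. Anything else, including path separators
// or "..", is rejected so the value can never be used to build a file path
// such as "dir/../../filename". (Pattern is an assumption, not moment's own.)
const LOCALE_PATTERN = /^[a-z]{1,3}(?:-[a-z0-9]{2,8})*$/i;

// Returns the normalized locale name, or null if it is not acceptable.
// `allowed` is an optional allowlist of locales the app bundles (assumed).
function sanitizeLocale(name, allowed) {
  if (typeof name !== 'string') return null;
  const normalized = name.trim().toLowerCase();
  if (!LOCALE_PATTERN.test(normalized)) return null;
  if (Array.isArray(allowed) && !allowed.includes(normalized)) return null;
  return normalized;
}

// Returns the string if it is a plausible date-time input, or null otherwise.
// Rejecting over-long strings up front keeps inputs like "(".repeat(500000)
// away from the rfc2822 comment-stripping code the advisory describes.
function boundedDateInput(value, maxLength = MAX_DATE_INPUT_LENGTH) {
  if (typeof value !== 'string') return null;
  if (value.length === 0 || value.length > maxLength) return null;
  return value;
}

// Usage sketch (hypothetical request object; moment not loaded here):
//   const loc = sanitizeLocale(req.query.locale, ['en', 'fr', 'en-gb']);
//   if (loc) moment.locale(loc);
//   const s = boundedDateInput(req.query.when);
//   const m = s ? moment(s) : moment.invalid();
```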