Moment.js 2.19.4 is a small update released on December 11, 2017, following closely after version 2.19.3, released on November 29, 2017. Both versions retain the same core functionality for parsing, validating, manipulating, and displaying dates in JavaScript. In the package metadata, the only differences between them are the releaseDate and dist.tarball fields, which reflect the newer build and publication time; the devDependencies, license, repository, and author details are identical between the two stable npm package versions.
For developers using Moment.js, an increment of this size indicates bug fixes, minor improvements, or dependency updates rather than new features. The public API is unchanged, so upgrading from 2.19.3 to 2.19.4 carries little risk while picking up the latest stability fixes and any security patches in the 2.19.x line. Staying on the newest patch version within a series is therefore generally recommended even when the functional impact is minimal. Before upgrading, consult the official Moment.js changelog or release notes to confirm the specific changes included in version 2.19.4.
All known vulnerabilities affecting version 2.19.4 of the package
Path Traversal: 'dir/../../filename' in moment.locale
This vulnerability impacts npm (server) users of moment.js, especially if a user-provided locale string, e.g. fr, is directly used to switch the moment locale.
This problem is patched in 2.29.2, and the patch can be applied to all affected versions (from 1.0.1 up until 2.29.1, inclusive).
Sanitize user-provided locale name before passing it to moment.js.
Moment.js vulnerable to Inefficient Regular Expression Complexity
The problem is patched in 2.29.4; the patch can be applied to all affected versions with minimal tweaking.
In general, given the proliferation of ReDoS attacks, it makes sense to limit the length of the user input to something sane, like 200 characters or less. I haven't seen legitimate cases of date-time strings longer than that, so all moment users who do pass a user-originating string to the constructor are encouraged to apply such a rudimentary filter, which would help with this but also with most future ReDoS vulnerabilities.
There is an excellent writeup of the issue here: https://github.com/moment/moment/pull/6015#issuecomment-1152961973=
The issue is rooted in the code that removes legacy comments (stuff inside parentheses) from strings during rfc2822 parsing. moment("(".repeat(500000)) will take a few minutes to process, which is unacceptable.
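The two advisories above recommend the same kind of defence at the application boundary: validate a user-supplied locale name before handing it to moment.locale(), and cap the length of any user-originating string before handing it to the moment() constructor. The following is an added example of such input filters, written for this page and not code from the moment.js project. It does not import moment itself; the helpers return the validated value (or null for a rejected input) so the caller can decide what to pass on. The locale pattern, the optional allowlist, the 200-character cap and the sample inputs are all assumptions of this example.

```javascript
// Added example: boundary checks for the two moment.js advisories above.
// Not moment.js project code; `moment` is deliberately not imported here.

// Assumption: locale names accepted by the app look like language tags
// ("fr", "pt-br", "tzm-latn", "x-pseudo"). Anything else, including
// path separators and ".." segments, is rejected before it can reach
// moment.locale(), which on Node resolves the name to a file path.
// The pattern has no nested or overlapping quantifiers, so it is linear-time.
const SAFE_LOCALE = /^[a-z]{1,3}(?:-[a-z0-9]{1,8})*$/i;

// Assumption: 200 characters is the cap suggested in the ReDoS advisory.
const MAX_DATE_INPUT = 200;

// Returns a lower-cased locale name safe to pass to moment.locale(), or null.
// `allowedLocales` (optional) restricts the result to locales the app ships.
function safeLocaleName(input, allowedLocales) {
  if (typeof input !== 'string') return null;
  const name = input.trim().toLowerCase();
  if (!SAFE_LOCALE.test(name)) return null;
  if (Array.isArray(allowedLocales) && !allowedLocales.includes(name)) return null;
  return name;
}

// Returns the string unchanged if it is within the length cap, else null.
// Apply this before moment(userString) or moment(userString, format).
function boundedDateInput(input, max = MAX_DATE_INPUT) {
  if (typeof input !== 'string') return null;
  if (input.length > max) return null;
  return input;
}

// Runs the helpers over constructed sample inputs and returns the results,
// so the outcome can be inspected without moment installed.
function demo() {
  const shipped = ['en', 'fr', 'de', 'pt-br'];
  const localeInputs = ['fr', 'pt-BR', 'dir/../../filename', '../../etc/passwd', ''];
  const dateInputs = ['2017-12-11T10:00:00Z', '('.repeat(500000)];
  return {
    locales: localeInputs.map((s) => [s, safeLocaleName(s, shipped)]),
    dates: dateInputs.map((s) => [s.slice(0, 20), boundedDateInput(s)]),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

The allowlist is the stronger of the two locale checks: a pattern alone still lets a caller name a locale the application never loaded, which moment silently ignores on the browser build but resolves as a require() on Node. The length cap is intentionally crude, as the advisory says; it does not fix the regular expression, it only keeps pathological inputs such as a half-million open parentheses from reaching it.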