Moment.js version 2.25.2 is a small step forward from version 2.25.1 of this widely used JavaScript date manipulation library. Both versions share the core functionality developers rely on for parsing, validating, manipulating, and displaying dates and times. The development dependencies used to build and test the library are identical between the two versions, which points to a stable and well-maintained codebase.
The key differences lie in the distribution details. Version 2.25.2 has a noticeably higher file count (524 vs 391) and unpacked size (4056041 bytes vs 3503937 bytes) than version 2.25.1, which suggests added documentation, tests, or bug fixes that made the code more verbose. The larger footprint could affect initial load time in web applications, but what it buys ranges from new features to better stability. Version 2.25.2 also has the later release date, making it the more up-to-date version and the better choice in almost any case. For developers, the choice between the two hinges on project needs: if minimizing package size and load time is critical, version 2.25.1 might seem preferable, but the newer version is more likely to include bug fixes and enhancements, and is therefore the better choice.
All vulnerabilities affecting version 2.25.2 of the package
Path Traversal: 'dir/../../filename' in moment.locale
This vulnerability impacts npm (server) users of moment.js, especially if a user-provided locale string, e.g. fr, is directly used to switch the moment locale.
This problem is patched in 2.29.2, and the patch can be applied to all affected versions (from 1.0.1 up until 2.29.1, inclusive).
Sanitize user-provided locale name before passing it to moment.js.
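One way to do that sanitization, as an added example that is not moment's own code: treat the user's value as a key into an allowlist of locales the application has actually bundled, rather than as a name handed straight to moment.locale(). The regular expression, the SUPPORTED_LOCALES set and the resolveLocale name are assumptions of this example; moment's shipped locale keys are lowercase tags such as fr and en-gb.

```javascript
// Added example (not moment's own code): validate a user-supplied locale
// name before it reaches moment.locale(), so path-like input such as
// "dir/../../filename" is never used to locate a locale file.

// Locale keys moment ships are lowercase BCP 47-style tags ("fr", "en-gb",
// "zh-cn"). Anything outside this shape is rejected outright.
const LOCALE_TAG = /^[a-z]{2,3}(?:-[a-z0-9]{2,8})*$/;

// Allowlist of locales this application has bundled (constructed sample;
// a real deployment lists the locale files it actually ships).
const SUPPORTED_LOCALES = new Set(['en', 'en-gb', 'fr', 'de', 'zh-cn']);

const DEFAULT_LOCALE = 'en';

// Returns a locale from the allowlist, or the fallback. Raw input is never
// returned, so the value passed on to moment.locale() is always one we chose.
function resolveLocale(userInput, supported = SUPPORTED_LOCALES, fallback = DEFAULT_LOCALE) {
  if (typeof userInput !== 'string') return fallback;
  // Normalise the common variants: surrounding whitespace, case, "en_GB".
  const tag = userInput.trim().toLowerCase().replace(/_/g, '-');
  // Length bound plus shape check: slashes, dots and other path characters fail here.
  if (tag.length > 16 || !LOCALE_TAG.test(tag)) return fallback;
  if (supported.has(tag)) return tag;
  // Only the region was unsupported: fall back to the bare language subtag.
  const lang = tag.split('-')[0];
  return supported.has(lang) ? lang : fallback;
}

// At the call site the application would then do (hypothetical request object):
//   moment.locale(resolveLocale(req.query.lang));
```

The important property is that the function maps input onto a fixed set of known-good values; a pattern check alone would still let an attacker probe which locale files exist.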
Moment.js vulnerable to Inefficient Regular Expression Complexity
The problem is patched in 2.29.4, and the patch can be applied to all affected versions with minimal tweaking.
In general, given the proliferation of ReDoS attacks, it makes sense to limit the length of the user input to something sane, like 200 characters or less. I haven't seen legitimate cases of date-time strings longer than that, so all moment users who pass a user-originating string to the constructor are encouraged to apply such a rudimentary filter; that would help with this but also with most future ReDoS vulnerabilities.
There is an excellent writeup of the issue here: https://github.com/moment/moment/pull/6015#issuecomment-1152961973=
The issue is rooted in the code that removes legacy comments (text inside parentheses) from strings during RFC 2822 parsing. A call such as moment("(".repeat(500000)) will take a few minutes to process, which is unacceptable.
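The two defences the advisory describes, as an added example that is not moment's code or its fix: a length gate of 200 characters applied before any parsing, and a comment stripper that walks the string once with a nesting counter instead of a backtracking regular expression, so cost stays linear in input length. The function names, the MAX_DATE_INPUT constant and the whitespace collapsing are assumptions of this example; the package itself is not required, which is why the final step that would hand the cleaned string to moment() appears only as a comment.

```javascript
// Added example (not moment's own code): defences against the ReDoS
// described in the advisory, runnable without the moment package.

// 1. Bound user-originated date strings before they reach any parser.
//    200 characters is the limit the advisory suggests; real RFC 2822 and
//    ISO 8601 date strings are far shorter than that.
const MAX_DATE_INPUT = 200;

function boundedDateInput(input, maxLen = MAX_DATE_INPUT) {
  if (typeof input !== 'string') return null;
  if (input.length > maxLen) return null; // reject outright rather than truncate
  return input;
}

// 2. Remove RFC 2822 comments (parenthesised text, possibly nested, with
//    backslash quoted-pairs) in one left-to-right pass. A depth counter
//    replaces a backtracking regex, so unbalanced input like "(".repeat(n)
//    costs O(n) and simply yields an empty string.
function stripComments(s) {
  let out = '';
  let depth = 0;
  for (let i = 0; i < s.length; i++) {
    const c = s[i];
    if (c === '\\' && i + 1 < s.length) {
      // quoted-pair: the next character is literal, kept only outside comments
      if (depth === 0) out += s[i + 1];
      i++;
      continue;
    }
    if (c === '(') { depth++; continue; }
    if (c === ')') {
      if (depth > 0) depth--; else out += c; // stray ')' outside a comment is kept
      continue;
    }
    if (depth === 0) out += c;
  }
  // Collapse the whitespace left where a comment used to be.
  return out.replace(/\s+/g, ' ').trim();
}

// Wall-clock check so the linear bound can be observed on hostile input.
function stripCommentsTimed(s) {
  const t0 = Date.now();
  const result = stripComments(s);
  return { result, ms: Date.now() - t0 };
}

// 3. The order that matters: gate first, then strip, then parse.
function safeDateInput(userInput) {
  const bounded = boundedDateInput(userInput);
  if (bounded === null) return null;
  return stripComments(bounded);
  // The caller would then parse the returned string, e.g. moment(cleaned).
}
```

The length gate is the cheap, general control: it stops this input and any future super-linear regex from seeing more than a few hundred characters. The single-pass stripper shows why the fix in the library is a change of algorithm rather than a tighter pattern.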