Moment.js version 2.29.2 is a subtle but significant update from version 2.29.1 of this widely used JavaScript date-manipulation library. Both versions keep the same core functionality for parsing, validating, manipulating, and displaying dates in JavaScript. The devDependencies are near-identical, indicating a consistent approach to development and testing. The notable differences lie in the dist object and the releaseDate. Version 2.29.2 was released on April 3, 2022, a considerable gap from the 2.29.1 release on October 6, 2020. The unpackedSize also grew slightly, from 4,209,955 to 4,228,909 bytes, suggesting bug fixes and possibly minor feature enhancements or internal code adjustments that account for the size change. For developers already relying on Moment.js, this update likely contains refinements and improvements without breaking changes. Users should still review the changelog for details of any patches, security enhancements, or performance gains made between the two versions. Existing installations will probably benefit from upgrading because of the potential stability and security improvements.
All vulnerabilities affecting version 2.29.2 of the package
Moment.js vulnerable to Inefficient Regular Expression Complexity
The problem is patched in 2.29.4; the patch can be applied to all affected versions with minimal tweaking.
In general, given the proliferation of ReDoS attacks, it makes sense to limit the length of user input to something sane, like 200 characters or less. I haven't seen legitimate cases of date-time strings longer than that, so all moment users who pass a user-originating string to the constructor are encouraged to apply such a rudimentary filter; that would help with this and also with most future ReDoS vulnerabilities.
There is an excellent writeup of the issue here: https://github.com/moment/moment/pull/6015#issuecomment-1152961973=
The issue is rooted in the code that removes legacy comments (text inside parentheses) from strings during RFC 2822 parsing. For example, moment("(".repeat(500000)) will take a few minutes to process, which is unacceptable.
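The two points above, the length cap recommended for user-originating date strings and the parenthesised-comment removal that the advisory identifies as the slow path, as an added example written for this page (not moment.js's own code). The `parse` callback, the result objects and the single-pass comment stripper are assumptions made for illustration; the stripper follows the RFC 2822 comment grammar (nested parentheses, backslash quoted-pairs) in linear time rather than with a backtracking regex.

```javascript
// Added example, not moment.js code: guard date input by length, then strip
// RFC 2822 comments (text in parentheses) in one linear pass.
const MAX_DATE_INPUT_LENGTH = 200; // the cap the advisory suggests

// Reject over-long input before any parser, regex-based or not, sees it.
function guardDateInput(input, maxLen = MAX_DATE_INPUT_LENGTH) {
  if (typeof input !== "string") {
    throw new TypeError("date input must be a string");
  }
  if (input.length > maxLen) {
    return { ok: false, reason: `input length ${input.length} exceeds ${maxLen}` };
  }
  return { ok: true, value: input };
}

// Remove comments (possibly nested parentheses) with a depth counter, so
// cost is O(n) regardless of how the parentheses are arranged. An unclosed
// "(" swallows the rest of the string; a stray ")" stays as literal text.
function stripRfc2822Comments(s) {
  let out = "";
  let depth = 0;
  for (let i = 0; i < s.length; i++) {
    const c = s[i];
    // quoted-pair inside a comment: "\x" is skipped as a unit
    if (c === "\\" && depth > 0 && i + 1 < s.length) { i++; continue; }
    if (c === "(") { depth++; continue; }
    if (c === ")" && depth > 0) { depth--; continue; }
    if (depth === 0) out += c;
  }
  return out.replace(/\s+/g, " ").trim();
}

// What an application would call instead of handing raw user input to the
// parser. `parse` is a hypothetical callback standing in for moment() or any
// other date parser; it only runs on guarded, comment-free input.
function parseUserDate(input, parse) {
  const g = guardDateInput(input);
  if (!g.ok) return { ok: false, reason: g.reason };
  return { ok: true, value: parse(stripRfc2822Comments(g.value)) };
}

// The advisory's pathological input is rejected by the guard immediately,
// and even without the guard the linear stripper finishes it instantly.
console.log(guardDateInput("(".repeat(500000)).ok); // false
console.log(stripRfc2822Comments("Mon, 06 Mar 2017 (comment (nested)) 21:22:23 +0000"));
```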